All Data Is Consequential
As the world moves further and further into a technology-enabled and -dependent world, serious questions arise about personal and institutional privacy. Recently, news headlines have revealed that a seemingly innocuous bit of data could have far reaching and deadly side effects. Over the past several years, the U.S. Army has issued fitness trackers to its soldiers. They have a number of uses for the tracker and many soldiers are tied in with an online company called Strava.
Strava recently took all of the data of people using their system and created a heat map of the world using that data. Harmless, right? Wrong. Because so many military people use this system and so many of them are in remote parts of the world, observant people began to see patterns. These patterns indicated routes around known (and suspected) U.S. military locations and outposts. While the data is confidential in the sense that it does not name specific people, it provides significant details about patterns of exercise and may confirm suspected locations of covert outposts.
Like other security breaches in the past, this one should raise concern with all of us in the AV field. The first concern for me is that the data seemed so non-consequential at first. What could possibly be wrong with sharing how many steps I take per day? But in fact, that exact information could turn out to be deadly for some sets of people. How many things on your AV networks do you consider to be non-consequential? How many times have you considered security and thought “who cares about breaking into AV systems?” Now after realizing what can be done with a count of the number of steps you can take, consider what our AV systems tie into. We have cameras and microphones in dozens, even hundreds of locations around our campus. These can be in classrooms, in offices and in conference rooms. In higher ed, many of these systems may also be connected with recording systems, as class capture has become mainstream over the past several years. Finally, most systems include computing capabilities. These may include dedicated computers and laptops that faculty, staff, students and visitors bring in. When laptops and other external devices are brought to our spaces, we often grant them some access to our networ, and if we are doing many types of wireless connections, we ask them to connect (USB) something to their computer.
Just like I would not have guessed the vulnerability of the Army using fitness trackers, I can’t guess all the reasons that people would want to gain access to data from AV systems. There are a few obvious ones though. First, in higher ed in particular, we have a population of students who are the perfect age for hacking. They may be interested in it simply to see how far they can get or to gain access in order to take inappropriate action. In academia, there are few things more important than academic integrity. Exams, assignments and research are all important to our faculty and students. When I think about all that I just wrote about in the previous paragraph, it is clear to me that there are many ways for students to get into protected spaces. Listening in or viewing conversations and work for which someone has not been invited gives people the opportunity to steal ideas or see things in advance of when they are supposed to. For example, a faculty member may meet in a conference room with their TAs for the course as they discuss individual student progress or prepare an exam. By opening connections to that room, other people can see things that they shouldn’t. The same is true for any other conference room on campus with AV. This could include listening in on conversations with human resources, advancement, dean of students and other sensitive areas.
Anytime we ask someone (or allow someone) to connect their computer to our systems, we need to be sure that we know the risks. What do those devices put on the computer? Several manufacturers provide a USB connection for wireless and that often will install a small piece of software. Is there any chance that some piece of software we don’t want could go along with that? How about recording equipment? Can your recording equipment be used in a way that would allow someone to aim it at a keyboard and unknown to the person using it, capture their keystrokes and therefore their passwords?
Unfortunately, privacy and security are significant issues in today’s environment and they come with significant consequences. Breaches can cost an institution significant money, loss of access to federal resources and their institutional reputations. Most of the time when these happen people start looking for a person to blame. Let’s not let our AV systems be the weak point that lets something like this happen. Some security will need to be worked through with your network engineers, but other types are just thinking about how people will use things in ways not expected or intended. This is where integrators can continue to provide us services. They will have seen things at other places we have never thought about. They can advise us on how to avoid these at our location. Before you have a problem is the best time to make sure you don’t get one.