142 comments

[ 6.7 ms ] story [ 315 ms ] thread
Brown also has their students cellular telephone numbers. It's feasible that the University acquired/purchased their students geolocation history via their mobile providers.
Is that kind of information really for sale on an individualized level, by mobile providers? Surely they have brands to protect, and don't like being sued.
Putting on my tinfoil hat, I'll note that mobile providers depends on Brown University for antenna space on at least three tall campus buildings.
(comment deleted)
Yes, in fact government agencies like the Secret Service [1], CBP [2], IRS [3], and others frequently purchase it to circumvent warrant requirements.

[1]: https://arstechnica.com/tech-policy/2020/08/secret-service-o...

[2]: https://www.wyden.senate.gov/news/press-releases/wyden-warre...

[3]: https://www.vice.com/en/article/m7agpa/irs-location-data-ven...

The information being sold there wasn't from mobile providers, they were collected by apps. See the first paragraph of the third article: "location data quietly harvested from ordinary smartphone apps over 10,000 times". The same applies to the other two articles.
Why would they be sued? It's all right there in the contract in black and white.

And, naturally, all the customers carefully read through the contract. /s

I don't even know what could be done to stop this stuff at this point? I think it's too far gone.

The NYTimes [1] did an excellent expose on this a year ago. They purchased location data on 12 million phones across the country.

[1] https://www.nytimes.com/interactive/2019/12/19/opinion/locat...

It's crazy that wiretapping is illegal but this getting is not.
There is a saying that "if libraries did not exist for millennia, no government would create one in the 21st century. They would instead give people a means-tested tax credit for buying books and call it a day".

I think this sentiment applies to much more than libraries or infrastructure. Laws against wiretapping and opening postal letters are vestiges of the past. They never got updated when communication moved digital. They would not be passed today. They are kept on the books only because of inertia. If they didn't exist in the first place, no government would create them in 2020.

A government didn't create them in the first place, at least not in the US. The Constitution and Bill of Rights were drafted by small committees, and later ratified by each state outside of the existing (paralyzed) governmental process.
Shouldn't there be like laws to protect against those, and a few huge class-action lawsuits, forcing the telcos to pay millions and millions of dollars because of that?
Yes. Call your representatives and campaign for new ones, or run propositions
I live in europe, we have many such laws, and noone can get that data. ...except government agencies, local and foreign spies, system administrators, etc.
Of course there should be. We stopped expecting them during the Reagan Administration because private industry would upset the entrenched monopolies that were keeping us down.

And safe. So now people think unions are icky and representatives that care about people rather than corporations are fantasy.

As the article states, WiFi monitoring is likely happening on a large scale. Why purchase outside data when you have better data (including authenticated users) already in house?
Does Brown require that its students have mobile phones?
Unless I were at Brown on a fully paid scholarship, I'd transfer out. Plenty other fine schools that won't be a nanny.
Are you sure other schools are not doing the same, or won't in the very near future?
Aside from camera use, because my team does not support that system, my team helped our university admin do the same things. In fact you could really just find/replace "Brown" with our name and this would be the same write-up. Lots of American schools run this same infra and did the same things.
I kind of doubt it. You, as a 18-22 year old college student, would leave your friends, girlfriend/boyfriend, and everything else because of this? More likely, you and your friends would instead just bitch about it and call the admins nazis while getting drunk.
This is the correct answer. They technically capable students might try to somehow undermine this as well. That's the extent.
Unfortunately, this is standard practice across schools (and most big employers). This is definitely not a problem unique to Brown, or even elite schools.

There was a scandal back in 2010 where a high school in Philadelphia was accused of spying on kids through school-issued laptop webcams [1], which is arguably more egregious.

https://www.computerworld.com/article/2521075/pennsylvania-s...

(comment deleted)
As someone who went to multiple schools for undergrad including brown I fully disagree. Brown is a very libertarian school with regard to the student body. Sure this example sucks but how many people at brown were involved with this decision making process? This feels like a situation where technical administrators who are not in charge of normal student life made a decision which is both highly unusual and clearly controversial. I would say the main people I came into contact with at brown for instance RAs in dorms and my professors and course staff were absolutely understanding, kind, and liberal in a way that I did not experience in other schools.
They’re all doing it, just at different levels of nanny-state oversight.
I don’t understand why they were worried about students lingering on campus?
Same reason the NBA had their bubble.
I'm not from the US, but from the excerpted letter, it appears to be related to COVID-19.

In Australia, we did the same thing - a lot of universities went remote-only, so that we could eradicate the virus.

It seems to have succeeded - COVID-19 seems to be under control in Australia (along with many other countries like NZ, Vietnam, Singapore, Taiwan etc) - however, the US/Europe seems to have really struggled to get it under control. I hope they succeed soon.

I get the sense that a lot of people here (I assume from the US) are worried about their rights being infringed, as part of trying to protect people from getting sick. I'm not saying there doesn't need to be a discussion, or there isn't a balance - but it does come across as a bit churlish and petty, to try to openly defy public health measures in the name of defending human rights in the midst of a global pandemic.

Yes I understand it has to do with Covid. But more than asking people to leave - why do they actually worry if some don’t? E.g are they legally responsible somehow for making sure students leave?
you don't need to be "legally responsible" to not want unnecessary covid exposure on your campus!
Accusing students of lying does not avoid covid exposure, though? It just creates bad will (and possibly legal issue).
I think the university must be risking something bad (such as legal consequences) if they felt that this type of obvious bad publicity was worth it. If they tell people to leave campus that’s as much as they can reasonably do.

The next step before wondering why someone used their keycard to access a building they shouldn’t be near could be just removing the access?

The best way to get people to leave has to be removing reasons to stay, for example access to campus resources.

Churlish and petty?

I see it more that Americans were acting rationally and logically and parts of rest of the world were acting emotionally in panic and willing to stop thinking for themselves and put their trust in health officials.

I wore a mask when it was considered racist and selfish to do so (Jan). Months later the who changed their advice and everyone needed a mask.

Australia is willing to suspend human rights to prevent a few deaths. Not everyone is going to agree with that.

The IFR would have to be extraordinarily high for me to agree to a 6 month lockdown like enacted in Victoria.

After reading the article, I didn't feel like any of these were particularly nefarious intrusions as they largely involved the student knowingly using Brown's services (buildings, wifi, access management system IPs, physical presence on campus). The article was pretty well-written and informative in general on how a number of services we take for granted can be used to locate you.

I do take issue with Brown's extremely harsh language in one of the linked articles where they threatened students with suspension...all for being in the local Providence area?!

Is it an intrusion when Google/Android does the same thing when you access their servers?
The difference is you usually don't directly access their servers. You just walk in to a store and your phone grabs your location, sends it to google and then asks if you want to leave a review of the store.
You turned on location services.
I should not have to choose between giving Google a free for all access to my location data or having no location functionality on my device.

This is one of the primary reasons I won't use Android. They always bundle critical features in with privacy violations.

If you turn off location history, you shouldn't get the notifications to review stores and the like, IME. I've had location history off but location services on (damn you, uber!) for ages, and I don't get those any more.
They still lock features out if you do. You can't set your home location in google maps unless you allow them to track and store your location 24/7. Meanwhile ios manages perfectly fine keeping that data on your phones local storage.
As sibling comment wrote, the "do you want to review $location?" prompts come from you enabling location history, which is a Maps feature they offer to users who want to keep track where they've been.

You can enable location services (needed for apps like Maps, Lyft, Tinder, Find My Device) without enabling location history. Whether they still record your history, who knows.

> I should not have to choose between giving Google a free for all access to my location data or having no location functionality on my device.

Location indoors is made possible by sending a list of visible WiFi AP MAC addresses and relative signal strengths to a web service. WiFi MAC addresses are globally unique serial numbers, and Google/Apple maintain huge MAC-to-location databases. Enabling location doesn't just turn on GPS, it sends your location to Apple/Google constantly to retrieve the lat/lon from visible WiFi triangulation.

The only way to keep your mobile location halfway private (your carrier still gets it, and leaks it to your national military) is to keep all location services disabled on the device. Otherwise, simply enabling location access at all gives Google and Apple the aforementioned "free for all access".

I agree that it shouldn't be this way, but it is today.

It used to be much easier for Android users to be able to choose which location service they wanted to use, for example Mozilla’s location service downloaded from F-Droid. However, Google made a change to AOSP that requires third-party location services to now be installed as a system app, not a regular app. (Only a tiny amount of people will have the skills to use the Android shell to move the package to the right place.) It is hard to not see this as a way for Google to lock Android users into using only its service and giving it all their location data.
A company selling a product to a few isn’t an issue, yet one who controls the market is. It’s all about the scale
What company? It an issue if Google runs ads against your location history and lets you delete it whenever you request, but not an issue that Flashlight App sells your permanent location history forever to brokers to aggregate and resell to anyone who asks for it?
These students have paid a non-trivial amount of money to attend this school, and passed up the chance to attend others. They are a market that Brown has almost complete control over.

What meaningful choice could a student make to avoid being tracked in the login they use to take classes is what tracks them?

Yeah, sounds like if you don't physically access the buildings, don't log onto the campus wifi (which requires authentication to use), and use a VPN (on computer and phone, for 2 factor auth) to access all your online course materials they can't really know where you are... Not too surprising, still good to know!
If they simply logged all MACs that passed by their routers, that would be a little concerning given the urban setting. If these people didn't turn off their WiFi autojoin and their devices were actively connecting, then that's on them.
It’s easy to fall into the trap of confusing how the system behaves with what your actually allowed to do.

Legally computers can’t give consent even if it seems like they do so. This is why people can be convicted of hacking for going to public URL’s etc. Presumably, the same rules apply in the reverse where if people are unaware that’s what’s happening then it should be illegal to track them like this.

If anything it’s legally ok because as a student they may have unknowingly agreed to such somewhere.

I'm surprised tracking MACs would be that reliable. Most phones and phone OSes > 2017 have had MAC randomization built in. Retail wifi points used to track MACs in order to profile foot traffic, but this technique hasn't been effective since 2017.

https://blog.elevensoftware.com/how-mac-address-randomizatio...

These are presumably students that have signed into the wifi, not just passerby
The students have agreed to follow certain rules related to Covid. Why is it shocking that the university is evaluating whether they are following the rules and doing some enforcement?
To provide a little more context...

Students faced a ternary choice prior to the Fall semester: 1. enroll as an on-campus (and thus live in a dorm), or 2. enroll as a remote student (and thus live at home), or 3. take a leave of absence (and thus live wherever)

Only students in that second bin were subject to the requirement stay out of Providence. A cynical take on this is that Brown has always had strict residency requirements for its students, and residency fees are far above the market rate in Providence. If students could simply mark themselves as "remote" to get out of paying dorm fees, I'm sure many would.

The other key bit of context is just how poor of a job Brown did at geolocating students. Dozens of students (some international!) received baseless notices of reprimand. The most compelling theory I've seen is that these students were using Brown's VPN, and were identified as on campus via IP geolocation.

Thanks for the context! Could you please explain to me as a European what's wrong with a student commuting to the university (if we put COVID aside, of course)? In Europe, university accommodation is usually below the market rate and is hard to get and many students end up subletting a room in a regular apartment.
(Again, this is a rather cynical take, but...)

Brown's monopoly on undergraduate housing is an essential source of revenue. Brown generates twice the $/ft² in revenue as private landlords in the area, but pays only a fraction of their running costs (Brown pays no income tax on this revenue, nor property tax on its dorms). There's nothing wrong with students commuting, per se, but for a University that's come to rely on residency fees, ditching the residency requirement is no easy financial feat.

I have no idea what Brown's policy is but a lot of 4 year universities have requirements that out of town first year students live in the dormitory rather than renting an apartment. It you were already living in town then you are normally exempt. It sounds like Brown is a lot stricter than that though?
Covid is the whole point. They don't want students to sign up for the remote option and then interact with the on campus students.
It's not a US vs. Europe thing. I went to a school in the US where the vast majority of students commute. I think at the time, it was something like 700 people living on-campus vs. 30,000 living off-campus.
Whoa there is a Brown VPN service?! I didn't see that mentioned in the article, but certainly could explain some of the issues.
For some more context: you cannot usually read scientific papers without a university IP, hence you need to connect via VPN if even briefly to download PDFs from Elsevier etc. unless you want to go the scihub route.
Many publishers explicitly forbid VPN accesses or proxies. So it is more probably just accessing lecture resources.
Interesting. I've never had any trouble VPNing in for journal articles (in the UK) though there are a few specialised resources (normally expensive databases) which can only be accessed from the library itself.

Mind you, Oxford is sparing as to who gets VPN access, so it doesn't open a hole for non-members of the university to get access to the serial's collection.

I'd be surprised if most universities did not offer a VPN service. I know mine does so that you can access resources only available on the intranet (like course websites) while being off-campus.
Wouldn't it be more reasonable to assume that they're not trying to profit from their real estate side business and are instead legitimately interested in slowing the spread of COVID-19? They probably did some risk analysis and that guided how many on-campus students they could accept. They then accepted that many students. If other students show up on campus after agreeing not to, then their risk assessment is wrong, and the entire program is jeopardized.

The language in the letter triggers my "the lawyers are panicking" detector more than my "you're screwing us out of a few bucks" detector.

> Wouldn't it be more reasonable to assume that they're not trying to profit from their real estate side business and are instead legitimately interested in slowing the spread of COVID-19

No, if this is what they truly cared about, there wouldn’t be 3 different choices for students. All would be required to stay remote with special exemptions for those who don’t have a safe home otherwise.

That's the zero risk approach, but you can have a risk tolerance above zero.
And that tolerance is represented by how loose you make those exemptions.
I think the fine print about being around Providence is what probably tripped some students up. I am also betting that a few students had their plans change and didn't quite update their registration.

That all being said, I think threatening suspension is a bit too harsh for what is probably a simple mistake for a bunch of 17-22 y/os

"Agreed" is a bit unfair. Transferring schools is a huge ordeal and can mean losing scholarships, credits not transferring, and graduating late. Except for the freshmen who enrolled after those rules were already in place, the rest of the students agreed under duress.
My criticism is with how likes like these are bolded, almost like it's trying to say "beware! they're logging everything, don't get on the administration's bad side!"

> The C•CURE 9000 lets administrators view the complete historical building access history of a person.

> Combined, these logs paint a very accurate picture of your location on campus at any time.

But I did see the author's comments elsewhere in this thread[0], so there's no ill intent. This is an overall educational article.

0: https://news.ycombinator.com/item?id=25319883

This article was aimed at non-technical members of Brown community, who were very surprised that Brown has any geolocating capacity like this. When they think of security and privacy, they think of the campus's guards and surveillance cameras — not the course materials portal or their email!
Sorry if my edit caught you off guard - Thanks for the informative article, even if it is seen as obvious/reasonable for most of the HN crowd!
A friend does work at a state university for an early intervention program for at risk students in their opportunity program.

If you are buying snacks or sodas at 3am, don’t utilize your card keys over the weekend or do some other things, you’ll get flagged as a risk and your advisor get notified.

If buying snacks at 3am is considered at risk then that's probably 90% of college students at one point or another.
Very true. Some bureaucrat would have been clutching their pearls if they were following my undergrad habits for sure.

I think the point is excess. They are specifically working with students with the iq to succeed, but with bad circumstances that make failure likely. Some need to be taught 9th grade math for example. My understanding is they mentor them intensely and almost 80% graduate in 5 years.

Probably phd students excempted (isnt 3am peak productivity?)
No. That's sleeping time.
If your kids shoot up a school, look in the mirror to find the problem...

And people wonder why people like cash...

Bad conscience because you are neglecting your children? No problem, just use www.socialsentinel.com ...

> Brown University has a longstanding policy governing the appropriate uses of its surveillance cameras. Unfortunately, this policy is secret.

That's concerning.

"don't you worry, it's secret for your safety."

they probably do really think like that. or at least claim to while their real reasoning is a private affair.

I felt this post took on a semi-conspiratorial tone, when all the things I felt were just "duh". It's not that Brown "knows where you are" at all times, they just know when you use on-campus resources.

I'd be willing to bet a bundle Brown is just looking at building card access, or also possibly connection to an on-campus wifi network. In both cases I think any reasonable person would expect that Brown knew they were using these resources.

They bring together information from different sources, which should raise eyebrows.
Brown University is conducting surveillance on its students. Everyone knew it was technically feasible, even trivial, but now that there is a financial incentive to surveil, it’s happening and impacting students.

I think that’s the reason for the tone.

Ah, sorry, I didn't mean to take a conspiratorial tone.

On campus, a LOT of students (perhaps the less technically adept ones) found it very surprising that Brown claimed to know where students were. This post was aimed primarily at those students, to clarify the technical mechanisms by which Brown located students.

I tried to speculate as little as possible. The rough set of indicators Brown took is straight from the University Spokesperson — I'm mostly just trying to fill in the technical details.

As for which of these mechanisms Brown is using most, the word on campus points mostly to IP geolocation.

maybe "How Brown University might know when you are on campus"
I recall at one university there was a student who was clever enough to hack the card access system, but dumb enough to impersonate the university president and swipe into a main gate in the wee hours of the morning.
Wisdom vs Intellect right there.
"Back in my day" we just set up card skimmers in the places that tended to attract the most law enforcement attention. Nobody blinks twice when "campus PD carded into X at 1:44AM" shows up in the logs. We also exploited the dining hall unlimited meals (if you pay a stupid amount, supposedly limited to only the individual who paid) program to the benefit of several dozen people (and there was at least one frat doing the same in parallel). We were smart but not geniuses. I'm sure that there's thousands of college students out there exploiting the various ineptitude of colleges. Colleges have a very adversarial relationship with their undergrads so it's no surprise.
When I was a student at Brown, Facebook would report which dorm you were logged in from, right there on your profile (for all to see!). If Facebook knew where you were on campus, campus IT certainly has a view into your physical location. Nothing about this surprises me.
I remember these days when it helpfully pre-filled in Bronson as my probable location as a freshman. That was back when you could list all your courses and sections, which was incredibly helpful to find people to complain about Math 17 problem sets.
Was that on ethernet? If so, there's nothing particularly nefarious: each building had a /24 and the building's name was in the reverse dns. It's not particularly different from how many [citation needed] commercial ISPs have town names in reverse dns, except the subnetting mirrors geography in a bit more detail. Dorm ethernet has since died.

If it was over WiFi, I would be much more concerned

What's different about it being on WiFi, where you most likely would be connecting to a base station in the same building that was then wired in over ethernet?
They didn't (and probably still don't) subnet by building on wifi, so more precise location than "on Brown's wifi" would have required intentional information sharing.
Why would wifi be more concerning? The access points would presumably be broadcasting the same subnets as are available on ethernet.
Didn't realize IT logs are subject to FERPA.
I'm not positive that they are. This post has already spawned one FERPA request, so I guess we'll find out!

I think the chances are good. If Brown is using IT records to determine academic standing, they're very much academic records.

I don’t believe it falls under FERPA. Plus, the WiFi monitoring tracks everyone with a mobile device, regardless of matriculation status.
I think universities err on the caution side.

I read once that someone at Stanford filed FERPA request for some innocuous reason and found in horror a log of every time he swiped into a building on campus.

If the future elite is growing up under surveillance and this is normal for them - won't it then just be a matter of time before this becomes the new normal for all of us?

As much as I would like it to happen, I doubt some switch will flip after they exit university, which makes them no longer accept measures like this.

I wouldn't call Brown students the future elite. till the middle management of the future should beware.
How should/could you "configure" yourself to make this not true?
IP you can use a VPN. Mac you can use the randomization method mentioned in the article. Swipe Card/Cameras there is nothing you can do.
Disconnect from campus WiFi when possible. When not, stick to the Brown Guest SSID with MAC randomization. Always use a VPN.

For swipe cards, tailgate into buildings. Brown's building access is so restrictive, and the experience of being locked out is so universal, that virtually all Brown students are conditioned to hold doors open for each other.

For cameras, there isn't as much as you can do to protect your privacy. The camera map included in the blog post displays OpenStreetMap data. It's very hard go anywhere near Brown without getting caught up in its camera dragnet. You usually cannot avoid cameras altogether, but you can minimize your exposure! And the one bright side of 2020, in this regard, is that it's normalized wearing a mask!

can't you simply buy the location history of cell phones these days? and the bluetooth pings each phone gives off can be unique too
As a recent Brown grad this makes me feel sick. I should have known but at the same time I did not expect this level of surveillance.

New account because I don’t typically leak this much personal information. Maybe that speaks towards my concern about this. All I can say is that I’m glad I graduated before facial recognition and other massive surveillance tools became mainstream.

Hah, great account name! [0]

Brown's security camera surveillance is about twenty years in the making. [1] There were student complaints as it was initially expanded, but it's long since faded into being just another part of campus life.

Its electronic building access control system is perhaps about thirty years in the making? It seems to have been rolled out without any controversy. I've trolled the Brown Daily Herald archives and have failed to find any sign that the community discussed the convenience/privacy tradeoff being made.

[0] https://library.brown.edu/info/hay/carberry

[1] https://twitter.com/tenellous/status/1323752004775223302

I already knew how extrajudicial university kangaroo courts are, and this is a private university, so they literally can do what they want. Their burdens of proof and right to due process are already non-existent, and what would be Fourth Amendment rights in a real court are weaker than what you'd find in a FISA court.

But I do agree that this case isn't "outrageous," per se. It's just a reminder of what data they have on students and the power they have over them.

Can any current students comment on why you didn’t take the year off? It just seems like such a waste / not worth it.
I'm a late-stage PhD student, and thus academically unaffected. However, virtually all of my undergraduate friends did take the year off.
Getting re enrolled next year will be twice as hard?
Is that true? I don’t know what COVID policies are but back in my day you could generally take a year off and come back without needing to reapply. Of course if everyone did that this year, it would create problems so I imagine colleges are trying to disincentivize it?
> Of course if everyone did that this year, it would create problems so I imagine colleges are trying to disincentivize it?

I think they would be disincentivising it so they still hve revenue this year. But yes if the admissions per year is fixed a lot of people won't get admitted next year

Yes but my point is you don’t need to be readmitted if you take time off. At least under normal circumstances.
There is already a disincentive: you don't get your degree until you finish.
Universities seem like they're begging to disrupted with this sort of overreach to those who are putatively their paying customers.
A bit off topic,but I'm sure some positivity is needed, especially under such articles.Back in 2004, I finished the school and shortly after I was a freshly baked student at my little country's tech university. I was young little shit,so naturally, paying for the internet in the student dorm was beyond me. The entire campus is scattered all over the city, and more or less everyone was using this internal chat on the LAN( great to meet fellow students, especially women,as it was in my case). So it took me a few days to figure out that all I had to do to reach the Internet is to use any user's, that was on the chat, MAC address. There was at least 100 people connected at any given time,so plenty to choose from. As soon as I would give myself someone's MAC, they'd be kicked off the internet. It was glorious.I was little shit on wings! Anyway, one day, two,very very very pissed off people walk into our room( there were 3 of us living there). One looks like sys admin(he was),the other,who had a baseball bat, was the muscles.They ask to check everyone's PC.. he goes to my roommate first... It took me seconds to realise what's going on,so while the admin is checking my roommate's PC,I quickly try to change my PC name... And I run out of time before he goes on my PC...He goes mental... It's you!!! I've been trying to find you for nearly 6 months, checked so many rooms and buildings!!! I thought his head would pop.. The muscle man thinks it's an opportunity to hit me. Well, here I come..I put on idiot's play. I explain them that I'm clueless about computers, the room is more or less 24/7 party place with 20 people visiting just last night(not true,my roommates were calm). This goes on for 5 min or so,and they kind of believe and leave us, even though not quite satisfied with the outcome. Loved every single second of it..Still Karma exists,so fast forward 15 years later and I have to have very difficult conversations with people at work, who try to cheat the system...I became the sys admin.. of sorts..
as a recent Brown alumn, I really had no idea Brown could track us with such granularity. I wonder if they've used this data for anything else
I am also an alum. (Some of) Brown's tracking information isn't even particularly restricted. I have seen firsthand that live location information based on your device being connected to the network (I assume based on tracking MAC address as discussed in the article) gives room-level granularity, and can be accessed by students who work for the IT service center.
Can someone explain to begin with why the university cares that you're still in town, if you declared yourself "remote"?
A comment higher up posits that this is a money issue. My understanding of this post: due to COVID students were give the option to study from home, so as not having to pay on-campus fees. The university does not appreciate students electing 'off-site' but then staying on-site
Why does Brown University care?
I’ve seen my school’s firewall logs and the experience scared me. Something really clicked when I saw a log with my name on it. It showed everything I’d been doing and it was right in front of me and also someone else: the IT tech with whom I was working.

I was getting help debugging something (package manager barfing on the org’s wildcard MITM SSL cert) and the inanity of the tech scrolling through everything I’d done that day in such detail was spine chilling.

Deep packet inspection put everything from command line args to Google search terms at their fingertips. It felt grubby.

My org requires that I install their SSL cert which made the logs more detailed than Brown’s. That’s certainly a pretty high level of creepiness. But even without SSL DPI when the org has control over the network and at least one website using your identity then it’s trivial to correlate the application layer userid all the way down to your network access, including AP location.

If they outsource to Gmail or Outlook there’s usually still an org controlled single sign on that captures your identity.

I love the accessible way in which this report is written. While it’s specific to Brown it summarizes the generic surveillance patterns of many employers and education orgs. We all know these programs exist but it’s not until one experiences them first hand that one realizes how desperately creepy they are.

What bugs me is the seemingly high influx of users on HN that are accepting of such behavior. The propaganda is real.
I cashed out and left the Bay Area many years ago. I currently work in a small college town doing something I love (teaching CS in a private school) and live in the nearby countryside.

My school runs its IT department like it’s the 1990s from buildings constructed in the 1890s. That should give a frame of reference as to the progressiveness and pace of change I can reasonably expect. It’s salaried but I treat the job like a contracting gig: I provide my own equipment and network connection. It helps me sleep at night.

Buildings equipped with an access control system makes it easy to track where users are. That's even a feature ; for instance when an emergency evacuation happens (e.g. fire alarm), the system can tell you if there's still someone in there (assuming the fire has not destroyed parts of the system).

Although one should assume nowadays that a public network is the same thing as a public street, and that using the LAN of a school is the same thing as walking on its campus, it is indeed disturbing that some people within those org (and the org itself) have some of the possibilities as police has - except that police would need a judge and a mandate in some cases.

So as always there are pros and cons. Good uses and evil uses. In Europe, GDPR laws mandate that not every admin or user of the system have access to this type of data, and that's a good start IMO.

Access control without mantraps doesn’t give you a clear list of who’s inside in an emergency. Tailgating is the norm for such systems, so the best you can answer is “what’s the subset of people who might be inside?” With both type 1 and type 2 errors.
Mantraps or similar significantly slowdown the flow, which is an inconvenience. Only big buildings or plants with strict security/safety constrains invest in multiple mantraps at entrances.

Anything else - or even proper poorly done mantraps that can be gamed - are imperfect it is understood that this feature of the access control system is a support feature, not a guarantee.

As I mentioned, a disaster can compromise the working of the system directly, and people may forcefully bypass restrictions (e.g. get out by windows), so you are correct that it only tells who might still be inside. However coupled with other features (e.g. marking users that are on vacation and therefore who are not allowed to be there) can also tell you who cannot be inside.

How common is for orgs to require installation of their own certificates?

That’s more creepy than video cameras installed in toilets.

I imagine it is common when tech isn’t the primary business function and BYOD is permitted (or required.)
Most companies just include that certificate into the machine they provide to you.
It is established industry practice at this point. It is necessary to identify malicious downloads, which are hidden due to https. This surveillance grade is certainly creepy and should be strongly regulated in my opinion.
I'd guess they simply sent this to anyone showing to have connected to on-campus wifi using their school credentials that wasn't supposed to be there.

The lax attitude surrounding privacy overreach like this is paving the way for a future surveillance state as described by this author. The "they're a private entity and they can do whatever they want" argument is getting old quickly. Needs to be nipped in the bud.

This data is also be highly unreliable. Some students might connect remotely to devices through labs or a dorms. I did that very often while I was in university.

That said, the obsessive desire for surveillance should be stopped. Best day to start with that would be yesterday. People are getting crazy, which reduces overall security.