4:00 - 4:05 p.m. - Announcements (5 minutes)
April 1st minutes are approved.
If people did not get to watch the presidential awards, they can tune in here:
and see OIT’s own Charley Kneifel as well as many others so congratulations to all.
4:05 - 4:35 p.m. - IT Governance issues highlighted by the “Marriage Pact”, David Hoffman, Jessica Edelson, Niharika Vattikonda (30 minutes)
What it is: ITAC heard briefly about the Marriage Pact at past meetings and expressed interest in learning more. It is a service originating at Stanford which now has an instance at Duke where college students share extensive personal information about themselves to locate compatible partners. Many are worried about the data privacy issues inherent in such a service, and yet thousands of Duke undergraduates apparently willingly chose to participate in this.
Prof. David Hoffman from the Sanford School, and two undergraduates working with him, will outline some of the issues raised by the Marriage Pact to spark a discussion about what, if any, governance tools could or should have been looked to for guidance in this situation. As one example, ITAC helped draft Duke’s group email policy https://oit.duke.edu/about/policies/group-email-policy many years ago when the nature of the internet was much different than it is today.
Why it’s relevant: As the university’s primary body for IT governance, it is important for ITAC to be aware of new developments at the intersection of information sharing and privacy that might have future policy implications.
Robert Wolpert introduces David Hoffman who will be speaking about the Marriage Pact. The Marriage Pact is a tool for undergraduates to provide much information about themselves in order to enter an informal agreement with another matched person that if both remain unmarried and without prospects after a certain period of time, they will marry each other.
David Hoffman introduces the topic of IT governance by focusing on issues concerning The Marriage Pact and Duke undergraduate data. The Marriage Pact started as a class project at Stanford University in 2017 but has turned into a commercial company now.
The commercial offering is trying to obtain enough training data to train a machine-learning algorithm to operate a dating service and it is unclear whether the company will be able to maintain its promises around deletion and confidentiality of data.
Examples of data collected by The Marriage Pact include:
Do you like kinky sex?
What is your sexual orientation?
What is your race?
What other races would you like or not like to be matched with?
The university would never allow this type of data to be collected. This would never get past an IRB. David and Richard Biever dug into what happened here and it is difficult to understand. A Duke email list for all students was used and it is a bit confusing as to the degree to how the email list was generated or obtained and whether the Duke Student Government was actually involved since some of the branding of the communication came from the Duke Student Government. Some students in David’s classes said they knew this was an outside enterprise and it didn’t have anything to do with Duke and other students said that because this came to them in an email from the Duke Student Government, they assumed that Duke had done some sort of analysis on this and determined that this was safe to participate.
Since the Marriage Pact email went out to all Duke students and looked as if it came from the Duke Student government, this raises policy issues for Duke. There is a policy around the use of email lists that go to all students. It looks like this email list was either exported and provided to someone else or ‘screen scraped’ from directory information. Is this or is this not allowed? Also, if there is a student organization that is promoting an organization outside of Duke, it would be good for Duke to look out for the students by looking into cybersecurity breaches and informing students on data use. Duke cannot take on reviewing students’ use of the internet so where does Duke draw the line?
John Board – Duke like Stanford had enormous uptake on filling this out.
David Hoffman – Is a plan needed in case of a data breach with the Marriage Pact? For example, if it was leaked how many Duke students are not willing to date students of other races.
David introduces Niharika Vattikonda. Niharika received an email on January 29th with Subject: An update in light of Covid. Given the subject, Naharika thought this was important but it was email marketing the Marriage Pact. Also, the email looked like it came from the Duke Student Government and the email threatened to disable Duke cards if there was no response from the student. At first, Niharika thought this might be a phishing attempt especially as Niharika is not on many listservs.
Niharika said there is concern that students do not know the history of the Marriage Pact and while the Marriage Pact privacy statement says student data will not be sold, no other privacy or security promises are made. The Marriage Pact was incorporated in Delaware in 2020 and now operates in California. Niharika tried to get in touch with those who run the Marriage Pact but there was no response. David Hoffman inserts that it was not from want of trying that Niharika and Jess have not heard back about how the email list of all Duke undergraduates was exported.
Niharika introduced Jess Edelson who is a co-writer of the Duke Chronicle article on the Marriage Pact.
Robert Wolpert thinks the Duke Student Government can send email out to the entire Duke population. David Hoffman thinks mass email like this must be approved by Student Affairs.
John Board – It was a conscious choice for the Duke administration not to be in the business of moderating what students send to each other.
Tracy Futhey – It is easy to harvest email addresses. Duke receives email from many agents trying to get Duke’s email lists. OIT does not know the means by which this mailing list was obtained. There are policies around Duke directory search, but it is easily foiled.
Jolynn Dellinger of the Kenan Institute for Ethics – There is concern that Duke students have the impression that this was sponsored by Duke University’s powers-that-be. Also, there is concern when personal Duke student information is entrusted to a public company that is beholden to no one. Students may not consider that this data could be used against them in the future. Jolynn hopes that the university can communicate to students about these issues. Otherwise, this could put Duke in trouble reputationally.
Jess Edelson says that when she and Niharika wrote the article for the Chronicle, they saw an opportunity for the various student leaders with regards to communication about student safety. Student leaders have access to listservs and know how to best support students.
Richard Biever – agrees and says the Security Office is working on this type of training and outreach to student leaders.
Brandon Le – chats that the Marriage Pact email sounds like it would violate the “deceptive” email clause of the CAN-SPAM Act of 2003. At the very least, it sounds like it would warrant some reprimanding. Duke IT is trying to train staff, students, and professors, but here is a Duke Student Government-sponsored email that is threatening this. Brandon wonders whether Duke Student Government could have targeted training to prevent this type of marketing from happening.
Niharika repeats that emails sent to the Marriage Pact have been ghosted but they are still looking into this email. Also, a Duke Student Government member provided a report on balance issues in the Marriage Pact.
Mark Palmeri thinks that Duke students advocated to bring this to Duke and not maliciously so Mark would like to see recommended procedures that are not ambiguous that could be provided to students.
Jackson Kennedy says this was not an official Duke Student Government initiative.
Mark Palmeri continues that when there is this type of solicitation, an email blurb stating that this data is going to an entity not related to Duke and that this is a big deal would be helpful. When students receive an email from what looks like Duke Student Government, there is some blurring between what is Duke-related and what is personal.
Tracy likes what Mark describes and envisions something similar to what Apple is doing with the app store. If entities are using or enabling the use of Duke’s email system, then maybe there can be communication and awareness around this.
John Board says that when someone wants to buy Duke data, there is a big process. John can also imagine a world of pain if the perception is that Duke is clamping down on what students can say to each other.
Niharika says the concern is not whether or not students should fill the Marriage Pact questionnaire out; the concern is that a company was able to market its product as coming from and being endorsed by a student-run organization. The other concern is that all students received this and very few faculty and administrators knew about it. Student organizations should not be providing listserv data.
David Hoff – asks if Tracy and Richard were saying how easy it is to write a script to harvest student emails? If so, Duke would want a policy about this type of harvesting and if an external company figures out a way to harvest Duke's email address, then this should violate Duke’s policy.
Richard Biever says the decision was made to have an open directory structure so the Duke community can easily communicate.
Tracy says there is a user-based setting such that only Duke-authenticated individuals can access directory data for an individual, but the setting only reflects whether directory information is shared or not, but not who can use the information. The directory is intended for individual communication but this is difficult to enforce.
Richard Biever adds that if someone queries the directory 10 times fast, this will look like screen scraping so the process of gathering this data will be a very slow process.
Robert Wolpert underscores that the open directory is on purpose to promote collaboration which is what the university is about.
David Hoffman – concludes with 3 things:
1. Duke should have a policy that would take advantage of what the law provides. This would have a prophylactic effect because an email like this would be an abuse of the law.
2. None of us know how nor what entity got this email list and this should be discoverable.
3. Once a policy is in place, the students should be educated about how to treat email lists and about sensitive data.
For more about this topic, this podcast is recommended:
4:35 - 4:45 p.m. - COVID Data Usage Update, Richard Biever (10 minutes)
What it is: To best monitor the health of our community during the COVID-19 pandemic, Duke University temporarily expanded the use of electronic information and other institutional data to support symptom monitoring, pandemic testing, and contact tracing, all as part of Duke’s pandemic response. This information includes location data collected in Duke facilities and self-reported symptom monitoring information. Expanded access to these data is strictly limited to those with a need to know for pandemic response including Employee Occupational Health and Wellness, Student Health, and others as explicitly authorized under Duke’s Acceptable Use Policy. As we near the end of the 2020-2021 academic year, it is important to review the data usage to support Duke’s COVID response over the past academic year and what the rest of 2021 holds.
Why it’s relevant: The university’s declaration of extraordinary use of data during the pandemic explicitly designated ITAC as a vehicle for maintaining accountability over these uses. This is one of an ongoing series of presentations to allow us to fulfill that role.
Robert Wolpert introduces Richard Biever. Richard begins by recalling a previous ITAC conversation about putting a policy statement together about expanded use of COVID-related IT data. Initially this was specific to wi-fi, Duke card access and financial transaction data, and thenit expanded slightly based on work with Student Affairs (on housing assignments) and the Registrar’s Office (on class roster assignments). This data is used to see if any buildings have a spike in terms of contagion or if someone tests positive, to see who else needs to be interviewed and tested.
Unfortunately, it looks like Duke needs to extend this collection of data longer than what was originally planned into the end of this calendar year. Hopefully, this Fall things will start normalizing to the point of no longer needing this information.
Robert Wolpert interjects that there is a commitment to continue collecting data through this academic year with the promise of the data being destroyed after that.
Richard confirms that this is correct and that this is being extended through the calendar year and once a corner is turned, we can be in a place to get rid of this data.
Richards asks for Charley Kneifel’s thoughts. Charley says the unfortunate truth is that there are students on campus who have not been vaccinated yet and there are students who may or may not do the right thing all the time. Duke does not call them out, but they get contact traced and tested so the ongoing surveillance testing is the most powerful thing the community has toprotect the campus. Asymptomatic spread has been one of the more important things that we have discovered and help prevent.
Robert Wolpert – This data provides information on where and when most individuals are on campus and who is with whom. This could have serious privacy implications if treated casually.
Q. Mark Palmeri – When the university identifies hot spots, is this exclusively through self-reporting?
A. Charley Kneifel – For off-campus, it is self-reporting.
Q. Mark Palmeri – How is the data collected because it is not under this policy?
A. Charley Kneifel – Student Health.
A. Tracy – Students have amnesty if they report an event but this is non-digital and occursthrough Student Affairs, not OIT.
Q. Chase Barclay – With the announcement that vaccines will be required for all students on campus, why is this still needed? How much data collection is necessary?
A. Richard Biever – Because we don’t know; when a vaccine is 95% successful, that still leaves a 5% chance of infection. Also, variants, how long a vaccine provides immunity, and the efficacy of a vaccine must be considered. If we tear the system down now and then, have to reinstate it by August, that would be incredibly difficult.
A. Charley Kneifel – Pzifer is saying that there may need to be a third booster. We are working with a highly skilled medical team. Cam Wolf and Steve Haase are providing guidance on the modeling and spread. Student Health is also guiding on what needs to be done. As CDC guidance comes out, and as we know more about spread, I’m hopeful we can stop doing this.
4:45 - 5:05 p.m. - Staff Response to Graduate and Undergraduate IT Issues, Jen Vizas and service owners (25 minutes)
What it is: Earlier this semester, ITAC undergraduate and graduate student representatives surveyed their peers on a variety of IT services and perspectives, and presented their findings at the ITAC meeting on March 18, 2021. In today’s presentation, Duke’s IT leadership will provide feedback on the students’ concerns and suggestions.
Why it’s relevant: ITAC values the input and needs of students, especially as it pertains to our goals of supporting Duke’s academic mission and reviewing the status of information technology. The dialogue between staff and students keeps the lines of communication open to identify and address problem areas, as well as to recognize successes. We invite further discussion of student concerns and proposed solutions and will share feedback with Duke’s IT leaders.
Jen Vizas hands the topic over to Camille Jackson who introduces the IT services leaders.
WiFi – Bob Johnson and John Robertson
There were questions about WiFi gaps outdoors which is even more important during Covid; there is now outdoor coverage for Perkins Plaza and McLendon Bridge and other locations are under review.
Due to Covid-19 consideration, attention has been refocused on “tent areas” identified by Student Affairs.
Also, Proof of Concept for Next-Gen Wireless has been launched on East and West Campuses.
Cellular and General Connectivity – Bob Johnson and John Robertson
Expansion of Duke’s cellular Distributed Antenna System (DAS) to include TMobile has been delayed due to the pandemic challenges and the complexity of the Sprint merger. The “go live” completion date is June 31, 2021.
The macros tower on 300 Swift Avenue is near final construction. This will improve service along Campus Drive.
General Residential Connectivity is being improved by working with ISPs on improvements for home connectivity. This may include bundled Duke-specific offerings.
Security – Nick Tripp
Duke Unlock is a painless solution to MFA timeouts.
To address students not knowing how to get security information, the Security Office will offer expanded information at back-to-school events and will offer some Co-Lab courses.
Password policy changes are also underway for students who are under the Duke Health policy; frequently students are sponsored for DHE account but now, instead of having to change their passwords every 6 months, they will not have to change them during their time as a Duke student.
25 Live / R25 – Jen Vizas
In response to student feedback that 25 Live is not the preferred mechanism to schedule resources, other platforms are being explored and some pilots are in progress across campus.
Q. Chase Barclay – There was a question on student’s issues with downloading software from the Duke software site. One of the main complaints is once you click the add to order and fill out your information, the download does not start. Instead, students must go elsewhere to retrieve the software. Chase would like to follow up with whoever is working on this.
A. Evan Levine – Download is different for different pieces of software; some are automatic, and some take you to a download page. Sometimes there is a manual process specified by the software manufacturer.
A. Robert Wolpert – Some of the free ones are not visible in the cart. You have to go to a separate place.
Chase Barclay – Yes, once you complete your order, you have to go to a different page.
Q. Chase Barclay – Also, the students appreciate the Wi-Fi connection expansion, especially on Campus Drive.
5:05 - 5:15 p.m. - Ivy+ Senior Leaders and Research Computing, John Board (10 minutes)
What it is: Representatives from top-tier schools meet biannually to discuss and share information in various areas. Topics include overall university directions, budgets, projects, online tools, and daily operations.
Why it’s relevant: Sharing experiences and discussing challenges with our peers helps provide a collaborative environment where ideas are formed, and problems are solved. John Board will share his experience at the 2021 Spring conference for the Senior Leaders and Research Computing groups.
Ivy+ Senior leader’s group discussions:
1. What return to work looks like after the pandemic – choose or mandate work from home. OIT will experiment to try out different models. Robert is working on this. The question was asked: is this short-term or long-term? John Board says many peers say work from home is permanent and are embracing having a large number of the workforce working from home.
2. Diversity and inclusion in IT – every school has significant programs underway; one has autism outreach on top of looking after greater representation of black, brown, and female staff.
Brand new Ivy+ on Research Computing and Data – Big-name universities are doing this. Discussion included what models for what needs are sustainable, how to split costs with researchers, etc.
5:15 - 5:30 p.m. – Celebration (15 minutes)
Robert Wolpert says John Shaw will assign everyone to a break-out room. There are no themes, just enjoy conversation and the break-out rooms will be left open past 5:30 p.m.