Looking Back: Celebrating Five Years of Data Privacy and Transparency at UC Berkeley

January 28, 2020


Today, as we celebrate Data Privacy Day, awareness of and concern about data privacy continue to garner national attention. In 2010, major companies like Microsoft, Google, and Twitter began offering transparency reports to address questions about when they handed over users' information to the government or other parties. These reports showed aggregate information on non-consensual government access to their users' personal information. Privacy is fundamental to UC Berkeley because it underpins academic and intellectual freedoms, which are key to the University’s mission. That is why, five years ago, UC Berkeley became the first institution of higher education in the world to launch a transparency report.

“We believe privacy begins at home,” says UC Berkeley Chief Technology Officer William Allison. “While companies publish transparency reports about non-consensual access, Berkeley's staff administer services like Office 365, Box and Google Suite. We should have just as much responsibility to safeguard our users' privacy. When we launched our transparency report, we wanted to establish accountability and an expectation of privacy for our students, faculty, and staff.”

Launched on Data Privacy Day, Jan. 28, 2015, the bConnected Transparency Report was part of a larger UC Berkeley Transparency initiative led by Campus Privacy Officer Lisa Ho. The larger program included three major areas: clarity about UC Berkeley’s electronic communications policy, so everyone knows the rules and how those rules are tied to individual practice; consistency in how IT practices align with policy; and transparency through a biannual report. The bConnected Transparency Report shows the number of requests for non-consensual data access, the number of access requests approved, and other information for bConnected, which includes Google Suite, Box, and CalShare. It also highlights the limitations of bConnected privacy, based on certain laws that bypass the university’s policy.

Berkeley created this University-centric transparency report after Bill Allison realized that students across the country may have been more likely to trust companies like Google and Microsoft than their own alma mater. In 2014, some students at another institution told the media they felt their East Coast university was spying on their online activity and reading their emails. News reports did not make clear whether that had really been happening, but regardless, it was how the students felt. Allison had been following the trend of industry transparency reports and reached out to Campus Privacy Officer Lisa Ho to ask if they could work together to make one happen at Berkeley.

A Transparency Report is Born

At Berkeley, the staff administering our services were following a rigorous formal process, including approval by the Campus Privacy Officer, to limit nonconsensual requests for people's information. But that process didn't report on the number of requests or how they were fulfilled. UC Berkeley students, staff, and faculty had similar questions about how much, or little, access other people have to their data: Do we get alerted when the university gets a request for access to my data? Can the government look at our email? Can we request access to someone’s University Google account?

The University sought to shine a light on data privacy, especially on how privacy supports intellectual and academic freedom. CTO Bill Allison notes, “Today the University is just as committed to transparency as when this started. Despite budget challenges, staff changes, and the passing of time, the process and our reporting still reflect our institution's values and are largely working as intended. We were surprised by the amount of press the report got when we originally launched.” After a quiet debut in January 2015, articles began to appear by the fall in Slate, Inside Higher Ed, the Daily Californian, and NBC News. Says Bill Allison, “We got calls from other universities across the U.S. asking about how to implement similar programs, and we saw some editorials in student papers at other institutions asking their schools to provide the same transparency.” Part of the reason for the energy around the report was people seeing an institution living up to its values.

Challenges and Where We Are Today

Lisa Ho reflected this week on Berkeley's privacy track record: “With the tide of data collection so strong, it takes conscious effort to stay rooted to our fundamental ideals when people, budgets, priorities, and technology change. If new situations require changes to our practices, we must do so with full public awareness, and not simply drift away from our ethical stance in the middle of the night. Our transparency report acts as a public statement of accountability to help anchor us to the shared privacy values and principles we agreed were fundamental to our mission.”

Over the years, one of the challenges has been ensuring tight linkage between requests for information, their fulfillment, and the reports that get generated. Berkeley IT teams have been working with the Privacy Office to adopt more automation, which will lessen the burden on staff in generating the reports. As Marlita Kahn, manager of the IST Document Workflow and Information Management team, noted, “We are partnering with the Campus Privacy Office to help them improve visibility, compliance, and speed when managing access requests to personal data with our DocuSign service. The campus DocuSign service enables the request and follow-through process to be standardized for compliance and automated for greater responsiveness.”

Lisa has moved on to become director of the Cybersecurity Program at Berkeley's School of Information, but she still keeps tabs on the project. She and Scott Seaborn, UC Berkeley's Interim Privacy Officer, met to discuss how the process was designed and how it could be improved. Scott shared, “The UC Berkeley Privacy Office is taking further steps to automate the administrative review process for requests by university officials to access the electronic communications of students, staff and faculty to ensure that the appropriate checks and balances are in place, that the minimum necessary access is only granted after an extensive, defined review process occurs and that the rationale for granting access is documented and made publicly available. As more and more of our personal information and communications are handled electronically, it is increasingly important that we protect the integrity and transparency of these processes to prevent overuse of access capabilities and to maintain the trust of the campus community.”
