A Safe Connection?

The time is 3 A.M., and you are stuck in front of a glowing computer screen writing a last-minute research paper. For the next few hours the Internet remains inoperable, and your nearly complete paper still lacks some very vital information that could be found nowhere else at that hour. Whether you are utilizing the research tools on Google Scholar or trying to de-stress on Facebook, the one thing you are probably using (or trying to avoid using) is the Internet. Now imagine the possibility of the College’s network tumbling down amidst an ill-fated attack by some student’s virus-infected computer.

This was far from an uncommon occurrence in previous years at the College, but starting in the fall of 2009, the number of incidents slowly decreased. The reason, according to the College’s Information Technology department, is SafeConnect.

The security program started in 2008 as a trial run for residents of Eickhoff Hall and took effect campus-wide the following fall; some oppose the application and the shroud of secrecy surrounding its operation on campus, while most ignore it as a nuisance. Two years after its installation, what has SafeConnect done for us, and what might it be doing without our knowledge?

To many TCNJ students, SafeConnect appears as a log-in page when they access the Internet from campus, and as a “policy key” application that checks, upon their arrival on campus, that their anti-virus software and operating system are up to date.

Many students on campus have complained about receiving faulty messages demanding that they download and install the Policy Key, despite already having done so. “Half of the time I’ll log in and it’ll give me that message, and then three minutes and 50 refreshes later, it’ll tell me I’m behind a router or using a NAT device when I’m connected at the library via wireless and that I’m quarantined,” said Matthew Tom-Wolverton, a senior computer science major, who then concluded, “and that’s when it works correctly.” This policy key is relatively innocuous, sitting in the background, ostensibly keeping an eye on the student to make sure they do not do anything TCNJ would not approve of.

When contacted to discuss the history and concerns surrounding the system, IT Security Manager for the College Alan Bowen declined to comment except to say, “The SafeConnect system provides electronic enforcement of the computing access agreement. The sophistication of network based attacks is increasing and by ensuring that our community meets a minimum standard of computer security everybody benefits.”

Class of 2010 computer science major Rich Defrancisco believes the goals of keeping campus virus-free and limiting file-sharing traffic are acceptable, but thinks that the College is going about it in the wrong way. When asked what an acceptable alternative would be, he said, “Don’t make us run spyware on our own computers. I don’t think there is anything wrong with restricting our access in the closed community of campus, but I do think there is something wrong when the restrictions stop being on their hardware and start being on ours.”

Former TCNJ student Andrew Timmes had a much stronger reaction to SafeConnect’s perceived problems despite having graduated before the system was put into campus-wide use. In a public posting on Facebook, he said: “I’m highly opposed to the TCNJ-sanctioned spyware called SafeConnect. I understand that as students using a public service, we have to adhere to certain rules to utilize TCNJ’s infrastructure. I do not, however, agree with TCNJ’s method of enforcing said rules by infringing upon our privacy.”

Alan Bowen was contacted again to respond to these sentiments, but did not return emails.

So why do some students refer to SafeConnect as “spyware”? Wikipedia defines spyware as “a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect.”

SafeConnect does not hide its presence, but it never announces itself as an icon in the system tray or an entry in the computer’s programs list. Only an ambiguous description is available on the College’s IT security webpage, where the College freely admits that the software surreptitiously collects information from users: “[TCNJ] username, IP address, MAC address, and security profile of your machine gathered from the state of your anti-virus software, operating system update settings, and any peer to peer file sharing applications.” Any information gathered will not be transmitted off campus, they assure us, but it is stored on-site for an undefined period of time. To date, no one has been charged as a result of this information, but it is unclear what purpose this gathered information does serve.

Impulse Point, LLC, manufacturer of SafeConnect, describes it on their site as “a more secure, reliable, and predictable IT network infrastructure that is easy and cost-effective to deploy and maintain.” Anne Torgler, Marketing Manager for Impulse Point, confirmed the software system operator’s ability to view information on students’ computers with the Policy Key installed, adding “an organization may also build custom policies based on the existence or non-existence of file types, registry settings, services, and processes on individual endpoint devices.” This essentially means that the College (our ‘system operator’ verifying file existence) can not only see exactly which programs are being run on our computers, but also use this ability to identify and block any program or system configuration.

Despite the intentional vagueness from Bowen and lack of information on the College’s website, an employee of User Support Services who wishes to remain anonymous did comment on TCNJ’s SafeConnect capabilities: “SafeConnect has the ability to look at a list of processes, but they didn’t have it turned on until now.” File-sharing programs themselves are legal in the US, though they are often used to transmit copyrighted works, which is illegal. The College has made the decision to block entirely some prominent file-sharing technologies, such as BitTorrent, a popular method of distribution for updates to computer games as well as for Linux, a free computer operating system, and, infamously, DC++.

Torgler did specifically deny that SafeConnect has the ability to view web browser history or download history. The openness of Impulse Point’s staff came as a great surprise, as finding information from the various educational institutions implementing SafeConnect was difficult, although they did not explicitly decline to divulge any specific information, as IT Manager of the College Alan Bowen did.

The ultimate goal of SafeConnect is admirable, but the College wields its position as a local monopoly on Internet service to enforce it. In an arena where multiple Internet Service Providers could compete, a provider using such invasive and secretive methods as the College is using on its residential students would most likely be forced out of business quickly.

Unfortunately, residential students don’t have any easy alternatives to the Internet service that the College bundles with their tuition fee. While it is possible to get commercial broadband Internet access as a resident at the College, it is often more expensive and more complicated, and the College’s website is unclear whether or not it would even be possible to opt out of paying the Computer Access Fee.

The next time your computer wrongfully receives a frustrating quarantine message, or you are blocked from using an application that works perfectly fine at your home, you may recall that this is the price the College has deemed acceptable for a secure network on your behalf. What all residential students must decide is whether these incursions into their privacy are worth that security, and whether they trust the College to make that decision for them.

Recently, Impulse Point has announced a new version of SafeConnect that has improved support for mobile devices and video game systems. Whether this means that those devices will now be required to install some version of the Policy Key required on Windows and Macintosh computers is not immediately clear. It is also not clear if the College has already completed this update, or if it has any plans to do so. The new update will also support an “emergency broadcast messaging” capability, and improve the ability of SafeConnect operators to manage and observe users’ information in real time.