University Professor Chastised For Using Tor

Irongeek_ADC writes with a first-person account from the The Chronicle of Higher Education by a university professor who was asked to stop using Tor. University IT and campus security staffers came knocking on Paul Cesarini's door asking why he was using the anonymizing network. They requested that he stop and also that he not teach his students about it. The visitors said it was likely against university policy (a policy they probably were not aware that Cesarini had helped to draft). The professor seems genuinely to appreciate the problems that a campus IT department faces; but in the end he took a stand for academic freedom.

Re:Bravo

He is an assistant professor. He is unlikely to have tenure.

Re:Bravo

[__aagmrb7289]

FYI (from TFA): My reason for downloading and installing the Tor plug-in was actually simple: I'd read about it for some time, was planning to discuss it in two courses I teach, and figured I should have some experience using it before I described it to my students. The courses in question both deal with controlling technology, diffusing it throughout society, and freedom and censorship online. When I cover online censorship in countries with no free press, I focus on how those countries rely on hardware, software, and phalanxes of people to make sure citizens can reach only government-approved media. Crackdowns on independent journalists, bloggers, and related dissidents all too often result in their being beaten, incarcerated, or worse. Technologies like Tor represent a beacon of freedom to people in those countries, and I would be doing my students a disservice if I didn't mention it.

Re:the ivory tower

[wernst]

I'm not sure what the story is here, the right to use tor on someone elses network? Does he have that right? It's not his network. I've used tor at home, but completely understand I cant use it at work, and if during my university days, had it existed (maybe it did but whatever), and was told I couldnt use it, I'd just deal with that.

What are you talking about?

The use of tor on "someone else's network" is implicit, because you are connecting to someone on the other side of the network as a whole.

You say you use tor at home, but that's not "your" network either. I think your ISP would say that you are connecting to *their* network. I think the Hosting Provider of the web server you're connecting to would say it is *their* network. I think AT&T, (or whoever owns the backbone your data is traveling across) would say it is *their* network too.

If any of these network owners told you to stop using tor at home, what would you say to that? I'm guessing it would be pretty close to what this professor said to the IT goons trying to intimidate him into stopping.

The only time it's "your" network is when you have two of your own computers on your own LAN, and a tor router between them.

University ID depts pay peanuts

[TheMCP]

I was a university IT director a few years ago. The university told me outright when they hired me that they expected to pay me 25% less than an identical job would pay in industry, because they're a not-for-profit organization, and that I should desire to accept this because of the benefits of working in an academic environment (which they listed as long term job security and minimum of four weeks of vacation per year). Okay, fine. They weren't happy when I came back with documentation showing that my industry value was about twice what they thought, but they coughed up the 75% of my industry value that they said they would.

Then when I wanted to hire anyone, however, they dictated to me what I could offer, and refused to accept any input regarding what industry norms were. So, when I needed a DBA (and frankly needed a really good one), they told me I should get someone Oracle certified, and that I should pay no more than $50k. Skilled, experienced, product certified DBAs, as you may know, tended to go for over twice that (usually more like three times that) a few years back in Boston, and our database wasn't Oracle anyway. I ended up hiring a junior-level person (when I really needed a senior level person) because that was the best I could get for the money they were offering (in fact the only applicant we had received who had any experience with the database products we actually used), and told HR they could forget about certification. Their response was to complain a lot that I hadn't hired a good enough person, despite that they hadn't actually asked me (his manager) about his performance, and he was actually doing unusually well for someone of his level. They also nagged me extensively to replace him with a woman who had applied who was oracle certified (which was still useless because we still didn't have oracle), but didn't actually speak English. (Presumably that's why she was willing to take the lousy pay rate.)

10 months after I was hired the university outsourced my job, proving that their claim of long term job security was a lie in the first place. (I hear they had to hire three consultants to replace me, each one at a cost of two to three times my salary.)

I've seen this pattern repeatedly in university IT groups; they won't pay what it really costs to get someone who can really do the job, but they insist on unreasonable qualifications given the pay level they're offering, so instead of either shelling out what it costs to get what they want or accepting the best qualified person who would normally be in the pay range they're offering, they instead hire the loser who is willing to both take the low pay rate AND inflate their qualifications (either by exaggeration or outright lies) to meet the university's unreasonable demands. So, when they most need a skilled, experienced person, they're most likely to get a lying fraud who can't get the job done and will give everyone else a hard time to try to make it look like nothing is their fault.

BGSU's IT usage policies

[harpune]

A little digging on BGSU's website comes up with what is likely the actual policies:

http://www.bgsu.edu/downloads/cio/file9602.pdf

12. Attempting to circumvent computer system or computer network security systems. Attempting to circumvent University computer system or computer network security systems, or using University computer systems or computer networks in attempting to circumvent security systems elsewhere.
and

22. Anonymous use, or use of pseudonyms on a computer system or computer network to escape responsibility. No person shall use a computer system or computer network anonymously or use pseudonyms to attempt to escape from prosecution of laws or regulations, or otherwise to escape responsibility for their actions.

Now, the first one seems like it is worded vaguely and may or may not apply in this situation, but the second one is pretty clear: as long as you are using anonymity services "to escape responsibility". Clearly, the professor was not trying to skirt the law or detection for any shady behaviour. of course, in the eyes of admins, allowing any use of such anonymizers could be dangerous to their network, and make their jobs harder.

I take most issue to the detectives' request that the professor refrain from discussing Tor in his classes. It would be academically unethical for the prof to bend to this pressure because a little pressure was put on him by the rent-a-cops. The detectives can ask the professor to do whatever they want, but dictating what he can and cannot teach in his classroom is inappropriate.