Scary Software Not so Threatening

After some public outcry that the Safe Connect program that The New School uses to control Wi-Fi access could invade people’s privacy, the faculty senate charged its infrastructure committee with investigating the claims.

On November 9, the infrastructure committee presented their findings on Impulse Point’s Safe Connect to the faculty senate. Some of their concerns about the program had been resolved by The New School’s office of information technology and Impulse Point, the company that makes the software. However, the infrastructure committee’s report states: “On the question of Safe-Connect the [infrastructure committee] of [the university faculty senate] continues to have questions concerning issues of privacy and associated future risks.” Even so, the committee did not suggest taking any immediate action.

One of the concerns with the program is that it has “root” privileges, which means that it has access to everything on a computer running it. According to the “Safe Connect Technical Overview” released by The New School’s office of information technology in September, to safeguard the network, “the Safe Connect client application must run with this level of system privileges.” The overview goes on to state that just because an application has the technical capability to access clients’ computers, does not mean that it is doing so.

Impulse Point is currently undergoing an audit by an accounting firm, A-lign CPAs, to verify that it does not violate users’ privacy. “They’re essentially documenting that we do what we say we do,” said Impulse Point President Dennis Muley in a phone interview. “It’s sort of a health check.”

Among other things, the audit will verify that Impulse Point is following its privacy policy, which states, “Impulse Point will never collect or store personal information from its customer’s constituents.” Muley said that Impulse Point began the audit, but not because of The New School’s concerns. It is an industry standard internal investigation and part of a “continual improvement process,” Muley said. “We had it in the plans.”

The New School switched to the Safe Connect Network Access Control program after the previous one, Cisco Clean Access Agent, changed its licensing model, which would have required the university to purchase new equipment. “We had a considerable investment in the hardware that was used with the prior Cisco product and Cisco refused to offer a cost effective appropriate alternative,” wrote Shelley Reed, senior vice president for information technology, in an e-mail.  Safe Connect has the same functionality as the Clean Access Agent and was deemed more compatible with The New School’s existing network hardware than the other options.

The Infrastructure Committee’s report claims that the concerns are based on Safe Connect’s abilities beyond the functions it performs now — verifying the user, ensuring any computer connected is running anti-virus software, and that its operating system is up to date. Other features of the program, like preventing computers running P2P applications from connecting to the network, “could be initiated without the owner’s knowledge,” according to the report.

The results of the audit should verify or expel any privacy concerns when it is released next spring. Though the audit has not yet been released, Muley emphasized that the company is not collecting any information. “We don’t want to know anything,” he said.