New head of University IT department switches from open-source server to Microsoft cloud servers which is a privacy threat

Helmut Neukirchen, 1. March 2018

Updates:
While I mentioned in my original post the US Supreme Court case to decide whether Microsoft has to hand over data from European Office365 servers to the US, the US Supreme Court decided not to investigate this, because the new CLOUD Act is now in force, which allows this anyway (and without any court/investigating judge being involved, as would be the case for a search warrant). While you may think that this violates the new European privacy directive, the European Commission is in fact working on a matching counterpart: E-Evidence. Time will tell whether European courts consider this legal or not. But until then, it is obvious that using cloud services means that your data is not safe. (It is not safe anyway, as I explain below: we can rely on any network traffic, including our emails, that leaves Iceland, in particular when going through the UK, being wire-tapped by foreign services.)

I was asked to remove some easy to google links to newspaper articles concerning the new head of the University IT department as it may violate the University's Code of Ethics ("Staff and students of the University show each other respect in behaviour, speech and in writing.").

The university administration tries to wipe away privacy concerns by referring to standards such as the privacy and security policy ISO/IEC27001 or European law. But it is naive to rely on non-European companies implementing European law:

"At the Office 365 launch, Microsoft U.K.'s managing director Gordon
Frazer, gave the first admission that cloud data, regardless of where it
is in the world, is not protected against the Patriot Act.

The question put forward:
Can Microsoft guarantee that EU-stored data, held in EU based
datacenters, will not leave the European Economic Area under any
circumstances — even under a request by the Patriot Act?

Frazer explained that, as Microsoft is a U.S.-headquartered company, it
has to comply with local laws (the United States, as well as any other
location where one of its subsidiary companies is based).

He said: "Microsoft cannot provide those guarantees. Neither can any
other company."
"
Source: http://www.zdnet.com/article/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/

For exactly that reason, many European universities and research centres forbid the use of external and foreign cloud services for critical information (see, e.g., page 5 of the University of Dublin Cloud Computing Policy and Guidelines or the fact that German universities introduced their own private cloud, Sciebo, because external clouds are forbidden -- instead of outsourcing services (and competence) and depending on external providers as HÍ does, the German universities "insource", i.e. set up their own cloud (and gain cloud competencies)).

I think the above-mentioned request to remove critical contents from my web page shows that the state of academic freedom is not the best at the University of Iceland.

My protest has in the meantime reached international coverage (this tweet linked here has magically disappeared): the Nordic e-Infrastructure Collaboration (NeIC) used its Twitter account to report about the fact that I resigned on 2.3.2018 from representing the University of Iceland in the Nordic e-Science community (how can I represent my University if the administration has a completely different view on IT? I sent the new head of the University IT department an email on 1.3.2018, but he ignored that email (other university employees confirmed that he did not answer emails from academic staff); as he did not reply, I decided as a last resort to resign, hoping that he would reply to that email -- but he still did not reply to that email either. Later emails sent to him via the University discussion list were not answered either). NeIC is associated with NordForsk and while on 2.3.2018, a NordForsk representative had a lot of understanding for my resignation, NordForsk forced NeIC on 5.3.2018 to remove the tweet. Honi soit qui mal y pense... Instead, a new tweet has been posted that only refers to a workshop that I organised together with my colleagues in 2017.

By the way, the job advertisement for the position of new head of the University IT department mentions explicitly that the job requires experience in introducing changes. So this may explain why changes are being pushed through in a completely undemocratic way.

Due to protests, the introduction has been postponed by one week. But this does not address any of our general concerns. Instead of solving the problems, they are just postponed by one week. The administration still makes it very clear that the changes will be implemented just one week later without any democratic discussion.

In addition to a discussion on the university mailing list, I got many supporting personal emails and people were visiting me in my office to express that they agree with me. For example, the following was pointed out in addition:

In fact, Icelandic government, administration, and parliament were suggesting an open-source software policy -- why does University of Iceland not follow it? The following references are in Icelandic only:

Here is my original article:

Our University's computing IT department got a new head. As he does not answer emails to ordinary staff, such as professors like me, I decided to go public:

One of his first decisions was to switch off the old IMAP/SMTP-standard and open-source based email system (Cyrus and Sendmail) operated at our computing centre RHÍ. Instead, we are forced to use Microsoft Office365. It seems that he wants to make an impression as new IT head, but this is in fact a bad start:

We employees in Tæknigarður got an email that the University of Iceland will stop using its email system from today 11:00 and that we employees thus have to be in our offices today between 10:00 and 11:00 to give IT personnel access to our computers so that they can set up a new email program that uses a new external email provider.

This change is implemented first in Tæknigarður, but soon the University email accounts of employees in other buildings will be affected, until no email accounts (including those of all our students) are provided by the University anymore.

I am very concerned about this massive change that the administration is introducing without any discussion. The head of the University IT department does not answer my email for further details, but here is what I am aware of:

1.)
We shall not use our usual email programs anymore, but the University wants us to use Microsoft Outlook as the only software for email and thus refers to http://rhi.hi.is/office365/ and writes (in Icelandic, translated here)
"
- Windows users can follow these instructions to set up their mail in Outlook http://rhi.hi.is/node/1184
- Mac users can follow these instructions to set up their mail in Outlook http://rhi.hi.is/node/1196
- Linux does not offer Outlook, but the web interface at outlook.hi.is can be used
"

(In short: Windows users shall install Outlook, Mac users shall install Outlook, for Linux Outlook is not available, but a Web interface can be used.)

To me, this is not acceptable: I want to continue to use the email client that I am used to (which is not Microsoft Outlook, but Thunderbird on Linux). In addition, I cannot be in my office today 10:00-11:00 (I have a meeting) to allow changing my email system and some of the colleagues in Tæknigarður are abroad, e.g. on sabbatical.

2.)
The new external email provider will be Microsoft, i.e. all email that we get is not sent anymore to our University in Iceland, but to Microsoft servers abroad where the email is stored and when we want to read our email we have therefore to retrieve them from the Microsoft servers abroad.

As a computer scientist, I consider this a severe security problem: with the old system where our email servers were located at our computing centre RHÍ, an email that I sent to another HÍ colleague was just sent from my office to the RHÍ building, stored there at the RHÍ email server and that colleague retrieved it from there, i.e. that email did not leave the University and our RHnet network (Rannsókna og háskólanet Íslands).

Now, an email that I send to a colleague next door is sent to the Microsoft server abroad, stored there all the time and when my colleague wants to read that email, she or he has to retrieve it from the Microsoft server abroad where from now on all our email is stored.
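One way to check, from a message's own headers, whether mail between two colleagues stayed inside the university network as described above. This is an added example, not part of the original post; treating the `.hi.is` suffix as the boundary of the internal network is an assumption, and all host names, addresses and dates in the sample messages are constructed.

```python
import re
from email import message_from_string

INTERNAL_SUFFIX = ".hi.is"  # assumption: hosts under this suffix are on-campus

# Constructed sample headers (hypothetical hosts, documentation IP ranges).
SAMPLE_INTERNAL = """\
Received: from office-pc.hi.is (office-pc.hi.is [192.0.2.10])
\tby mail.hi.is with ESMTPS; Mon, 01 Jan 2018 11:05:02 +0000
From: alice@hi.is
To: bob@hi.is

body
"""
SAMPLE_EXTERNAL = """\
Received: from relay2.mailhost.example (relay2.mailhost.example [203.0.113.20])
\tby relay1.mailhost.example with ESMTPS; Mon, 01 Jan 2018 11:05:03 +0000
Received: from office-pc.hi.is (office-pc.hi.is [192.0.2.10])
\tby relay2.mailhost.example with ESMTPS; Mon, 01 Jan 2018 11:05:02 +0000
From: alice@hi.is
To: bob@hi.is

body
"""

# "from <host> ... by <host>" inside one (possibly folded) Received header.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)

def hops(raw):
    """Return (from_host, by_host) pairs in delivery order (oldest first)."""
    msg = message_from_string(raw)
    found = []
    # Each relay prepends its header, so the list is read bottom-up.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            found.append((m.group(1).lower(), m.group(2).lower()))
    return found

def external_hosts(raw):
    """Hosts outside INTERNAL_SUFFIX that handled the message, in order."""
    seen = []
    for pair in hops(raw):
        for host in pair:
            if not host.endswith(INTERNAL_SUFFIX) and host not in seen:
                seen.append(host)
    return seen

if __name__ == "__main__":
    for name, raw in (("internal", SAMPLE_INTERNAL), ("external", SAMPLE_EXTERNAL)):
        print(name, external_hosts(raw))
```

Only the `Received` lines written by servers you operate are trustworthy, since earlier ones can be forged by the sender, and the headers show where a message travelled, not where it is stored afterwards.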

If the Microsoft servers are located in the USA, they will be read by the National Security Agency (NSA) and their XKeyscore system as revealed by Edward Snowden. In fact, as soon as our email leaves Iceland, it may be subject to XKeyscore according to this map.

So when you send a Donald Trump joke to a colleague, NSA can read it and it has been documented by The New York Times that two European travelers reported they were denied entry to U.S. after having made U.S. jokes on Twitter.

Even if the Microsoft servers to which we will have to send and from where we have to retrieve our email would not be located in the U.S., but elsewhere in Europe: Iceland has two submarine cables that go to European mainland and our email might go through FARICE that arrives in UK; Snowden said "They are worse than the U.S.": the Tempora system of the British Government Communications Headquarters (GCHQ) extracts "most" internet traffic (incl. emails) going through the UK and preserves the data for three days to have enough time to search it.

Via the UKUSA Agreement, UK and USA exchange data and from our Scandinavian partners, it is known that at least Sweden and Norway are also involved.

And even if you hope that your emails will not be sent via the FARICE cable, but via the DANICE cable directly to Denmark, and for Denmark no UKUSA Agreement is known: our emails will be stored at Microsoft, and while Microsoft Europe claims that the European General Data Protection Regulation applies to their data centres in Europe, the US administration argues that U.S. law applies to all Microsoft datacentres all over the world (because Microsoft is a U.S. company): "The administration has the support of 35 states led by Vermont who say they routinely seek access to data stored overseas".

So in future think twice what you send in emails that you thought are HÍ internal: your next visit to a scientific conference in the U.S. is in danger.

Already the fact that starting from now, people may think twice what they write is in my opinion a very bad thing and does not fit at all the concept of academic freedom that should be given at a university.

3.)
Why is this change pushed through with such a short notice?
The announcement to us in Tæknigarður was sent to us just last Thursday after office hours, namely at 17:27, i.e. essentially one working day between notice and change today on Monday morning. Why is this change not done outside of teaching during summer?

Also the style of ordering all employees to their office today 10:00-11:00 shows that the administration is getting out of hand and ignores the fact that we have academic duties due to which we may not be in our office at that time.

Administration is there to support university teachers, researchers and students to do what is the purpose of a university: higher education and research. -- The purpose of a university is not administration and university teachers, researchers and students are not members of the university in order to support the administration.

The faculties even pay for the IT services that we are using internally. So this sounds like a free market system, but a free market system works only with competition and consumers having a choice. But we have no choice and our IT administration does not listen to us.

Why is democratic participation of the affected staff and students completely lacking? Future directions of the University should be discussed in Háskólaráð and other committees? The University of Iceland should be a place of open discussion. Instead the administration tries to push through this significant change.

4.)
We have a perfectly running email server running at RHÍ. This software is open source and based on standards that allow us to use any email client that we like to use for writing and accessing our emails. While all trends in academia are towards openness (the University just spent significant efforts to introduce open access for publication), the University of Iceland's administration is now replacing that open source email server software by a proprietary software from Microsoft. Microsoft is anyway already dominating the market in Iceland. The University of Iceland has a social responsibility to promote diversity in all fields. Instead, students will now see, when they log in to the University's email system, a Microsoft logo giving the impression that there is no alternative to Microsoft.

5.)
A justification for this significant change is missing!

Is it the price? The old email system is open source software, i.e. it is available for free. Setting it up may take a couple of days for the system administrators at RHÍ, but this has already happened and our email services are running without any flaws. Of course, from time to time system administrators have to spend some time, e.g. to install security updates, but this is not an 8 hours per day 5 days per week activity.

For the costs of the Microsoft service, I have to rely on what Microsoft advertises to businesses:
I assume the "Office 365 Business Premium" plan (RHÍ mentions Skype for Business only available in that plan) which is $12.50 per user and month before VAT:

Let's assume HÍ got a special price of $10 per user and month and let's assume that while the change will affect all 1600 staff and more than 10 000 students, a special offer requires only to pay for 10 000 users and, instead of 12 months per year, only for 10 months per year. This would yield

10 000 users * 10 months * $10 = 1 million dollars per year

While I hope that HÍ will not pay 1 million dollars per year for that service to Microsoft, the costs will not be insignificant.

Now compare these costs to the open source solution that costs just a part-time system administrator (plus some server hardware).
In any case, these costs will be significantly lower than what HÍ pays to Microsoft.

6.)
As I am doing research in the field of eScience, I am in addition extremely worried about abandoning open standards and using proprietary products instead. Also from a security point of view, I am convinced that proprietary closed-source products (such as Microsoft) are less secure due to a lack of source code reviews by independent security experts.

I was an Icelandic delegate to a working group of the Nordic e-Infrastructure Collaboration (NeIC). Given the new head's IT policies, I am very worried about the future of eScience at the University of Iceland as provided by our computing centre RHÍ as e-Infrastructure provider. I am convinced that eScience must be based on open standards and open-source software -- but how can this be the case with an e-infrastructure provider where the head is not convinced of this? Notably, one of our two HPC system administrators at our computing centre RHÍ has quit his job here at RHÍ (and started at a different Icelandic organisation doing HPC) after the new head took over. So it seems I am not the only one who sees no eScience future at the University of Iceland. I therefore resigned from being a delegate on behalf of RHÍ/University of Iceland to the Nordic e-Infrastructure Collaboration (NeIC), both because it makes no sense to be delegated with an e-Infrastructure provider in the back that has a completely different opinion and also to protest against the decision of the new head of the University's IT department, who has no experience with an academic environment nor with eScience and is thus likely to ruin the existing e-infrastructure.

Most academic staff is pretty upset. It seems that the new head is used to pushing through decisions against the will of the end users. He has a background in IT for banks and public administration, but he seems not to understand that a university is completely different and a place of academic freedom and diversity. For example, the rectors of the University of Iceland have the ambitious goal to become one of the top 100 universities in the world (according to the Times Higher Education ranking), which means the University of Iceland needs to employ top researchers. Given the fact that the Icelandic-speaking population is less than 400 000 people, it is obvious that these top researchers cannot be Icelanders only, but need to be international researchers who do not speak Icelandic. Still, the email concerning the email infrastructure being changed was only sent in Icelandic to the affected employees. This alone shows that the new head of the University's IT has no idea of an academic work environment, which is by definition international.

This shows what goes wrong if a non-academic person is hired into an academic workplace and not willing to listen to his customers, the professors and students.