When using my university's internet connection, how much of my internet usage can they see?
March 1, 2010 5:54 AM   Subscribe

I access the internet in a university halls of residence, with internet access provided by the university. How much of my web browsing is private?

I am concerned about the university knowing exactly which web sites I have been on, and in particular whether it would be possible for someone to read an email I received through Gmail or Hotmail.

I think that the university used to require us to enter details of a proxy server before we could access the internet, but it doesn't require that anymore.

How can I know what the university has access to, and how can I make my browsing more secure?
posted by anonymous to Computers & Internet (17 answers total) 1 user marked this as a favorite
 
Assume that they can see anything but don't particularly care about anything other than bandwidth use. I am not a sysadmin, lawyer, college administrator, etc., but I am a former college student who vaguely remembers the contract I signed to use ResNet.
posted by Inspector.Gadget at 5:56 AM on March 1, 2010


You don't have to explicitly set the proxy server in order to use the proxy server. It's called "transparent proxying" and I would be very surprised if they didn't use it. However, they can't read your email (or anything else) if it goes via SSL: the address will say https://hotmail.com/ -- the S is significant since it means the traffic is encrypted. Gmail uses https by default, not sure about Hotmail.

Assume they can look at your browsing history, at least. However, chances are they are not interested since there are thousands of users, probably, at your campus and (believe me) reading other people's logfiles is even more boring than reading their emails ;)

(I'm a net.cop in a school so occasionally I have to do this stuff but not often, and there is legislation in the UK, where I work, which could put me into trouble if I play fast and loose with others' privacy.)
posted by BrokenEnglish at 6:01 AM on March 1, 2010


if the URL starts with "https://" it's encrypted, and only the IP address of the host will be known. In some cases, that resolves to a specific domain name, and in other cases it does not.

If the URL starts with "http://" most of what you transfer can be seen by anyone who can sniff your traffic. But a lot of websites switch to "https://" for log in, so that your username and password can't be seen. Gmail used to do it this way by default, which meant anyone upstream could see your emails, but not your password. After the China hacking thing, they switched to all https, so people can't see your password or email when you use gmail (In the past, you could switch to https if you wanted too)

I don't know about hotmail. Facebook doesn't use https, though.

So another question "who can sniff your traffic". In a lot of cases, only people responsible for maintaining the network but not always. In fact, if you're on a LAN it's not too uncommon for other people to see all the traffic on their segment. It depends on if you have a hub or a switch. If you have a hub, then you can probably see some of your neighbors traffic and vise versa.

If you have a 10mbps connection that hasn't been upgraded in the past decade you might be on a hub.

If you're curious, you can try using a network sniffer like ettercap to see if you can see anyone else's traffic. If not, your neighbors probably can't see yours either.

---

As for the proxy thing, proxies won't ordinarily work with https, because it would need to present a bogus certificate, which would cause an error in firefox and other browsers.
posted by delmoi at 6:11 AM on March 1, 2010


The stupid truth is that 99.9% of network admins don't care what you're doing online unless it's affecting the health or stability of their network. Anyone who tells you otherwise is living in a paranoid fantasy world. Such monitoring is boring and ineffective and flies in the face of common sense and the right to privacy. The rules of sysadmin are:

1) Respect the privacy of others.
2) Think before you type.
3) With great power comes great responsibility.

And most sysadmins adhere to these. Every now and then you hear a story of a rogue sysadmin or network admin, but these are often archetypal or urban legend, or exaggerated and sensationalized.

So, you should assume that they can see everything you're doing but aren't actively monitoring it in real-time. Most places have a system in place to watch for anomalies and can tell if one connection is suddenly hogging bandwidth or spewing spam because of a virus infection (etc.), and the SOP in typically to shut down that abusive connection. The idea is that the end-user will come to the Help Desk to find out why they can't get online anymore if they're locked out. For example, at my workplace, we use Intermapper Flows to watch for surges in traffic and because every IP number assigned is a reserved DHCP number, it's easy for us to track who's got a computer that's abusing the network.
posted by mrbarrett.com at 6:13 AM on March 1, 2010 [4 favorites]


archetypal = apocryphal. Doh! Too early for technical questions...
posted by mrbarrett.com at 7:07 AM on March 1, 2010


Caring or the lack thereof is a big difference from the ability to do so. If you are worried about it for some reason, assume they can and plan accordingly.
posted by JohnnyGunn at 8:51 AM on March 1, 2010


Caring or the lack thereof is a big difference from the ability to do so. If you are worried about it for some reason, assume they can and plan accordingly.

If I own a gun, I have the ability to use it to shoot up a mall full of people. Yet I don't see the mall owners erecting bullet-proof barriers or issuing kevlar vests to their employees. Just because there's capability for something to occur doesn't automatically mean that that something will occur.

If you're truly concerned about your privacy, don't use any network that is suspicious or unknown to you. Take precautions. Don't use open wireless networks to check sensitive email or do online banking. There's an implied level of trust with your University's network and it's up to each individual person to decide whether that trust is authentic or not. As I've said here and elsewhere, I'm inclined to lean towards Occam's Razor...the simplest explanation is often the correct one.

And if you must use a particular network and still don't trust it, there are anonymizing tools out there that can help disguise your footprints: hidemyass.com, Tor, and others. You could even set up a private VPN to your computer at home and tunnel your traffic (encrypted) through that. But I'll still argue that it's probably overkill or unnecessary for most people. Keep in mind that some network admins block anonymizing proxies and services....so that even if you decide to try to disguise your (potentially illegal behavior like downloading movies/music, etc.) behavior, you may still not be able to do so.
posted by mrbarrett.com at 9:16 AM on March 1, 2010


Using https does NOT protect you if your computer is a member of the university domain. It's fairly trivial to spoof certificates.

If you're using your own laptop, it's not as risky.

If you have access to an external computer (outside the university) you can setup up some sort of tunneling proxy (Using SSH, etc) which will prevent anyone from knowing what you're doing.
posted by blue_beetle at 9:16 AM on March 1, 2010


At your university, they probably track who's using any given IP address, because universities get a lot of takedown requests and worse from the RIAA and other copyright bloodhounds. Any ISP, and your university acts as your ISP, may log activity on its network. In case of a subpoena, they'll give it up without a peep, so if you're browsing sites that make you look like a terrorist, or have any suggestion of child pornography, or infringe copyright, you may want to keep that in mind. Universities differ widely in how much they care about activities like porn, hulu, and bandwidth use. Call your IT Offices or Helpdesk and ask them. They are likely to care about privacy and freedom of expression and will just tell you. Your university almost certainly has an Acceptable Use Policy posted on its website. Read it.

If you have a University-provided email account, any email on that server is accessible to the owner of the server, and might legally belong to the university. (My work email belongs to my employer.) Forward it to your gmail account, or use it only for school.

You can set Gmail encryption by following these directions.
posted by theora55 at 10:23 AM on March 1, 2010 [1 favorite]


Seconding what theora55 said: university IT people tend to be pretty fierce about privacy, and if they're anything like the people I used to work with, they'll be straight with you about what the law requires them to do and what you can expect.

Here's an example. Your school probably offers something similar.
posted by tangerine at 11:41 AM on March 1, 2010


I'm a Network Engineer for a large university, and I'm seconding what theora55 and mrbarrett.com, among others, have said. Also, although your question focuses on your browsing, I wanted to add that another concern of some schools is trying to run a business using the school as an ISP.
posted by kimota at 11:47 AM on March 1, 2010


Several years ago I used to do some work on a university network. We provided network access to students in halls of residence - we maintained the user quota + login systems and firewall.

I remember by law we had to keep all log file records for 5 years before they were slated for destruction. Just like corporate files, they would be labelled as follows - record created 2005, destruction date, 2010.

The log files contained every single web access request identified by user login and IP address.

In theory we can see almost everything, in practice we see nothing. Geeks are for the most part an idealistic bunch who understand the value of privacy so you probably have nothing to fear (unless you severely pissed one of them off, and he didn't care about keeping his job)
posted by xdvesper at 2:47 PM on March 1, 2010


The stupid truth is that 99.9% of network admins don't care what you're doing online unless it's affecting the health or stability of their network. Anyone who tells you otherwise is living in a paranoid fantasy world. Such monitoring is boring and ineffective and flies in the face of common sense and the right to privacy. The rules of sysadmin are:

1) Respect the privacy of others.
2) Think before you type.
3) With great power comes great responsibility.
I was going to bring up the the school that was spying on students, but then I noticed you were the same guy who showed up in that thread and said this:
I can tell you this much. I am a network administrator at a school very similar to LMSD where this occurred, and as such, have a high degree of expertise for the software they use to manage the laptops in their 1:1 program. I can say with some authority that the software (LANRev) does not have the ability--out of the box--to do this kind of monitoring that is claimed in the lawsuit. Yes, a technician could have written a script or policy to trigger PhotoBooth to take pictures using the webcam on a timed interval, but there is simply no reason to do so. I can't think of a single legitimate and non-nefarious reason for a school district to decide to enable that kind of monitoring. It just doesn't make any sense.
...
A much more likely scenario is that the kid took a picture of himself with the webcam, doing something stupid/illegal and the school found that picture on the computer's HD and now wants to discipline him for the infraction. And instead of owning up to his misbehavior, he and his parents decide to sue based on a lot of assumptions about what the management software can and cannot do.
Even at the end of the thread you were still accusing the kid of "questionable behavior", despite the fact there was no evidence of any questionable behavior on his part whatsoever.

Anyway, the "rules" of sysadmins are whatever the sysadmins want them to be. Pretending like they're all Spider-Man (which is where the 'great power/great responsibility' quote comes from) is ridiculous.
posted by delmoi at 3:54 AM on March 2, 2010


What's even more ridiculous is that you and others continue to cast judgment on the LMSD administration and network technicians without there being evidence of wrongdoing. Stop acting like judge, jury, and executioner and stand behind the idea of "innocent until proven guilty."

And the fact that you think that that quote originates with Spiderman says volumes.

But, hey, way to derail the thread and stay on topic. You and I clearly have different opinions on how ethics and technology intersect in our society.
posted by mrbarrett.com at 4:25 AM on March 2, 2010


And the fact that you think that that quote originates with Spiderman says volumes.

Look it up.
posted by delmoi at 10:12 AM on March 2, 2010


With great snark comes a "well, actually...."
posted by blue_beetle at 11:52 AM on March 3, 2010 [1 favorite]


blue_beetle: The FDR quote comes closes "great power involves great responsibility", but more importantly, it was written for a speech that he never gave, it was later published in a book. And the exact wording "with great power comes great responsibility" actually does come from Spider-man, that's certainly where it was popularized from. Obviously other people have said similar things throughout the ages.
posted by delmoi at 6:48 PM on March 6, 2010


« Older Green Onions?   |   The drawbacks of removing the frenulum? Newer »
This thread is closed to new comments.