That is the conclusion of an investigation report that the university had drawn up on the cameras, which caused a great deal of concern among students and staff after the publication of a series of articles in Mare and were subsequently turned off.
The data protection officer initiated an investigation, and an external agency carried out penetration tests on the devices. Both reports are currently on the table of the University Council, and will be discussed there shortly.
The first penetration tests in January confirmed the flaws Mare had already reported on: users were able to access information on the cameras without logging in, and the passwords were protected with outdated, low-security encryption.
VULNERABILITIES
The scanners’ manufacturer, Xovis, issued an update to fix these flaws but did not respond to Mare’s questions. The report states that security investigators confirmed in February that the reported flaws had indeed been fixed.
What is striking, however, is that the penetration test was only aimed at identifying potential security risks when logging into the system. The investigators did not look for other unintended uses of the sensors or vulnerabilities that are only accessible to logged-in users. The university has announced it will not investigate this further: ‘We consider internal vulnerabilities that are not remotely exploitable to be a negligible risk.’
In addition to the reported technical flaws, data protection officer Ricardo Catalan states, based on his investigation, that the university should carry out a so-called data protection impact assessment (DPIA). This is an analysis that an organisation is required to do prior to any processing of data with a high privacy risk. The university previously held that this was not necessary.
According to the Dutch Data Protection Authority, a high risk exists if, among other things, you ‘process special categories of personal data on a large scale’ or ‘track people in publicly accessible areas on a large scale and systematically’.
If the university wants to turn the cameras back on, a DPIA should be carried out first, Catalan argues. This contradicts his previous advice. ‘My initial assessment was that the processing was low-risk and did not require a DPIA. This assessment was incorrect’, he states.
INSUFFICIENTLY ASTUTE
Catalan: ‘As you may have read in the report, the privacy team was insufficiently involved in the implementation which meant I was not sufficiently astute to respond to the situation at the time. In my role as independent supervisor, I should have asked more questions. However, this does have to be placed in context, because the questions and problems were piling up at the time, as the university was forced to digitise its education in a short space of time due to Covid-19.’
There was no one at the University Services Department who was responsible for privacy matters, he concludes. He recommends that the Services Department ‘structurally incorporate compliance of privacy and security into its processes’.
According to Catalan, the lack of DPIA also led to inconsiderate behaviour towards employees and students. Had the university investigated the cameras earlier, it would have become clear that employees and students should have been better informed. ‘It was precisely this lack of communication that understandably caused commotion’, he writes in the report.
He also addresses the nomenclature used for the devices, which the university has consistently called ‘sensors’ or ‘scanners’. As a result, it was unclear to many people that the devices were, in fact, video cameras and the seriousness of the privacy issue was underestimated. In an accompanying letter to the University Council, the Executive Board stated that it valued the ‘sense of privacy’.
RECTIFICATION
In response to a question from Mare as to why it does not value privacy itself, university spokesperson Caroline van Overbeeke replied that the university wants to be mindful not only of the legal aspects of privacy, but also of its general importance and ‘the perception of privacy by our staff and students’.
She adds that the Executive Board considers privacy a very important matter. ‘This case did show us that a number of things did not go quite right in this respect. We are rectifying that now.’ Additionally, as a result of #CameraGate, the privacy office, which provides assistance to employees with privacy-related questions, is getting extra capacity.
The university has not yet decided whether to turn the cameras back on. The Board is adopting the report’s recommendations, and is currently carrying out the DPIA, reports Van Overbeeke. ‘Only when this is finished will we start discussing the matter further and decide, in coordination with the University Council, whether or not the people counters (the cameras, Ed.) can be switched back on. Until then, they will remain off.’