Lee University, located in Cleveland, Ohio, is a private Christian University that socialises in religious studies, music, and business and nursing.
It is perhaps best known for its ex-pupils who have reached the final of various TV talent shows, most notably Jordan Smith, who won season 9 of NBC’s The Voice in 2015.
But this mild fame is now turning into infamy after Lee set a new precedent in US universities undermining the rights and privacy of its students.
Lee bans unauthorised VPNs on campus
On February 13th, Lee’s Director of IT Operations Chris Golden sent an email to all students. This email, which was reported in the Lee Clarion stated that from February 17th, the use of unauthorised VPNs will be prohibited on the Lee campus.
According to IT officials in Lee, the move has been taken to protect the security of the University’s network.
Lee’s IT administrators seem to be labouring under the delusion that the use of VPNs makes their network more susceptible to hackers and ransomware attacks than not using them.
“In 2019, the costs to recover from ransomware attacks increased by over 200%, and most of those attacks started with phishing”, explained Golden in his email.
His argument is that VPNs allow students to click on phishing emails and download malware without his department being able to see what they are doing.
He says that when a VPN is connected, any defence put in place by the IT department at the university is essentially useless.
“VPNs bypass all of those protections on top of blinding us to what’s really happening,” he complains.
Throwing the baby out with the bathwater
Golden is absolutely right to say that VPNs allow students to bypass restrictions placed on students by university authorities.
But as we have explained before, this is often vital for students to complete their studies. Many universities are wildly overenthusiastic in blocking content they don’t consider fit for the network.
As a result, it is a common complaint among students that content they need to access for their studies is not accessible on their university’s network.
Students are also entitled to some downtime too, yet universities will often routinely block access to streaming services, online games, social media, and other websites young people will often browse to help them relax.
But there is a more fundamentally important role that VPNs offer all users and, interestingly Golden’s email recognises this too.
A vital online security and privacy tool
Computer Science major Johnny McGuire summed up the importance of a VPN to all students best in his comments to the Lee Clarion.
“To put it simply, using a VPN provides security,” McGuire patiently explains. “It creates a private IP address where your connection is encrypted….When you are on the internet, you are constantly receiving and sending data from your IP address. The VPN helps encrypt and secure you from threats that can be found on the internet.”
He is absolutely right. VPNs actually make users more secure and the idea that they are a cause of malware and ransomware on the University network is utterly nonsensical.
It might sound like McGuire has a much better understanding of VPNs than the Head of IT Operations at his own university. But no, Golden understands this too.
“There are a lot of great use cases for VPNs — privacy, accountability or security — and if you are concerned about these things, VPNs can be an additional ‘layer’ of security,” he says towards the end of his email.
The problem is Golden thinks Lee students only need online security and privacy when they are off-campus.
This is a ludicrous stance and it is telling that Golden offers no defence of it whatsoever.
A security or privacy threat online is a threat regardless of what network you are connected to. The idea that students might be safer on the Lee University network than anywhere else is preposterous.
Scores of internet security experts concur that any internet user who values their security and privacy should always connect to a VPN.
For university students, there is a growing body of evidence that shows that Universities themselves routinely monitor students online activity making them a major threat to individual student privacy too.
Golden’s argument is self-serving and lazy. The use of VPNs makes his job harder and stops him from being able to snoop on students. Therefore, he believes it is worth scarifying the online security and privacy of every Lee University student to mitigate that.
How to tackle Malware without banning VPNs
What Golden and other IT staff should be doing is educating students and staff about what really causes problems with malware and ransomware; ill-informed internet usage.
He does actually allude to this in his email, in which he encourages students and staff to “start making better decisions about what we click on or download.”
It is this human element that causes problems with malware on networks. Malware cannot get onto a network without a user falling for a phishing email or a similar scam. Train people to identify these threats and the problem can quickly be brought back under control.
Of course, that sort of training programme is far harder than just banning VPNs.
It will be interesting to see if the Lee students take this ban on VPNs lying down or stand up for their online rights.
Equally, mitigating against students connecting devices already infected from outside the University will have zero impact from the new regulations.
Perhaps a bigger question is how many other universities will follow Lee’s lead on this matter and imperil their own student’s security and privacy simply to give their IT departments an easier life.