Four days dedicated to privacy and internet security
‘We kept the programme educational and fun’
It is pure coincidence that the Privacy & Security Parade is happening after another Dutch university, TU Eindhoven, had its network hacked and a DDoS attack targeted the Fontys University of Applied Sciences. The latter attack also slowed down Utrecht University's network. But that's also a slight bummer for the privacy officers and ITS directorate who organised the event.
"We kept the programme educational and fun because we already prescribe so much to keep our network secure," says David de Boer, Chief Information Security Officer at UU. The message "This laptop could be a threat!" was conceived with such an intention in mind. "We've heard that some colleagues were shocked by this. Messages about security often go unread or ignored, which is why we chose this ‘tantalising’ way to get their attention."
Privacy
This is the first time UU is organising a Privacy & Security Parade. The previous three events focused on privacy only, says Chief Privacy Officer Larissa Khan. "Training people and raising awareness of how to handle data safely is a mandatory part of the General Data Protection Regulation (GDPR)." GDPR is a European law that came into force in 2018. It raised many questions back then. And Khan acknowledges that it still does. "What exactly does the term personal data mean and what do people mean when they talk about protecting personal data? This is not clear to everyone."
When the GDPR was first introduced, the rules were sometimes very strict, but now the university interprets them a bit more practically, Khan says. For example, it is acceptable to hang a birthday calendar in the pantry and departments do not have to be difficult if someone asks for the address of a sick employee to send them a card saying "get well soon". But the address is personal data. "It can be traced back to an individual, just like a student number, a license plate number or a phone number. At Utrecht University, we must pay attention to the protection of personal data, especially if it belongs to people who have participated in a study."
Safe internet
A secure network is an integral part of this protection. That's why the IT Directorate is co-organising the parade this time. After all, you cannot have one without the other. People who unknowingly click on links that could endanger the network are a weakness. "As a management team, we always hammer on what everyone should do to keep our network safe, such as changing your password or taking a website down if it's been created for a specific event. That's why the Parade programme did not have to be just about that," says David de Boer.
In his view, the most remarkable part of that programme is the participation of Jacques Beursgens, IT Director at Maastricht University, who will talk about his university's experience with hacking. Its network was taken hostage in December 2019. "That is really special because Maastricht doesn't want to communicate anything about it. They made an exception for us. Jacques can tell you like no other what's on your mind when data is not properly secured."
Artificial intelligence
The programme also has many activities dedicated to artificial intelligence, both from the point of view of privacy and security. Several speakers will talk about this. For example, what should staff and students consider when working with AI? What kind of information do AI programmes collect without us even noticing? "Some programmes seem harmless but they infringe on human rights because they collect data about you without your knowledge," says Khan. "That's why we will ban a few AI programmes from February onwards."
De Boer adds that there's a lot users don't know about AI. "It has been around for a long time, but at the same time, programmes like ChatGPT are fairly recent for most users. Users must not only think about what kind of data they process in such a programme but also whether or not it would be better to work with an AI programme within a closed system, like when you're a researcher processing confidential data."
The programme
The Privacy & Security Parade will take place from January 27 through January 30. The programme is pretty broad and includes activities like a pub quiz, a movie, and a game that requires Virtual Reality glasses. But educational activities are also included, of course. For instance, you can learn a thing or two about operating artificial intelligence and certain software. What are your rights and what are the rights of the people you are researching? There is also a crisis exercise, but the event is keeping the kind of Internet crisis secret in order not to give away the element of surprise. Last but not least, you can watch a hacker working live. Please find the full programme here. Staff and students can register through this link.