IT security update raises red flags for faculty privacy

Endpoint Protection will be mandated for all devices using Queen’s work servers

Image by: Nay Chi Htwe
Queen’s first implemented Endpoint Protection in 2020.

This article was updated on Feb. 20 at 2:41 p.m.

This article was updated on March 2 at 7:24 p.m.

While one professor fears a five-year mandated technology could become a gateway for the University to access her personal information, Queen’s IT Services says otherwise.

Queen’s uses Endpoint Protection, software designed to safeguard both University and personal employee devices from malware and viruses by connecting them to a remote network.

According to an e-mail obtained by The Journal, the program is now expanding after initially being introduced in 2020 through Microsoft Authenticator. Currently, faculty aren’t required to install Endpoint Assessment on their personal devices. However, next month, Queen’s-funded faculty devices must have Endpoint Protection, also known as Microsoft Defender for Endpoint. Also beginning next month, personal devices used by faculty’s Queen’s d s will need Endpoint Assessment, also known as Microsoft Intune. Both changes will roll out in three phases over March.

According to Paul Muir, the information security officer at Queen’s IT Services, the two levels of protection—Endpoint Assessment and Endpoint Protection—both protect users’ data in different capacities. While Endpoint Protection provides a “full featured protection of the system,” the assessment layer is “less intrusive.”

“The current requirement is that, if it’s a Queen’s funded device, Endpoint Protection is required. If it’s a personal device and it’s to be used for certain Queen’s related activities, meaning it’s going to be accessing Queen’s systems, Queen’s data, potentially handling data that is sensitive and the institution wants protection, then Assessment is required. What Assessment does is just tells our systems they have protection, meaning they have some kind of antivirus on there,” Muir said in an interview with The Journal.

“The IT Services Endpoint Management team has been working closely with faculty to prepare for these requirements since early January,” the University said in their statement. “The requirements, the service names, and the product names have not changed since the early planning stages for these safeguards in 2023.”

The new cybersecurity model is facing pushback from staff, including Catherine Stinson, an assistant professor in the Department of Philosophy and School of Computing. Stinson’s research focuses on the philosophical implications of Artificial Intelligence.

“With personal phones, we’re using those for many personal reasons, and Endpoint Protection gives people access to not just Queen’s related content on your phone, but everything on your phone,” Stinson said in an interview with The Journal.

She cited home videos, dating apps, or health apps as examples of data the University would have access to after the implementation of Endpoint Protection software.

“If you look at privacy law for companies, the way that’s written is that you should only ask for information that is needed for legitimate business purposes, and not just grab extra [personal information] because you can,” Stinson said. “And this seems like a pretty clear case of just like, grabbing for more stuff that has no sort of legitimate business purpose.”

However, Stinson remains skeptical, fearing the University may reverse this stance in the future. Stinson pointed to a previous instance when the University initially stated that Endpoint Protection would not extend to personal devices, only to later implement it on work laptops in 2020.

While Stinson said the University isn’t currently forcing workers to install Endpoint Protection on their phones, there are drawbacks to not installing the software on their devices. Not having Outlook installed on her phone, Stinson can’t check her Queen’s e-mail or calendar conveniently, causing a pile-up of e-mail, slowing her response time.

According to Muir, Microsoft Endpoint Protection is implemented to prevent malware from entering Queen’s servers.

When asked whether Queen’s could access employees’ data on personal devices, he firmly assured such access wouldn’t occur.

“It’s possible, in some cases, for, as with any system that is centrally managed, those with that privileged access to the system, such as the folks in IT Services do have the capability of accessing information that may be for the end user,” Muir said.

“[The people in IT] that manage these systems are professional,” Muir said. “They take their job very seriously, and they would never leverage the tools we’ve rolled out to protect others in a way that would violate the rights of [Queen’s staff].”

“I think it’s really important for folks affected by the controls that we’re rolling out to understand that what we try to do is design these controls to have as little impact on your day to day as possible […] when they aren’t seamless, we really need you to call us, talk to us, so that we can help make it seamless. They’re intended to work in the background as a protective layer.”

Corrections

February 20, 2025

A previous version of this article omitted a statement in which Muir assured Queen’s couldn’t access employees’ data on personal devices. The statement was initially removed as it was believed to be incorrect. We have since confirmed its accuracy and reinstated it.

The Journal regrets the error.
