This post was updated July 20 at 7:40 p.m.
Following the implementation of a systemwide cybersecurity program, UC faculty said they are concerned about privacy – and the University’s failure to consult the Academic Senate before requiring its installation.
The Assembly of the Academic Senate approved a June 12 resolution requesting the University halt the implementation and use of Trellix – an endpoint detection and response software that continuously monitors, detects and responds to cybersecurity threats. The resolution cited the ability of Trellix to upload or alter files without user consent, the potential for government agencies to access data and broader risks to research integrity and academic freedom as reasons for their opposition to the software.
The Senate also said in the resolution that the future deployment of similar monitoring software should undergo a transparent evaluation process with faculty involvement.
The resolution – approved by a 27–6 vote with 14 abstentions – followed over a year of faculty objections to the systemwide mandate.
UC President Michael Drake announced in a February 2024 letter to chancellors that employees across all campuses were required to install Trellix on devices managed by the University by May 28, 2025. The University directed chancellors to include Trellix as part of their updated campus information security plans, according to the letter.
According to the letter, campuses that do not comply with the software requirement may be charged up to $500,000 for security incidents and will face a 15% increase in cybersecurity insurance costs. Unit heads in noncompliant departments may also need to receive special approval from their campus chancellor to receive pay raises.
Despite a March letter signed by over 200 UC faculty members urging that the software’s implementation be postponed, campuses began rolling out Trellix in May.
The UC Academic Senate said in a June 6, 2024, letter to President Drake that it was concerned about the administration’s failure to consult with faculty regarding Trellix’s capabilities, timeline and scope. The Senate’s University Committee on Academic Computing and Communications added that it learned of the letter to chancellors telling them to implement Trellix only after individual committee members heard rumors from IT staff weeks later.
The Senate also said Trellix could potentially delete files, monitor website browsing and shut down devices without saving ongoing work, according to the letter. The committee said in the letter that these actions could result in data loss or exposure of private information.
Stett Holbrook, a spokesperson for the UC Office of the President, said in an emailed statement that the University installs endpoint detection and response software on all UC-owned laptops and desktops to address growing cybersecurity threats.
“The cybersecurity tool identifies suspicious behavior, isolates affected systems, and supports investigation and recovery,” he said in the statement. “EDR tools focus strictly on detecting security threats while respecting user privacy. This approach aligns with UC’s privacy principles.”
Holbrook added in the statement that Trellix does not monitor personal internet activity or collect emails, documents or search terms. Data collection is limited to system-level information related to potential threats, such as file names, process paths and IP addresses, he said.
Jenson Wong, the current chair of UCACC, said he believes the administration failed to uphold its shared governance model by not consulting Senate faculty during Trellix’s rollout. This top-down approach created distrust between UC administration and faculty, he said.
“You’re saying that we have to do this, but you’re not telling us the how, the why, the what and by when,” he said.
Alex Alben, a lecturer at the UCLA School of Law, said that while ensuring cybersecurity is important, the details of data access under Trellix remain ambiguous.
“The goal of this program is that if there is hacking, which could be considered a suspicious event under the terms of this – I’ll call it a privacy notice – then the UC and presumably Trellix has certain rights to look at user data,” he said.
According to an online FAQ posted by UCOP, Trellix collects system-level data – including file names and process paths – and collects browser history if it is deemed necessary by UC security personnel.
Trellix may access files with user consent or through authorization under UCLA Policy 410, according to the UCLA FAQ. UCLA Policy 410 allows nonconsensual access to electronic records required for compliance with the law, policy violations or emergencies.
“I don’t think anybody would disagree that good security practices are important,” Alben said. “The question is, how far are we going to go in order to ensure good security?”
Kyaw Tha Paw U, a professor of atmospheric science at UC Davis and former chair of UCACC, said UC faculty’s main concern as of June 2024 was that the Trellix rollout bypassed formal consultation procedures between the UC’s administration and the Academic Senate, leaving key privacy concerns unresolved.
It remains unclear whether personal devices used for work or connected to campus networks are subject to monitoring, as Trellix implementation policies vary across UC campuses, Paw U said. He added that he believes the program could misidentify non-malicious files – including research data – as security threats, as it is a third-party system not tailored to campus environments.
Trevor Griffey, a lecturer in history and labor studies, said the UC does not typically supply lecturers with devices to conduct their work on. The vice president of legislation of the University Council-American Federation of Teachers added that the union is bargaining with the University to prevent the installation of Trellix on lecturers’ personal devices.
“What the University needs to do is, it needs to either not require this of lecturers, or it needs to buy us all computers,” he said. “Then we can have the debate that Senate faculty are having about whether this software is even needed and what we need to know about our privacy.”
Paw U said he believes that despite faculty members raising specific concerns about Trellix’s privacy risks and technical capabilities, administrators have provided little clarity regarding privacy concerns.
“There was insufficient consultation and insufficient protections made clear for faculty privacy, faculty rights, faculty research,” he said.