Network Flow Data Privacy Policy

(Updated and posted September, 2014)

I. Introduction
Internet2 respects the privacy of Member information when a Member is utilizing the Internet2 network. We are committed to protecting privacy and keeping Members informed about our privacy policy. This policy replaces the Internet2 Interim IPv6 Netflow Anonymization Policy.

II. What This Policy Covers
This Privacy Policy addresses the collection, storage, and use of Network Flow Data. In particular, it identifies:

III. What Information Is Collected
The Internet2 network captures Network Flow Data from Members. “Network Flow Data” means digital records (“metadata”) that describe and characterize connections made over a network, including data elements such as IP addresses and port numbers for source and destination endpoints, protocols, traffic volume, timestamps, and network interfaces utilized, but excluding the content (“payload”) of communications between endpoints.

“Internet2 Network” means a high-performance hybrid optical and packet network operated by Internet2 that is used primarily to support the R&E community with next-generation network services, as well as a platform for the development of new networking ideas and protocols.

IV. Why We Collect This Information
Internet2 collects Network Flow Data from its network to aid in operational support, capacity planning, and to support research projects.

Network Flow Data is collected specifically for operational forecasting and also to provide a high level analysis of current trends on the network for security purposes. Internet2 uses such data to respond to network security incidents. Internet2 also creates summaries derived from Network Flow Data to understand network growth and evolution, to engineer the network to meet demand, and to provide management-level summaries of how the network is being used.

Additionally, some Network Flow Data is anonymized and stored for use by researchers. The administrative controls and anonymization in place regarding creation and use of this research data attempt to balance privacy concerns with the benefits of sharing the data for research purposes.

V. Disclosure of the Data
Internet2 is the steward of all Network Flow Data associated with the Internet2 network. In general, Internet2 does not disclose, give away, or sell its Network Flow Data to any other organization, nor does it delegate its stewardship responsibility. Notwithstanding this nondisclosure principle, Internet2 may share Network Flow Data under the following circumstances:

A. Member Access to Anonymized or Unanonymized Network Flow Data
Internet2 Members may from time to time make a request for information about their own usage of the Internet2 network. In such cases, Internet2 will make reasonable attempts to provide views of data that only include information that the particular Member could reasonably have gathered independently by analyzing its own network connections to Internet2. Further, Internet2 will coordinate with a designated representative (or representatives), approved by the Office of the CIO at that Member institution, before sharing data. This approach will be used both for live analytic tools like “DeepField,” as well as for occasional individual direct requests for Network Flow Data. Notwithstanding the exception described below for Network Aggregators, Internet2 does not share one Member’s Network Flow Data with another Member without authorization from the Office of the CIO at the Member institution, nor does Internet2 share the name of a Member associated with any anonymized or unanonymized Network Flow Data.

B. Network Aggregator Access to Anonymized Network Flow Data
If an Internet2 Member that is a Network Connector or a Research and Education Network Member (each a “Network Aggregator”) requests information about its own usage of the Internet2 Network, Anonymized Network Flow Data and the names of other Members may be included in the information provided to the requesting Network Aggregator due to the nature of that Aggregator’s network connections to Internet2. We require all Network Aggregators with access to this data to enter into a written Nondisclosure Agreement.

C. Researcher Access to Anonymized Network Flow Data
Internet2 may share anonymized Network Flow Data with researchers who have made a proper written request and meet the criteria for authorization. Researchers must agree to the Terms of Use for Researchers before gaining authorization to access the anonymized Network Flow Data. Researchers are not permitted to share this data with any party for any reason, unless authorized in writing by Internet2.

D. Third Party Contractors Analyzing the Data
For the purposes of securing the network and its membership organizations, and to analyze network operational issues, Internet2 may, by contract, involve third parties to analyze the data. This analysis may include, from time to time, raw packet captures or network traces. Both Internet2 staff and such third parties are obligated to protect the data and use it only for the purposes identified herein. Internet2 will treat such data as at least as sensitive as raw Network Flow Data, and Internet2 shall assure that the information is managed and shared with third parties only within defined contractual relationships and purposes. Internet2 seeks contractual assurances that controls are in place for the data to be appropriately stored and used, and destroyed after it is used for diagnostics.

E. Law Enforcement Requests
If required by law and upon advice of legal counsel, Internet2 will comply with lawful requests to disclose Network Flow Data. These requests will be disclosed to the President and CEO, Vice President of Network Services, and General Counsel to the extent permitted by law.

VI. How Data Is Protected or Anonymized

A. Raw Data for Operational Use
Internet2 inspects sampled Network Flow Data collected throughout the network and occasionally takes full packet captures of specific links for network operations and security assurance. Internet2 also processes Network Flow Data online to provide operational, engineering, and management summaries. Internet2 minimizes the amount of un-anonymized Network Flow Data or packet captures stored on disk. Internet2, however, may store the data for up to two weeks to allow for incident response and correlation in the summaries. In special instances, data sets may be kept longer than two weeks. All data sets will be destroyed at the end of the specific activity for which they were kept. Any Network Flow Data is managed under the control of authorized Internet2 employees and contractors only. An administrative procedure to record and track these exceptions is located in the office of the Vice President of Network Services. The records are available for review upon request by the executive contact of any University Member of Internet2 in good standing.

Summaries derived from Network Flow Data may be kept indefinitely, but will not identify traffic characteristics that are more granular than participating institution, type of traffic transmitted, and other summary information. Summaries will be used to understand network growth and evolution; to engineer the network to meet demand; and to provide management-level summaries to Internet2 and its members of how the network is being used. Management level summaries targeted to a particular institution will be shared with that institution upon request.

B. Anonymized Data for Research Use
IPv4 Address Anonymization
For IPv4 Network Flow Data, the anonymized data is created by having the low order 11 bits of each unicast IPv4 address zeroed before data is stored or released for analysis, leaving the remaining 21 bits of each 32 bit IPv4 address intact.

For context, most sites have subnets somewhere in the /23-/25 range, which means that in general while it is possible to use the masked IP addresses to tie a given Network Flow record to a particular institution, it is not possible to localize IPv4 data down to a unique subnet.

This level of anonymization is designed to insure that a sufficient amount of user traffic will be inseparably “pooled” or “comingled,” thereby precluding the mapping of any given Network Flow record to a particular user or other identifiable campus activity.

IPv4 Multicast addresses are not anonymized, as they do not present any privacy risk.

IPv6 Address Anonymization
Internet2 anonymizes IPv6 Network Flow Data by having the low-order 80 bits zeroed, leaving only the remaining 48 bits of the IPv6 addresses for analysis. For IPv6, the practice is that only an 80-bit mask could be relied on to adequately protect the privacy of IPv6 user traffic while additional empirical data is collected.

IPv6 Multicast and 6 to 4 addresses are not anonymized, as they do not present any privacy risk.

VII. Security Controls
Internet2 takes appropriate steps to protect the Network Flow Data from unauthorized access or disclosure. Internet2 maintains the systems and software that house Network Flow Data in a secure facility operated by Internet2 staff. Additionally, Internet2 employs industry standard security measures, including physical, electronic, and procedural safeguards, to protect against the loss, misuse, and alteration of the information under our control.

VIII. Notice for Updates and Changes to Policy
Internet2 reserves the right to update this privacy policy at any time to reflect changes in the manner in which it deals with traffic and other information flowing over the Internet2 Network, whether to comply with applicable regulations and self-regulatory standards, or otherwise. The Network Flow Data privacy policy posted here will always be current. We encourage you to review this statement regularly.

IX. Who to Contact if You Have Questions
If you have any questions about this privacy policy, please contact privacy@internet2.edu.