Inside a Network Operations Center
Harvard's NOC uses tools from TopLayer and Q1 Labs to keep an eye out for security problems.
But a deeper problem is that QRadar makes it possible to engage in a kind of surveillance that really isn't appropriate at a university. Out of the box, the system exhibits all kinds of intrusive and inappropriate behavior—at least, inappropriate at Harvard. For example, the system can build a profile with the IP addresses of computers at Harvard that are going to porn sites, Internet gambling sites, job boards and so on. This data could trivially be cross-tabulated against authentication logs or Ethernet media access control (MAC) addresses to produce detailed reports of each user at the university. At the same time, the system is not keeping detailed logs about its own users, the operators who run it. It knows when they log in and log out, but it doesn't keep audits of who is searching for what kind of data.
Although it's tremendously important that organizations have the ability to reconstruct what's happened in the past, it's also important to be able to detect when this ability is abused. One way to do that is by having surveillance systems automatically generate logs and reports of their own use. We use this sort of approach in our government, where surveillance requests are reviewed in detail both before and after the surveillance takes place. The Administrative Office of the U.S. Courts publishes an annual wiretap report that details summary information for every court-ordered wiretap in the United States. Organizations that have surveillance equipment should institute similar procedures, and surveillance tools such as QRadar should generate immutable logs that record not just who logged in and who logged out but also what they did.
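What such an "immutable log of the tool's own use" can look like, as an added example that is not part of the original article and not QRadar's or Q1 Labs' code: a hash-chained, append-only audit log in which every console search is committed before it runs, a verifier that detects edited or deleted entries, and a per-operator summary of the kind an oversight review would read. The `audited_search` wrapper, the operator names and the query strings are all constructed for illustration.

```python
"""Tamper-evident audit log for a surveillance console (added example, constructed)."""
import copy
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # previous-hash value used by the first entry


def _digest(body):
    # Canonical JSON (sorted keys) so the same fields always hash to the same value
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained record of what operators did with the tool."""

    def __init__(self):
        self.entries = []

    def record(self, ts, operator, action, detail):
        """Append one entry; its hash covers its fields and the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "operator": operator,
                "action": action, "detail": detail, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, n) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def usage_report(self):
        """Per-operator action counts: the summary an after-the-fact review would see."""
        report = defaultdict(lambda: defaultdict(int))
        for e in self.entries:
            report[e["operator"]][e["action"]] += 1
        return {op: dict(actions) for op, actions in report.items()}


def audited_search(log, ts, operator, query, backend):
    """Run a console query only after the request itself has been written to the log."""
    log.record(ts, operator, "search", query)
    return backend(query)


def build_sample_log():
    """Constructed sample session; operator name, timestamps and queries are made up."""
    fake_backend = lambda q: {"query": q, "hits": 0}  # stand-in for the real search engine
    log = AuditLog()
    log.record(1000, "analyst1", "login", "console")
    audited_search(log, 1010, "analyst1", "src_ip=203.0.113.7 last=24h", fake_backend)
    audited_search(log, 1020, "analyst1", "category=gambling last=24h", fake_backend)
    log.record(1030, "analyst1", "logout", "console")
    return log


def tampered_copy(log, index, new_detail):
    """Simulate an operator rewriting one entry after the fact."""
    bad = copy.deepcopy(log)
    bad.entries[index]["detail"] = new_detail
    return bad


def deleted_copy(log, index):
    """Simulate an operator removing one entry from the middle of the log."""
    bad = copy.deepcopy(log)
    del bad.entries[index]
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    print("report:", log.usage_report())
    print("edited entry detected at:", tampered_copy(log, 1, "src_ip=198.51.100.1").verify())
    print("deleted entry detected at:", deleted_copy(log, 2).verify())
```

The chain catches any edit or deletion inside the log because every later hash depends on the earlier ones, but it cannot by itself detect truncation from the end; in practice the newest hash is periodically copied to a store the console operators cannot write (a separate log host, a write-once medium, or a signed daily summary sent to the reviewing body), which is the same "review after the fact" principle as the wiretap report.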