by iancarroll 4426 days ago
This post lacks citations, stories where this has been outed, and just seems like bullshit in general.
5 comments

Well, I have some evidence in support of what he says (at least, that universities log connections). My university, of some 48,000 students (in 2010), logs 100% of all connections. I know, because I have seen the data. It's provided to researchers with the IPs replaced by some other persistent identifier (which they hopefully generated randomly). You can see IP addresses/domain names, and I think they might have also had URL data for http connections (although I'm not sure on that one).

They also emailed and temporarily disconnected all students who were running servers vulnerable to heartbleed, so presumably they do some form of more intensive inspection and logging as well.

Because most universities have pretty wide-open networks with high bandwidth, they do monitor for illegal, commercial, or malware activity on their networks. They don't want to get blacklisted as spammers among other things. They are also highly concerned about possible exposure of sensitive student personal and research data and some have started auto-encrypting emails that appear to contain such.
Why do they keep old logs if they're just monitoring for illegal/commercial/malware stuff?

And if they were very concerned with exposure of sensitive data, they wouldn't be logging it.

They keep the logs so they can use them in after-the-fact investigations, and for research.
> and for research.

That's not the same thing as "monitoring for illegal/commercial/malware activity".

In some cases, research does relate to identifying Security Threats. This mostly relates to layer 7, which is much more complex than port- and protocol-based detection. The idea is: if you don't know what you're looking for (presumably a 0-day or unknown threat), then how would one find it? The answer is, research (aka analyze) the data. This ranges from Flow Data (which can date back months/years) to Packet Captures, to even Real Time Deep Packet Inspection (all relating to SIEM Solutions). In these scenarios, you would be looking for the needle in the haystack, but the needle is not clearly defined. You would have to work to identify and define it. So research does relate to identifying illegal/commercial/malware activity. Organizations that understand this are working towards implementing (or have already implemented) real time adaptive security models to mitigate these threats. This will allow them to not only identify and attempt to stop unknown Security Incidents, but also effectively investigate Incidents (forensics).
What he is saying is not bullshit, it's fairly accurate, but just way overblown with the "spying" drama. It should be common sense to keep your personal life at home and use work provided resources for work related stuff...
It's true. I develop such software commercially. Sure we have some govt. users, but the majority is the enterprise.

Full packet capture for how much disk space you want to allocate to it (many like 48 hours) then longer term storage of flow records, DNS and http metadata, etc.

The majority of the use cases are watching the internal uses of the network as well - not generally being used to detect intruders.
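The two retention tiers described above (short-lived full capture collapsing into long-term flow records) together with the first reply's researcher export, where IPs are replaced by a persistent identifier, as an added example that is not code from any commenter. The packet records are constructed, and the per-dataset HMAC key is an assumed design choice: it makes the pseudonym stable within one export but not brute-forceable the way a plain hash of a 32-bit address would be.

```python
import hashlib
import hmac
import os

# Constructed sample of packet-level records as a tap would deliver them:
# (timestamp, src_ip, dst_ip, proto, src_port, dst_port, bytes)
PACKETS = [
    (1000.0, "10.1.2.3", "93.184.216.34", "tcp", 51234, 443, 517),
    (1000.1, "93.184.216.34", "10.1.2.3", "tcp", 443, 51234, 1448),
    (1000.2, "10.1.2.3", "93.184.216.34", "tcp", 51234, 443, 60),
    (1001.0, "10.1.2.7", "10.1.0.53", "udp", 40001, 53, 72),
    (1001.0, "10.1.0.53", "10.1.2.7", "udp", 53, 40001, 120),
]

def flow_key(pkt):
    """Canonical bidirectional 5-tuple so both directions land in one flow."""
    _, src, dst, proto, sport, dport, _ = pkt
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (proto, a[0], a[1], b[0], b[1])

def to_flows(packets):
    """Collapse packets into flow records: the metadata that outlives the capture window."""
    flows = {}
    for pkt in packets:
        f = flows.setdefault(flow_key(pkt), {"first": pkt[0], "last": pkt[0], "packets": 0, "bytes": 0})
        f["first"] = min(f["first"], pkt[0])
        f["last"] = max(f["last"], pkt[0])
        f["packets"] += 1
        f["bytes"] += pkt[6]  # payload content is gone; only volume and timing remain
    return flows

def new_dataset_key():
    """Random secret generated once per released dataset (assumed practice, not the commenter's)."""
    return os.urandom(32)

def pseudonymize(ip, key):
    """Keyed, persistent identifier: same IP -> same token within a dataset, different across keys."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def research_export(flows, key):
    """Flow table with both endpoints pseudonymized, as handed to researchers."""
    return [(proto, pseudonymize(a, key), ap, pseudonymize(b, key), bp, f["packets"], f["bytes"])
            for (proto, a, ap, b, bp), f in flows.items()]

if __name__ == "__main__":
    for row in research_export(to_flows(PACKETS), new_dataset_key()):
        print(row)
```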

I did it back when I worked for a major private university (enrollment 25k+). It was simple, add a tap to the fiber coming into our network (we had redundant fiber connections to our particular little niche of a network, and conveniently, there were taps on the market that would aggregate the traffic from both fiber connections), pipe it to a monitoring server and run the logging + monitoring tool of your choice.

My boss barely understood what I was doing, his superiors certainly didn't know anything about it. We were not part of what would be considered the university IT department either -- we were just some random organization within the university. Who knows how many different people on hops above us were doing the same thing. And I was capturing the full traffic (not metadata) of people who would normally take even extra offense at this sort of thing going on. Not because the traffic contained SSNs or credit card details or something like that, but because the traffic was sensitive in a more private, personal way (I can't go into the particular details any more).

Unfortunately, this brief story doesn't have a juicy ending. I didn't do anything nefarious with the data. I didn't use it to spy on anyone. I simply used it to watch out for attacks against services on our network -- I thought I was doing something positive for the users of our services. But reading the parent post made me pause for a moment and consider that all these things I'm reading about and taking issue with in the news today (the NSA, eavesdropping, etc), that I did something similar, albeit on a much, much, smaller scale myself, many years ago when I was younger and more naive.

I was doing this sort of thing back in the 90's with a product called AbirNet SessionWall. Managers in the gov't department I worked for wanted to know how much time their employees were spending on the internet and what they were doing.

This is anecdotal of course, but I can't imagine what we were doing back then was unique or isolated. It's trivial.