The Globe reports that Harvard read email sent via Harvard servers from 16 of its resident deans. I know nothing about what actually happened except what the Globe reporter told me; the story states that she has two independent sources, both of whom wished to remain anonymous to protect themselves. It appears that Harvard has confirmed the basic facts by informing the deans, some six months after the search of their email, that the search had in fact occurred.
Some background first of all.
Years ago I noticed Harvard's employee email policy.
Here it is. It's in the employee manual, which for some reason is behind a login screen. I doubt that many Harvard employees have ever seen it or focused on it.
Privacy/Management's Right to Access Information
Employees must have no expectation or right of privacy in anything they create, store, send, or receive on Harvard's computers, networks or telecommunications systems. Although many employees have individual computers or computer accounts, and while employees may make incidental personal use of University technology information systems, ultimately Harvard University has ownership over, and the right to obtain access to, the systems and contents. Incidental personal use is permitted so long as it does not interfere with job performance, consume significant time or resources, interfere with the activities of other employees or otherwise violate this policy, the rules of an employee’s local unit, or other University policies. Electronic files, e-mail, data files, images, software and voice mail may be accessed at any time by management or by other authorized personnel for any business purpose. Access may be requested and arranged through the system(s) user, however, this is not required.
This plainly gives Harvard complete access to the email of employees--"for any business purpose" cuts a very wide swath around the domain of permissible snooping. I understand that this is very much boilerplate for employee email accounts in corporations.
(Don't ask me why the fact that you have no email privacy as a Harvard employee is kept secure behind a login wall.)
In spite of this language, which permits Harvard to be quite intrusive, I have known only a few cases where Harvard probably read employee email. Every time there is an investigation of scientific fraud or embezzlement of university funds, I suspect the university would archive and inspect email. Be that as it may, this seems to apply to staff and administration, everyone from support staff (who are covered by collective bargaining agreements with the University) up to executive vice presidents.
The
Student Handbook suggests that nobody is going to snoop student email, and that any student who reads the email of others is going to be in trouble.
Privacy of Information
Information stored on a computer system or sent electronically over a network is the property of the individual who created it. Examination, collection, or dissemination of that information without authorization from the owner is a violation of the owner’s rights to control his or her own property. Systems administrators, however, may gain access to users’ data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules.
Computer systems and networks provide mechanisms for the protection of private information from examination. These mechanisms are necessarily imperfect and any attempt to circumvent them or to gain unauthorized access to private information (including both stored computer files and messages transmitted over a network) will be treated as a violation of privacy and will be cause for disciplinary action.
In general, information that the owner would reasonably regard as private must be treated as private by other users. Examples include the contents of electronic mail boxes, the private file storage areas of individual users, and information stored in other areas that are not public. That measures have not been taken to protect such information does not make it permissible for others to inspect it.
I wrote that. There is a little wiggle room there in the phrase "compliance with other University rules" but I don't remember it ever being used except when the force of law is behind the search. There may have been times when email was subpoenaed by law enforcement and the University complied. Under the PATRIOT act the University may have to turn over email without telling anyone about it, including the person whose email it is. There is absolutely no way to know whether that has ever happened.
When I looked at the employee policy about nine years ago, it seemed to me utterly dissonant with what faculty expected and assumed, and probably with the very spirit of free inquiry and exchange of controversial ideas that lies at the heart of academic culture. (I am sure it is also quite different from what most staff assume about their email, but I leave that aside.) With the help of several other members of the faculty, university attorneys, and administrators, I helped steer the development of a
policy for faculty email. It reads as follows:
Harvard University Information Security
FAS Policy Regarding the Privacy of Faculty Electronic Materials
The Faculty of Arts and Sciences (FAS) provides the members of its faculty with computers, access to a computer network and computing services for business purposes, and it is expected that these resources will be used in an appropriate and professional manner. The FAS considers faculty email messages and other electronic documents stored on Harvard-owned computers to be confidential, and will not access them, except in the following circumstances.
First, IT staff may need access to faculty electronic records in order to ensure proper functioning of our computer infrastructure. In performing these services, IT staff members are required to handle private information in a professional and appropriate manner, in accordance with the Harvard Personnel Manual for Administrative and Professional Staff. The failure to do so constitutes grounds for disciplinary action.
Second, in extraordinary circumstances such as legal proceedings and internal Harvard investigations, faculty records may be accessed and copied by the administration. Such review requires the approval of the Dean of the FAS and the Office of the General Counsel. The faculty member is entitled to prior written notice that his or her records will be reviewed, unless circumstances make prior notification impossible, in which case the faculty member will be notified at the earliest possible opportunity.
So that is the background. Basically, email privacy is as sacred as paper mail privacy. You just don't slit or steam open envelopes addressed to other people, with extremely rare exceptions such as search warrants and PATRIOT Act demands. Where I have had a hand in drafting university policies I have tried to incorporate that understanding into the language, while still providing the compliance exceptions the lawyers say are necessary. When you look at faculty email, you have to inform the faculty member, afterwards if not before.
But what about the staff policy? It reads to me like a typical Terms of Service Agreement--written by lawyers on the assumption that almost nobody will read it, and that those who might read it will be too powerless to object. It puts all the authority in the hands of the University so that, if some official of the University does something stupid or invasive out of ignorance or malice, it will be hard for an employee to claim that the official broke any rules. From the standpoint of the university and its legal counsel, it's a nice, safe policy to have on the books, and that is why many businesses have similar policies.
Now come the facts as reported by the Globe. Last August 16, the Secretary of the Ad Board sent an email to (it appears) the resident deans in the Houses, advising them about how to counsel students who had been accused in the infamous Gov 1310 "cheating scandal." This email wound up in the hands of the Crimson, which
wrote a story mentioning and quoting from it. It seems like this email was a helpful attempt to clear up any confusion in the minds of the resident deans of the Houses. It certainly does not seem to have been the sort of thing that should have raised FERPA worries, reports to state authorities, and so on.
I haven't seen the email, only the parts of it quoted by the Crimson. But the Crimson's account suggests it wasn't meant to become public, but didn't actually contain any truly confidential information either--no students are named, no secret double probation is discussed. It just describes what good advisors should tell advisees.
For some reason, the College was alarmed enough about this email becoming public that it scanned the emails of the resident deans to find out which one of them was responsible for the leak. As I am quoted as asking, it is hard to know why someone did not simply ask the resident deans which of them did it, if necessary pointing out that the University had the power to find out if no one was willing to come forward voluntarily.
Or does it really have that authority, as claimed?
This becomes a matter of some dispute. Harvard maintains that the staff policy applies to Resident Deans, in which case Harvard can snoop the deans' email and don't have to tell them that is being done. The fact that the deans hold the academic rank of Lecturer, apparently goes the argument, does not make them faculty from the perspective of the email privacy policy. I am speculating to some degree, but I think the argument must be that their administrative responsibilities trump their faculty privileges. They gave up the protections enjoyed by faculty when they accepted the deanship.
And yet their status as faculty is intrinsic to their role as members of the Ad Board-- that is, the Board to which the Faculty of Arts and Sciences has delegated responsibility for Administering its rules. The Board is a faculty committee--and one whose purpose is educational, as the College itself
states,
The Administrative Board is the committee of the Faculty of Arts and Sciences (FAS) responsible for the application and enforcement of undergraduate academic regulations and standards of social conduct. Established in 1890, the Administrative Board is among the oldest of the Faculty’s committees and it follows well-established procedures and practices that are designed to further the educational mission of the College.
An ordinary lecturer is certainly a faculty member when she teaches a course--I am sure we include courses taught by Lecturers when we report to US News the number of courses taught by faculty. Could she really lose her faculty status by virtue of representing the faculty on the Board to which it has delegated authority to administer its rules? If so, that would also be true for faculty who become other kinds of deans: Can Harvard read all of Michael Mitzenmacher's email (he is area dean for CS at Harvard)? Or mine, when I resume my role as Director of Undergraduate Studies in Computer Science? And presumably the Masters of the Houses, who also assume significant administrative responsibilities when they become Masters. And directors of Centers, etc., etc. If I understand the logic, all these folks lost the protections of the faculty email privacy policy when they agreed to accept their positions.
This was not anticipated in the drafting or adoption of the FAS faculty email privacy policy. And I doubt that very many of those who accepted these roles understood what they were giving up.
Whichever policy is applicable, this way of handling the situation seems to me--well, dishonorable, to mention a concept that has been in the air a lot this year because of allegations that Gov 1310 students (but not their professor) have behaved less than honorably. Why not tell people you are reading their email? Would it not be the honorable thing to do? What is to be gained by not doing that? Other than avoiding, perhaps, the embarrassment of acknowledging that you are doing something to which the targets would reasonably object if they knew it. Perhaps there are considerations I don't know; as I said I don't know any of the facts except those reported in the Globe. But it doesn't feel right to me, and it apparently didn't sit well with the resident dean quoted in the story.
This seems to me a sad incident which raises many questions. If an employee's boss wants to spy on her, who has to sign off on it and how does it get done? How many such searches have been done over the past five years? Is it always done without informing the target? Have the targets generally been people like these resident deans--people with both teaching and administrative appointments?
Probably what we are seeing here is the confluence of two forces. One, the authority of the faculty is in decline. Members of the Ad Board are being treated as staff, not faculty, because staff are more easily controlled than faculty, and the increasingly centralized power structure of the university values control very highly. And two, the thing that most needs to be controlled in the modern university is information itself. Our communications offices have grown while our library staff has shrunk. The faculty finds out about things by reading press releases and Gazette stories. In the information-control university, an email gone astray is grounds for a witch hunt.
Personally, I will probably, after four decades, respond by moving most of my personal and frivolous email to my gmail account, harryroylewis@gmail.com, and use my Harvard address strictly for business, checking it less often and batching my responses. I have long had a statement on my home page to use the address lewis@harvard.edu, which only I read. That will go now. I have always taken pride in being able to assure upset students and angry parents that no staff intermediary would process their message--it would go straight from their fingers to my eyes. I used to favor Harvard email over gmail because I thought it protected me better. I figured, if someone issues a subpoena for my email, I would rather have Harvard's lawyers think about whether to comply than to know for certain that Google would comply. My assumption about the relative risks has now flipped. If something as innocuous as the leakage of the August 16 email justifies reading the email of a dozen faculty members, it is hard to know how low the threshold might be for invasion of our in- and out-boxes.
I am sure I and others will think of more questions in the coming weeks, but here is one that should be answered. We think that students are pretty well protected. But what about alumni? We urge seniors to
acquire post.harvard addresses--mine is lewis@post.harvard.edu. Does Harvard retain the right to scan incoming email as it passes through the Harvard domain and gets redirected to the address to which the alum has bound the proxy address? Given the University's encompassing view of its rights to scan "employee" email, including faculty email when the faculty have administrative responsibilities, I would not assume that the university would feel constrained. I could not find any reassuring statement about the privacy of post.harvard email on the alumni web site. That is why I am not, yet at least, using lewis@post.harvard.edu as a convenient proxy address.
More generally, it seems to me that we have taken another step away from the old feeling that the university was a family, benevolently disposed towards its members and even lovingly indulgent. It has taken a step toward becoming instead a bristling corporation, with adversaries within who must be spied upon using all available tools, or perhaps an authoritarian government. (I have written about this before: see
Campus Culture.) For most of my life Harvard has been both my work life and my personal life, inextricably entwined. But I too must now split them, and perhaps develop the thing a recent
Crimson story credited me and Howard Gardner with lacking: a merely "transactional relationship" to the university.
Updated 11pm 3/10.
The NYT had a piece this morning that did not add much to the Globe story. A followup story has just been posted and is more interesting:
http://nyti.ms/ZsAZdg
Michael Mitzenmacher posted an excellent piece this morning on his blog:
Harvard Spies on E-mails
Richard Bradley also blogged:
At Harvard, Secrets and Lies