Saturday, April 27, 2013

Email Privacy Update

Harvard Magazine has an excellent summary of where things stand. Among the unanswered questions the Magazine mentions are these:
What was the impetus for the second and third e-mail investigations? How were they initiated without the FAS dean’s assent? What was learned about the handling of Ad Board materials from those further queries? What transpired in the March 12 meeting that prompted Smith to pursue further queries? When did he and Faust learn about the additional investigations?
There is also an oddity that the Crimson noted:
In her [April 2] remarks, Hammonds also said she had authorized that second search with the approval of the Office of the General Counsel. [Harvard spokesman Jeff] Neal declined to comment Monday night why the General Counsel did not correct the original statement. 
The same Crimson story details some disputed points, for example whether the resident dean who forwarded the email had actually made a mistake by doing so, and whether that dean had in fact not been sanctioned as stated in the March 11 Faculty meeting.

As the Magazine quotes several professors as suggesting, the mistrust emanating from this affair is infecting the way faculty think about other matters where the administration may be withholding information from the faculty. (Cf. also my earlier post, We Operate on Trust.)

So it is good news that the outside counsel's report on the email searches will, apparently, be made public. According to the Crimson, Harvard Fellow William Lee stated,
At the request of a Corporation committee, Mr. Keating’s review is focusing on the facts bearing on any searches of email or email metadata done in connection with the Administrative Board proceedings relating to a take-home exam in a spring 2012 undergraduate course.
 I expect the report to be definitive, truthful, and extremely narrow. I expect it to leave unanswered most of the important outstanding questions. It may, in fact, be very brief: "Yes, the searches described on March 11 and April 2 are the only ones that occurred in connection with this particular incident." In addition to the questions mentioned above, there would then remain the core questions: Were these searches really undertaken out of fear that student records might be leaked to the Crimson, or was the fear, as the Globe editorial board speculated, simply that Harvard's reputation-shaping and control bulwark was being breached, however harmlessly? And how often, and for what kinds of reasons, have searches like this taken place in the past?

A separate story in the same issue of the Crimson reports that the Undergraduate Council has asked for clarification and strengthening of Harvard's policies with respect to searching student email. Here are the relevant paragraphs of the Handbook for Students:

Privacy of Information

Information stored on a computer system or sent electronically over a network is the property of the individual who created it. Examination, collection, or dissemination of that information without authorization from the owner is a violation of the owner’s rights to control his or her own property. Systems administrators, however, may gain access to users’ data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules.
Computer systems and networks provide mechanisms for the protection of private information from examination. These mechanisms are necessarily imperfect and any attempt to circumvent them or to gain unauthorized access to private information (including both stored computer files and messages transmitted over a network) will be treated as a violation of privacy and will be cause for disciplinary action.
In general, information that the owner would reasonably regard as private must be treated as private by other users. Examples include the contents of electronic mail boxes, the private file storage areas of individual users, and information stored in other areas that are not public. That measures have not been taken to protect such information does not make it permissible for others to inspect it.
On shared and networked computer systems certain information about users and their activities is visible to others. Users are cautioned that certain accounting and directory information (for example, user names and electronic mail addresses), certain records of file names and executed commands, and information stored in public areas, are not private. Nonetheless, such unsecured information about other users must not be manipulated in ways that they might reasonably find intrusive; for example, eavesdropping by computer and systematic monitoring of the behavior of others are likely to be considered invasions of privacy that would be cause for disciplinary action. The compilation or redistribution of information from University directories (printed or electronic) is forbidden.
When I saw the last sentence of the first paragraph quoted in the Crimson, I could not help smiling. I wrote that language, just as I had written the FAS policy about which there was so much consternation when the Resident Deans' email was searched. These paragraphs carry fingerprints of the history of computing at Harvard; some provisions are a bit anachronistic, though in general they have held up pretty well.

I would have to go back to Archives to look at old student handbooks to retrace the development of this section. I am pretty sure that a later provision, "Computer programs written as part of one’s academic work should be regarded as literary creations and subject to the same standards of misrepresentation as copied work," dates to the 1980s and maybe to the 1970s, as a Gen Ed course in computer programming had been taught since the early 1970s. I remember being drafted to help the Ad Board with software plagiarism early on, probably because I was sending cases to the Ad Board out of Nat Sci 110, which I taught 1975-77.

I think probably the privacy provisions quoted above were drafted later, sometime in the early 1990s as students began using email. They were meant to cover a variety of stupid but "cute" things students used to do on timeshared computer systems, which students accessed via terminals located in the Science Center. For example, it was not hard to capture students' login credentials by dummying up something that looked like a login screen but was actually some miscreant's data capture program, left running as an active job. With some cleverness the student whose credentials had been captured might not realize what had happened. It was not obvious, in those days when email was new to the non-tech world, that stuff like this was in fact not cute at all.

My email files go back only to 1995, but my records from that year include some editing and drafting of thee privacy provisions, in collaboration with some faculty heavyweights, including philosophy professor Tim Scanlon and CS professor Margo Seltzer. Some corner cases I worried about were reading email that was sent to a student in error (that used to happen a lot, as naive users used to assume that <lastname>@… was a suitable email address for any individual), and that using the Unix "finger" command could not be considered an invasion of privacy even if it revealed more about the movements of an individual than the individual might realize.

The relevant question for the UC memo is, what is meant by ensuring "compliance with University rules"? And more generally, how often does the university read student email? I really don't have good answers to these questions (even though I wrote the language!). I don't think anyone would find it unreasonable to check a student's email box if the student had gone missing for several days and had not been in touch with family or friends. If a student is alleged to have sent a death threat and denies it, it's probably reasonable to check the student's sent-mail to be sure the alleged sender is not being framed. Any imaginative person can probably come up with other "obviously OK" cases, though the question of notice, which is built into the FAS faculty policy, had not occurred to anyone when the student policy was drafted.

During the eight years I was dean of the College, I don't remember the College ever reading a student's email, but that is not to say it never happened --- nothing in the rules says the dean has to approve or be notified. In the case of a missing student it might well have been done by a request of the police to some part of the university administration. I don't know why else a search might have been done and it may be that it never happened.

And in fact, though this clause has been on the books for at least 18 years and probably longer, I don't remember any student ever asking exactly what it meant. The question has arisen only because of suspicion and mistrust raised by recent events. There is a worry that authority the administration quite reasonably needs for extraordinary circumstances has been used for reasons that the community would regard as not particularly exceptional. Once that happens, trust breaks down, more questions get asked, and doubts are raised about the wisdom of unconstrained powers. And that is exactly why the faculty is asking for greater transparency on email searching. I have no idea how the student policy could be rewritten to provide stronger guarantees against abuse and still allow rapid response to emergencies.

There is nothing in the president's stated charge to the committee on email privacy to suggest that student email privacy will not also be on its agenda. That is, it seems to me, a good thing, as the old language, which worked fine as long as the community was confident that its intent was being honored, no longer seems suitable as it stands.

1 comment:

  1. In response to the second-to-last paragraph: (and rather off-the-cuff, as it is reading period...)

    It seems that there are two real questions in privacy that have been ubiquitous throughout this debacle: (1) "(Under what circumstances) is the University going to search my mail in the future?" and (2) "(Under what circumstances) has the University searched my mail in the past?" Ideally, a policy on email searches would answer both.

    Specifically, to answer the first, it might explicitly enumerate the cases in which email circumstances might be authorized. If there need be broad, catch-all provisions (say, 'in case of emergency' or 'to ensure compliance with other University rules'), it ought to include examples of such cases, to allow a reasonable comparison of scale (Do allegations of academic dishonesty allow for a search 'to ensure compliance...'? Do allegations of underage drinking?)

    In an ideal world (at a university, perhaps, with a greater expectation of trust...), such a policy would answer the second concern as well. I ought to be able to trust that either no such incidents had occurred (since I had a good idea of what exactly might constitute one) or at least, I could trust that the University had acted responsibly and with restraint had they had reason to search.

    In the absence of such trust, it might be useful to have an assurance that, were a search warranted, the affected party would be notified in advance. If this policy were clear and firm, it would be easier to trust that, since I had not been notified otherwise, my inbox has indeed been private.

    In light of recent events, an 'in-advance' notification might be more useful than the 'immediately-afterwards' policy currently written into the FAS policy. After all, it's not as if a user is capable of deleting their data from University servers...