Saturday, April 6, 2013

Seizing the Opportunity to Restore Trust

The best part of Tuesday's FAS faculty meeting (see the Harvard Magazine site for the most complete account) was President's announcement of the independent authorities she is calling on for help: a privacy task force, and also an outside lawyer to check the facts of the particular email searches that took place recently. What comes from these two initiatives could be very helpful in putting this issue finally to bed and reassuring the community about what may and may not happen in the future.

Let's start with the privacy task force. Here is what President Faust said about it:
I am forming a task force which I will ask to develop recommendations on a set of policies and guidelines about email privacy. Those recommendations will be submitted for community discussion and Corporation consideration by the end of the fall term. I am pleased to report that Professor David Barron, the S. William Green Professor of Public Law at Harvard Law School, has agreed to chair this task force. Professor Barron is a graduate of the College—a history concentrator—and of Harvard Law School. He worked as a journalist early in his career, served as a Supreme Court clerk, and recently completed two years of service heading the Justice Department’s Office of Legal Counsel in Washington. I am very grateful to him for agreeing to lead this process. The task force will draw members from across the university and will be broadly consultative in its work.
Professor Barron seems to be a perfect choice to head the group. More importantly, I am thrilled that a University-wide policy will exist. (That is, a better one than the we-can-do-anything-we-want policy that now exists.) Back around 2005 when I started pressing for a policy that would provide some reassurance to FAS faculty, I knew it made no technical sense to have a policy restricted to FAS (consistent with that, can email to be monitored as it enters the domain before it is directed to the FAS or SEAS network?). I also personally felt ethical qualms about leaving the staff exposed while the faculty got strong protections. But I also knew that we had to start somewhere. If I remember correctly, after I stopped being involved Richard Hackman, who recently died, was the one who pressed to get the policy adopted. In Tuesday's meeting, the president remarked, quite correctly, that the policy is ill-known and oddly situated within the Harvard web.

So that is all good. And I personally recognize that this ultimately needs to be a Corporation policy, not one adopted by individual faculties, though of course I hope whatever the task force comes up with will be the subject of faculty discussion and feedback before the final version is adopted.

However, especially because the level of anxiety and mistrust is now so high, I hope the charge of this task force will be broader than the privacy of email. I hate even thinking about this stuff, because I hate to think that anyone in a position of authority at Harvard would need to be told not to do these things. But if part of the objective is to reassure members of the community that the University administration is not monitoring or snooping on their communications, then the policy needs to cover more than email. (And more than faculty, staff, and student email, by the way: The Alumni Association runs a server that gives alumni "" email addresses.)

A proper policy should cover all network usage, including what web sites are visited, for example, It would be unfortunate if the rule was "no, we did not peek at your email, but we did notice that you visited the following URLs …–no policy against our peeking at that." Likewise, any form of online social communication--tweets, texts, etc. And while we are at it, "pen register" data, that is, phone numbers dialed, and the numbers from which phone calls have been received, for both land lines and Harvard-owned cell phones. (Again, we don't want some future resident dean to have to answer to "We don't know whether you were emailing any Crimson reporters, because of course there are rules that say we can't check those records, but we did notice that you have been calling these two reporters.") There are plenty of other examples one could come up with–for example, Harvard will not install key-logging software on Harvard computers, in order to capture employees' passwords. (I assume wiretap law applies to Harvard phones, though I don't actually know that.) And maybe the policy needs to say something about the extent of Harvard's right to unlock my office door while I am out to lunch and search the files on my hard drive. If the administration of the university won't say it won't, except under limited circumstances, faculty and staff will have to assume they will.

I should stress that there can be legitimate reasons for accessing any of these. If a student disappears, it is certainly important to be able to find out if he or she has been communicating with anyone. The billing office certainly looks international calls, though I doubt there is any ordinary business reason these days to monitor domestic phone numbers called. And so on. It is a measure of the current anxiety that anyone would even think of the possibility that these things might be monitored for less than grave reasons, but the best way to ease anxiety would be set limits.

Now there is another view on all this–that the faculty policy is wrong and we should all grow up and realize that a university is a business like any other, and there is no more reason for professors or any other Harvard employees to have expectations of private communication than there is for Walmart employees. That is the overarching University policy and it has been posited in several commentaries on the current flap, including one in Business Week. The problem with this is that universities operate on trust to a degree that is hard for business leaders to understand (and which they sometimes resent and scoff at when they do understand it). I could riff on that for a long time, but that presumption of trust stems from two sources–it is a precondition for genuinely open and free scholarly inquiry, and it is the spirit in which the social and moral development of the young best thrives. It is not too much to say that the deepest blow to the sense of community trust was the first one in this affair, when senior Harvard officials did not trust that the resident deans were properly keeping confidential information from the press, even though, through the churn of thousands of pages of documents through the fall term, not a single student document had fallen into the wrong hands.

Aside from such arguments on principle for a robust privacy policy, there are practical reasons. If faculty actually think their email is being monitored, they will switch to Gmail. If they think their office phones are being monitored, they will use their private cell phones. Harvard would then have to strengthen its policies about doing Harvard business–whatever the edge of that may be–only on Harvard networks and computers. That would get very ugly and messy. Plainly that is true for certain kinds of data; the university has fiduciary obligations to control certain data, just as the SEC sets requirements on investment banks that in turn require bank business to be conducted on bank computers. But if I email a PhD student of mine from 30 years ago to set up a lunch while he is in town, is that personal or is that Harvard business? There is a risk that Harvard faculty would simply offshore to Google as much of their communications as possible rather than trying to distinguish in advance between things they don't mind university officials seeing and things they do.

President Faust also said on Tuesday,
Dean Smith, Dean Hammonds and I want to be sure that we now have a full understanding of the searches that were undertaken. To that end, I am asking Michael Keating, a leading Boston lawyer from outside Harvard, to take the necessary steps to verify that the information we have discussed today is, as we believe, a full and accurate statement of the searches and to report to me. Mr. Keating is Chairman of Litigation at Foley Hoag and a former trustee of Williams College.
Now Mr. Keating's task seems to be quite limited. His job, it would appear, is to make sure there will be no more surprises like the revelations at Tuesday's meeting. And it seems that his only charge is to report to the president; the faculty may or may not find out what he discovers.

A number of faculty have already voiced their disappointment about the limits on Mr. Keating's job. They would prefer a bit more quantitative clarity on the assurances that faculty (and student) email are searched only "rarely," for example. How frequently is "rarely"? And how often has it been done, as was done on this occasion, for reasons other than responding to clear evidence that laws have been broken or the personal safety of an individual is in jeopardy?

It would be good to get answers to such broader questions, though I doubt we will. But perhaps Mr. Keating's mandate could be just a bit more encompassing on the present incident. Perhaps he can review the paper- and email-trail that would confirm the rationale that has been consistently offered for undertaking the search–that senior officials were alarmed about the possibility that confidential student records would appear in the pages of the Crimson. To quote from my March 12 blog post, posted just after the release of the Smith-Hammonds statement, now known to be incomplete in certain details,
So the whole business remains a bit puzzling. The statement concludes that forwarding the email was "inadvertent," and I am glad that the conclusion lines up with the facts and that no action has been taken against the dean. According to the statement, however, the investigation was undertaken because of "the need to determine whether a member of the Administrative Board had compromised the confidentiality of case information." But the search did not, and COULD NOT HAVE, settled that question at all. Having cited the limited nature of the search in justifying it, the deans are suggesting that they would not have stooped to do a more invasive search if this one had failed. But then all the search could do is figure out who forwarded the message--and then only if the forwarding had been done innocently, without bothering even to change the subject line. No part of this "investigation" had a prayer of determining anything about inappropriate disclosure of case information, which in any case there is no reason to think ever happened.
 It would be a fine thing if Mr. Keating can review the contemporaneous deliberations about undertaking the search and reassure the president–and ideally the whole community–that the search was undertaken for good reasons. To quote the editorial opinion of the Boston Globe,
The administrators say they were concerned about potential breaches in student confidentiality; but there had been no such breaches in the news leaks. Much more likely, Harvard’s leaders were concerned about their own reputations and that of the university. The search was inappropriate — and out of step with the university’s responsibility to protect free expression.
I hope Mr. Keating's investigation could get to the bottom of this aspect of the controversy. Because as long as faculty wonder whether, in practice, the University considers the mere suspicion that people are talking with the media to be extraordinary circumstances justifying searches of electronic communications, the best privacy policy in the world will not restore the sense of community trust.

1 comment:

  1. "senior Harvard officials did not trust that the resident deans were properly keeping confidential information from the press."

    I expect they will argue that this mistrust arose, not from the initial forwarding of the e-mail, but from the resident dean's failure to come forward when asked whether s/he had done so.

    That's the original failing that initiated the cycle of mistrust, which then spiralled out of control in all the ways you say. Now the UC is in on the mistrust game too.... What a mess.

    Rereading your earlier comments about the investigation, I don't read the original statement as disingenuously implying that the administration wouldn't, once they had hits on the subject-line search, then investigate further. They could do so by interrogating the res-dean involved, however, before any further search became necessary.