Monday, September 2, 2013

Email Privacy Redux

It has been a quiet summer on the Harvard email privacy front, even as we have been inundated with Snowden revelations about the extent of surveillance of electronic communications by the US Government. Today's report in the New York Times that the Drug Enforcement Agency has even more telephone metadata at its disposal than the NSA does, and that it has AT&T employees under contract to answer subpoenas, only heightens the sense that if there is any way for the government to do any kind of surveillance under terms that are arguably legal, it's already being done.

Which makes the work of the Barron Committee on privacy policies for electronic communication at Harvard even more important.

Since the Barron Committee could not finish its work over the summer, President Faust issued some interim guidelines on August 22. I am glad to have something in place, since the FAS faculty policy was apparently never officially on the books, notwithstanding that the university CIO told the FAS IT committee in 2006 that it was.

Here, in any case, are the guidelines.

  1. Any search should occur only after careful institutional consideration and in response to legitimate institutional interests. Each School or central administrative unit should ensure that any search is subject to an approval process that accords with the University's values and that fully satisfies the other requirements set forth below.
  2. Any search of electronic information should be done by or with the involvement of either University or School CIO.
  3. The University CIO and the School CIOs are accountable for ensuring that any search is conducted narrowly and that all data accessed is safeguarded.
  4. An authorization to conduct one search is not considered authorization to conduct additional searches. Any search must be independently approved.
  5. The OGC, HUIT, and the School CIOs will ensure that records are kept of any searches. The records must include a description of why the search was initiated, who authorized the search, and how the search was conducted. The University CIO will be responsible for consolidating and maintaining these records.
  6. During this interim period, HUIT and the OGC will meet regularly with the School
    CIOs to review any records and to clarify appropriate practices as needed. 
Now I am not really sure that this says anything different from the policy that was on the books already, the one in the employee manual:
 Privacy/Management's Right to Access Information
Employees must have no expectation or right of privacy in anything they create, store, send, or receive on Harvard's computers, networks or telecommunications systems. Although many employees have individual computers or computer accounts, and while employees may make incidental personal use of University technology information systems, ultimately Harvard University has ownership over, and the right to obtain access to, the systems and contents. Incidental personal use is permitted so long as it does not interfere with job performance, consume significant time or resources, interfere with the activities of other employees or otherwise violate this policy, the rules of an employee’s local unit, or other University policies. Electronic files, e-mail, data files, images, software and voice mail may be accessed at any time by management or by other authorized personnel for any business purpose. Access may be requested and arranged through the system(s) user, however, this is not required.
Well, I suppose the guidelines speak grandly of the University's values without saying what those are, and of legitimate institutional interests without saying whether those are any different from "any business purpose" as the employee policy characterizes the threshold. The guidelines come nowhere near the "extraordinary circumstances" foreseen in the would-be FAS faculty policy. If anything, they lower the "high … bar" that was surpassed when the Resident Deans email was searched last year, even though that search was conducted out of ill-founded anxiety about leakage of nonconfidential advising information to the Crimson.

Glaringly missing from the interim guidelines--and I hope it will not be missing from the final policy--is anything about notice. The abandoned FAS faculty policy required the people whose email was searched to be notified that the search had been conducted. The guidelines not only say nothing about notice; they do not offer to update the community with any general information about how many email searches have been conducted.

I think notice is essential, and I have a theory about why it is going to be hard to achieve.

The reason I think notice is essential is that it is the only way to keep the policy implementers honest. We have seen, at Harvard and in the federal government, that mere words do not suffice to restrain the abuse of the power to read email. The only restraining force that might work is the necessity, later on, to tell the person whose email was read. If you are going to have to tell Prof. X that you read his email, you are less likely to do it. But it should not make any really essential search impossible. Suppose the departmental checkbook doesn't balance and you suspect X has been spending the money on wine and women. You read his email, and after the fact, even if he wasn't, you can show him why your suspicions were justified. A clear mandate to inform the resident deans of the email searches a year ago would have prevented everything that happened, as they would surely have been informed that their email was going to be searched, even before it was searched.

It is, of course, easier to peek and not tell anyone. And that ease is exactly what requires the speed bumps that the notice requirement would lay down.

Which brings me back to the annoying fact that to this day, there has been no report of the frequency of past email searches at Harvard. I suspect that is for several reasons. At one level, probably no one knows. Email did not use to be as centralized as it now is. Finding out whether some boss in some small Faculty had a search done might not be so easy, with no record keeping and a great deal of turnover in I/T personnel. (Note, by the way, that decentralization also makes searches easier to do, because the chain of command required to carry out a search is shorter.)

Still, the president apparently felt comfortable assuring the faculty of Arts and Sciences that email searches were "rare." How rare? Here is why I think we may never find out.

I'll bet Larry Summers was reading faculty email during the troubles at the end of his presidency.

Worries about that were bruited among the faculty in 2004 and 2005, but I never used to think it had happened. My initiative to have FAS adopt a faculty email privacy policy was born of prudence in the face of legitimate anxiety, not reaction to anything I had heard. I never heard of an email search being conducted, except in case of research fraud or criminal conduct (or a missing person).

I now think it more likely that Summers did have searches done. He was a controlling figure, and he knew he had the authority under the University policy quoted above. As a man who was quite prepared to split hairs over rules and policies, and to act any time it was convenient and not prohibited to do so, nothing would have stopped him. The queasiness in the stomach that would have given pause to a more ethical person would not have slowed him down.

And that would explain the insistence on leaving at "rare" President Faust's description of when searches have been conducted in the past. Nobody wants to acknowledge that the searches of Resident Deans' email last year were small potatoes compared to what Summers had done to faculty he regarded has his enemies.

OK, that is all speculation. I have no evidence. Nobody has told me that Summers was having searches done. The theory just helps connect some dots.

One final thought was suggested by a comment on the Crimson story about the Faust guidelines. Guideline 5 says that records will be kept of any searches. If the search was of a student's email, is that an "educational record"? I should think, for example, if a search was conducted to determine what email a dean had been exchanging with a Crimson reporter about an advising matter, that would be an educational record. Under FERPA, students have a right to see all their educational records. They do not, however, have a right to be told proactively what records are being kept on them, I think.

So it seems to me that if records are going to be kept of searches of students' email, students have a legal right to ask and be told whether there are records showing that their email has been searched. Why not do the right thing, then, and tell students whenever their email has been searched, rather than having all 1650 graduating students ask during Senior Week for that to be disclosed to them? And if students are told when their email is searched, shouldn't other members of the community be given the same courtesy?

And don't forget those email forwarding addresses that so many alumni have taken at Harvard's encouragement. Do those fall under the Faust guidelines? I am sure, as the Campaign ramps up, that alumni might not be amused to think that the university could ever have any "legitimate interest" in reading their email.

No comments:

Post a Comment