Saturday, January 31, 2009

Big Brother and U, Part II: Is Your University Reading Your Email?

In a previous post, I discussed recent high-profile cases involving college surveillance and the use of email or Internet postings against students, faculty or staff. (Update: The Electronic Frontier Foundation effectively won its case defending the student leader who emailed her criticisms of Michigan State's calendar policy to faculty on campus. The university accused her of "spamming." FIRE referred the litigation to EFF, a civil liberties group specializing in electronic law).

In Part II, I offer the following information to shock you into how little privacy you have via e-mail or the Internet. In short, if you use a university email account--even off campus--the university owns that electronic "property" and may archive it for years.

Most universities have network policies that forbid anything even remotely personal via email or the Internet on campus. Of course, everybody breaks this rule because a) they are not trained to understand the limitations on email; and b) most people believe that "emailing home" about getting dinner for the family is much like calling the family on a university phone. We all do it and yet that too violates university policy. A few campuses allow reasonable private use of university email but my university, like most others, does not carve out that space for students or staff. (Correction: The main Carbondale campus does not allow personal use but the Edwardsville campus does allow "personal use").

The following guide by Tina Murch, "E-mail Privacy? Only a 'Virtual Reality'" is the best wake-up call that I have read on the Internet. I highly recommend it to any one who uses university email or equipment. If you use your own laptop, Murch notes, you are still using university wireless and can be busted. Moreover, if you email from a non .edu account to someone with a non .edu account but that recipient receives it on campus, you are still busted! University discretion is enormous. Since most people are unaware of the pitfalls of email and computer use, even when off campus, Murch offers tips on how to survive this Brave New World.

Her tips are not enough. I urge you to contact university officials and request several things:

1. Training and transparency: The rules on most campuses sound good but there is discretion to do just about anything, particularly when information is archived (my university states that privacy is a "basic right" but there are loopholes, including the unstated "gotcha" category of punishing people for private use of email. Also the catch-all "disclosure made for the purpose of resolving internal disputes," etc.)

2. Question authority: ask questions of campus authorities:

*How many monitoring cases have there been in the past five years?

*How long does your university archive email and other Internet usage logs?

*Campus newspapers need to ask whether their email correspondence is subject to surveillance. In one case, a university fired faculty, in part, because of "private" email sent to a student newspaper editor. Accused of trying to "discredit" an administrator, the campus president fired two faculty members!

For more on that case, read here. Apparently, bringing truthful information to the president, following procedure, and then having the local AAUP investigate when the president did nothing about a serious matter = termination of two tenured faculty. This case, and so many others, is why I have lost my capacity to be shocked but not to be outraged.

So, if you think it can't happen on your campus, it has and will if good people do nothing. Even on my own campus, high-profile termination cases left a lot of questions about the use of past email. But the investigation reports are sealed and heavily redacted, or so we are told. Who knows how far back universities go when retrieving email in cases against students or faculty.

Student email has been punished at my university because it "harassed" the recipient, who was so shattered she published it on her web magazine! Although the email was in poor taste, taking out an ad to decry anti-feminist ramblings sounded like overkill to our campus newspaper. One wonders when a college president will take similar action against some wild-eyed feminist bashing Republican women as "fascist sex-traitors." My guess is: never.

3. Statute of Limitations: Since most people are clueless, and have violated strict network policies, almost any one can have their electronic past used against them. Officials need to set a statute of limitations for violations, as they do in other university code violations. Currently, university network policies set "forever" as the default statute of limitation. That makes the IRS sound like a friendly agency by contrast!

4. Reasonable private use: Some universities take the "chill" off students and staff by allowing reasonable private use. The alternative is for people to avoid .edu email altogether--and that is not good for the university! God knows, this professor has to look up the preferred email of students on Facebook because I assume that .edu is not their primary address. This is an unproductive use of my time.

5. Offense is defense: if you are a free thinker--and who doesn't think freely from time to time?--and feel you may become a target, make a habit of archiving all of your email for contextual defense. Campus prosecutors routinely "cherry pick" email to cast the accused in the worst light. Don't let them do it.

If you become involved in controversies (or not), you may wish to retain certain information in case Big Brother tries to terminate you. Keep this information and your email archive in a safe place, preferably in an encrypted online storage site. (My home was burglarized but I had a backup AND certain information I may need in the future is in a place where burglars cannot get it).

Remember the line: "do not go gentle into that good night!" (Dylan Thomas)

Again, just to let you know what universities can do to you, check out the cases in my prior post and this explicit statement by Temple University in its email usage guide: Scroll down to 14.6 to read this:

"14.6 WORKPLACE SURVEILLANCE AND SEARCHES
Temple University may authorize the use of reasonable surveillance and search measures as necessary to ensure an appropriate work environment or compliance with University policies and applicable law. Subject to legal requirements, the University reserves the right to inspect and search all work areas, desks, computers, file cabinets, lockers, lunch boxes, or other containers, and personal vehicles in University parking lots or public streets within campus boundaries or any other area within University control. In addition, all records contained in computers (including voice mail and e-mail) and storage devices (including removable media) are open to inspection by the University in accordance with University policies, subject to applicable legal requirements."

Got your attention?

Part III (forthcoming) will be a guide to protecting your privacy when you are completely free of campus life. Even at home, you may be vulnerable to keylogging and other privacy-invading practices. Yes, even if you use a Mac!

5 comments:

Anonymous said...

Part of me is simply exhausted to read yet another example of the omniscient and omnipotent You-Know-What strutting its stuff all the while at least publicly claiming to be an atmosphere in which truth is sought "wherever it may lead." On the other hand, to say and do nothing in a fog of anesthesia is to acknowledge that the last 30 years of You-Know-What has won, that what we its mere underlings do is nothing more than produce human widgets who write checks for the Post-Graduate Associations and receive their discounts for meals and tickets. Every last bit of attention drawn to these matters, on the other hand, provides a ray of sunshine and a ripple of hope, excepting our academic propensity for cliches. You-Know Whats can be what they once were, but only with diligence and honesty from those of us who try to actually pursue truth, as is said somewhere close to us, "wherever it may lead."

Anonymous said...

While the caution that Jonathan is urging is commendable, some of his references (especially Murch) make technical errors that change the game.
If you connect to a private (non-.edu) e-mail account in your office (which you do with a web-browser) your messages do not pass through 'university servers'. And even if they did, they would be unreadable, because gmail, hotmail and such are simply webpages, and are encrypted. This means it's cut into little pieces which are random gibberish to an outsider, and transmitted that way. So, unless you store your gmail on your office hard-drive, nobody can read it unless you let them. (Caveat--if you attract the attention of the Feds, especially the nasty spy ones (CIA, NSA) all bets are off--they can probably crack any encryption you might have access to).
Generally speaking, however, your web browsing doesn't go through 'servers'--that would be an expensive waste of time and resources. So as long as there's a little padlock symbol on your web browser nobody can intercept or store your e-mail for later perusal.
It's probably the case, also, that most universities permit 'incidental personal e-mail use'--only a few (apparently SIU is one) don't.
Finally, any university that attempts to claim ownership of whatever passes through its networks is violating the law. First of all, when you visit a webpage that is copyrighted (and pretty much all of them are) the material is owned by the copyright owner. When you go to cnn.com on your office web browser, what shows up on your screen is still owned by CNN.
Secondly, whatever you produce as a faculty member is probably also owned by you (although this will depend on your union contract, if you have one, or on your university policy). But certainly articles you have written, books you write etc. belong to you unless you assign copyright to the publisher. The university's policy may say they own it, but that's only because the policy hasn't met a lawyer yet.

testing05401 said...

I understand your technical point about web mail -- and I DO encourage people to use it rather than siu.edu Even so, many people set up their web mail to work through Outlook and so it is saved on their hard drives.

While I am not a network manager, it is my understanding that they may keylog through a "back door" on your computer. Normally, antivirus/antimalware programs would pick up backdoor key logging but couldn't a network get around that?

Most important, once you email something to someone else, you lose control because THEY can do whatever they want with it (say "weak link"). You have to trust them to not forward or print it out, etc. A specialist in electronic law informed me that you effectively give permission to the recipient to do whatever they want with it (there is no law preventing them unless there is attorny-client privilege). And if you email something to an administrator, all bets are off. The law apparently states that it is discoverable in court (as I learned in a T&P case).

NOTE: I hope to have EFF provide a primer. While it is heartwarming to know that a lawyer might defend you, we don't want to get to that point -- pro bono resources are limited, and few of us have the $$$ to hire a knowledgeable lawyer.

testing05401 said...

PS: Of course, the biggest problem is that these cases I cite encourage people to avoid discussing matters with people who have .edu accounts. This "chilling effect" is not good for universities. We can all retreat to encrypted web mail and only speak to others with encrypted web mail but why have university email in the first place?

Facebook and posting off campus is another university target. This is open to view for every one in the world (as the anti-feminist ranter found out, or the Valdosta student on Facebook). The only way to prevent university retaliation against criticism on the web it to shut your mouth and say nothing.

Anonymous said...

I want to retreat into Plato's cave...