Email Privacy at Harvard
Bits and Pieces 2013-03-10
Summary:
The Globe reports that Harvard read email sent via Harvard servers from 16 of its resident deans. I know nothing about what actually happened except what the Globe reporter told me; the story states that she has two independent sources, both of whom wished to remain anonymous to protect themselves. It appears that Harvard has confirmed the basic facts by informing the deans, some six months after the search of their email, that the search had in fact occurred. Some background first of all. Years ago I noticed Harvard's employee email policy. Here it is. It's in the employee manual, which for some reason is behind a login screen. I doubt that many Harvard employees have ever seen it or focused on it.
This plainly gives Harvard complete access to the email of employees--"for any business purpose" cuts a very wide swath around the domain of permissible snooping. I understand that this is very much boilerplate for employee email accounts in corporations. (Don't ask me why the fact that you have no email privacy as a Harvard employee is kept secure behind a login wall.) In spite of this language, which permits Harvard to be quite intrusive, I have known only a few cases where Harvard probably read employee email. Every time there is an investigation of scientific fraud or embezzlement of university funds, I suspect the university would archive and inspect email. Be that as it may, this seems to apply to staff and administration, everyone from support staff (who are covered by collective bargaining agreements with the University) up to executive vice presidents. The Student Handbook suggests that nobody is going to snoop student email, and that any student who reads the email of others is going to be in trouble.Privacy/Management's Right to Access InformationEmployees must have no expectation or right of privacy in anything they create, store, send, or receive on Harvard's computers, networks or telecommunications systems. Although many employees have individual computers or computer accounts, and while employees may make incidental personal use of University technology information systems, ultimately Harvard University has ownership over, and the right to obtain access to, the systems and contents. Incidental personal use is permitted so long as it does not interfere with job performance, consume significant time or resources, interfere with the activities of other employees or otherwise violate this policy, the rules of an employee’s local unit, or other University policies. Electronic files, e-mail, data files, images, software and voice mail may be accessed at any time by management or by other authorized personnel for any business purpose. Access may be requested and arranged through the system(s) user, however, this is not required.
Privacy of Information
Information stored on a computer system or sent electronically over a network is the property of the individual who created it. Examination, collection, or dissemination of that information without authorization from the owner is a violation of the owner’s rights to control his or her own property. Systems administrators, however, may gain access to users’ data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules.
Computer systems and networks provide mechanisms for the protection of private information from examination. These mechanisms are necessarily imperfect and any attempt to circumvent them or to gain unauthorized access to private information (including both stored computer files and messages transmitted over a network) will be treated as a violation of privacy and will be cause for disciplinary action.
I wrote that. There is a little wiggle room there in the phrase "compliance with other University rules" but I don't remember it ever being useIn general, information that the owner would reasonably regard as private must be treated as private by other users. Examples include the contents of electronic mail boxes, the private file storage areas of individual users, and information stored in other areas that are not public. That measures have not been taken to protect such information does not make it permissible for others to inspect it.