Email Privacy Redux

Bits and Pieces 2013-09-03

Summary:

It has been a quiet summer on the Harvard email privacy front, even as we have been inundated with Snowden revelations about the extent of surveillance of electronic communications by the US Government. Today's report in the New York Times that the Drug Enforcement Agency has even more telephone metadata at its disposal than the NSA does, and that it has AT&T employees under contract to answer subpoenas, only heightens the sense that if there is any way for the government to do any kind of surveillance under terms that are arguably legal, it's already being done. Which makes the work of the Barron Committee on privacy policies for electronic communication at Harvard even more important. Since the Barron Committee could not finish its work over the summer, President Faust issued some interim guidelines on August 22. I am glad to have something in place, since the FAS faculty policy was apparently never officially on the books, notwithstanding that the university CIO told the FAS IT committee in 2006 that it was. Here, in any case, are the guidelines.
  1. Any search should occur only after careful institutional consideration and in response to legitimate institutional interests. Each School or central administrative unit should ensure that any search is subject to an approval process that accords with the University's values and that fully satisfies the other requirements set forth below.
  2. Any search of electronic information should be done by or with the involvement of either University or School CIO.
  3. The University CIO and the School CIOs are accountable for ensuring that any search is conducted narrowly and that all data accessed is safeguarded.
  4. An authorization to conduct one search is not considered authorization to conduct additional searches. Any search must be independently approved.
  5. The OGC, HUIT, and the School CIOs will ensure that records are kept of any searches. The records must include a description of why the search was initiated, who authorized the search, and how the search was conducted. The University CIO will be responsible for consolidating and maintaining these records.
  6. During this interim period, HUIT and the OGC will meet regularly with the School CIOs to review any records and to clarify appropriate practices as needed. 
Now I am not really sure that this says anything different from the policy that was on the books already, the one in the employee manual:
 Privacy/Management's Right to Access Information
Employees must have no expectation or right of privacy in anything they create, store, send, or receive on Harvard's computers, networks or telecommunications systems. Although many employees have individual computers or computer accounts, and while employees may make incidental personal use of University technology information systems, ultimately Harvard University has ownership over, and the right to obtain access to, the systems and contents. Incidental personal use is permitted so long as it does not interfere with job performance, consume significant time or resources, interfere with the activities of other employees or otherwise violate this policy, the rules of an employee’s local unit, or other University policies. Electronic files, e-mail, data files, images, software and voice mail may be accessed at any time by management or by other authorized personnel for any business purpose. Access may be requested and arranged through the system(s) user, however, this is not required.
Well, I suppose the guidelines speak grandly of the University's values without saying what those are, and of legitimate institutional interests without saying whether those are any different from "any business purpose" as the employee policy characterizes the threshold. The guidelines come nowhere near the "extraordinary circumstances" foreseen in the would-be FAS faculty policy. If anything, they lower the "high … bar" that was surpassed when the Resident Deans email was searched last year, even though that search was conducted out of ill-founded anxiety about leakage of nonconfidential advising information to the Crimson. Glaringly missing from the interim guidelines--and I hope it will not be missing from the final policy--is anything about notice. The abandoned FAS faculty policy required the people whose email was searched t

Link:

http://harry-lewis.blogspot.com/2013/09/email-privacy-redux.html

Updated:

09/02/2013, 22:53

From feeds:

Fair Use Tracker » Current Berkman People and Projects
Berkman Center Community - Test » Bits and Pieces

Tags:

Authors:

Harry Lewis

Date tagged:

09/03/2013, 00:40

Date published:

09/03/2013, 00:40