Faculty Affairs and Personnel Committee

Response to charge S-0310 E-mail Privacy

October 25, 2004


A.  Charge

Examine university policies and procedures with respect to the privacy of the e-mail communications and other computer files of members of the university community and make recommendations for change where appropriate.  Address:  what are the current university policy and practices with regard to e-mail privacy?  Are current policy and practices appropriate for a university community?  How was the current policy formulated and how has it been communicated and explained to members of the University community?  Are there appropriate procedures in place to regulate the examination of e-mail and notify those whose e-mail has been examined?

B.  Summary

Compared to E-mail privacy statements examined from 13 other Universities, the policy at Rutgers as developed by RUCS appears to be conservative and rigorous.  There is, however, no language that 1) addresses user notification if e-mail or user files are examined, or 2) that is explicitly applied to computer support units and systems administrators University-wide.  Thus, in response to the issues stated above, we propose specific changes to existing Rutgers University policy on e-mail privacy in RUCS Acceptable Use Policy statements and guidelines.

C.  Background

Existing language on e-mail privacy at Rutgers University can be found at the following Web sites:

http://www.rutgers.edu/oldqueens/standards.html
http://rucs.rutgers.edu/campus-privacy.html
http://rucs.rutgers.edu/acceptable-use.html
http://rucs.rutgers.edu/acceptable-use-guide.html
http://rucs.rutgers.edu/acceptable-use-rucs.html

Specific issues in the Senate charge include the following (responses to these issues by Charles Hedrick, Director of the Office of Instructional and Research Technology, are italicized):

1. Is there any additional articulation of the University policy with respect to e-mail policy?

All policy is posted on the Web; there are no additional documents.

2. Section IV of the Standards for University Operations Handbook:  what is the meaning of “reasons of business necessity”?

File/e-mail access due to “reasons of business necessity” only occurs when the user is unavailable and files are needed by an administrator or co-worker.

3. What input did faculty have in the formulation of the policy on e-mail privacy?  How has the university administration communicated this policy to the faculty?

The policy was formulated by Charles Hedrick and Bernice Ginder, University Director of Information Systems and Planning, and was not based on any other University model.  The faculty had no input to the policy.  The policy is posted on the RUCS Web site, and an announcement of the policy was included in the HR Digest (2/16/2004 edition).

4. What steps has the administration taken to guard against the effect of its policy with respect to e-mail privacy on the free and open communication and inquiry that are essential to a university?

The guidelines set by Mr. Hedrick for the RUCS staff who have access to files in user directories and other sensitive information are pretty rigorous.  Prohibited access that is punishable by termination includes:

Units within the University who are authorized to see user data in the course of an investigation include the University Police, Information Protection and Security, and Judicial Affairs offices.  Units outside the University require a subpoena or other legal process.

[Gould comment:  Note that these policies apply only to files and e-mail stored on RUCS systems.  Once files or e-mail are copied or downloaded onto individual PCs, however, all protection is lost.  The larger problem exists with local area networks and file sharing that is done by individual departments or programs, where e-mail privacy statements are either not followed or are not in place.  Although system administrators are expected to “ensure the integrity, confidentiality, and availability of the resources they are managing” [http://rucs.rutgers.edu/host-acct-req.html], this action is merely a recommendation.  Thus, capricious abuse of e-mail privacy is more likely to occur at this level.]

5. Are there procedures in place to regulate the examination of faculty e-mail?  Must faculty be notified after their e-mail has been read?  Is there an accountability mechanism with regard to examination of their e-mail?

There is no current language in the policy that provides for notification of faculty if e-mail has been accessed.

D.  Recommendation

Compared to E-mail privacy statements examined from 13 other Universities, the policy at Rutgers appears to be conservative and rigorous.  There is, however, no language that 1) addresses user notification if e-mail or user files are examined, or 2) that is explicitly applied to computer support units and systems administrators University-wide.  Thus, in response to the issues stated above, we propose changes to existing Rutgers University policy on e-mail privacy as follows:

1. Acceptable Use of Network and Computing Resources, Standards for University Operations Handbook
(http://www.rutgers.edu/oldqueens/standards.html)

Present statement (final sentence in last paragraph):

“The University also reserves the right to examine material stored on or transmitted through its facilities if there is reason to believe that the standards for acceptable and ethical use have been violated or for reasons of business necessity.”

Proposed changes (underlined):

The University also reserves the right to examine material stored on or transmitted through its facilities if there is reason to believe that the standards for acceptable and ethical use have been violated, if required by law, or when it is necessary to maintain the performance, operation, or security of its systems.

2. Acceptable Use Policy for Computing and Information Technology Resources, February 14, 2000, RUCS
http://rucs.rutgers.edu/acceptable-use.html

In this document, there are two statements about privacy:

a. “Respect the privacy and personal rights of others” (5th bullet under paragraph 5)

 No proposed changes at this time.

b. 8th paragraph:

Present statement:

“Although all members of the community have an expectation of privacy, if a user is suspected of violating this policy, his or her right to privacy may be superseded by the University's requirement to protect the integrity of information technology resources, the rights of all users and the property of the University. The University, thus, reserves the right to examine material stored on or transmitted through its facilities if there is cause to believe that the standards for acceptable and ethical use are being violated by a member of the University community.”

Proposed changes (underlined):

User files on University computer systems are kept as private as possible. Attempts to read another person's files will be treated with the utmost seriousness.  The systems administrators will not override file protections unless necessary, and will treat the contents of those files as private information to the extent possible.  Although all members of the community have an expectation of privacy for information in which they have a substantial personal interest, this may be superseded by the University's requirement to protect the integrity of information technology resources and the rights of all users as well as the need of the University to carry out its necessary operations.

Thus the University reserves the right to examine material stored on or transmitted through its facilities if there is cause to believe that the standards for acceptable and ethical use are being violated by a member of the University community, if required by law, or when it is necessary to maintain the performance, operation, or security of its systems.  All units that provide computer support and their system administrators are expected to adopt policies and procedures that reflect general expectations of users for privacy of items such as e-mail and other information with substantial personal content, while still providing access to the information and records needed for the University to function.  Such inspections or monitoring will be conducted with advance notice to the user, unless, after consultation with University counsel, it is determined that notice would seriously jeopardize substantial interests of the University or of third parties.  In such cases, notice will be withheld until the completion of the investigation or proceedings but will, nonetheless, be given a posteriori as soon as possible upon such completion.

3. Guidelines for Interpretation and Administration of the Acceptable Use Policy for Computing and Information Technology Resources, February 14, 2000, RUCS
http://rucs.rutgers.edu/acceptable-use-guide.html

This document has two statements that concern e-mail privacy.

a. The fifth bullet in the section on “User Responsibilities”:

Respect the privacy and personal rights of others.

For example: it is a violation

No proposed changes at this time.

b. Under “System Administrator Responsibilities”

Present statement:

“System Administrators and providers of University computing and information technology resources have the additional responsibility of ensuring the integrity, confidentiality, and availability of the resources they are managing.  Persons in these positions are granted significant trust to use their privileges appropriately for their intended purpose and only when required to maintain the system.  Any private information seen in carrying out these duties must be treated in the strictest confidence, unless it relates to a violation or the security of the system.”

No proposed changes at this time.

c. Add a new, separate section on privacy to this document:

Proposed addition:

Privacy

All units of the University that provide computer support and their system administrators are subject to the policies and procedures of the present document that balances general expectations of privacy with the needs of the University to maintain the proper operation and security of its systems, to investigate possible violations, and to have access to information needed to function.

Items in which individuals have a substantial personal interest, such as the content of e-mail and other correspondence, or material which under University policies is copyrighted by the individual, should normally be accessed only in circumstances such as the following:

Where permission is not given, both the scope of the information accessed and the number of people who see it should be limited to the minimum needed for the purpose.

Where permission is not given, all accesses should be reported to the owner, unless, after consultation with University counsel, it is determined that notice would seriously jeopardize substantial interests of the University or of third parties.  In such cases, notice will be withheld until the completion of the investigation or proceedings but will, nonetheless, be given a posteriori as soon as possible upon such completion.

d. This document is subject to review for efficacy by the FAPC after 1 year.