From comp.unix.admin Tue Apr 27 12:38:56 1993 Newsgroups: comp.unix.admin Path: utcsri!utnut!cs.utexas.edu!wupost!uhog.mit.edu!mintaka.lcs.mit.edu!ai-lab!news.cs.umb.edu!betsys From: betsys@cs.umb.edu (Elizabeth Schwartz) Subject: Re: electronic mail privacy at the workplace In-Reply-To: cokely@nb.rockwell.com's message of Fri, 23 Apr 1993 17: 33:34 GMT Message-ID: Lines: 40 Sender: news@cs.umb.edu (netnews) Nntp-Posting-Host: eris.cs.umb.edu Organization: University of Massachusetts at Boston References: <1993Apr21.141754.17105@wixer.bga.com> Date: Tue, 27 Apr 1993 01:34:05 GMT In article cokely@nb.rockwell.com (Scott Cokely) writes: >Hypothetical: >You're the system administrator. Something has gone awry with your >/var/spool/mail directory, and it's filled up. You can't send mail >to the users because of a catch-22. You go the the directory, and >note that a couple of users have massive mailboxes. Suspecting >a lack of uudecode-savvy, you tail one of the mailboxes. At the >end of this user's mailbox you find incriminating evidence that this >user has been sending/receiving projects that are confidential to >the Company. You report your findings to your supervisor, who >escalates it up the chain until the employee is terminated, and a >possible lawsuit is in the works. >Questions: >1) At what point did the sysadmin violate the user's privacy? When the sysadm did a tail, "suspecting a lack of uudecode-savvy." The sysadm did not need to read the mail file to clean up the mail spool. On our system, we just move large mail files out of the mail spool into the user's home, compress them, and then send the user mail telling them what we did and why. In the case of repeats we can ask to talk to the user. If a user refuses to talk to us, we have various options at that point, including backing the files onto tape and deleting them from the system. A mail file should not be read just to see what the user is "up to." (on our site, we do make an exception in one case: when we have confirmed beyond reasonable doubt that the account has been cracked, and frozen the account.) -- System Administrator Internet: betsys@cs.umb.edu MACS Dept, UMass/Boston Phone : 617-287-6448 100 Morrissey Blvd Staccato signals Boston, MA 02125-3393 of constant information.... From comp.admin.policy Tue Sep 21 22:08:52 1993 Xref: utcsri comp.org.eff.talk:20117 alt.comp.acad-freedom.talk:9694 alt.privacy:8028 comp.admin.policy:4123 Path: utcsri!utnut!cs.utexas.edu!uunet!pipex!sunic!trane.uninett.no!news.eunet.no!nuug!news.eunet.fi!funic!nntp.hut.fi!usenet From: jkp@cs.HUT.FI (Jyrki Kuoppala) Newsgroups: comp.org.eff.talk,alt.comp.acad-freedom.talk,alt.privacy,comp.admin.policy Subject: Computer privacy at Helsinki U of Technology Date: 15 Sep 1993 17:08:35 GMT Organization: Helsinki University of Technology, Finland Lines: 41 Distribution: inet Message-ID: <277i6j$e4q@nntp.hut.fi> References: <277cuv$2qn@eff.org> <277d7k$2to@eff.org> Reply-To: jkp@cs.HUT.FI (Jyrki Kuoppala) NNTP-Posting-Host: laphroaig.cs.hut.fi In-reply-to: kadie@eff.org (Carl M. Kadie) In article <277d7k$2to@eff.org>, kadie@eff (Carl M. Kadie) writes: >According to the the Chronicle of Higher Education (Volume 40, Issue 4): >"An attempt to bar broad searches of a computer system's contents >at Oregon State University has produced an emotional debate among >network users" (Page A24) Also at Helsinki University of Technology there is an ongoing privacy/admin policy discussion on local newsgroups. The discussion started from a court where the University sued some persons over unauthorized used of University computers, "outsiders" (I think mostly high schoolers or people having recently graduated from high school at the time) for unathorized use; and some HUT students as accessories to unauthorized use who had shared their accounts and passwords. The suspected unauthorized use was investigated by reading files and login sessions of users, and a memorandum enclosed as part of the court proceedings includes around a dozen email messages plus quotes from login sessions and IRC logs. The investigation (reading of the files and sessions) was done by a person who is not an ordinary administrator of the system, and based on the discussions it seems that reading users' files and traffic for other reasons than keeping the system going or helping users with their problems is not a normal practice at HUT. The discussion has mostly been about the policies on whether it's OK for administrators to read files, and if so, how and on what grounds it should be done. Finland has legislation to protect email privacy similar to phone and snail mail traffic protection. It is illegal for even the police to eavesdrop on phone or other telemessage traffic, and one student suggested that perhaps in the next court meeting the accused and the accused switch places. However, the wording of the law is such that it only protects email or telemessages in transit, and thus the protection doesn't seem to extend to files when they contain received email. As part of the process to reform the criminal code, it is planned to extend the email protection and though I don't have details, apparently the proposal also includes legal protection for protected files in general. //Jyrki From comp.admin.policy Tue Sep 21 22:09:36 1993 Xref: utcsri comp.admin.policy:4127 alt.comp.acad-freedom.talk:9705 alt.privacy:8041 Path: utcsri!utnut!torn!howland.reston.ans.net!sol.ctr.columbia.edu!news.kei.com!eff!eff!not-for-mail From: kadie@eff.org (Carl M. Kadie) Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk,alt.privacy Subject: Computer file privacy at McGill U. in Canada Date: 15 Sep 1993 22:27:40 -0400 Organization: Electronic Frontier Foundation Lines: 35 Message-ID: <278ius$8u5@eff.org> NNTP-Posting-Host: eff.org [Excerpts received via email. Posted at correspondent's request.] ===================================== The McGill Tribune, September 14, 1993, volume 13 number 2, page 6, Editorial "Student rights at issue in Code of Student Conduct amendments" "In the last few weeks, Dean of Students [...] has proposed crucial changes to McGill's Code of Student Conduct and Disciplinary Procedures." [... background information, plus description of several very good changes which are not disputed ...] "Another contentious change involves the issue of computer use at McGill. The dean is proposing that electronic mail written by students should be admissible as evidence in a hearing and that the article of the current code which stipulates that evidence obtained illegally is not admissible to a hearing would not apply in this case. McGill officials would have the right to access and scrutinize the computer files of students stored on McGill computers. This is a blatant infringement on a student's legitimate right to privacy." [...] "Students should recognize the importance of maintaining their hard-won rights on campus. It is only through a united student effort that students can ensure that the rights they have gained will not be lost." --------------------------------------------------------------------------- -- Carl Kadie -- I do not represent EFF; this is just me. =kadie@eff.org, kadie@cs.uiuc.edu = From comp.admin.policy Wed Sep 29 19:55:13 1993 Xref: utcsri comp.admin.policy:4156 alt.comp.acad-freedom.talk:9825 alt.privacy:8193 Path: utcsri!utnut!cs.utexas.edu!math.ohio-state.edu!sol.ctr.columbia.edu!news.kei.com!eff!eff!not-for-mail From: kadie@eff.org (Carl M. Kadie) Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk,alt.privacy Subject: Re: Computer file privacy at McGill U. in Canada Date: 25 Sep 1993 17:35:31 -0400 Organization: Electronic Frontier Foundation Lines: 114 Message-ID: <282dj3$hv8@eff.org> References: <278ius$8u5@eff.org> <27bbn4INN5gl@mojo.eng.umd.edu> <1993Sep20.185919.1122@seas.gwu.edu> NNTP-Posting-Host: eff.org The McGill Tribune, September 21, 1993, volume 13 issue 3, page 3 "Dean's proposed Code revisions leave students concerned" by Benoit Jacqmotte [[This article is copied verbatim, with permission of the author. All commentary posted to alt.comp.acad-freedom.talk will be collected and given to the author (who doesn't have e-mail [yet]) ]] Student leaders have expressed concern with proposed amendments to the Code of Student Conduct and Discipline issued by Dean of Students Irwin Gopnik. In response to Gopnik's amendments, Students' Society (SSMU) Council passed a motion at a September 9th meeting endorsing a list of alternative amendments prepared by the McGill Legal Information Clinic (LIC). SSMU VP University Affairs Ruth Promislow and LIC Director Jill Presser will present the list of amendments to Gopnik and other university officials at a meeting this Thursday. Presser and Promislow asked Council to approve their motion due to their concern that some of Gopnik's proposed changes would infringe on students' rights. The dean's proposed amendment to Article 40 would grant the Committee on Student Discipline (CSD), whose responsibilities include holding disciplinary hearings, the right to determine what constitutes appropriate and relevant evidence in a hearing. Presser noted that allowing the CSD to determine what evidence is admissible creates the potential for the abuse of power. "Even if the committee hears evidence that it deems `inappropriate', they've already heard it, and it could be prejudicial", she said. The dean's amendment to Article 30 seeks to allow only members of the McGill community to be advisors in disciplinary proceedings. According to Presser, such a move could give the administration an unfair advantage in hearings. "The university could `prosecute' a grievance without option for an experience lawyer to defend". Presser explained. While the administration has access to several lawyers, student leaders claimed that students do not have equal access to McGill advisors with legal backgrounds. "In the past, the university has discouraged law professors from representing students", Presser said. In their list of amendments, the LIC seeks to prevent any member of a provincial bar association from advising at hearings. In another move that student leaders consider problematic, the dean's proposed amendment to article 69(h) allows the dean to bar any student deemed dangerous or disruptive from campus for up to 30 days. SSMU President Mark Luz claimed that this amendment could jeopardize student's rights. "When it's an individual decision and no action has to be taken for 30 days - that to me is conviction without a trial", he stated. According to Presser, the LIC amendments recommend that the Dean of Students should automatically convene the CSD for exclusionary penalties. Article 12(b) of the dean's proposed amendments attempts to address computer abuse at the university. According to the final draft version of the article, students accused of computer fraud or misconduct cannot expect that "communications made through the University computer system are privileged and confidential". According to Presser, the amended article would give the university access to the computer files of any student deemed suspicious. "The university is allocating this power without checks and balances", she said. "There is abuse of computers going on and the university has the right to protect itself. The question is how the university is going about detecting [these abuses], policing them, and proving them". Promislow expressed concern about the university's willingness to dispense with due process. "While the disciplinary committee is not a court of law, it certainly has to abide by a legal framework", she said. Both Luz and Promislow said they were disappointed with the overall tone of the dean's proposed amendments. "[The amendments] concentrate the decision-making process into the hands of a few people rather than in a full committee where student representation is present", Promislow added. Gopnik refused to comment on the specific concerns raised by SSMU and LIC. While he claimed that he had not yet received a response to his proposed amendments from either organization, Gopnik explained that the amendment process is in the preliminary stage. "This is a long process of consultation", he said. "I don't want to discuss [specific issues], because it's premature". Gopnik stressed that the process of amending the code would remain a fair and open procedure. "It is not a confrontation, it is a consultative process ...", he stated. "Had I heard from [SSMU and LIC], I would have incorporated their responses". -- Carl Kadie -- I do not represent EFF; this is just me. =kadie@eff.org, kadie@cs.uiuc.edu = From comp.admin.policy Wed Sep 29 19:56:05 1993 Xref: utcsri comp.admin.policy:4158 alt.comp.acad-freedom.talk:9827 alt.privacy:8194 Path: utcsri!utnut!torn!howland.reston.ans.net!sol.ctr.columbia.edu!news.kei.com!eff!eff!not-for-mail From: kadie@eff.org (Carl M. Kadie) Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk,alt.privacy Subject: Re: Computer file privacy at McGill U. in Canada Date: 25 Sep 1993 19:20:16 -0400 Organization: Electronic Frontier Foundation Lines: 40 Message-ID: <282jng$ieb@eff.org> References: <278ius$8u5@eff.org> <27bbn4INN5gl@mojo.eng.umd.edu> <1993Sep20.185919.1122@seas.gwu.edu> <282dj3$hv8@eff.org> NNTP-Posting-Host: eff.org McGill University proposes martial law. It proposes: 1) that the disciplinary committee be given authority to look at all evidence to decide if it should be allowed to look at that evidence 2) that only the disciplinary committee, but students, be allowed to get advise from any lawyer (currently both can) 3) that the dean be given authority to summarily suspend students for 30 days 4) that privacy protection be removed from personal communications and (presumedly files) if they happen to be on a computer. It sounds as though a student got "away with it" and the school blames the inadmissibility of some personal communications archived on a computer. These proposals will certainly make sure *that* never happens again. * Without a lawyer's advice, students won't even know when their privacy is illegally violated by the school. * With the committee looking at material to decide if it should look at it, privacy will be a legal fiction, the school will likely to determine that more extensive privacy violations are permissible, even in admissible material will likely influence the disciplinary process. * With privacy protection withdrawn from personal communications that happens to be on the computer, students will have less privacy. * With authority to summarily suspend students for 30 days, students will be punished without due process. The price of a fair and practical disciplinary system is that that guilty will sometimes avoid just punishment. The price of McGill University declaring martial law will be that the innocent will be subjected to unjust punishment. Given this choice between efficiency and fairness, I hope McGill chooses fairness. - Carl -- Carl Kadie -- I do not represent EFF; this is just me. =kadie@eff.org, kadie@cs.uiuc.edu = From comp.admin.policy Fri Mar 17 12:11:07 1995 Xref: utcsri alt.censorship:42554 alt.current-events.net-abuse:23793 comp.admin.policy:6166 misc.legal.computing:12628 Path: utcsri!newsflash.concordia.ca!uunet!satisfied.apocalypse.org!news.mathworks.com!zombie.ncsc.mil!news.missouri.edu!mizzou1.missouri.edu!CCGREG From: CCGREG@mizzou1.missouri.edu (Greg Johnson) Newsgroups: alt.current-events.net-abuse,alt.censorship,misc.legal.computing,comp.admin.policy Subject: Re: E-mail Private or not? Date: Wed, 15 Mar 95 10:40:39 CST Organization: University of Missouri, Columbia Lines: 51 Message-ID: <173629635S86.CCGREG@mizzou1.missouri.edu> References: NNTP-Posting-Host: mizzou1.missouri.edu Michael Blazek quotes a new OSU policy: >Under Oklahoma law, all electronic mail messages are presumed to be >public records and contain no right of privacy or confidentiality except >where Oklahoma or Federal statutes expressly provide for such status. Just a guess: Many states have "sunshine" or "open meeting" laws that require that meetings in state-funded institutions be open to the public. Exceptions are typically listed for personnel reviews, etc. Some states have "Freedom of Information" laws that allow affected citizens to obtain any transcripts of meetings on state property. These laws might allow you to pop in on your college regents, your state senators, etc., if they're meeting on state property or doing state-related business. I'd bet that a sunshine law has been construed to apply to email on the Oklahoma State University computer systems. If I were you, I'd politely enquire for the citation number of the law(s) upon which this email policy is based. Then use reductio ad absurdum. I bet that the hypothesized sunshine law opens "state records" to _everybody_, not just sysadmins. You could as fairly request to see OSU President Halligan's email, or the govenor's email, or the sysadmin's email, as they to see yours. But complete openness would interfere with University missions such as submitting homework by email and taking contractor or vendor bids. If the law applies to OSU email, why not also to OSU campus mail too? Why not to an instructor's answer sheet? As a sysadmin and policy-formulator myself, I struggle reconciling four things: genuine needs for confidentiality; genuine needs for mission-centered accountability; sometimes vague laws and policies that could not anticipate all nuances of developing technology; and screwy perceptions of entitlement by both users and service providers. If OSU has clear policies on conserving resources, on protecting the institution from civil & criminal liabilities such as piracy or harassment via email, then these are probably sufficient bases for precisely-regulated sysadmin access to email; particularly if scans are performed by programs or under search warrant, are normally reported to those being scanned, and are generally not entrusted to any one person's whims. "Sunshine laws" do apply to some aspects of university life, but mostly, as I read them, to opening administrative activities to public scrutiny, not vice versa! -Greg Johnson, Campus Computing, U of Missouri - Columbia