When you click Accept: concerns over new IT policy spark debate
November 21, 2013
A new Information Technology policy is being described as “vague and overreaching” or “possibly illegal,” depending on who you ask.
Members of the Student Government Association and the University Senate are concerned with the new policy. This leaves questions as to what IT is and isn’t allowed to do.
Three policies are going before University Senate for approval, one of them, Policy 5.5020, that is garnering the most attention.
The policy, among other things, states WKU “can access, seize, and/or commandeer any and all physical or electronic resources as deemed necessary to address a given situation,” and that students and faculty who practice “inappropriate content” may lose access to university Internet and email.
However, none of the policies are technically new.
Bob Owen, vice president of the Information Technology department, said his department has been reviewing its policies for the past year. Last month, the effort was completed, and they submitted the policies to the Administrative Council for approval.
Gordon Johnson, the associate vice president of IT, said this was primarily to update and consolidate previous IT policies.
“There is nothing substantially new about how we are doing business,” Johnson said.
After IT submitted these policies, Gordon Emslie, provost and vice president for Academic Affairs, referred three of these proposals to the University Senate, where they will be reviewed today in an informational session.
Seizure
For Mark Reeves, who is SGA executive vice president and sits on University Senate, one particular part of the policy poses a problem.
Specifically, Reeves is concerned with the section of Policy 5.5020 that says WKU “can access, seize, and/or commandeer any and all physical or electronic resources as deemed necessary to address a given situation.”
“I would ask them to include clarifications on what a ‘given situation’ is so that it is not just a situation defined by anyone,” Reeves said.
Owen said the term “physical resources” in this policy only applies to equipment owned by WKU. A student’s private resources could only be seized with a court order, he said.
This part of the policy does not explicitly distinguish between university property and private property, which Adam Goldstein, attorney advocate for the Student Press Law Center, said is a problem.
“The word ‘commandeer’ implies taking possession of something you don’t have the right to take possession of,” he said.
Remote Control
Owen said this policy would cover students illegally downloading copyrighted files, one of the most common breaches of conduct.
IT security analyst Brandon Vincent told the Herald last month that companies that own copyrighted material will look for those who are distributing the files illegally using special programs. They will then send a complaint letter to the IT security office if the activity is occurring on WKU’s network.
Vincent said the IT security office will make sure that both the copyrighted file is deleted and the device is no longer sharing the file with others before removing the redirect.
But Vincent was vague as to what exactly the process for removing the content is.
One student, who said he wished to remain anonymous because he was illegally downloading copyrighted files, said that wasn’t the case. Rather than bring in his computer physically, he had his computer remotely controlled by an employee in the IT department.
He discovered one day he no longer had Internet access. When opening his browser, he was greeted by a screen that informed him he had violated copyright law and needed to call IT. He did so, and IT told him if he wanted Internet access, he needed to download a program in order to give an IT employee remote control of his computer.
After downloading software to give IT remote access to his computer, the IT employee went through his downloaded files and deleted “stuff they found suspect,” which included uninstalling torrent software.
“It kind of bugged me though because the guy who did it also uninstalled things that weren’t being used unethically,” he said.
Goldstein said the procedure to remove copyrighted files also concerned him.
He said this policy is likely illegal, “creepy” and puts WKU at risk of being sued for conditioning access to the Internet on giving up privacy rights, without proper due process.
“You cannot demand students give you access to their machine to take on vigilante federal copyright enforcement,” he said.
Goldstein said this policy is also problematic because universities cannot determine with certainty whether a student actually violated copyright law.
“I just don’t think they have the forensic ability to do that,” he said.
Owen said the university is legally obligated to remove these files, and he hopes the policies will be implemented quickly to protect WKU from being sued.
“I’m acting with earnestness and some speed because we want to be protected and because we are required to by law,” Owen said.
However, Goldstein said the recording and film industries who submit copyright complaints have not been successful in suing universities over students’ copyright infringement.
“No Expectation of Privacy”
Laura Harper, SGA’s director of Public Relations, said the proposed Policy 5.5020 contains an element that is “intentionally vague” and may unnecessarily infringe on students’ and faculty’s privacy.
The policy states, “Users shall have no expectations of privacy associated with email transmissions or of other data, content and information stored, transmitted or accessed on University systems and resources.”
Owen claimed this also included IP login times for users. He said it is “settled law” that students should not expect privacy when using university Internet.
Goldstein said it is true that students should not expect privacy on university networks.
“Adding this to the policy technically doesn’t change the status quo in that you didn’t have the expectation of privacy before they added this — they are just telling you now,” he said.
But the policy goes beyond that, stating a list of “inappropriate conduct” across all IT resources, including the Internet, which includes “using abusive or harassing language in either public or privates messages or content,” or visiting “pornographic or illegal sites.”
The policy states those practicing “inappropriate conduct” can have their Internet privileges revoked at any time.
Johnson said the examples are not the only actions that could be considered “inappropriate,” but that much of the policy in question, including visiting pornographic websites, applied more to faculty and staff abusing university resources than students. Johnson said it could in some instances be applied to students.
“That’s not an exhaustive list,” Johnson said. “When you are wording a policy like this, to try and list every sort of inappropriate conduct someone may engage in is kind of a futile exercise. No one can think of everything.”
Goldstein said not explicitly saying which portions of inappropriate conduct only apply to faculty, WKU is potentially putting itself at risk of being sued for violating the First Amendment.
IT does not actively monitor emails or messages, Johnson said in regard to the “abusive or harassing language” example. He said IT would only take action if an issue was brought to their attention.
“We are not in any way regularly monitoring these communications to try and screen for that type of problem,” Johnson said.
Change
Reeves said he does not support the policy as it stands.
“It needs clear revisions and safeguards for everyone who uses computers, software and networks at this university,” he said.
Owen said the policy changes are modeled after “best practices” at other universities and that these policies are necessary to ensure WKU complies with federal law.
“The whole thrust of these policies is to allow us to protect the university’s technology resources and digital infrastructure and preserve everyone’s right to use those resources in as an unfettered way as possible,” he said.
Owen said the IT department has a policy to only access students’ network activity or email account if directed by the General Council or if there are “technical reasons,” such as a hacked student email account that is spamming other students.
However, Reeves said the General Council’s role in directing IT to access student records should be codified to protect student privacy.
“My intention isn’t to target the IT department but the general grant of authority,” Reeves said.
If there were too many restrictions placed on the IT department’s ability to access student’s network activity, Owen said it may cause disruptions in the department’s ability to do its job.
“That would curtail our ability to respond to a variety of needs,” Owen said.
Even without a university policy to prevent the IT department from inappropriately accessing student network records, Owen said there would be consequences for any staff member who did so and that federal law prohibits universities from unnecessarily accessing student records.
“…Having a policy that says IT cannot inappropriately access a student’s record presumes that we would try to do this, which again, as professionals with the highest ethical standards, we would not and do not do,” Owen said in an email.
Goldstein agreed with Reeves and said policies restricting IT’s ability to access information should be made explicit.
“The purpose of a policy is to restrict what should happen,” he said. “If those restrictions aren’t in the policy, then they don’t exist.”
Harper also said she is concerned at the speed of the changes. She said there needs to be more time to discuss the policy to ensure students’ privacy.
Reeves said he did not believe the proposed policy changes were unconstitutional or illegal. However, he still said he believes they should be rewritten.
Johnson agreed about confusion over aspects of the policy in regards to what portions apply to students and what applies to faculty and staff.
“I honestly think we could take a look at making this a little clearer in that respect,” Johnson said. “Overall, the use of university resources, whether students, faculty, alumni or whatever, we want appropriate conduct when you are using university resources. In the case of students, there is somewhat a different situation with students. Some of the things we have listed in here, we definitely would not be so concerned about with students.”
Harper said SGA will likely draft a resolution stating students’ opinion. Reeves also said he hopes the University Senate will pass a resolution to express disapproval of the proposed policy as it stands.
“For purposes of academic freedom and just being part of a free society, the university needs to lead the way in supporting digital privacy and privacy in general,” Reeves said.