Slashdot Mirror

← Back to Domains

Domain: eff.org

Stories and comments across the archive that link to eff.org.

Stories · 1,385

  1. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  2. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  3. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  4. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  5. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  6. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  7. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  8. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  9. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  10. Carl Kadie Responds

    News · News · · posted by michael · from the it's-not-just-a-good-idea--it's-the-law dept. · 51 comments
    Carl Kadie has returned his responses to our interview questions. He covers a wide array of topics regarding computers and academic freedom - my guess is that this interview will answer about 5% of all questions submitted to Ask Slashdot. :)

    With Power comes responsibility... (Score:5, Interesting)
    by Zachary DeAquila on 02-14-01 02:41 PM EST (#28)

    What responsibilities do universiies incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric ? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    Let me start with disclaimers. I'm not a lawyer. The legal matters I discuss are merely my understanding of the law, not real legal advice. Also, I speak for myself, not for the Electronic Frontier Foundation or my employer. For more on these issues look at the Computers and Academic Freedom Archive.

    As a practical matter, no rule, regulation, or liability could ever compensate you for something like lost thesis data. Hopefully, the terror you feel just thinking about losing something irreplaceable will motivate you to make multiple backups.

    For privacy, however, federal law does offer some protections. The Family Educational Rights and Privacy Act applies to any U.S. school, even high schools, both public and private, that accepts federal money. This is the law that stops schools from announcing your social security number and grades to the world. Schools that disclose personally identifiable information, beyond directory information, can lose their federal funding. Schools generally take this law very seriously. The only common problem is school staff who need to be educated about the law.

    Another useful law is the Electronic Communications Privacy Act. This is the law that stops AOL from disclosing your grandma's email. It can also be reasonably interpreted as stopping universities from disclosing student email. It may also protect staff email.

    Finally, public universities have obligations beyond federal law. As a government institution, they are bound by the federal constitution and their state constitution. A U.S. government task force says that [Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. Students are presumably protected at least as much.


    University policy (Score:5, Interesting)
    by Pacer on 02-14-01 02:43 PM EST (#31)

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    I'm optimistic about the trend. I once looked up the student regulations for my school from 1904 to present. (I've since graduated). Students were once literally treated as children. Now the policies generally respect students as scholars with academic freedom. Academic freedom (which includes freedom of expression, privacy, and due process) for students is guaranteed in the student code of many schools. It is advocated by dozen of important academic organizations. I believe academic freedom principles can be straight forwardly applied to computers and networks. For example, here is what our Draft Statement on Computers and Academic Freedom says about privacy:
    "Privacy Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office, lab, or dormitory (for example, files in a graduate student's desk). Private communications via computer should have the same protections as private communications via telephone."
    So, all is wonderful everywhere except for a few aberrations that your free ACLU lawyer can quickly take care of, right? Sadly, no. The struggle for civil liberties and academic freedom never ends. As you suggest, some in authority will always try to assert more and more control. They may never have heard the idea that students should have academic freedom. They may not realize public universities in the U.S. are constrained by the U.S. constitution. They may erroneously believe that federal law doesn't apply if you make students sign a waiver.

    So what can you do? Organize and fight! It won't be easy. You'll never win completely. But, you'll likely find friends and allies everywhere from student to faculty to staff. You may find your most important allies among the computer services staff. Many computer staff folks see themselves as true professionals with a professional responsibility to what's morally and legally right, not just what the boss thinks is expedient.

    If you are in high school looking at colleges, please read their student code and computer rules before you decide. This will be part of your contract with the university. If you decide not to attend a school because of bad policies, tell them and tell the world.


    Linux acceptability (Score:5, Interesting)
    by dwbryson on 02-14-01 02:45 PM EST (#42)

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS( Univeristy Technology Services ) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutly not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely uphauled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support windows, and allow Mac's, but flat out tell me I can't have linux on their network. Do you have any suggestions on what rights I as a user have?

    Let me break this into two questions. First, can a university department ban clubs or speech because it doesn't like what they advocate? Generally not. At most schools, the student code protects freedom of speech. At public universities, student speech is also protected by the 1st amendment. To take one example, the U. of Illinois has student organizations ranging from the International Socialists to the College Republicans. Linux really shouldn't be a problem.

    Second, can a University Technology Services group ban a program/OS from the Network? The difficulty is that while it might be legitimate to ban, say, a packet sniffer, it shouldn't be legitimate to stop Scientology students who want to filter their own Internet access on their own PC. How do we distinguish these cases? Legally, at state schools you could try to make a 1st amendment argument. You could also use freedom of information requests (if applicable) to see if a rule was made for legitimate reasons. These legal battles, however, would be expensive and uncertain.

    More effective than a legal approach is a good policy approach. How is good policy made? By getting everyone (students, faculty, and staff) involved in making decisions. And, if that doesn't work, by protesting and publicizing bad decisions. Here is what the Joint Statement on Rights and Freedoms of Students says about students and policy making:
    "As constituents of the academic community, students should be free, individually and collectively, to express their views on issues of institutional policy and on matters of general interest to the student body. The student body should have clearly defined means to participate in the formulation and application of institutional policy affecting academic and student affairs. The role of the student government and both its general and specific responsibilities should be made explicit, and the actions of the student government within the areas of its jurisdiction should be reviewed only through orderly and prescribed procedures."

    Legal Recourse? (Score:5, Interesting)
    by CU-Ballistic (rogersj@SPAMSUCKSclemson.edu) on 02-14-01 02:46 PM EST (#45)

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    I think I found policy in question. It has both good points and bad points. The good is that it provides for due process via the university's regular channels. Also, it lays out proscribed behavior pretty clearly. Now, to the bad:
    • It doesn't say how the policy was formulated and under what authority. Were students involved? Did the university senate give approval? Was there a committee? As far as we can tell from the policy itself, it could be the work of one person without any input from the university community.
    • The policy contradicts itself on privacy. It tries to use magic words to make federal law and constitutional requirements disappear. It says: "Students have no expectation of privacy when utilizing university computing resources, even if the use is for personal purposes." The policy for staff says the same thing: "Employees have no expectation of privacy ..." but a few lines before that it correctly acknowledges that "[...] Federal and State statutes protect the privacy of much of the information available on University computer systems." As a general rules, a policy should not contradict itself. (I wonder if researchers are really prohibited from storing human subject and other sensitive data on these computers?) [Editorial note: Federal laws concerning research on human subjects requires that data about such studies be stored securely, with a number of explicit security requirements. If Clemson faculty have no expectation of privacy when using Clemson computers, Clemson is breaking those laws if it conducts any research on human subjects (which it does) and stores the data on Clemson machines.]
    • Finally, the policy conflates invading-policy-because-of-an-emergency and invading-it-to-gather-evidence-of-wrong-doing. Any public university and any university that respects academic freedom should distinguish these cases. Here is how the Joint Statement puts it:

      "Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed."


    Finding Balance? (Score:5, Informative)
    by PapaZit on 02-14-01 03:59 PM EST (#161)

    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad priviledges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.

    It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.

    Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.

    There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.

    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?

    First, I commend you for taking your professional responsibilities seriously. As you know, incidental and emergency exposure of information is a fact of life. Your computers likely contain everything from medical information, to love letters, to evidence of criminal activity. After much debate at the U. of Illinois, with input from all of campus, the University adopted a policy that says in part:
    "Network and system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, will be governed by all applicable U. S. and Illinois laws and by University policies."
    Other schools also respect the privacy of email and files. You can see examples here. For some general tips on making good policy, look here.


    I am violating my school's policy by posting this. (Score:4, Interesting)
    by SkyIce (dangelo(a)ntplx.net) on 02-14-01 03:47 PM EST (#144)

    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:

    "No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet."

    "Accessing the accounts and files of others is prohibited."

    "Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts."

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?

    As a student in a private high school that likely doesn't take any government money, you have few legal protections. As long as they follow their own rules, they can do almost anything they want. Sorry.

    Again, I strongly encourage you to read the student code and computer policies of any colleges you are looking at. You'll find critiques of several dozen policies Computers and Academic Freedom Policy Archive. (Hopefully, most of the bad policies in the archive have since been improved.)


    Colleges vs Corporations (Score:3, Interesting)
    by Chris Brewer (chrisbrewer@paradise.net.nzSPAMBEGONE(TM)) on 02-14-01 02:44 PM EST (#39)

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    In the U.S., there is a world of difference between employees and students. (I don't know about the law in New Zealand). The work employees do on company equipment generally belongs to the company. Moreover, at work Americans have little privacy protection. (The ACLU has a project on workplace civil liberties.)

    Students, on the other hand, are customers of the university, not its agents or employees. Although your grandmother might store a document on AOL's computers, that does not give AOL ownership of the document's copyright. Likewise, while you might research a paper in the University library and store it on a University computer, they gain no ownership rights.


    WPI's Acceptible Use Policy (Score:3, Interesting)
    by Saint Nobody on 02-14-01 02:50 PM EST (#55)

    Personally, i think that WPI has a pretty good AUP, (which is not to say i haven't had problems with netops regarding a few violations, only one of which i was actually responsible for.) it doesn't say that they can read our email personal files and other miscellany, and it requires us not to go poking around.

    However, it doesn't say that they can't.

    how do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    The Joint Statement says that academic freedom "requires" policies that clearly define possible offenses and that are enforced though fair due-process procedures. As you point out, WPI, a private technical institute, leaves a lot unsaid in its computer policy especially about policy enforcement. Are such vague policies OK because we can trust the wisdom of the university staff to do what's right? As much as I respect the professionalism of many computer staff folks, we can't know that the good ones will always be there. To be safe, we must capture some wisdom in policy.

    So, what could go wrong? Imagine this nightmare: The WPI computer organization decides to ignore the Institute's regular judicial system with its system of check and balances. The computer org decides to impose punishments on students itself. It guarantees no notice of charges, no hearing, and no appeal procedure.

    How likely is this nightmare? IT HAS ALREADY HAPPENED!

    Read another WPI policy, the Residential AUP Policy. This policy reminds me of a line from Lewis Carroll's Alice in Wonderland: "No, no," said the Queen: "The sentence first -- the verdict afterwards." Except they don't even bother with the verdict.


    Is it because of lawyers? (Score:3, Interesting)
    by Wariac on 02-14-01 03:06 PM EST (#83)

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal. It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, Do the schools implement these policies on thier own accord, or are they usualy done at the request of thier insurer?

    Because students are customers of a school and not employees/agents schools generally aren't responsible for their actions. So, if it's not insurers who ask for bad policies where to they come from? It often works like this:
    • A student does something obnoxious, but not against any written rules.
    • The student is investigated and punished.
    • The department that punished the student creates very broad and very vague rules to justify, after the fact, the procedure and punishment already imposed. (For example, see the case of the NCSA.)
    • The new policy is run by University legal counsel. Legal counsel checks that it doesn't make any promises or guarantees to students. Counsel doesn't think to check for consistency with other policies or Constitutional requirements.
    • Some students, faculty, or staff members finally get to read the policy. Using email, web sites, netnews, newspaper stories, and sometimes even demonstrations on on the Quad/Green, they educate themselves and the University community about legal and academic standards. Everyone starts to see the problems in the first policy.
    • A committee is formed of students, faculty, staff, and librarians. They work for a while and create a much better policy.
    • The new policy is adopted by the University and replaces the old. (For example, the UIUC privacy policy that grew out of the NCSA policy.)
    • Everyone lives happily ever after. (Until the next time a student does something obnoxious but not against any written rules.)


    How do you handle bandwidth issues? (Score:2, Interesting)
    by Shook (shook@iname.com) on 02-14-01 10:34 PM EST (#261)

    I go to a fairly devout Christian U., that has very aggressive censor ware against sex, porn, illegal activities, but that isn't the focus of my question. Unlike many schools, my U. did nothing to block Napster use, and I always found this a little surprising.

    When we came back from X-Mas break, Napster was blocked. People moaned and groaned, but it turns out it wasn't even our school's call (though they might have had a say in it) Our school gets its access from a state-wide government-run ISP for educational institutions, and the ISP decided to block Napster, Gnutella, and probably others.

    Rather than copyright issues, they cited bandwidth problems. Although, I miss my Napster, I find this hard to argue with. (Theoretically) the network is for educaitonal purposes, and my average dorm-connection speed has doubled since Napster was blocked. But this could easily become a slippery slope, what is to keep them from blocking things like FTP, or Real Audio, both of which I have used for research, but can present bandwidth problems.

    How would you suggest balancing to need to reserve bandwidth for serious school-related purposes, and still provide a useful Internet service?

    Ten years ago, some schools thought it necessary to ban all games from their computers and networks. (Here is a critique of one such policy.) Now the computer game industry is as big as the movie industry. And, just as you can take film classes in college, so you can take computer game classes. This illustrates the wisdom of a tenet of academic freedom: no authority knows everything that will be important in the future. Therefore, every professor and every student should be free to examine and discuss all questions of interest to them. Schools should do their best to accommodate these explorations. Peer-to-peer systems could be the next big thing. It sounds like the students and professors in your state won't be part of it.

    Could there ever be a legitimate reason to ban ALL recreational use of the network? Sure, just as I can imagine a college so resource-poor that it banned all recreational reading in the library, I can imagine a college so resource-poor that it banned all recreational network use. But I won't want to attend such a school.

    But, how should needs be balanced when resources require it? I advocate following the model of librarians. They are experts at selecting books based on professional standards and respect for intellectual freedom.

    In closing, let me list some resources and ask for some possible help:



    Finally, if you go to the Computers and Academic Freedom Archive, my web site, you'll notice it has not been updated for a while. With a job, a family, and new interests, I haven't given the site and issue the attention it deserves. I'd love to get ideas and/or proposals from folks on how to get the Computers and Academic Freedom Project restarted. Thanks.

    Carl Kadie
    kadie@eff.org
    p.s. I'll be on vacation from the 4th to the 11th.

  11. Ask Carl Kadie About Censorship and Privacy at Colleges

    News · News · · posted by michael · from the no-more-than-one-Napster-question-please dept. · 221 comments
    We've received a lot of inquiries recently about computer policies at various colleges and universities - usually the policy goes something like: "Anything you do or say on this network is ours, we own it, we can read your email, we can delete you, too bad. All your data are belong to us." Oddly enough, these sorts of policies are in place even at schools that would never dream of snooping on students' postal mail or the books they read at the library. Carl Kadie has been EFF's longest-serving volunteer, doing work for the past ten years in the area of academic freedom and computers. He's written two book chapters on the issue and helped examine, critique and improve the usage policies at many universities. Post below any questions you have on computers and academic freedom - maybe your school has a particularly bad policy, maybe you just have a general question - and we'll pick the best ones and forward them to him for a response.

  12. Ask Carl Kadie About Censorship and Privacy at Colleges

    News · News · · posted by michael · from the no-more-than-one-Napster-question-please dept. · 221 comments
    We've received a lot of inquiries recently about computer policies at various colleges and universities - usually the policy goes something like: "Anything you do or say on this network is ours, we own it, we can read your email, we can delete you, too bad. All your data are belong to us." Oddly enough, these sorts of policies are in place even at schools that would never dream of snooping on students' postal mail or the books they read at the library. Carl Kadie has been EFF's longest-serving volunteer, doing work for the past ten years in the area of academic freedom and computers. He's written two book chapters on the issue and helped examine, critique and improve the usage policies at many universities. Post below any questions you have on computers and academic freedom - maybe your school has a particularly bad policy, maybe you just have a general question - and we'll pick the best ones and forward them to him for a response.

  13. See Lawrence Lessig At BayFF Monday

    Announcements · · posted by ryuzaki0 · from the and-send-us-reports dept. · 27 comments
    If you can be at Stanford University on Monday, Katina Bishop of the Electronic Frontier Foundation wants you to drop by the BayFF's 7 p.m. meeting, featuring law professor Lawrence Lessig (author of Code, and Other Laws of Cyberspace) speaking on "Architecting Innovation," to take place in room 290 of the Stanford Law School, Crown Quadrangle. (The event will also be Web cast; see the BayFF homepage for a link to the webcast.) I sat in on the online privacy debate BayFF hosted last August, and was very impressed.

  14. See Lawrence Lessig At BayFF Monday

    Announcements · · posted by ryuzaki0 · from the and-send-us-reports dept. · 27 comments
    If you can be at Stanford University on Monday, Katina Bishop of the Electronic Frontier Foundation wants you to drop by the BayFF's 7 p.m. meeting, featuring law professor Lawrence Lessig (author of Code, and Other Laws of Cyberspace) speaking on "Architecting Innovation," to take place in room 290 of the Stanford Law School, Crown Quadrangle. (The event will also be Web cast; see the BayFF homepage for a link to the webcast.) I sat in on the online privacy debate BayFF hosted last August, and was very impressed.

  15. See Lawrence Lessig At BayFF Monday

    Announcements · · posted by ryuzaki0 · from the and-send-us-reports dept. · 27 comments
    If you can be at Stanford University on Monday, Katina Bishop of the Electronic Frontier Foundation wants you to drop by the BayFF's 7 p.m. meeting, featuring law professor Lawrence Lessig (author of Code, and Other Laws of Cyberspace) speaking on "Architecting Innovation," to take place in room 290 of the Stanford Law School, Crown Quadrangle. (The event will also be Web cast; see the BayFF homepage for a link to the webcast.) I sat in on the online privacy debate BayFF hosted last August, and was very impressed.

  16. See Lawrence Lessig At BayFF Monday

    Announcements · · posted by ryuzaki0 · from the and-send-us-reports dept. · 27 comments
    If you can be at Stanford University on Monday, Katina Bishop of the Electronic Frontier Foundation wants you to drop by the BayFF's 7 p.m. meeting, featuring law professor Lawrence Lessig (author of Code, and Other Laws of Cyberspace) speaking on "Architecting Innovation," to take place in room 290 of the Stanford Law School, Crown Quadrangle. (The event will also be Web cast; see the BayFF homepage for a link to the webcast.) I sat in on the online privacy debate BayFF hosted last August, and was very impressed.

  17. DVD Case Follow-Up

    Yro · News · · posted by michael · from the keep-your-eye-on-the-prize dept. · 145 comments
    sirhan writes "The ACLU made a court brief today concerning the DVD CCA case. The release can be found here." There were actually a number of amicus briefs filed at the same time for this case, and now I think most of them are online. Journalists and publishers, law professors, law professors II, the Association for Computing Machinery, programmers and academics, library and public interest, cryptographers, and Arnold Reinhold. These are all in support of the EFF's appeal in the case, of course. The briefs make good reading because they attempt to convey, in a very direct and concise manner, the arguments of these various groups against the DMCA.

  18. DVD Case Follow-Up

    Yro · News · · posted by michael · from the keep-your-eye-on-the-prize dept. · 145 comments
    sirhan writes "The ACLU made a court brief today concerning the DVD CCA case. The release can be found here." There were actually a number of amicus briefs filed at the same time for this case, and now I think most of them are online. Journalists and publishers, law professors, law professors II, the Association for Computing Machinery, programmers and academics, library and public interest, cryptographers, and Arnold Reinhold. These are all in support of the EFF's appeal in the case, of course. The briefs make good reading because they attempt to convey, in a very direct and concise manner, the arguments of these various groups against the DMCA.

  19. DVD Case Follow-Up

    Yro · News · · posted by michael · from the keep-your-eye-on-the-prize dept. · 145 comments
    sirhan writes "The ACLU made a court brief today concerning the DVD CCA case. The release can be found here." There were actually a number of amicus briefs filed at the same time for this case, and now I think most of them are online. Journalists and publishers, law professors, law professors II, the Association for Computing Machinery, programmers and academics, library and public interest, cryptographers, and Arnold Reinhold. These are all in support of the EFF's appeal in the case, of course. The briefs make good reading because they attempt to convey, in a very direct and concise manner, the arguments of these various groups against the DMCA.

  20. DVD Case Follow-Up

    Yro · News · · posted by michael · from the keep-your-eye-on-the-prize dept. · 145 comments
    sirhan writes "The ACLU made a court brief today concerning the DVD CCA case. The release can be found here." There were actually a number of amicus briefs filed at the same time for this case, and now I think most of them are online. Journalists and publishers, law professors, law professors II, the Association for Computing Machinery, programmers and academics, library and public interest, cryptographers, and Arnold Reinhold. These are all in support of the EFF's appeal in the case, of course. The briefs make good reading because they attempt to convey, in a very direct and concise manner, the arguments of these various groups against the DMCA.

  21. DVD Case Follow-Up

    Yro · News · · posted by michael · from the keep-your-eye-on-the-prize dept. · 145 comments
    sirhan writes "The ACLU made a court brief today concerning the DVD CCA case. The release can be found here." There were actually a number of amicus briefs filed at the same time for this case, and now I think most of them are online. Journalists and publishers, law professors, law professors II, the Association for Computing Machinery, programmers and academics, library and public interest, cryptographers, and Arnold Reinhold. These are all in support of the EFF's appeal in the case, of course. The briefs make good reading because they attempt to convey, in a very direct and concise manner, the arguments of these various groups against the DMCA.

  22. DVD Case Follow-Up

    Yro · News · · posted by michael · from the keep-your-eye-on-the-prize dept. · 145 comments
    sirhan writes "The ACLU made a court brief today concerning the DVD CCA case. The release can be found here." There were actually a number of amicus briefs filed at the same time for this case, and now I think most of them are online. Journalists and publishers, law professors, law professors II, the Association for Computing Machinery, programmers and academics, library and public interest, cryptographers, and Arnold Reinhold. These are all in support of the EFF's appeal in the case, of course. The briefs make good reading because they attempt to convey, in a very direct and concise manner, the arguments of these various groups against the DMCA.

  23. DVD Case Follow-Up

    Yro · News · · posted by michael · from the keep-your-eye-on-the-prize dept. · 145 comments
    sirhan writes "The ACLU made a court brief today concerning the DVD CCA case. The release can be found here." There were actually a number of amicus briefs filed at the same time for this case, and now I think most of them are online. Journalists and publishers, law professors, law professors II, the Association for Computing Machinery, programmers and academics, library and public interest, cryptographers, and Arnold Reinhold. These are all in support of the EFF's appeal in the case, of course. The briefs make good reading because they attempt to convey, in a very direct and concise manner, the arguments of these various groups against the DMCA.

  24. What's Wrong With Content Protection?

    Yro · Censorship · · posted by michael · from the artist-at-work dept. · 375 comments
    EMlNEM sent us a link to this excellent rant from John Gilmore of the EFF.

  25. EFF Appeals 2600 Decision

    Yro · News · · posted by michael · from the right-to-link dept. · 131 comments
    eclectro writes "The EFF representing 2600 has appealed the district court's decision that banned the posting of the DeCSS source code on websites. The case will be argued in April." EFF's brief makes good reading. If this is new to you, we've posted a few things about the DeCSS cases before.

  26. EFF Appeals 2600 Decision

    Yro · News · · posted by michael · from the right-to-link dept. · 131 comments
    eclectro writes "The EFF representing 2600 has appealed the district court's decision that banned the posting of the DeCSS source code on websites. The case will be argued in April." EFF's brief makes good reading. If this is new to you, we've posted a few things about the DeCSS cases before.

  27. Yahoo Knuckles Under

    Yro · Censorship · · posted by jamie · from the can-of-worms dept. · 232 comments
    ewhac was one of several to inform us that Yahoo has knuckled under. Their auction site will now start using "computer software," which as we all know is infallible, to roboban auctions of Nazi and Klan items (see SFGate's story or CNN's story). France wanted its countrymen kept away from these items, and since Yahoo couldn't block the French, they blocked the stuff. Cigarettes, switchblades and used underwear are also forbidden, but it seems only the hateful stuff gets autoblocked. "Photons have neither morality nor visas" my ass. Just wait until every one of the planet's sovereignties gets a proscripted category of its own -- will I be able to sell paintings by John Wayne Gacy? Wounded Knee medals? Confederate flags? The world's full of offensive knickknacks, Yahoo, have fun banning it all.

    The actual terms of service forbid: "any item which, in Yahoo!'s sole discretion, is inflammatory, offensive, unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of another's privacy, hateful, racially or ethnically objectionable, or otherwise inconsistent with the spirit of Yahoo! Auctions." It's the robo-enforcement that's new.

  28. Gifts For Geeks

    Features · Xmas · · posted by CmdrTaco · from the cheesy-alliteration-is-where-it's-at dept. · 245 comments
    Way back in October we solicited ideas for Christmas presents for geeks. This was done with Wired, and the results appear in the current issue (the lime-green colored one: unless you're blind, you can't miss it. You'll only be able to find the first copy, tho). The authors' money will be a nice Christmas present to the EFF. Thanks go to Paul, who did all the really hard work compiling the final list from all your ideas. Now read on to see the list.
    1. PlayStation2 - Sony list price $299.99; winning bids on eBay $550-1,375. Supplies are extremely limited. CowboyNeal has been waiting for his for months.
    2. Beowulf parallel computing cluster; 3 nodes for $1,305.95. A build-your-own supercomputer: three bargain PCs with Ethernet cards ($415 each), one four-port network hub ($16), and one Building Linux Clusters book from O'Reilly and Associates ($44.95), which includes Red Hat Linux and cluster software on CD. Perfect for trolls who lack a single iota of creativity, or that guy you know who always wants to simulate weather patterns.
    3. Car MP3 player - empeg $1,199 (and it even runs Linux, if you're into that sort of thing).
    4. IC-R3 handheld wideband radio/TV receiver - Icom America $599. 500-kHz to 2.4-GHz spybox tunes in to everything but cell phones. Voyeurism isn't just for breakfast anymore.
    5. iPAQ H3600 Linux-compatible handheld - Compaq $499, but good luck finding one. Apparently there is quite the shortage.
    6. Nomad Jukebox - Creative Labs $499. Give this, instead of a CD player, to your loved one in the Napster T-shirt ...
    7. Matrix- and Blade Runner-styled trench coats - TrenchCo. $375-482.
    8. CD-RW drive, $150-350. No drive fits all machines, so verify compatibility before you buy. Many popular drives have to be back-ordered, but others are always in stock.
    9. Voodoo5 5500 AGP or PCI graphics card - 3dfx Interactive $299.99. Better graphics than PlayStation2, on your computer instead of your TV.
    10. Klein Bottle - Acme $25-250. Designed by astronomer-author Cliff Stoll.
    11. MindStorms - Lego MindStorms $50-200. Classic Lego building blocks, updated with motors and microchips.
    12. GlobalMap 100 GPS - Lowrance Electronics $199.95. I get lost in my backyard. I wonder if this thing has a map of my back yard.
    13. TiNi Pocket PowerPlier - SOG Specialty Knives and Tools $84.95. Just keep those fingers free of extra holes.
    14. Broadband Internet access $39-50 per month (plus installation charges). Check for availability in your area. Consider moving. I know I do almost every day.
    15. Interactive Yoda - Tiger $39.99. A Jedi craves not these things. But if he gets one for Christmas, that's different.
    16. Non-computer games - Looney Labs $5-35. Card games that modify their own rules, and board games for the brainy.
    17. EverQuest - Sony $29.95 (plus $9.89 monthly service fee). Addictive multiplayer game lets you collaborate with others on the Net. Suitable even for a 200-MHz PC with a 28K connection. And the graphics look like ass. But I have many friends who've lost countless productive hours all for the lucrative reward of being able to take a bear by yourself in a virtual world.
    18. Tech-book gift certificate - Fatbrain.com $10-25. Let her choose her own robot-building manual.
    19. Klein Bottle knit cap or Mobius ear band - Math Hatter $12-22.
    20. Penguin Caffeinated Peppermints - ifive brands $12 (four-pack). Essential fuel for all-night hacking: sugar and caffeine wrapped in a handy breath mint. I'll never forget the time Trae ate a whole tin at ALS and traveled forward through time.

  29. Geek Charities?

    Xmas · · posted by ryuzaki0 · from the what's-out-there dept. · 276 comments
    Space Rogue writes: "Now that the holiday season is here and tax season is just around the corner, I am looking for worthy charities to donate some money to. I am specifically looking for 'geek' related charities. I know about the EFF but are there other worthy organizations that could put a few dollars to good use? "

  30. EFF Makes Call For DMCA Help

    Yro · News · · posted by Hemos · from the doing-good-can-be-fun dept. · 315 comments
    I received a request for help from the EFF, who've made a call for examples of how the anticircumvention provision of the DMCA impacts the world of the ordinary fair user. I've included the full text from them below -- please add your comments with examples. The Electronic Frontier Foundation

    We are looking for diverse, real world examples of the ways in which the lives of ordinary fair users are strangled by the anticircumvention provision of the Digital Millennium Copyright Act (DMCA).

    According to Judge Kaplan's ruling in the New York DVD Case (where 2600 publisher Eric Corley was ordered to take down DeCSS and any links to DeCSS), the DMCA makes circumventing access controls wrong, regardless of the reason you are circumventing. If your circumvention intentions are grounded in fair use, good for you. Fair use continues to be constitutionally protected by the First Amendment, but making and providing circumvention tools and even circumventing to do legal fair use is no longer allowed, thanks to Section 1201 of the DMCA.

    Applying this rule to videos would mean that although recording David Letterman is constitutionally protected, the use of VCRs and Circuit City's "trafficking" in them are illegal.

    We at the EFF feel that following this path will essentially destroy fair use. We foresee countless scenarios where librarians can't create a copy of encrypted material to archive, even if the archiving itself is a lawful use; professors can't use excerpts of encrypted material in classrooms even though the excerpts are a form of protected expression; scholars can't write their own computer programs to analyze the full digitized versions of copyrighted works in all media; and music aficionados can't customize digital searches for thematic research. But what else?

    Surely there have got to be more examples, and we need to collect a short but powerful list of them. Tell us your most Draconian visions for a world where circumvention is always criminal even to get to the fair use that's not. Who would lose? And how?

    Points will be given for brevity, concreteness and the ability to have your grandmother easily grasp the problem. Demerits applied for overuse of technical jargon, long-winded diatribes and multiple, repetitive messages. The winning scenarios may be discussed in our legal briefs, and, if they're very good, maybe even relied upon in a landmark legal decision throwing the statute out as unconstitutional.

    Let's "open source" this problem.

    Thanks,
    EFF

  31. A Devil Of A BSDCon

    Bsd · Bsd · · posted by CmdrTaco · from the angels-and-daemons-inside-of-me dept. · 67 comments
    OSDNs favorite BSD zealot BSD-Pat Lynch was on the scene at the latest BSDCon, and took the time to send us in a report. Lots of links to stuff for you BSD folks to share and enjoy.

    Well I just got back from BSDCon, and spent some time catching up with old friends, new core team members, and cool new products. The highlight of the event was the reception and dinner at the Monterey Bay State Aquarium, which in my opinion is a must-see. All five BSDs were represented this year: MacOS X, BSD/OS, FreeBSD, NetBSD, and OpenBSD.

    There were some really neat talks at BSDCon, three tracks in all: general, security, and development. The highlights of the security talks were Bill Fumerola's talk on DoS attacks and the new ipfw which uses compiled rulesets for better performance, Robert Watson's TrustedBSD presentation, and Mark Murray's explanation of the /dev/urandom work he has done with FreeBSD using Yarrow. In the development track, Greg Lehey and Jason Evans presented a paper on FreeBSD 5.0-CURRENT's new SMP model.

    The exhibit hall itself was small, lending to a larger focus on technical issues, but there were several exhibitors that caught my eye. One was RelexUS, a company with its roots in Russia. They make a relational database called Linter which I found extremely easy to use (though commercial, it was very robust) It also bills Linux and FreeBSD among its native support list, as well as almost every other OS under the sun. It supports ODBC, stored procedures, transactions, asynchronous replication, and a host of other features. Also, the EFF were there, and I finally got around to joining.

    Thursday night we piled into a bus to head on over to the Monterey Bay State Aquarium for dinner, drinks, and dessert. We had to wear Daemon horns to get in and fun was had by all. The new core team wrapped up the conference on Friday afternoon, and everyone left and went into town, tired, hungry, but satisfied with this year's turnout.

    More pictures can be found at Greg Sutter and Jim Mock's pages. More coverage can be found on BSD Today.

  32. Music Owners' Listening Rights Act

    Yro · Music · · posted by jamie · from the spacetimeshift dept. · 132 comments
    slashdoter writes: "EFF has some info on a new bill before Congress. The Music Owners' Listening Rights Act of 2000 says that you can use the internet to move music as long as you own the CD. You can read the story at the EFF website." The 360-word bill would have cut the my.mp3.com lawsuit off at the knees, so naturally mp3.com likes it; if it passes, mp3.com might even discover its missing backbone. So check to see whether your Congressperson is on the House Judiciary Committee; if so, since that's where the bill is, your opinion can have some real leverage. Send email!

    slashdoter continues: "And on a side note, I just received my welcome letter from the EFF and was angered to find I was only member #11420. After 10 years that's all they have. Come on, as a student it only cost me $20(US). Words are nice but money speaks."

    On another side note: civil-rights-wise, it's ironic that this bill's author also introduced H.R. 1081, a silly thing that died in committee. A hate-crime law with stiff penalties for flag-bashing.

  33. Music Owners' Listening Rights Act

    Yro · Music · · posted by jamie · from the spacetimeshift dept. · 132 comments
    slashdoter writes: "EFF has some info on a new bill before Congress. The Music Owners' Listening Rights Act of 2000 says that you can use the internet to move music as long as you own the CD. You can read the story at the EFF website." The 360-word bill would have cut the my.mp3.com lawsuit off at the knees, so naturally mp3.com likes it; if it passes, mp3.com might even discover its missing backbone. So check to see whether your Congressperson is on the House Judiciary Committee; if so, since that's where the bill is, your opinion can have some real leverage. Send email!

    slashdoter continues: "And on a side note, I just received my welcome letter from the EFF and was angered to find I was only member #11420. After 10 years that's all they have. Come on, as a student it only cost me $20(US). Words are nice but money speaks."

    On another side note: civil-rights-wise, it's ironic that this bill's author also introduced H.R. 1081, a silly thing that died in committee. A hate-crime law with stiff penalties for flag-bashing.

  34. Music Owners' Listening Rights Act

    Yro · Music · · posted by jamie · from the spacetimeshift dept. · 132 comments
    slashdoter writes: "EFF has some info on a new bill before Congress. The Music Owners' Listening Rights Act of 2000 says that you can use the internet to move music as long as you own the CD. You can read the story at the EFF website." The 360-word bill would have cut the my.mp3.com lawsuit off at the knees, so naturally mp3.com likes it; if it passes, mp3.com might even discover its missing backbone. So check to see whether your Congressperson is on the House Judiciary Committee; if so, since that's where the bill is, your opinion can have some real leverage. Send email!

    slashdoter continues: "And on a side note, I just received my welcome letter from the EFF and was angered to find I was only member #11420. After 10 years that's all they have. Come on, as a student it only cost me $20(US). Words are nice but money speaks."

    On another side note: civil-rights-wise, it's ironic that this bill's author also introduced H.R. 1081, a silly thing that died in committee. A hate-crime law with stiff penalties for flag-bashing.

  35. Your Holiday Present Wish List

    Xmas · · posted by ryuzaki0 · from the submit-a-link-get-your-name-in-lights dept. · 548 comments
    Paul Boutin from Wired approached me to help them do a Holiday Present list for last-minute shoppers ... but I'm lazy, so I figured I'd ask you guys to help (in exchange for your services, the $750 writers fee will be donated to the EFF to help make sure that the net is still free next Thursday). Anyway, this is part one: The Call For Recommendations. Read on to see what we're looking for. Part 2 will come in December, and it will run both on Slashdot and in the print version of Wired, in time for your last-minute shopping. (Yeah, that's months away, but print moves a little slower then us ;) ) We're looking for suggestions in 3 different price tiers.
    • Cheaper Then a Playstation 2 ($300 or less)
    • Cheaper Then a Playstation 2's rumored eBay sale value ($301-$1500)
    • Unlimited (Mommy, can I have a stealth bomber for Christmas?)

    The suggestions posted in this discussion will be milked for ideas for creating "The List". If you post an idea, you run the risk of seeing your name show up in Wired and Slashdot (Santa reads at least one of them right?) and helping distribute Christmas (or fill-in-the-blank with whatever excuse for presents you can come up with in december... Merry Yaksmas! ) cheer to good little boys and girls.

    Try to include a URL to a site where more information can be found on your Present Proposal. And try to include helpful information like price, and just why this is a good present idea.

    And we'll pick this up in December.

  36. Return Address: Arrogance, MS

    Microsoft · · posted by ryuzaki0 · from the would-you-like-to-buy-this-proprietary-doorknob? dept. · 251 comments
    Chris DiBona, a man of many titles (Linux Community Evangelist, VA Linux Systems; President, Silicon Valley Linux Users Group; Grant Chair, Linux International) passed to us this reminder that for all the (occasionally legitimate) claims of standards compliance out of Redmond, subtly breaking standards in the name of "improvement" can be far worse than more blatant attempts. Hint: supplanting ASCII is a bad idea. (More below.)

    Chris writes: " So here's an interesting feature from our friends at MicroSoft. They've decided that Outlook 2000 users by default really don't want to communicate with the rest of the world, preferring to communicate only with other OL2000 users.

    Now, while I don't have any problem with people extending the content of an e-mail with attachments, i.e. sending html-ized version and v.cards, it seems downright stupid to make the default behavior of ol2000 to send it's e-mail only in MS's proprietary TNEF format.

    Now, It's clear that they've had some support calls on this, as proven by this KB Entry. So that means that they caught some flak for it. But they haven't changed it.

    Fun Quotes from the KB entry:

    • In addition to the receiving client, it is not uncommon for a mail server to strip out TNEF information from mail messages as it delivers them. If a server option to remove TNEF is turned on, clients will always receive a plain text version of the message. Microsoft Exchange Server is an example of a mail server application that has the option to remove TNEF from messages.

    This means in essence that unless you are using a 'TNEF Aware' server -- like, say, hmm, MS Exchange -- you may not be able to read your mail. I may be reading a bit much into this paragraph, but it seems to me that this paragraph says 'if your friends can't get your email, it's their servers fault, not yours.'

    And to take this the further, go join the EFF if you haven't already, step, suppose somone were to circumvent the protections on the TNEF format and write a program that could understand it, would you be liable under the DMCA section on anti-circumvention? Admittedly, I'd be surprised if MS took this route, but it's worth considering every single time you think about decoding proprietary formats. Does this mean strings is now a circumvention tool?

    Anyhow, if there are any microsofties out there, do the right thing and cut down your support costs by making ascii the ol2000 default transmission behavior for text. And for anyone using Outlook 2000, you should switch to a program that your friends can actually recieve email from. Or at least shut off that option."

  37. Set Digital Music Free

    Yro · Music · · posted by michael · from the speech,-not-beer dept. · 235 comments
    The latest issue of EFF's newsletter covers the HackSDMI challenge. Probably not surprisingly, they're urging the same thing as Don Marti, who Salon interviewed.Update: 09/19 3:33 PM by michael : The RIAA, EFF, and 2600.com debated SDMI on Pacifica radio today.

  38. DMCA Study Reply Comments Posted

    Yro · News · · posted by Hemos · from the read-'em-and-weep dept. · 176 comments
    richardbowers writes "The Library of Congress has posted the replies it received to comments collected about DMCA enforcement. Kudos go to several individuals who submitted comments, people who have also been strong contributors to the OpenLaw discussions on these topics. Big business is also represented. If you have missed the last fifteen Slashdot stories on the aim of big business to take away ownership and replace it with rental, you can see it again here. Since the reply period is now closed, you will need to take up your disgust with your Senator or Representatives, or just give something to the EFF to help them defray the costs of the inevitable and continuing lawsuits."

  39. Ask The DeCSS Legal Team

    News · News · · posted by michael · from the pro-bono dept. · 283 comments
    Martin Garbus and Robin Gross are the attorneys defending Emmanuel Goldstein and 2600.com in the DeCSS case that just had its first decision. Ask them whatever you'd like about the case - we'll do the usual, forward highly-moderated questions and get their answers back to you ASAP. Note that standard, boring questions like, "Where do you go from here? Will you appeal?" are going to be asked and answered in other news stories, probably many times over. This is an opportunity to ask those questions that won't be asked in other news stories.

  40. NY DeCSS Case: Final Briefs Online

    Yro · Court · · posted by Hemos · from the reading-on-the-john dept. · 157 comments
    Iambic Pentametor writes "Defendants' brief is here and plaintiffs' is here. Openlaw has very comprehensive coverage including an ongoing discussion commenting on the briefs. The decision by Judge Kaplan is expected probably within a week."

  41. Civil Disobedience and DeCSS

    Yro · News · · posted by michael · from the forlorn-hope dept. · 480 comments
    The DVD trial has been underway in New York City since last Monday, testing the Digital Millennium Copyright Act, and it's expected to run through Wednesday or Thursday this week. It's not looking good for the forces of light. See below for more reading material than you could possibly take in.

    The EFF has put out a series of Updates covering the case day-by-day as it progresses. The most recent one or two aren't on the website yet, but should be soon.

    2600 is keeping a complete archive of case-related documents, including transcripts. The transcripts are serious time-killers - it takes a long time to read 7 hours of testimony. But if you've got some time on your hands, they make good reading. Nothing beats first-generation source materials.

    The New York Times has a nice summary in their Cyber Law section. Concentrates on the surprise testimony of Jon Johansen on Thursday, but touches on other issues as well.

    The people at Harvard's Openlaw project have been scrutinizing the trial as it unfolds. They've collected a bunch of links to press coverage of the trial, and it's frankly pretty interesting to see the substantial differences between publications - almost as if they were watching different trials, one about the freedom to view DVD's as you choose, and a completely different trial about pirates, freebooters, and buccaneers. Their DVD-discuss mailing list often has insightful commentary.

    So now that you've had a chance to read up on the trial, let's cut to the chase: the defendants are going to lose. (Note that the decision in the case may not come for a few weeks yet.) No doubt Monday-morning quarterbacks are already primed for action, and the MPAA's PR people have already prepared their after-action press releases calling 2600 a bunch of pirates, thieves, and baby-stealers. Some people will claim it was due to Judge Kaplan's evident bias (which has now degenerated into the lawyerly equivalent of a flame-war between the defense lead attorney Martin Garbus and the Judge); some will point out that any judge could have interpreted the statute as rigidly as Kaplan, with or without bias. Regardless of who wins, the case will be appealed, so this matter will be finally settled in the Court of Appeals or perhaps even the Supreme Court.

    In the meantime, I'm going to take the liberty of reposting an email from John Perry Barlow. I don't think he'll mind.

    Dave,

    Thanks for the LA Times link. I like best the delicious irony of the following:

    "This is a very profound moment historically," Time Warner President Richard Parsons says. "This isn't just about a bunch of kids stealing music. It's about an assault on everything that constitutes the cultural expression of our society. If we fail to protect and preserve our intellectual property system, the culture will atrophy. And corporations won't be the only ones hurt. Artists will have no incentive to create. Worst-case scenario: The country will end up in a sort of cultural Dark Ages."

    A profound moment, indeed. Indeed, it is an assault on everything that has stifled the cultural expression of our society. It's an assault on the system that stole every dime The Chambers Brothers ever made while grotesquely enriching Brittany Spears.

    There is certainly the potential for a cultural Dark Age here, by which I don't simply mean what would follow the death of Time-Warner. Rather, I refer to the very real possibility that Time-Warner and the rest of its loathsome kind will die with most of the expressive genius of the 20th Century buried with them, embedded in their corpses by their last success: using copyright to prevent the digitization and, hence, perpetuation of all that creation.

    Only massive civil disobedience will prevent this ugly future. Speaking as someone who has created a lot of "intellectual property," I can assure you that my primary incentive was the possibility that what passed through my heart would be heard. I want it to be available to my great grandchildren. But they will never hear it unless it's stored in some other medium than the material objects the record industry manufactured, all of which will be as mute as stones by then.

    Of course, I wanted to be paid for it, and I was. Just as Mozart, Beethoven, Bach, and countless others were paid, despite the absence of copyright protection.

    The only people who are likely to lose the lesser incentive of wealth will be the likes of Richard Parsons. His loss will be our gain. Unless, of course, he wins.

    Mad as hell,

    Barlow

  42. Civil Disobedience and DeCSS

    Yro · News · · posted by michael · from the forlorn-hope dept. · 480 comments
    The DVD trial has been underway in New York City since last Monday, testing the Digital Millennium Copyright Act, and it's expected to run through Wednesday or Thursday this week. It's not looking good for the forces of light. See below for more reading material than you could possibly take in.

    The EFF has put out a series of Updates covering the case day-by-day as it progresses. The most recent one or two aren't on the website yet, but should be soon.

    2600 is keeping a complete archive of case-related documents, including transcripts. The transcripts are serious time-killers - it takes a long time to read 7 hours of testimony. But if you've got some time on your hands, they make good reading. Nothing beats first-generation source materials.

    The New York Times has a nice summary in their Cyber Law section. Concentrates on the surprise testimony of Jon Johansen on Thursday, but touches on other issues as well.

    The people at Harvard's Openlaw project have been scrutinizing the trial as it unfolds. They've collected a bunch of links to press coverage of the trial, and it's frankly pretty interesting to see the substantial differences between publications - almost as if they were watching different trials, one about the freedom to view DVD's as you choose, and a completely different trial about pirates, freebooters, and buccaneers. Their DVD-discuss mailing list often has insightful commentary.

    So now that you've had a chance to read up on the trial, let's cut to the chase: the defendants are going to lose. (Note that the decision in the case may not come for a few weeks yet.) No doubt Monday-morning quarterbacks are already primed for action, and the MPAA's PR people have already prepared their after-action press releases calling 2600 a bunch of pirates, thieves, and baby-stealers. Some people will claim it was due to Judge Kaplan's evident bias (which has now degenerated into the lawyerly equivalent of a flame-war between the defense lead attorney Martin Garbus and the Judge); some will point out that any judge could have interpreted the statute as rigidly as Kaplan, with or without bias. Regardless of who wins, the case will be appealed, so this matter will be finally settled in the Court of Appeals or perhaps even the Supreme Court.

    In the meantime, I'm going to take the liberty of reposting an email from John Perry Barlow. I don't think he'll mind.

    Dave,

    Thanks for the LA Times link. I like best the delicious irony of the following:

    "This is a very profound moment historically," Time Warner President Richard Parsons says. "This isn't just about a bunch of kids stealing music. It's about an assault on everything that constitutes the cultural expression of our society. If we fail to protect and preserve our intellectual property system, the culture will atrophy. And corporations won't be the only ones hurt. Artists will have no incentive to create. Worst-case scenario: The country will end up in a sort of cultural Dark Ages."

    A profound moment, indeed. Indeed, it is an assault on everything that has stifled the cultural expression of our society. It's an assault on the system that stole every dime The Chambers Brothers ever made while grotesquely enriching Brittany Spears.

    There is certainly the potential for a cultural Dark Age here, by which I don't simply mean what would follow the death of Time-Warner. Rather, I refer to the very real possibility that Time-Warner and the rest of its loathsome kind will die with most of the expressive genius of the 20th Century buried with them, embedded in their corpses by their last success: using copyright to prevent the digitization and, hence, perpetuation of all that creation.

    Only massive civil disobedience will prevent this ugly future. Speaking as someone who has created a lot of "intellectual property," I can assure you that my primary incentive was the possibility that what passed through my heart would be heard. I want it to be available to my great grandchildren. But they will never hear it unless it's stored in some other medium than the material objects the record industry manufactured, all of which will be as mute as stones by then.

    Of course, I wanted to be paid for it, and I was. Just as Mozart, Beethoven, Bach, and countless others were paid, despite the absence of copyright protection.

    The only people who are likely to lose the lesser incentive of wealth will be the likes of Richard Parsons. His loss will be our gain. Unless, of course, he wins.

    Mad as hell,

    Barlow

  43. Civil Disobedience and DeCSS

    Yro · News · · posted by michael · from the forlorn-hope dept. · 480 comments
    The DVD trial has been underway in New York City since last Monday, testing the Digital Millennium Copyright Act, and it's expected to run through Wednesday or Thursday this week. It's not looking good for the forces of light. See below for more reading material than you could possibly take in.

    The EFF has put out a series of Updates covering the case day-by-day as it progresses. The most recent one or two aren't on the website yet, but should be soon.

    2600 is keeping a complete archive of case-related documents, including transcripts. The transcripts are serious time-killers - it takes a long time to read 7 hours of testimony. But if you've got some time on your hands, they make good reading. Nothing beats first-generation source materials.

    The New York Times has a nice summary in their Cyber Law section. Concentrates on the surprise testimony of Jon Johansen on Thursday, but touches on other issues as well.

    The people at Harvard's Openlaw project have been scrutinizing the trial as it unfolds. They've collected a bunch of links to press coverage of the trial, and it's frankly pretty interesting to see the substantial differences between publications - almost as if they were watching different trials, one about the freedom to view DVD's as you choose, and a completely different trial about pirates, freebooters, and buccaneers. Their DVD-discuss mailing list often has insightful commentary.

    So now that you've had a chance to read up on the trial, let's cut to the chase: the defendants are going to lose. (Note that the decision in the case may not come for a few weeks yet.) No doubt Monday-morning quarterbacks are already primed for action, and the MPAA's PR people have already prepared their after-action press releases calling 2600 a bunch of pirates, thieves, and baby-stealers. Some people will claim it was due to Judge Kaplan's evident bias (which has now degenerated into the lawyerly equivalent of a flame-war between the defense lead attorney Martin Garbus and the Judge); some will point out that any judge could have interpreted the statute as rigidly as Kaplan, with or without bias. Regardless of who wins, the case will be appealed, so this matter will be finally settled in the Court of Appeals or perhaps even the Supreme Court.

    In the meantime, I'm going to take the liberty of reposting an email from John Perry Barlow. I don't think he'll mind.

    Dave,

    Thanks for the LA Times link. I like best the delicious irony of the following:

    "This is a very profound moment historically," Time Warner President Richard Parsons says. "This isn't just about a bunch of kids stealing music. It's about an assault on everything that constitutes the cultural expression of our society. If we fail to protect and preserve our intellectual property system, the culture will atrophy. And corporations won't be the only ones hurt. Artists will have no incentive to create. Worst-case scenario: The country will end up in a sort of cultural Dark Ages."

    A profound moment, indeed. Indeed, it is an assault on everything that has stifled the cultural expression of our society. It's an assault on the system that stole every dime The Chambers Brothers ever made while grotesquely enriching Brittany Spears.

    There is certainly the potential for a cultural Dark Age here, by which I don't simply mean what would follow the death of Time-Warner. Rather, I refer to the very real possibility that Time-Warner and the rest of its loathsome kind will die with most of the expressive genius of the 20th Century buried with them, embedded in their corpses by their last success: using copyright to prevent the digitization and, hence, perpetuation of all that creation.

    Only massive civil disobedience will prevent this ugly future. Speaking as someone who has created a lot of "intellectual property," I can assure you that my primary incentive was the possibility that what passed through my heart would be heard. I want it to be available to my great grandchildren. But they will never hear it unless it's stored in some other medium than the material objects the record industry manufactured, all of which will be as mute as stones by then.

    Of course, I wanted to be paid for it, and I was. Just as Mozart, Beethoven, Bach, and countless others were paid, despite the absence of copyright protection.

    The only people who are likely to lose the lesser incentive of wealth will be the likes of Richard Parsons. His loss will be our gain. Unless, of course, he wins.

    Mad as hell,

    Barlow

  44. Artificial Intelligence At The COPA, COPA Commission

    Yro · Censorship · · posted by jamie · from the and-then-the-punches-flew dept. · 205 comments
    There's a boatload of censorware news today, enough for two or three Slashdot stories -- but to conserve electrons, we're bringing it to you all in one easy-to-download package. First, Peacefire has a report on the accuracy of intelligent skin-tone-scanning software, one month after its company said they'd have it working in a month. And since the CEO of ClickSafe spoke at the COPA Commission meeting yesterday, Peacefire ran a check to see how many COPA-related sites its AI blocks. Finally, Waldo Jaquith has a report from the meeting itself which should be sobering but cracked me up anyway. Pay attention, everyone, these are the folks who are going to censor your Internet.

    The Child Online Protection Act, passed late last year and then struck down early this year, is still under appeal. Colloquially it's known as "CDAII." Part of what the Act does is establish a Commission that meets every so often -- the Commission's website has details on its mandate and so on.

    (Update, a few minutes later: make that "injunctified," or whatever one says for a law against which an injunction has been applied, instead of "struck down." Sorry; IANAL.)

    Speaking at the Commission meeting yesterday and today were the CEOs of several major censorware companies. Among them was Michael Stephani, whose company Exotrope makes a product called BAIR.

    BAIR

    BAIR checks images as they download onto your computer, and claims to be able to tell the difference between pornography and other types of images. The "AI" in its acronym stands for artificial intelligence, running on supercomputers.

    When the Wired story on BAIR came out last month (a story "borrowed" from Peacefire -- I'm not going to get into it), Wired quoted the company as saying "they plan to fix the errors within the next month." What errors?

    "BAIR incorrectly blocked photographs of Yellowstone, the Baltimore waterfront, Snoopy, boats, sunsets, dogs, vegetables and even a Wired News staff meeting.

    "It rated as acceptable for minors -- even on the most restrictive setting -- explicit images of oral sex, anal sex, group sex, masturbation, and ejaculation."

    That was one month ago. How's BAIR doing now?

    Peacefire retested the same 50 pornographic images that they'd used last month (which presumably BAIR's programmers would have paid extra-special attention to). Their new report finds that, instead of zero, the number of blocked images is now: 34. I've got a great slogan for them: "now your children can only see 32% of the web's oral sex, anal sex, group sex, masturbation, and ejaculation."

    One's respect for these programmers is dampened a little, though, because there's more to Peacefire's report. It seems, in a random sample of 50 photos of people's faces, BAIR blocked ... how many? ... 34.

    Maybe that slogan should be: "now your children can only see 32% of the web," period.

    It's wonderful to live in a world where artificial intelligence offers limitless possibilities. Its website suggests that "Because Artificial Intelligence can be taught to recognize a variety of patterns," -- oh, OK -- "our BAIR can be taught to evaluate other categories such as violence or illegal activities. The BAIR is currently undergoing training in these areas to provide additional filtration selections."

    ClickSafe

    Richard Schwartz, CEO of ClickSafe, also spoke yesterday at the COPA Commission meeting. Just for kicks, Peacefire decided to try out their spiffy AI software too.

    Insert marketblurb here: "...by combining cutting-edge graphic, word and phrase-recognition technology, ClickSafe has achieved accuracy rates of over 99% (according to recent sample tests). ClickSafe can precisely distinguish between appropriate and inappropriate sites (e.g. sites related to issues such as breast cancer will not be blocked)."

    What Peacefire did was test this software against the website of the COPA Commission itself, and related sites such as those of speakers or Commission members. They found that blocked pages included:

    and so on.

    When I spoke with Bennett about this, he commented that the strange thing was that these flaws are so easy to find; you'd think someone would have run these simple tests already. If anyone reading wants to get their name in Slashdot (and other news media too), censorware is a gold mine of untested misinformation. Buy a product, design a solid unbiased test for it, run the test, and send us what you find. Repeat until the whole world has a clue.

    The COPA Commission Meeting

    The following is an account of yesterday's COPA Commission meeting, by Waldo Jaquith. Keep in mind that this meeting's purpose, according to the Scope & Timeline Proposal which is blocked by ClickSafe, is to study filtering and blocking software to learn what to recommend in its report to Congress late this year.

    Folks,

    For more information on the COPA Commission, see http://www.copacommission.org/. (Unless your network has ClickSafe installed, in which case you shouldn't bother.) There is an agenda for this meeting, and there are bios for most people, as well as the prepared speeches for many of the below folks. I've tried to be objective.

    Oh, screw that. There's nothing objective about it. But I've tried to give useful facts, quote accurately, etc.

    The whole affair, which was scheduled to start at 9:30am, didn't actually start until 10:15am. Which was good, because I didn't get there until 9:45. Although the event was being held at the University of Richmond's Jepson Alumni Center, the room felt like your basic hotel meeting room. Bad carpet, ugly chairs, poor lighting. There were enough chairs to seat about 100 people, but only 35 people were in attendance. Directly in front of the two columns of chairs was a table with chairs, facing away from the audience. This table was for people asked to testify before the COPA Commission. On the other side of that table was a long table, at which was seated the commission, all sixteen members. The result was that the people testifying, who did most of the talking, could only be recognized by the backs of their heads by the audience.

    Chairman Donald Telage called the meeting to order and introduced the first panel, who was to speak for approximately 45 minutes on the topic of client-side filters. This panel included Gordon Ross, the President and CEO of Net Nanny, Mark Smith, the President of BrowseSafe, Susan Getgood, the VP and General Manager of Cyber Patrol, and Richard Schwartz, the CEO of Opportunity-America (ClickSafe.com).

    Gordon Ross kicked things off with a tremendously boring ten minute speech about how client-side filters work. The only interesting comment that he made was his belief that "consumers should have the ability to analyze each and every site in the database..." [...because his product Net Nanny is the only one of the 150 censorware packages on the market that allows oversight of its blacklist. -ed] He also kicked off the First Amendment references, which nearly every speaker throughout the day would spend some time talking about, but not really saying very much.

    Mark Smith from BrowseSafe occupied the next few minutes, giving a rambling speech in which he discussed censorware as if it were some far-off and idyllic concept.

    "Most products focus on either client-side- or server-side-based technology. What would happen if the benefits of each could be brought together to provide the user with a new, more flexible and powerful way of surfing the web? What if every sub domain of every site had been categorized and classified by its content? Wouldn't you agree that everyone could benefit from that combination of technology? Of course you would? Now let's walk across the street to the front porch of the family of the home and try to view it from the parent's perspective. What if parents were able to determine what the child sees? What would it be like if e-mail, instant messaging, chat and other computer tools could be also controlled?"

    Then, although the topic was client-side filters, he rambled on for several minutes about PlanetGood, a website that was probably unfamiliar to many in the room. He used the site's name in every single sentence for several minutes. And, naturally, he closed talking about "our forefathers" and "these inalienable rights that our forefathers entrusted to us and many of them died for."

    Susan Getgood from Cyber Patrol kept things short and sweet, and took the "I'm a new mother and want to protect my children" approach. She muddled the definition of censorship somewhat, saying that "[s]ome critics confuse censorship, which is imposed by the government, with technology that a family or school can choose to use and then set to implement an individual policy." Our school system isn't a part of the government?

    Richard Schwartz of ClickSafe.com touted his product nearly as much as Mark Smith promoted the mysterious "PlanetGood." He also described a system that his company has developed that sounds very much like Exotrope's BAIR. "Fleshtone has a very unique set of features [...] Through a combination?of a set of sophisticated algorithms it can establish if something is pornographic. [...] Justice Potter Stewart lives within our system, because he knows it when he sees it. It works, it's been tested out, it's over 99% effective." "We can distinguish between chicken breast and sexy breast." "A consortium of Portuguese and Australian pornographers had been hijacking people off of different sites, including the Harvard Law Review site into their pornographic sites. And then you have to reboot your computer in order to get out."

    After the four had testified, we moved into the commission Q&A session. (No questions would be allowed from the audience.) A few interesting questions, answers, and comments cropped up during this portion.

    Richard Schwartz, only half kidding, proposed a tax on Internet pornography.

    Commissioner Gregory L. Rohde asked Richard Schwartz if his image filter could tell the difference between art and pornography. Astoundingly, Schwartz replied that it could.

    Commissioner Jerry Berman asked if there were any plans to create an organization that could provide objective reviews of censorware products to help parents decide what to buy. Gordon Ross said that this had been tried a few years back with SIFT (?), and that it didn't work out.

    After a short break, we began the second panel, which addressed server side filtering. Testifying was Kevin Fink, N2H2's CTO; Sunil Paul, Chairman of Brightmail; Stephen Boyles of Library Guardian (Swifteye); Michael Stephani, President and CEO of Exotrope; Ginny Wydler, Director of Standards and Policy at AOL; and Tim Robertson, CEO of FamilyClick.

    The first person to say anything interesting was Michael Stephani, who made some fairly interesting claims. He said that their blacklist of sites included four million sites, and that their image-recognition software, BAIR, is 99.8% percent effective. Stephani bragged that it blocked 1 out of 6 general images and 96 out of 100 pornographic images. He pointed out (perhaps rightly) that image filtering is the only real way to filter out pornography, and also that client-side filtering would so go the way of the dodo, given the proliferation of Internet appliances. It wasn't long before he got all 'God bless America' and 'think of the children,' and eyeballs could be heard rolling throughout the room.

    As Commissioners asked questions of the panel, Chairman Donald Telage admitted that he wasn't aware that client-side filters were able to use a blacklist. He was under the impression that they could only filter. I had flashbacks from the Napster hearings last week ("Can't you track their intellectual property address?")

    Out of the blue, Karen Talbert asked the panel for a show of hands regarding their respective products' ability to work with high-speed connections. Obviously, everybody's hands went up.

    How do these people get on the commission?

    When given half a chance, Stephani got all "think of the children, my god, won't somebody think of the children?" again. He also bragged that Exotrope has a new, not-yet-released product that filters IM [AOL Instant Messaging -ed.] and even detects innuendo. Stephani said that they just got a contract to install this program on 30,000 school servers. Continuing his spectacular Old Faithful of shit, he cheerfully envisioned a time in the future when there would be "photonic switches" that would maintain a complete blueprint of everything that every user had ever done on-line. Christ, that's frightening. Stephani said that they'd spent $6.5MUS developing BAIR, and went on to point out the coincidence that Peacefire released the report showing that BAIR was 0% effective on the same day that their servers went down. Perhaps he was implying that Peacefire members hacked the server, perhaps that we were taking advantage of them, or perhaps he was just laughing at the circumstances.

    There was no promised audience Q&A. That's probably because the whole event ran well over when it was supposed to end. Lacking a better approach, I rushed up to the ebullient Stephani with a copy of the newest BAIR report in hand. Although he was already talking to a reporter, he stopped when he saw my nametag ("Waldo L. Jaquith, Peacefire") and looked a little surprised. He, as well as his sidekick PR guy, enthusiastically introduced themselves. We talked for a few minutes, during which time I said that BAIR appears to suck less than many other censorware programs. But I was still fundamentally opposed to all of them. Between this and the revised report, Stephani was my new best friend. Several other people came forward to read nametags and shake hands, but I continued to talk to Stephani and the reporter, Drew Clark from Technology Daily.

    Ten minutes later, when I walked out, I felt a little baffled. Stephani behaved towards me as if Peacefire had just given him the most glowing review that BAIR had ever gotten. This, despite my repeatedly pointing out that Peacefire is fundamentally opposed to filters, always will be, and BAIR is simply rather effective at performing the task that we hate.

    I was disappointed that a few major points were never brought up during the discussions:

    • Server-side censorware (especially that which is housed with each website) will always be a severe privacy violation, because it needs data on the user in order to establish what information to provide.
    • Client-side censorware is doomed to fail because children know more about computers than their parents. The parent has to trust that little Suzy won't uninstall Cyber Patrol. But if Suzy can be trusted, why bother with Cyber Patrol?
    • Internet censorship is impossible. The Internet is so large that it's a waste of time, so let's all stop. Gated community models, like AOL, Compuserve and such, are a far better way to provide a "safe" experience for kids.
    • The concerns about children's wellbeing presented during the meeting mirror those that parents, since the beginning of time, have always had for their children. How can I keep my child safe when I'm not watching him? How do I know what my child is doing if I'm not around? How do I keep my children from hearing / seeing / saying bad things? Censorware makes no more sense than installing a v-chip in little Suzy's head. Get over it.

    In a nutshell, I'm not sure what, if anything, was established at this meeting. It's clear that most of the Commissioners knew every little to start off with, and their opinions are being formed on what amounts to a series of sales pitch sprinkled with god-and-country references, a la mega blowout carpet sales around Independence Day. I'm glad COPA was struck down. Let's get on with our lives.

    Best,
    Waldo

  45. Judge Conflicted Interest in MPAA/2600 DeCSS Case?

    Tech · Technology · · posted by CmdrTaco · from the try-saying-that-five-times-fast dept. · 174 comments
    vm writes "It turns out that Judge Lewis Kaplan used to advise Time Warner on DVD issues in the past. He also has past issues with one of the attorneys on 2600 Magazine's legal team; Martin Garbus. The New York Linux Users Group is holding a protest outside the federal court house this morning in support of Goldstein and crew. For more details, see this EFF DVD update or the NYLUG website."

  46. Just Say No To Reading About Drugs

    Yro · Censorship · · posted by michael · from the RU-486 dept. · 618 comments
    We keep getting submissions about bills in Congress to ban the distribution of any information on how to manufacture illegal drugs. The story of this is kind of humorous. The bill was having trouble on its own, so it's been grafted onto a bill called the "Bankruptcy Reform Act of 2000" -- this bill goes on for 50 pages about modifications to bankruptcy laws (to make it harder for consumers to declare bankruptcy, naturally), then suddenly has a whole section on illegal drugs, then goes back to bankruptcy. It's the censorship law that won't die. Even more disturbing, a tiny little rider in the bill alters the general requirements for search warrants so that you need never be informed of a search -- notification can be delayed indefinitely, which is a fundamental violation of the Fourth Amendment. In any case, it's in real danger of passing, so it's something you ought to pay attention to. We've done some grafting ourselves of some of the submissions related to this ...

    First, as always, you can read the bills yourself by going to Thomas. Key in "methamphetamine" or "bankruptcy." Here's a direct link to the Bankruptcy Reform Act, and there's a link to HR 2987 in a submission below. Places like DRCNet aren't too happy about the bill, but neither are civil liberties groups -- the EFF has a nice overview of the whole situation in their last newsletter as well.

    Vince Beiser writes: "New story from MotherJones.com: Speed Limit: A bill banning Internet sites that publish or even link to drug-making information looks set to sail through Congress -- to the dismay of free-speech advocates. Read the story." Mother Jones has also recently published an update to this story. If you only read one link off this story, it should be this one.

    wrenling writes: "Right now HR 2987 is before the House Judiciary Committee. The bill is marked as an anti-methamphetamine proliferation bill. Without getting into discussions of whether or not drugs should be legal, attention needs to be drawn to the rider that is attached to the bill which according to the ACLU would allow the following:

    Free Speech is at Risk. H.R. 2987 would also allow the government to order Web sites censored and shut down without any due process of law and without any notice given to the website's owner. One provision of the bill would allow agencies like the FBI to make judgment calls on the intent of online statements regarding drug use -- a power usually reserved for the courts. Internet service providers would then be ordered by law enforcement to take down any of these statements within 48 hours -- without notifying the Web site owner -- or be considered in violation of the law.

    It's not only things like DMCA we have to watch out for, but for little riders on other legislation that, if enacted, could be used to further grant the United States government censorship powers."

    Eric the .5b writes "Do we geeks really care, and do we geeks really matter?

    The Methamphetamine Anti-Proliferation Act, described here and here, is still in committee in the House as we speak. A similar bill sailed through the Senate last year, and if this goes through, the two should be very easy to reconcile into a final version and get made into law.

    • This bill,
    • HR 2987, would:
    • Allow police to search your home or business without so much as notifying you that you are under investigation or that such searches have taken place for as long as six months,
    • Allow investigators to make copies of your documents and computer files without ever notifying you,
    • And make it illegal to distribute information about how to make any controlled substance, to merely link to Web pages giving information on that or drug paraphenalia, or to even just describe how to find such information.

    If we want to do something about this, we have an excellent opportunity. Both the Committee on Commerce and the Committee on the Judiciary (members listed here) are working on this legislative abomination. If you see your House representative (if you don't know your representative, like most of us, use the look-up) on either of these lists, contact him or her. E-mail or snailmail them if you like, but faxes and phonecalls will probably make the best impression. Be polite and very nonthreatening, but make it clear that you vote, and that you don't like this bill. Be sure to mention the title and number (The Methamphetamine Anti-Proliferation Act and HR 2987). Even if you don't see your representative on the lists, it couldn't hurt to bug the chairpersons of the committees. Lastly, pass this info around to anyone you know who might care. The more displeasure the representatives hear, the less attractive doing anything but killing this bill will be."

  47. Just Say No To Reading About Drugs

    Yro · Censorship · · posted by michael · from the RU-486 dept. · 618 comments
    We keep getting submissions about bills in Congress to ban the distribution of any information on how to manufacture illegal drugs. The story of this is kind of humorous. The bill was having trouble on its own, so it's been grafted onto a bill called the "Bankruptcy Reform Act of 2000" -- this bill goes on for 50 pages about modifications to bankruptcy laws (to make it harder for consumers to declare bankruptcy, naturally), then suddenly has a whole section on illegal drugs, then goes back to bankruptcy. It's the censorship law that won't die. Even more disturbing, a tiny little rider in the bill alters the general requirements for search warrants so that you need never be informed of a search -- notification can be delayed indefinitely, which is a fundamental violation of the Fourth Amendment. In any case, it's in real danger of passing, so it's something you ought to pay attention to. We've done some grafting ourselves of some of the submissions related to this ...

    First, as always, you can read the bills yourself by going to Thomas. Key in "methamphetamine" or "bankruptcy." Here's a direct link to the Bankruptcy Reform Act, and there's a link to HR 2987 in a submission below. Places like DRCNet aren't too happy about the bill, but neither are civil liberties groups -- the EFF has a nice overview of the whole situation in their last newsletter as well.

    Vince Beiser writes: "New story from MotherJones.com: Speed Limit: A bill banning Internet sites that publish or even link to drug-making information looks set to sail through Congress -- to the dismay of free-speech advocates. Read the story." Mother Jones has also recently published an update to this story. If you only read one link off this story, it should be this one.

    wrenling writes: "Right now HR 2987 is before the House Judiciary Committee. The bill is marked as an anti-methamphetamine proliferation bill. Without getting into discussions of whether or not drugs should be legal, attention needs to be drawn to the rider that is attached to the bill which according to the ACLU would allow the following:

    Free Speech is at Risk. H.R. 2987 would also allow the government to order Web sites censored and shut down without any due process of law and without any notice given to the website's owner. One provision of the bill would allow agencies like the FBI to make judgment calls on the intent of online statements regarding drug use -- a power usually reserved for the courts. Internet service providers would then be ordered by law enforcement to take down any of these statements within 48 hours -- without notifying the Web site owner -- or be considered in violation of the law.

    It's not only things like DMCA we have to watch out for, but for little riders on other legislation that, if enacted, could be used to further grant the United States government censorship powers."

    Eric the .5b writes "Do we geeks really care, and do we geeks really matter?

    The Methamphetamine Anti-Proliferation Act, described here and here, is still in committee in the House as we speak. A similar bill sailed through the Senate last year, and if this goes through, the two should be very easy to reconcile into a final version and get made into law.

    • This bill,
    • HR 2987, would:
    • Allow police to search your home or business without so much as notifying you that you are under investigation or that such searches have taken place for as long as six months,
    • Allow investigators to make copies of your documents and computer files without ever notifying you,
    • And make it illegal to distribute information about how to make any controlled substance, to merely link to Web pages giving information on that or drug paraphenalia, or to even just describe how to find such information.

    If we want to do something about this, we have an excellent opportunity. Both the Committee on Commerce and the Committee on the Judiciary (members listed here) are working on this legislative abomination. If you see your House representative (if you don't know your representative, like most of us, use the look-up) on either of these lists, contact him or her. E-mail or snailmail them if you like, but faxes and phonecalls will probably make the best impression. Be polite and very nonthreatening, but make it clear that you vote, and that you don't like this bill. Be sure to mention the title and number (The Methamphetamine Anti-Proliferation Act and HR 2987). Even if you don't see your representative on the lists, it couldn't hurt to bug the chairpersons of the committees. Lastly, pass this info around to anyone you know who might care. The more displeasure the representatives hear, the less attractive doing anything but killing this bill will be."

  48. BayFF Kicks Off With DVD Trial Rally

    Yro · Court · · posted by emmett · from the be-there-or-be-square dept. · 23 comments
    Katina Bishop from the EFF sent me a link to a press release about an EFF event on Monday, and she asked me to ask Slashdotters to show up and show their support. The event is the kickoff of BayFF, and John Perry Barlow and Pam Samuelson will be speaking about EFF legislation and the upcoming DVD trial. For anyone following the DVD CCA battle, this will be a good event to attend. Here's the link to the press release which contains more info, contact information and directions. Stuff like this makes me wish I lived in the valley.

  49. BayFF Kicks Off With DVD Trial Rally

    Yro · Court · · posted by emmett · from the be-there-or-be-square dept. · 23 comments
    Katina Bishop from the EFF sent me a link to a press release about an EFF event on Monday, and she asked me to ask Slashdotters to show up and show their support. The event is the kickoff of BayFF, and John Perry Barlow and Pam Samuelson will be speaking about EFF legislation and the upcoming DVD trial. For anyone following the DVD CCA battle, this will be a good event to attend. Here's the link to the press release which contains more info, contact information and directions. Stuff like this makes me wish I lived in the valley.

  50. EFF Pioneer Awards

    Yro · Censorship · · posted by michael · from the fighting-the-good-fight dept. · 1 comment
    The Electronic Frontier Foundation gives out a set of awards annually to people who've made "a substantial contribution to the health, growth, accessibility, or freedom of computer-based communications". This year's awards went to: "Librarians Everywhere", which was accepted by Karen Schneider, a librarian who has opposed efforts to install censorware in libraries; Phil Agre, computer scientist and professor at UCLA; and Tim Berners-Lee of MIT, director of W3C. Dan Gillmor has a story, and sooner or later EFF will update their awards page with the text of this year's award.