Slashdot Mirror


Ask Carl Kadie About Censorship and Privacy at Colleges

We've received a lot of inquiries recently about computer policies at various colleges and universities - usually the policy goes something like: "Anything you do or say on this network is ours, we own it, we can read your email, we can delete you, too bad. All your data are belong to us." Oddly enough, these sorts of policies are in place even at schools that would never dream of snooping on students' postal mail or the books they read at the library. Carl Kadie has been EFF's longest-serving volunteer, doing work for the past ten years in the area of academic freedom and computers. He's written two book chapters on the issue and helped examine, critique and improve the usage policies at many universities. Post below any questions you have on computers and academic freedom - maybe your school has a particularly bad policy, maybe you just have a general question - and we'll pick the best ones and forward them to him for a response.

25 of 221 comments

  1. Do they have these rights to with snail-mail? by chabotc · · Score: 3

    As I know universities in the US, they also own the postal office within campus grounds.

    Since both use a medium owned by the university, and both are 'private communication', does this mean they also have the right to read your private (snail mail) letters?

    -- Chris Chabot
    "I don't suffer from insanity, I enjoy every minute of it!"

    1. Re:Do they have these rights to with snail-mail? by Bob+McCown · · Score: 4

      The answer to this is no, because federal law prohibits them from opening your mail, but there are no laws regarding your email. That's the problem. Email spread has outpaced the government's ability to regulate the delivery of it....

    2. Re:Do they have these rights to with snail-mail? by tewwetruggur · · Score: 4
      I actually worked in the campus post office, which, mind you, is not the same as the little "mail rooms" at the respective dorms. At the post office, the non-student employees were federal postal employees. The students are paid by the university, but are held to the rules of the USPS. The people in the mail rooms in the dorms are employed by the front desk of the dorm. They are not employed through the post office.

      So what does that mean? Well, simple. No one is allowed to open your mail. It is a federal offense. There were certain "special" cases when we might open someone's mail, but only because they had requested it during holiday times, or if they were athletes on the road who were needing something urgent. Even that was probably breaking the rules/law, but again, it was only if requested and was something urgent. It was often loan info, looking for plane tickets for home, a check from mom and dad. And it's not like we opened everything addressed to that person - they had to tell us exactly who it was coming from and what was in it.

      But as far as the university "snooping" in your snail mail - well, that'd land a few butts in prison, to say the least.

      People tend to forget that e-mail is indeed NOT the same as snail mail. But that doesn't mean that it shouldn't be.

      --
      Hi! This is the Sig, blatantly attached to the end of this comment.
    3. Re:Do they have these rights to with snail-mail? by TechLawyer · · Score: 3

      My university (the University of Arizona), back in the 80s, used to intercept financial aid checks sent directly to students, where those checks were made out to students. Good ol' U of A then deposited them in a slush fund for a couple of months, before they issued the student their financial aid money, and after they had garnered significant interest. The funny thing is that the external scholarship entities weren't aware of this. It didn't stop until I worked out what was going on in conjunction with my external scholarship entity, and they promptly had a bunch of high-priced lawyers put a stop to that nonsense immediately. I suppose the lesson is that big institutions will do whatever they can get away with.

  2. Question? by aitala · · Score: 3
    I am the webmaster for a medium sized University in the South. While our IT department does an excellent job supporting the University, we face some serious staff and available technology issues.

    How would you suggest balancing the privacy needs of a University community, the security issues created by such a diverse group, the issue of academic freedom, and the fact that college IT departments have serious staff/load/pay/tech issues?

    --
    Eric Aitala
    www.f1m.com
  3. With Power comes responsibility... by Zachary+DeAquila · · Score: 5
    What responsibilities do universities incur when they have such overbroad AUPs and reserve such powers for themselves? What if, in their browsing through my data, they delete or destroy important information (thesis data or papers or somesuch)? Are they liable for it? What if they 'leak' damaging data either unknowingly or through misunderstanding? Can they be held responsible?

    I'm afraid that I know the answers to all these questions and am even more afraid of those answers. So what can be done about it beyond the standard SSH and PGP rhetoric? Is there a way to make them take responsibility for these actions, preferably a heavy enough responsibility to discourage them from wanting to take these actions in the first place?

    --Z

  4. University policy by Pacer · · Score: 5

    I lived for two years in University residence and, frankly, my college didn't seem to have much respect for the privacy of students in any regard: all mail came through University-owned mailboxes, and packages had to be picked up at the dormitory desk, staffed by hall RAs -- students with a significant disciplinary function. All telephone service went through the university switchboard. Your room could be searched, by university staff or by police, without your permission and without any sort of warrant. Most tenant rights were violated (for instance, eviction with two weeks' notice any time of year), and now the university informs students' parents of on-campus alcohol or disciplinary violations (these are adults whose academic transcripts cannot be released to parents without a signed waiver).

    It is not any surprise to me that fascist user agreements are in place concerning electronic media in light of the general control-oriented attitude of many universities towards their on-campus student populations. Perhaps the problem runs deeper than simple technophobia?

    Pacer

  5. College's vs Corporations by Chris+Brewer · · Score: 3

    In your opinion, is there any difference between what a student does on the campus network using college owned computers and an employee using the corporate network using the company's computers with regard to who owns the data?

    --
    Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
  6. Linux acceptability by dwbryson · · Score: 5

    Carl- I have fought a battle at my college over Linux being on the network. I told the UTS (University Technology Services) that I was a big advocate of Linux and was starting up a Linux User Group on campus. But first I wanted their approval. They swiftly told me that, "You can absolutely not encourage the use of Linux on OUR network, and you should be lucky that we don't ban it on campus." I was completely appalled by this, and so promptly turned around and tried to get as many people interested as I could in Linux. And eventually started my own LUG. Do they have a right to tell me what OS I can use on their network? They of course support Windows, and allow Macs, but flat out tell me I can't have Linux on their network. Do you have any suggestions on what rights I as a user have?

    --
    - "Never let a computer tell me shit." - DelTron Zero
    1. Re:Linux acceptability by Sethb · · Score: 4

      It's also quite likely that they didn't want you to start installing Linux for a bunch of students who couldn't manage it themselves. The last thing that the typically overworked and underpaid university IT staff need are 2000 Linux newbies flooding the help line and support desks with questions about Linux on their dorm computers.

      That said, I don't think they can, or should, discourage a student group from forming. They may, however, ask you to make it clear to anyone that you give Linux to, that they're not going to receive any help from the support staff, other than being assigned an IP address...

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
  7. Legal Recourse? by CU-Ballistic · · Score: 5

    I attend a rather well-known University in the South. Of course, they have the requisite "we own you and your data" policy. They state in very explicit terms that they have the right, at any time, to search and confiscate my computer, hard drives, and other media. They say that they also have the right to monitor network traffic, and disable any account which is exhibiting "unusual or excessive" activity. This all seems incredibly arbitrary to me, and worries me very much. My question to you is: Do I have any legal recourse? My main quarrel is that as a first-year student, I am forced to live on campus, and many classes require work to be submitted electronically. Since I am unable to "opt-out" of their heavy-handed policy, do I have any legal recourse if I were to encounter a search-and-seizure situation with the Administration here?

    --
    I'd rather have a bottle in front of me than a frontal lobotomy.
    1. Re:Legal Recourse? by elmegil · · Score: 3
      So how many of you have actually been University Sysadmins?

      As a former sysadmin (and before that a former student hacker in trouble, so don't assume I don't know your side of the story), I can guarantee you that if everything is permissible in the name of free speech and I as sysadmin can't do anything to stop you, then the service you're going to end up with will be worthless. Because a few immature "l33t hax0r" types will make a point of abusing resources to the point where nothing more can be done.

      If the University has any sense, they will have a grievance and arbitration board, and any actions by the staff considered overbroad or out of bounds can be taken before that board for appeal.

      Of course I've actually argued with Mr. Kadie about these issues (MANY years ago) on public newsgroups. He seems to believe that every organization has the resources and the responsibility to follow rules as complex as the FBI's rules of engagement. Most Universities do not have that luxury.

      And the fact remains that most of the loudest proponents on campus of "free speech uber alles" are also usually the last ones to actually exercise any responsibility in their behavior, and thereby poison the well for all their peers. Mr. Kadie's heart may be in the right place to insist on just treatment, but nonetheless, some thought needs to go into the issue as well; you can't just say that a University IT group of 3-8 people responsible for 5000 students have to follow the same due process that the police go through because 1) they don't have any legal obligation to do so and 2) there is no way they could be effective under such constraints.

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
  8. WPI's Acceptable Use Policy by Saint+Nobody · · Score: 3

    Personally, I think that WPI has a pretty good AUP (which is not to say I haven't had problems with netops regarding a few violations, only one of which I was actually responsible for). It doesn't say that they can read our email, personal files and other miscellany, and it requires us not to go poking around. However, it doesn't say that they can't.

    How do you feel about policies like that? It doesn't guarantee our privacy, but it doesn't infringe on it either. Is lack of a guarantee an implicit infringement?

    --
    #define F(x) int main(){printf(#x,10,#x);}
    F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
  9. Public v Private Universities by bmasel · · Score: 3

    1) Public Universities are in general more constrained than Private institutions in regulating speech, under the 1st Amendment, and in some cases further restrained by rulings under State Constitutions' free speech clauses.

    To what extent does this make "It's their hardware" arguments vulnerable?

    2) Do State or Federal infrastructure grants to private Universities make their Net facilities Public Fora?

    --
    Ben Masel: 51,282 votes for US Senate in the Wisconsin Democratic Primary
  10. What about anti-monopoly issues by Pxtl · · Score: 3

    At my university, you connect through the university phone system which makes dial-up impossible, and they don't let you use cable-modems. This neighborhood lacks any DSL or anything like that, so in other words, if you're on res, it's Resnet or do without. As a result the university can impose whatever net policies they like, at any time, and we can't do a thing about it. How can this problem be handled?

  11. They made me sign to agree to follow all EULAs! by Anonymous Coward · · Score: 4
    After crashing part of the CS dept's network (due to program error), I had my account disabled and was summoned to the sysadmin's office. In addition to explaining what I did that messed things up, which we all agreed was accidental, I was asked to again sign the dept's "terms of service" form.

    Stupid me, though, decided to read it first. One line said that I agree to abide by the software licenses of all the software packages installed on the system. When I asked to see these licenses, the sysadmin got all heated and refused. I asked if they were posted somewhere or stored on-line. He said, no. When I asked how I could sign to agree to follow licenses which were refused to be presented to me, he said, "well, you have to sign or your account can't be re-enabled".

    Hmmm. Sign or be unable to do required schoolwork.

    So I signed but wrote next to my signature that staff refused to show me the SW licenses they required me to agree to above. The sysadmin grumbled, but accepted the amended TOS form.

    I heard similar tales from students at other universities and schools. WHY DO SCHOOLS DO THIS?

  12. Re:If the want to own it all... by tewwetruggur · · Score: 3
    That, I believe, is why some universities banned napster and napster-like services. Some schools claimed it was a bandwidth issue, but your point was most definitely considered. I can't recall exactly which school it was, but they cited that exact reason for why p2p music sharing was banned.

    --
    Hi! This is the Sig, blatantly attached to the end of this comment.
  13. hold on a minute.... by SGDarkKnight · · Score: 3

    I certainly hope this doesn't mean that unis or colleges can just simply read the students' mail. It should matter where the mail is. It is still directed to one person, and only that person. Just because the college or university has a mail deposit centre for the post office to drop off mail to all the students living in residence, should not grant them the right to read it just because they are holding on to it until it is picked up. Same goes for email, just because it's passing through several hops to get to its destination doesn't mean that the admin for those hops gets to read all the mail. So what does it matter if it goes through the hop or stops at the college, shouldn't it still be a private message protected by some sort of 'mail' law? Or do the laws just get tossed out the window when it comes to the internet.... ah well, maybe I'm just confused.... anyone else's opinion would be good.

    --

    ...A no smoking section in a restaurant is like having a no peeing section in a swimming pool...
  14. Re:You have no reasonable expectation of Privacy . by dvdeug · · Score: 5

    What do you mean, my dorm room is not my personal residence? I live here, and pay for the privilege. Would you be so happy if your employer forced you to live in a certain apartment building, and forced you to use the LAN instead of a modem, and then told you that they could listen in on anything on that LAN?

  15. Is it because of lawyers? by Wariac · · Score: 3

    Do you think that Schools do this in practice, or is this just a CYA (cover your ass) scenario in case a student does something stupid/illegal? It seems to me in this lawsuit-happy world full of sleazy lawyers that this could be the only way that Schools (or anyone) can avoid being sued into bankruptcy.

    In a nutshell, do the schools implement these policies on their own accord, or are they usually done at the request of their insurer?

    Thanks!

    --
    Remember it, write it down, take a picture, I don't give a fsck!
  16. Inventive students don't help by judd · · Score: 3

    Long ago I worked at a University where the computer use regulations were phrased so that we could bust you for more or less anything we liked. No one was happy about this, but there was a reason: the arms race of CS students vs administrators.

    As soon as we prohibited antisocial activity X, clever students would come up with equivalent activity Y which would not be covered by the original wording, but caused similar (or worse) harm. It turned out that it was terribly difficult to clearly delineate what was and was not acceptable use of the campus facilities in a way that was actually useful (ie protected the privacy of staff and students, allocated server resources fairly, protected the Uni from legal liability). So we gave up :(

    Classic quote: "Our firewall isn't there to protect the campus network from the outside world. It's there to protect the rest of the world from our students."

  17. Public funding. by killbill · · Score: 3

    University network administrators accept limited public funds to provide a particular subset of functionality to meet particular goals of the university. They have a great many technical and legal constraints (both internal and external) on their solutions. Many of these constraints are legitimately addressed by privacy intrusive policies.

    When publicly available dial up and broadband access is cheap and universal, why should a taxpayer funded institution have any obligation to incur extra expense to achieve "freedom"? Why not let the individuals who value freedom buy and use the services that meet their goals, and let the taxpayer funded institutions buy the services that meet the goals of the funding (taxpayer / university) community?

    --
    Mathematically impossible requirements are technically not against policy.
  18. It's not a post office or a library by osgeek · · Score: 4
    Oddly enough, these sorts of policies are in place even at schools that would never dream of snooping on students' postal mail or the books they read at the library.

    That analogy can only go so far. The thing you have to remember with Internet access is that the potential for abuse is so great.

    How can you abuse the post office? Get a lot of mail? Since all mail delivered is paid for through postage, receiving more mail just means more business for them.

    How can you abuse the Library (assuming you don't just destroy books or not return them, which are against "the rules" anyway)? One person can only read so many books. You really would have to go out of your way to abuse a library so that it's noticeable to a large percentage of the library's users.

    How can you abuse a computer network?
    • I could set up a couple of hard-core porn sites on the campus network and bring it to its knees.
    • I don't even need porn. I could decide to start mirroring Yahoo and /., or maybe CPAN and RedHat.
    • I could start spamming people with product literature for some piece of software that I've written, sending out tens of millions of pieces of email through the servers.
    • I could engage in DoS battles with others on the net.

    In short, networking technology is just ripe for abuse, and having been an administrator at an ISP, I know that there is always that 1% of the people out there who will greedily waste 90% of everyone's shared resources without even being embarrassed.

    Because of that high abuse potential, network administrators need policies that allow them to take action when there's a problem. I admit that it's not an ideal situation, but for now it's a compromise position that a lot of us who are just innocently going about our business are willing to deal with.

    One solution might be to make up and enforce heavy-handed rules for every aspect of Internet use. Set things up so that all of the machines on campus have very small individual pipes to the backbone. Heavily restrict server space, mailbox size, and firewall the hell out of everything. Lock up the whole network nice and tight... but that sucks too.

    Face it, it's not an easy problem to solve. Shaking our fists in the air at network administrators who are just trying to maintain a stable network that is available for all of their users is unfair and counterproductive.

    It would be nice if eventually the technology automatically prevented some chances for abuse. It'd be nice if our culture embraced a system of ethics that would make such safeguards unnecessary.

    Instead of just carping at authority in a typically /. fashion, how about proposing ways that the systems can be improved so that these kinds of stiff measures aren't necessary? Why is there such a problem with acknowledging that there are two sides to every problem and that solutions of value can only be reached by respecting everyone's goals?
  19. I am violating my school's policy by posting this. by SkyIce · · Score: 4
    Take a look at my school's AUP at http://www.exeter.edu/publications/ebook/datavoice video.html . Some interesting quotes:
    No pseudonymous or anonymous messages may be sent. Students should be careful not to give out personal information over the Internet.

    Accessing the accounts and files of others is prohibited.

    Students may be held accountable for their actions while off-campus and thus for messages posted from off-campus accounts.

    Academy network resources, including all telephone and data lines, are the property of the Academy. The Academy will, to the extent possible, respect privacy of all account holders on the network. However, the Academy is responsible for investigating possible violations of and enforcing all Academy rules governing the network. Academy network users should, therefore, keep in mind that the Academy reserves the right to access any information stored or transmitted over the network.

    But nowhere in it does it mention the search of a personal computer. Somehow, last week, on mere suspicion, my and three other kids' computers were seized and held for a few days while the network administrator attempted to track down the source of network troubles. He ultimately failed, but in the process noticed that I was using a different IP address and hostname other than the one I had been assigned. The case was sent to the discipline committee under "Theft of IP address" and I am now on probation for eight weeks. My dorm room's port was activated "with restrictions" yesterday, and they now want me to e-mail them a list of every program I want to download so that they can verify it. Was this even legal? What can I do to stop something like this from happening in the future?
  20. Finding Balance? by PapaZit · · Score: 5
    Here's a shot from "the other side."

    I work in Computing Services for a tech-oriented private university. Our usage policies aren't as bad as some, but they definitely give us broad privileges. We've been through many, many proposed revisions that keep being killed by some combination of faculty, staff or lawyers. The basic problems:

    • There doesn't seem to be a concise legal way to say "Don't be an asshole and don't break the law," which is all we really want.
    • It's occasionally necessary for staff to look at private information for technical reasons (reconstructing mail spool after disk crashed, making sure the nifty new backup program actually worked, etc.). We have a huge infrastructure, and if we had to stop and check every time we might accidentally see something, we'd never get anything done unless we made our staff size much larger. We don't have the budget to do that.
    • Occasionally, the sysadmins will find something really bad during the course of routine work. "Spending a long time in federal prison" kind of bad. We try to keep these sort of events quiet to avoid publicity for the user in case it's not their fault (someone cracked their account, etc). We don't want our users on the evening news, but this'll happen with most "notify lots of people before doing anything" plans.
    • There are two opposing viewpoints that are both vocal in our community. One says "privacy over all" while the other says "learning and sharing over all". We have quite a few people who make their home directories publicly readable as a sort of protest against the "privacy freaks" (their words). Finding a policy that makes both happy is very difficult.
    In light of these constraints (financial and social), how do we give more rights to our users without seriously impeding our ability to do our jobs?


    --
    Forward, retransmit, or republish anything I say here. Just don't misquote me.