Cornell University CIT

• IT Policy Home
• Policies
• Programs
• Articles
• Issues

ACUTA Journal of Telecommunications in Higher Education
Fall 2002, Vol. 6, No. 3

Privacy on Today's Electronic Campus

by Tracy Mitrano, Cornell University

New technology generates new anxieties -- often with good reason. The trade-offs of one generation are not always the same for another generation with different expectations of efficiency, privacy, and social order. The popularization of the transportation and communications industries -- from trains to planes and telegraphs to telephones -- produced a long litany of contract and tort cases, not to mention reams of regulations and volumes of administrative law.

In light of the remarkable technologies that have made electronic communications a popular and significant component of the American economy, it is no wonder that electronic communications have raised a wide range of new questions and concerns about Internet service provider liability, Internet governance, legal strictures for government surveillance, and privacy in general. Perhaps the main reason is that people feel to personal about their computer usage.

The psychological intimacy between people and their computers sharply contrasts with the fact that network operators can see electronic communications, governments with proper authorization can intercept transmissions or obtain stored data, and snoops or hackers can all too easily sniff communications or trespass into an individual's computer. For those who have used electronic communications to express personal emotions or political thoughts, it is a shock to learn that their message has been posted on the Web or widely circulated as the result of easy forwarding. Electronic diaries and wills have been sent out as documents as the result of a computer virus. The sniffing out of a credit card or social security number produces obvious credit problems. Harassing or defamatory messages put on the Web for the entire world to see can be a psychic blow that leads to questions of trust and privacy and strikes the mystic cords that bind people to their society.

Technology

So what are the rules -- technical, legal, and ethical -- that shape this very uncertain reality of the privacy of electronic communications? Technically, people should be prepared to accept that network operators can see virtually any unencrypted communication. In cases where the operators are performing necessary business functions, they do, in fact, sometimes see such communications. Notwithstanding the common analogy that an e-mail is like a postcard going through the United States Postal Service, the more accurate comparison would be telephone operators or technicians who could break into live communications in the course of their duties.

One distinction to make between both of these analogies and electronic communication is that in neither the postal nor the telephonic world are backups or network logs maintained that provide yet another avenue for retrieval of communications and/or data after the fact. People are often surprised to learn that their own computers contain records of every Web site visited. The capacity and volume of information that network communications contain constitute a quantum leap of trace and tracking ability that understandably makes people nervous. And even if it could be established that no social or political entity conspired to make this technology so transparent, it simply feels unnerving to discover that the privacy of communications is not what it used to be.

Law

Two federal criminal laws speak directly to the legal and ethical concerns regarding electronic privacy. First, the Computer Abuse Act, Title 18 of the criminal code, section 1030 specifically, renders computer trespass -- not just rattling the doorknobs but actual penetration, retrieval, or damage -- and destructive programs such as worms and viruses illegal. Second, the Electronic Communications Privacy Act (ECPA) establishes a privacy of electronic communications at a standard similar to the wiretapping act of the late 1960s. In short, the disclosure of any information by an Internet service provider to the public is actionable. Since Congress amended ECPA in 1994 to include wireless communications, sniffing is uncharted legal territory, given that the spectrum in which wireless communications operate is public.¹

Almost certainly reading the text of a communication would support at least a cause of action, especially if that communication was disclosed to the public. Disclosure is regulated even for those who fall under some of the exceptions to ECPA, such as network operators who access communications in the normal course of business or law enforcement with an administrative, executive, or court order to access transmissions and data. If a network operator working in the usual course of business uncovers the extramarital affair of a famous person, for example, it is against the law to disclose it. Likewise, if in the course of an investigation, law enforcement discovers legal but potentially damaging information about an individual, say the homosexuality of a closeted person (in a state with no sodomy laws), it may not disclose that information. The singular exception to the exception is when consent is given by one party to a communication to disclose information of the second party; such disclosure is not actionable.

State tort laws offers another dimension to this issue. Claims such as defamation, misappropriation of likenesses, or invasion of privacy -- together with state sexual harassment laws -- offer opportunities for ambitious attorneys to carve out a specialized niche in tort and civil plaintiff Internet law. Actions in this area are still very sparse and have yet to yield a clear directon of the law, and so remain speculative at best. Such speculation leads to another question, however: What about the ethical dimensions of exposure on the World Wide Web? I have a personal example.

I was teaching my 10-year-old son how to do a search when he suggested that we search my name. To my surprise there appeared a title, "The shit hits the fan ..." In my role as copyright agent for the university under the Digital Millennium Copyright Act of 1998, I had sent a student a form notice of copyright infringement. He had sent it on to a friend at another university who posted the notice on the Web with that opening phrase.

The capacity and volume of information that network communications contain constitute a quantum leap of trace and tracking ability that understandably makes people nervous.

Since the recipient consented to the posting, I have no cause of action in criminal law, and since it does not allege anything defamatory about me, I have no private claim either. (It most certainly would have been a violation of the Buckley Amendment, or the Family Education Records Privacy Act, for me as an agent of the university, to post the information.) But still, it is a gratuitous posting. I acted as an employee of the university, yet the search turned into something personal about me.

I decided to contact the student, not as an employee of the unversity but as a private individual on my home computer and with my private e-mail address. I asked him to redact my name and the name of another employee. He never did. Given the minor significance of this incident, I present it as an example of an ethical question. In lieu of law, how do we, as citizens of the United States and of the world of Internet users, articulate an ethics of electronic media?

Cornell University Policy

Where law treads, policy is sure to follow. Law -- from Middle English, "to lay down" -- represents the floor of acceptable behavior, a level of performance beneath which an individual or institution courts liability. Policy -- from the ancient Greek, "polis" or "citizen" -- speaks to higher principles that incorporate foundational social and political notions of rights and responsibilities of teh individual to the group, and of the group to and for the individual. To be sure, policy does not fill the gap between the law and ethics completely. To draw upon the example explored above, it is important to note that not even policy would have addressed my concerns. The fan material is not posted on the Cornell University network, but even if it were, the university does not have a policy against posting it. To the contrary, the university's Policy on Responsible Use of Electronic Communications holds forth on free speech that does not violate law or policy in such a way that it would have been a violation of policy for me, as an officer of the university, to use my authority to remove it!

Such strictures define the obligations that the university undertakes to protect its constituents. Conversely, intervening in cases where individual students interfere with the activity of others and establishing ground rules of responsible use and security are obligations the university exercises to maintain order and to teach responsible use. Such intervention prohibits bandwidth hogging, e-mail bombing, and sharing passwords. To adhere to those rules is the obligation of individuals who enjoy the privilege of network usage. Those rules are not codified in American law but they coudl potentially bring sanction upon constituents of the university who use the network in violation of them, which illuminates precisely how policy raises expectations of an individual's behavior. The policy reasons why those rules exist: to promote fairness, respect, and dignity -- if not a relative concept of privacy -- comport with the lofty mission of the university.

A note on the term privacy is worth making at this juncture. The concept of privacy in American law is largely a 20th-century phenomenon and has come to revolve around the debate over abortion or reproductive rights as they took shape in the civil rights movement of the 1960s. However much ridiculed, Justice Goldberg's famous statement that the First, Third, Fourth, Fifth, and Ninth Amendments to the Constitution amount to a "penumbra" of privacy rights, otherwise not articulated as such by name in that august document, represent to date the best summary of how American constitutional law considers this nebulous area. It is equally important to remember that the Constitution protects against government action and not private entities. Thus, while privacy may have come the catchword for personal rights in the last half of the 20th century, those rights do not translate to al areas of experience and certainly not to private entities such as Cornell University.

Policies on Privacy

The University Counsel's Office has made it clear to policy advisors across campus that their policies had best steer clear of the term privacy, lest it suggest or infer a set of rights to which the university is not obliged, and to which the university would not want to associate itself in policy as a matter of potential litigation. Nuanced terms such as fair information practices fill the gap that privacy policies might well play in state universities and other governmental institutions.

Another example of how the public and private distinction plays out is in the area of privacy rights for employees of any private network. Employees enjoy no privacy whatsoever. Every case that has asked questions about monitoring, snooping, sniffing, and consciously and intentionally looking at either transmissions or stored data of employees has found squarely for the employer, not the employee.

To its credit, Cornell, while reserving its right to monitor communications, has nonetheless stated in policy that it will not adopt those practices as a matter of normal business. The University Policy on Responsible Use states that while it reserves the right to control and access systems, it does not as a practice monitor data or usage. Important distinctions must be made among three discrete points. Technologically, systems operators can see, for example, e-mail or URLs passing through as transmissions. Yet, the equally true fact that more than 1 million e-mail messages pass through the Cornell network on average every day means that it is impossible to monitor them, even if the university did not hold itself to a higher ethical standard in policy. Thus, there is a difference between the technological ability to see e-mail and the practice of reading it. It is important to note, however, that as a matter of policy, in the course of standard business procedures, should system operators observe content of e-mail, they are obliged to maintain the confidentiality of it unless the content of what they observe violates law or policy or is evidence of immediate danger of life and limb, in which case they are obliged to report it.

Another variation on the theme of privacy of an individual's data on an electronic network is the question of how third parties can gain access to it. The Office of Information Technologies is sponsoring a policy on this matter, called Fair Information Practices for the Access of Data about Individuals Transmitted or Stored on Cornell Information Technologies Systems. Until such time as the university policy office issues it, it is the practice of the Office of Information Technologies and Cornell Information Technologies to provide information to third parties only on the request of the head of the subject's constituency (i.e., the vice president of Human Resources or Student Affairs, or the dean of faculty) or to law enforcement with proper authorization. Individuals may retrieve logging information about themselves if they present reasonable cause in a formal request to the policy advisor of Information Technologies. And then there is the question of sniffing. It may be murky in the law, but it is clear in policy. Cornell Information Technologies interprets the Cornell University Policy Regarding Abuse of Computers and Network Systems to make "sniffing" a violation.² And there are other matters too, such as the selling of e-mail addresses or the use of cookies for the collection of personal information about users--neither of which is a practice of Cornell Information Technologies, nor, in my humble opinion, should they ever be.³

Conclusion

Each generation will define privacy in the electronic world by setting the concept beside an array or external realities such as prevailing custom and law, technologies and practices, institutional policies, and ethical ideals. The tensions between the dual human impulses to preserve a personal environment and to accommodate the demands of society for survival inform that effort. Indeed, the electronic world will not change that dynamic, but will add to its many dimensions. We could choose to ignore the debate, but only with the most contemporary notions of privacy as this generation knows them hanging in the balance. Awareness, political discourse, and policy discussion will not eliminate the tension but animate it with creativity.

Tracy Mitrano is policy advisor and director of computer policy and law, Office of Information Technologies at Cornell University. Reach her at tmb3@cornell.edu.

Notes
¹ "Sniffing" is a slang term for interception of data communications. In telephone communications the analogous term is "tapping."
² http://www.cit.cornell.edu/computer/responsible-use/abuse.html
³ Cornell Information Technologies does use cookies for network tracking information, but not personal information--content--about users. It does not sell e-mail addresses either, but, like so many institutions, has fallen prey to commercial interests harvesting addresses from its directories.

---

Return to Cornell University's Privacy in the Electronic Realm site