PRIVACY OF ELECTRONIC COMMUNICATIONS AT CORNELL UNIVERSITY: A POLICY PERSPECTIVE
Federal legislation, network security initiatives, new properties of electronic communications and the multi-constituency composition of higher education require, and challenge, the development of Cornell University information technology policies on privacy. Cornell University addresses these issues with focused attention on discrete issues in a cross-campus, collaborative policy formulation and issuance process.
Crisis often begets opportunity. In the wake of the Morris computer worm, Cornell University established one of the first information technologies user policies for higher education: the 1990 Policy Regarding Abuse of Computers and Network Systems. In addition to establishing the overarching principle that "[L]egitimate use of a computer or network system does not extend to whatever an individual is capable of doing with it," the policy explicitly states that users must respect the "privacy of or other restrictions placed upon data or information stored in or transmitted across computers and network systems, even when that data or information is not securely protected." The University Policy on Responsible Use of Electronic Communications, promulgated in 1995, fine-tuned the earlier policy by stating the University position on privacy, specifically that the University does not, as a practice, monitor its network for content.
Subsequent University information technologies policies have given meaning to that observation. For example, the University Data Stewardship and Custodianship Policy disallows unauthorized resolution of internet protocol addresses by custodians out of recognition that conversational detail in electronic communications has the potential to reveal content unlike that of telephonic communications. Policy, therefore, acts as the ballast against the new properties of electronic communications whose effects otherwise might be to diminish privacy considerations. Likewise, the proposed Privacy of Electronic Mail seeks to cabin the open technological character and custodial handling of data stored and transmitted over mail servers by prohibiting disclosure except in circumstances of compulsory legal papers, health and safety emergencies or authorized permission set at the highest levels of responsibility of the University (Vice Presidents for students and non-academic staff and the Provost for academic staff/faculty respectively). This approach inherently addresses the balance between the business needs of the University and the different expectations that the University's constituents (faculty, students, staff and alumni) have with respect to the privacy of data on the University infrastructure.
Some other proposed, but not yet fully drafted, University policies augment this overall effort to create a patchwork quilt of policies on privacy protection. Information technology security policies shift the notion that security and privacy oppose each other in favor of the complementary nature of their relationship in federal laws such as the Family Educational Rights and Privacy Act, the Financial Services Modernization Act and the Health Insurance Portability and Accountability Act. These laws, in some measure, contrast with new anti-terrorist legislation that emphasizes the sharing of information by lowering the bar on government accessibility to data Cornell seeks to protect. Finally, an Authorization and Authentication Policy should define the authority for, and processes by which, these technical functions occur at Cornell with the intent of providing for the security, confidentiality and availability of the right data to the appropriate parties. Drafts of these policies in process may be found at http://www.cit.cornell.edu/policy/drafts/.
Of course, policy and the policy process represent only one prong of a larger education program about privacy of electronic communications. Here are some others:
- Student Education: Before being entitled to maintain use of their network identifier, students must complete an on-line tutorial entitled Travelers of the Electronic Highway.
- On-Line Education: The IT Policy Office sponsors two web sites of interest in this area. Privacy in the Electronic Realm devotes itself exclusively to questions of privacy. The USA-Patriot Act speaks to questions of privacy in relationship to new federal anti-terrorist legislation.
- University Computer Policy and Law Program: As Director of the University Computer Policy and Law Program, I have always included privacy as a topic in this distinguished speaker's series. So far we have hosted two specialists: Robert Gellman and Dan Solove.
- Academic Outreach: As an extension of my duties as Policy Advisor, I teach Computer Information Science 515, "Culture, Law and Politics of the Internet." Privacy is always a topic woven in with larger questions about the dynamics of cultural and technical changes over time, national security and the politics of the Internet.
Thus, while the legal, policy, technical and cultural terrain of what constitutes "privacy" in electronic communications may be in flux for American society overall, Cornell University strives to grapple with this shifting ground in a manner that values the seeking of relevant information, the gaining of knowledge about the meaning of that information, and the setting of policy in concert with Cornell's foundational values of excellence in teaching, research and outreach in the context of freedom of expression and inquiry.
Tracy Mitrano
October 14, 2003
