Interesting People mailing list archives
IP: Universities as Big Brother
From: Dave Farber <dave () farber net>
Date: Wed, 27 Feb 2002 11:17:32 -0500
------ Forwarded Message From: Kobrin <KobrinS () wharton upenn edu> Date: Wed, 27 Feb 2002 11:09:44 -0500 To: "Dave Farber (E-mail)" <farber () cis upenn edu> Subject: Universities as Big Brother The following may be of interest: This article from The Chronicle of Higher Education (http://chronicle.com) _________________________________________________________________ _________________________________________________________________ From the issue dated March 1, 2002 Colleges Fear Anti-Terrorism Law Could Turn Them Into Big Brother By SCOTT CARLSON and ANDREA L. FOSTER Opening student computer files without their permission. Reporting on the library books checked out by a graduate student. Collecting data on who on campus is sending e-mail to whom. To many college technology and library officials, these sound like invasions of privacy that are antithetical to the traditions of academe. But these are the sorts of actions that a new law may well permit or in some cases require. And colleges are struggling to understand their obligations and rights under the measure, which is only now attracting their attention and is leaving many campus officials confused or worried. Called the USA Patriot Act, it gives law enforcement extra tools and authority to track suspected terrorists. Although the law, enacted in October, is not specifically aimed at colleges, some administrators are finding enough in the measure that affects them that they are now consulting lawyers and drafting policies on how to comply. Civil libertarians are outraged by the law, saying that it gives the federal government sweeping powers to pry into student records and e-mail accounts, and that it could hinder the climate of free inquiry. But on campuses, reaction has been more measured. Many students and faculty members seem unaware of the law and its ramifications. The law stretches the legal boundaries for prying into electronic communications. For example, one provision in the law permits agents of the Federal Bureau of Investigation, without a judge's sanction, to intercept the communication of a suspected network trespasser. The agents must first be called in by Internet service providers, which could include colleges. Another provision that worries colleges prohibits them from disclosing that federal agents have sought "business records" -- which some college officials say could include library records -- to investigate people tied to hostile foreign governments. Virginia E. Rezmierski, adjunct associate professor at the Gerald R. Ford School of Public Policy and the School of Information at the University of Michigan at Ann Arbor, says the gag order prevents colleges from checking whether the government has been overzealous in investigating people. "Is this just a wide net being thrown? Is there due cause for taking these records?" Many college administrators say they find the law extremely difficult to understand; it is a 132-page patchwork of amendments to laws including the Family Educational Rights and Privacy Act, which governs students' privacy rights; the Foreign Intelligence Surveillance Act, which authorizes the federal government to spy on suspected foreign agents; and the Electronic Communications Privacy Act, which limits disclosure of electronic communications. Tracking Federal Inquiries Cornell University is among the first institutions to create specific guidelines for responding to law-enforcement requests made under the law. The guidelines instruct employees of Cornell's Office of Information Technologies to contact the office's policy adviser or the office's security coordinator if they are asked to disclose information to law-enforcement agents. They would then consult with university lawyers on how to proceed. Cornell established the guidelines because college employees are sometimes too eager to please law-enforcement agents by quickly providing them with the information they seek, or the employees are confused about which college higher-ups to contact for advice, says Tracy B. Mitrano, the policy adviser and director of the Office of Information Technologies there. Since enactment of the Patriot Act, the university has received one request for confidential information, which Ms. Mitrano declines to discuss in detail. She and Polley Ann McClure, vice president for information technologies at the university, anticipate more. "We expect that some of those may not be legally valid," says Ms. McClure, who helped write Cornell's procedures. "We don't want our staff and thus the institution to violate the privacy of our constituents in response to an invalid request." The computer-trespasser provision allows the Federal Bureau of Investigation to help network operators, possibly including colleges, find intruders on their networks only if operators ask for FBI assistance. But some college officials fear they could be sued if they did. Law-enforcement agents can, without a warrant, intercept the communications of a hacker. But since the interception would be done without a warrant, the suspected hacker could argue that the search violated his Fourth Amendment rights against abusive searches. And he also could argue that the college was complicit in violating these rights, Ms. Mitrano says. Cooperation between the FBI and colleges also opens the door for unsophisticated law-enforcement agents to damage a college's computer system, or to start prying into other communications that are unrelated to the specific investigation, says Ms. Mitrano. "I think it sets up a very potentially complicated relationship between [computer] owners and operators, and law enforcement," she says. "Circumstances could lend themselves to law enforcement calling owners and operators and suggesting that they have information about a computer trespasser ... and [saying], 'Wouldn't it be helpful if we came in and took a look?'" Apart from the possible effects of the law, Ms. Mitrano says the computer-trespass provision, among other sections of the law, has no clear connection to combating terrorism, but had long been on the Justice Department's wish list of legislative reforms. By and large, though, the law doesn't impose undue burdens on colleges' networks, she says. For example, it doesn't require them to make design changes to their computer systems. And it provides compensation to colleges if they incur expenses to help the FBI install Internet-surveillance tools, or if they sustain damage in excess of $5,000 because of computer hackers, even if the hacking has nothing to do with terrorism. Many other colleges are still struggling to make sense of the act, and are hesitant to make procedural changes until they see how the government uses its new powers. "We have to wait and see how this plays out," says Steven J. McDonald, a lawyer for Ohio State University. He says Ohio State has not received subpoenas for computer files since the law took effect. Revising the Cornell Guidelines Virginia Commonwealth University is adapting Cornell's guidelines. At a campus meeting in February, faculty members and administrators tried to figure out how the law will affect their day-to-day network operations. They discussed when turning over data to the FBI would be required and when it would be voluntary. They talked about training student workers not to readily provide private records to law-enforcement officials, and about whether reporting problems to the campus police can substitute for contacting the FBI. They also talked about the types of electronic data the university stores and for how long it stores them, and about the difference between a search warrant and a subpoena. The distinction was explained by Clyde Laushey, the university information-security officer, who said that if university officials try to contest a search warrant, "They just lock you up.'' Robert J. Mattauch, dean of the engineering school, requested a "first line of response" should federal agents come looking for confidential university records. He said he would help draft a simplified checklist for university staff members to follow in such a situation. Three university technology administrators were designated as interim contact people for potential FBI inquiries. "It's going to happen," Mr. Mattauch warned his colleagues. The University of Texas at Austin will probably analyze federal requests for confidential information on a "case-by-case basis," says Jeffery L. Graves, a lawyer for the university. Meanwhile, he says, the university is beginning to educate network administrators and others on campus about the requirements of the act. Despite a large number of international students on campus, Mr. Graves says federal agents have made few requests for computer-stored data on students. He suspects that agents are getting the information they need about students from other sources, like landlords, published articles, or phone directories. Modest Changes? Christopher Painter, the deputy chief of the computer-crime and intellectual-property section of the Department of Justice, has been an active defender of the Patriot Act for the government. Speaking before an audience of law-enforcement officials in January, he said that the law's Internet-surveillance provisions "are not sweeping expansions of wiretap authority." They are modest changes, he said, "and they don't abrogate Fourth Amendment protections." In response to critics who say that parts of the law have little to do with fighting terrorism, Mr. Painter, in an interview, says: "They're trying to make too fine a distinction between terrorist attacks and nonterrorist attacks. You don't know what kind of [computer] attack you have in the beginning." But privacy scholars and advocates say that some of these provisions endanger the climate of free inquiry on campuses. "Universities uphold the importance of free inquiry, and we don't want to chill that inquiry by having researchers and students think that their every move is being tracked by the government," says Peter P. Swire, a law professor at Ohio State University who advised the Clinton administration on privacy issues. "On the other hand, law enforcement worries that universities might become a safe haven for terrorist organizing. The traditional university tendency to allow dissent could potentially turn into a systematic effort for terrorists to hide their activities under the name of academic freedom." The attention already paid to the immigration violations of some foreign students shows that "we can expect a greater conflict between the tradition of academic freedom and the law-enforcement concerns about universities as safe harbors for terrorists," Mr. Swire says. Parts of the law, such as those outlining computer trespassing and foreign-intelligence surveillance, will expire in 2005 unless Congress renews them. "Universities have a homework assignment to inspect how well these provisions apply in the university setting, and if there are problems, then academics and universities should point these out," says Mr. Swire. But so far, it seems that the privacy issues related to the Patriot Act haven't penetrated the academic community at large. Professors often give puzzled responses when asked about it. Students also are little aware of the potential threats to electronic privacy. "I would say that the majority of students haven't looked at this and don't understand the ramifications," says Matthew J. Murray, a sophomore at the University of California at Berkeley who is president of the campus chapter of the American Civil Liberties Union. He arranged a teach-in about the law soon after it was passed, and this spring he is organizing a student-run course covering civil liberties and the antiterrorism legislation. But explaining the vagaries of the law and the importance of privacy has been difficult. Students readily understand the dangers of ethnic profiling and of secretly detaining people. "It's easier to get a grasp on those than on the issues related to privacy," because the law's specifics can be arcane, he says. 'They Are Terrified' International students and Muslim Americans generally seem to be more aware of the new law and its ramifications. For some international students, however, the notion of compromised privacy is perhaps too familiar. Omar Afzal, the adviser to the Muslim student group at Cornell, has been counseling students on what to do if an agent shows up to ask them questions: Contact the international-students office or elders in the community, and be polite and straightforward. "They are terrified," he says. "They come from a culture where if a policeman shows up at the door, you are being targeted to be sent to prison for a long time." There is less concern over breaches in privacy. Mr. Afzal told the students that law-enforcement officials can look at student information without their knowledge. "They don't understand, mostly," he says. Again, "culturally, they are coming from areas where this information is routinely [shared] with the police." Mr. Afzal is willing to compromise these days. "I am concerned about civil liberties, but every society has a right to take unusual steps in times of war." But college librarians are having a harder time compromising. Library policies are typically designed to protect the privacy of their patrons, and librarians themselves have traditionally been staunch advocates of privacy rights. "It's not just a policy; it's an ideology, almost a religion," says Ross Atkinson, Cornell's deputy university librarian. He and other librarians worry that the government will use the law to see what patrons are reading, researching, or checking out. Like his institution, Mr. Atkinson's library is reviewing and solidifying policies, making it clear to employees what to do if a law-enforcement agent walks through the door and demands to see patron records. Miriam Nisbet, the legislative counsel for the American Library Association, says that the Patriot Act now gives law-enforcement agencies access to business records, which could include patron records. That brings up complicated issues in an electronic age. For example, to help protect privacy, libraries try not to keep information; most libraries destroy the record of, say, a book loan soon after the book is returned. But "computers being what they are, those records might still be around on backup tapes," Ms. Nisbet says. "So even though the library has a policy to erase that information as soon as you bring the book back, that information might still be available." Recorded Names Mr. Atkinson has already thought about these issues at Cornell. His library keeps backup tapes for about 35 days, then destroys them. The existence of the tapes is troubling from a privacy standpoint, but absolutely vital from a technical one, so the time period can't be shortened, he says, adding that the tapes were a lifesaver in a recent computer crash. But, looking around, he sees more threats to privacy than the tapes. The computers in the library don't require users to identify themselves, but users at home or in a campus office have to log in if they want to get access to the various databases that the library subscribes to. Somehow, somewhere, those names are probably recorded, along with the information those people look at, Mr. Atkinson says. He is worried that the Patriot Act pushes society toward an Orwellian future. "All of this legislation wouldn't be in place if they weren't going to use it," he says. But he is pleased to see his colleagues in the library community digging in. "The whole community is galvanized, and I'm hearing no dissent on this. There is a very strong feeling that we need to protect privacy more than ever." KEY PROVISIONS OF THE PATRIOT ACT The following are key provisions of the USA Patriot Act that affect college technology systems. The law: Permits federal agents to obtain stored voice mail without wiretap authorization. Compels Internet service providers to turn over to federal agents who have a subpoena: subscriber's telephone connection records, the subscriber's identity, the length of service, and how it was paid for. Allows federal agents to use a "trap and trace" device to obtain dialing, routing, addressing, or signaling data sent by wire or electronic communication. Allows federal agents to install technological tools to intercept and collect information from Internet traffic. Allows Internet service providers to call in federal agents, who do not have a search warrant, to help them intercept the communications of a computer hacker. Increases penalties for computer crimes, including transmitting viruses. If the network damage exceeds $5,000, the hacker may be sued. SOURCE: Law firm of Hogan & Hartson _________________________________________________________________ This article from The Chronicle is available online at this address: http://chronicle.com/weekly/v48/i25/25a03101.htm If you would like to have complete access to The Chronicle's Web site, a special subscription offer can be found at: http://chronicle.com/4free _________________________________________________________________ You may visit The Chronicle as follows: * via the World-Wide Web, at http://chronicle.com * via telnet at chronicle.com _________________________________________________________________ Copyright 2002 by The Chronicle of Higher Education ------ End of Forwarded Message For archives see: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- IP: Universities as Big Brother Dave Farber (Feb 27)