IP: Universities as Big Brother

[Dave Farber <dave () farber net>]

------ Forwarded Message
From: Kobrin <KobrinS () wharton upenn edu>
Date: Wed, 27 Feb 2002 11:09:44 -0500
To: "Dave Farber (E-mail)" <farber () cis upenn edu>
Subject: Universities as Big Brother

The following may be of interest:


This article from The Chronicle of Higher Education
(http://chronicle.com)

_________________________________________________________________

_________________________________________________________________

  From the issue dated March 1, 2002



  Colleges Fear Anti-Terrorism Law Could Turn Them Into Big
  Brother

  By SCOTT CARLSON and ANDREA L. FOSTER
  
   Opening student computer files without their permission.
  Reporting on the library books checked out by a graduate
  student. Collecting data on who on campus is sending e-mail to
  whom. To many college technology and library officials, these
  sound like invasions of privacy that are antithetical to the
  traditions of academe. But these are the sorts of actions that
  a new law may well permit or in some cases require. And
  colleges are struggling to understand their obligations and
  rights under the measure, which is only now attracting their
  attention and is leaving many campus officials confused or
  worried.
  
  Called the USA Patriot Act, it gives law enforcement extra
  tools and authority to track suspected terrorists. Although
  the law, enacted in October, is not specifically aimed at
  colleges, some administrators are finding enough in the
  measure that affects them that they are now consulting lawyers
  and drafting policies on how to comply.
  
  Civil libertarians are outraged by the law, saying that it
  gives the federal government sweeping powers to pry into
  student records and e-mail accounts, and that it could hinder
  the climate of free inquiry. But on campuses, reaction has
  been more measured. Many students and faculty members seem
  unaware of the law and its ramifications.
  
  The law stretches the legal boundaries for prying into
  electronic communications. For example, one provision in the
  law permits agents of the Federal Bureau of Investigation,
  without a judge's sanction, to intercept the communication of
  a suspected network trespasser. The agents must first be
  called in by Internet service providers, which could include
  colleges.
  
  Another provision that worries colleges prohibits them from
  disclosing that federal agents have sought "business records"
  -- which some college officials say could include library
  records -- to investigate people tied to hostile foreign
  governments.
  
  Virginia E. Rezmierski, adjunct associate professor at the
  Gerald R. Ford School of Public Policy and the School of
  Information at the University of Michigan at Ann Arbor, says
  the gag order prevents colleges from checking whether the
  government has been overzealous in investigating people. "Is
  this just a wide net being thrown? Is there due cause for
  taking these records?"
  
  Many college administrators say they find the law extremely
  difficult to understand; it is a 132-page patchwork of
  amendments to laws including the Family Educational Rights and
  Privacy Act, which governs students' privacy rights; the
  Foreign Intelligence Surveillance Act, which authorizes the
  federal government to spy on suspected foreign agents; and the
  Electronic Communications Privacy Act, which limits disclosure
  of electronic communications.
  
  Tracking Federal Inquiries
  
  Cornell University is among the first institutions to create
  specific guidelines for responding to law-enforcement requests
  made under the law. The guidelines instruct employees of
  Cornell's Office of Information Technologies to contact the
  office's policy adviser or the office's security coordinator
  if they are asked to disclose information to law-enforcement
  agents. They would then consult with university lawyers on how
  to proceed.
  
  Cornell established the guidelines because college employees
  are sometimes too eager to please law-enforcement agents by
  quickly providing them with the information they seek, or the
  employees are confused about which college higher-ups to
  contact for advice, says Tracy B. Mitrano, the policy adviser
  and director of the Office of Information Technologies there.
  
  Since enactment of the Patriot Act, the university has
  received one request for confidential information, which Ms.
  Mitrano declines to discuss in detail. She and Polley Ann
  McClure, vice president for information technologies at the
  university, anticipate more.
  
  "We expect that some of those may not be legally valid," says
  Ms. McClure, who helped write Cornell's procedures. "We don't
  want our staff and thus the institution to violate the privacy
  of our constituents in response to an invalid request."
  
  The computer-trespasser provision allows the Federal Bureau of
  Investigation to help network operators, possibly including
  colleges, find intruders on their networks only if operators
  ask for FBI assistance. But some college officials fear they
  could be sued if they did. Law-enforcement agents can, without
  a warrant, intercept the communications of a hacker. But since
  the interception would be done without a warrant, the
  suspected hacker could argue that the search violated his
  Fourth Amendment rights against abusive searches. And he also
  could argue that the college was complicit in violating these
  rights, Ms. Mitrano says.
  
  Cooperation between the FBI and colleges also opens the door
  for unsophisticated law-enforcement agents to damage a
  college's computer system, or to start prying into other
  communications that are unrelated to the specific
  investigation, says Ms. Mitrano.
  
  "I think it sets up a very potentially complicated
  relationship between [computer] owners and operators, and law
  enforcement," she says. "Circumstances could lend themselves
  to law enforcement calling owners and operators and suggesting
  that they have information about a computer trespasser ... and
  [saying], 'Wouldn't it be helpful if we came in and took a
  look?'"
  
  Apart from the possible effects of the law, Ms. Mitrano says
  the computer-trespass provision, among other sections of the
  law, has no clear connection to combating terrorism, but had
  long been on the Justice Department's wish list of legislative
  reforms.
  
  By and large, though, the law doesn't impose undue burdens on
  colleges' networks, she says. For example, it doesn't require
  them to make design changes to their computer systems. And it
  provides compensation to colleges if they incur expenses to
  help the FBI install Internet-surveillance tools, or if they
  sustain damage in excess of $5,000 because of computer
  hackers, even if the hacking has nothing to do with terrorism.
  
  Many other colleges are still struggling to make sense of the
  act, and are hesitant to make procedural changes until they
  see how the government uses its new powers.
  
  "We have to wait and see how this plays out," says Steven J.
  McDonald, a lawyer for Ohio State University. He says Ohio
  State has not received subpoenas for computer files since the
  law took effect.
  
  Revising the Cornell Guidelines
  
  Virginia Commonwealth University is adapting Cornell's
  guidelines. At a campus meeting in February, faculty members
  and administrators tried to figure out how the law will affect
  their day-to-day network operations. They discussed when
  turning over data to the FBI would be required and when it
  would be voluntary. They talked about training student workers
  not to readily provide private records to law-enforcement
  officials, and about whether reporting problems to the campus
  police can substitute for contacting the FBI. They also talked
  about the types of electronic data the university stores and
  for how long it stores them, and about the difference between
  a search warrant and a subpoena.
  
  The distinction was explained by Clyde Laushey, the university
  information-security officer, who said that if university
  officials try to contest a search warrant, "They just lock you
  up.''
  
  Robert J. Mattauch, dean of the engineering school, requested
  a "first line of response" should federal agents come looking
  for confidential university records. He said he would help
  draft a simplified checklist for university staff members to
  follow in such a situation. Three university technology
  administrators were designated as interim contact people for
  potential FBI inquiries.
  
  "It's going to happen," Mr. Mattauch warned his colleagues.
  
  The University of Texas at Austin will probably analyze
  federal requests for confidential information on a
  "case-by-case basis," says Jeffery L. Graves, a lawyer for the
  university. Meanwhile, he says, the university is beginning to
  educate network administrators and others on campus about the
  requirements of the act.
  
  Despite a large number of international students on campus,
  Mr. Graves says federal agents have made few requests for
  computer-stored data on students. He suspects that agents are
  getting the information they need about students from other
  sources, like landlords, published articles, or phone
  directories.
  
  Modest Changes?
  
  Christopher Painter, the deputy chief of the computer-crime
  and intellectual-property section of the Department of
  Justice, has been an active defender of the Patriot Act for
  the government. Speaking before an audience of law-enforcement
  officials in January, he said that the law's
  Internet-surveillance provisions "are not sweeping expansions
  of wiretap authority." They are modest changes, he said, "and
  they don't abrogate Fourth Amendment protections."
  
  In response to critics who say that parts of the law have
  little to do with fighting terrorism, Mr. Painter, in an
  interview, says: "They're trying to make too fine a
  distinction between terrorist attacks and nonterrorist
  attacks. You don't know what kind of [computer] attack you
  have in the beginning."
  
  But privacy scholars and advocates say that some of these
  provisions endanger the climate of free inquiry on campuses.
  
  "Universities uphold the importance of free inquiry, and we
  don't want to chill that inquiry by having researchers and
  students think that their every move is being tracked by the
  government," says Peter P. Swire, a law professor at Ohio
  State University who advised the Clinton administration on
  privacy issues. "On the other hand, law enforcement worries
  that universities might become a safe haven for terrorist
  organizing. The traditional university tendency to allow
  dissent could potentially turn into a systematic effort for
  terrorists to hide their activities under the name of academic
  freedom."
  
  The attention already paid to the immigration violations of
  some foreign students shows that "we can expect a greater
  conflict between the tradition of academic freedom and the
  law-enforcement concerns about universities as safe harbors
  for terrorists," Mr. Swire says.
  
  Parts of the law, such as those outlining computer trespassing
  and foreign-intelligence surveillance, will expire in 2005
  unless Congress renews them. "Universities have a homework
  assignment to inspect how well these provisions apply in the
  university setting, and if there are problems, then academics
  and universities should point these out," says Mr. Swire.
  
  But so far, it seems that the privacy issues related to the
  Patriot Act haven't penetrated the academic community at
  large. Professors often give puzzled responses when asked
  about it.
  
  Students also are little aware of the potential threats to
  electronic privacy. "I would say that the majority of students
  haven't looked at this and don't understand the
  ramifications," says Matthew J. Murray, a sophomore at the
  University of California at Berkeley who is president of the
  campus chapter of the American Civil Liberties Union. He
  arranged a teach-in about the law soon after it was passed,
  and this spring he is organizing a student-run course covering
  civil liberties and the antiterrorism legislation.
  
  But explaining the vagaries of the law and the importance of
  privacy has been difficult. Students readily understand the
  dangers of ethnic profiling and of secretly detaining people.
  "It's easier to get a grasp on those than on the issues
  related to privacy," because the law's specifics can be
  arcane, he says.
  
  'They Are Terrified'
  
  International students and Muslim Americans generally seem to
  be more aware of the new law and its ramifications. For some
  international students, however, the notion of compromised
  privacy is perhaps too familiar. Omar Afzal, the adviser to
  the Muslim student group at Cornell, has been counseling
  students on what to do if an agent shows up to ask them
  questions: Contact the international-students office or elders
  in the community, and be polite and straightforward. "They are
  terrified," he says. "They come from a culture where if a
  policeman shows up at the door, you are being targeted to be
  sent to prison for a long time."
  
  There is less concern over breaches in privacy. Mr. Afzal told
  the students that law-enforcement officials can look at
  student information without their knowledge. "They don't
  understand, mostly," he says. Again, "culturally, they are
  coming from areas where this information is routinely [shared]
  with the police."
  
  Mr. Afzal is willing to compromise these days. "I am concerned
  about civil liberties, but every society has a right to take
  unusual steps in times of war."
  
  But college librarians are having a harder time compromising.
  Library policies are typically designed to protect the privacy
  of their patrons, and librarians themselves have traditionally
  been staunch advocates of privacy rights.
  
  "It's not just a policy; it's an ideology, almost a religion,"
  says Ross Atkinson, Cornell's deputy university librarian. He
  and other librarians worry that the government will use the
  law to see what patrons are reading, researching, or checking
  out.
  
  Like his institution, Mr. Atkinson's library is reviewing and
  solidifying policies, making it clear to employees what to do
  if a law-enforcement agent walks through the door and demands
  to see patron records.
  
  Miriam Nisbet, the legislative counsel for the American
  Library Association, says that the Patriot Act now gives
  law-enforcement agencies access to business records, which
  could include patron records. That brings up complicated
  issues in an electronic age. For example, to help protect
  privacy, libraries try not to keep information; most libraries
  destroy the record of, say, a book loan soon after the book is
  returned.
  
  But "computers being what they are, those records might still
  be around on backup tapes," Ms. Nisbet says. "So even though
  the library has a policy to erase that information as soon as
  you bring the book back, that information might still be
  available."
  
  Recorded Names
  
  Mr. Atkinson has already thought about these issues at
  Cornell. His library keeps backup tapes for about 35 days,
  then destroys them. The existence of the tapes is troubling
  from a privacy standpoint, but absolutely vital from a
  technical one, so the time period can't be shortened, he says,
  adding that the tapes were a lifesaver in a recent computer
  crash.
  
  But, looking around, he sees more threats to privacy than the
  tapes. The computers in the library don't require users to
  identify themselves, but users at home or in a campus office
  have to log in if they want to get access to the various
  databases that the library subscribes to. Somehow, somewhere,
  those names are probably recorded, along with the information
  those people look at, Mr. Atkinson says.
  
  He is worried that the Patriot Act pushes society toward an
  Orwellian future. "All of this legislation wouldn't be in
  place if they weren't going to use it," he says.
  
  But he is pleased to see his colleagues in the library
  community digging in. "The whole community is galvanized, and
  I'm hearing no dissent on this. There is a very strong feeling
  that we need to protect privacy more than ever."
  
  KEY PROVISIONS OF THE PATRIOT ACT
  
  The following are key provisions of the USA Patriot Act that
  affect college technology systems. The law:
  
  Permits federal agents to obtain stored voice mail without
  wiretap authorization.
  
  
  Compels Internet service providers to turn over to federal
  agents who have a subpoena: subscriber's telephone connection
  records, the subscriber's identity, the length of service, and
  how it was paid for.
  
  
  Allows federal agents to use a "trap and trace" device to
  obtain dialing, routing, addressing, or signaling data sent by
  wire or electronic communication.
  
  
  Allows federal agents to install technological tools to
  intercept and collect information from Internet traffic.
  
  
  Allows Internet service providers to call in federal agents,
  who do not have a search warrant, to help them intercept the
  communications of a computer hacker.
  
  
  Increases penalties for computer crimes, including
  transmitting viruses. If the network damage exceeds $5,000,
  the hacker may be sued.
  
      SOURCE: Law firm of Hogan &amp; Hartson
_________________________________________________________________

This article from The Chronicle is available online at this address:

http://chronicle.com/weekly/v48/i25/25a03101.htm
 
If you would like to have complete access to The Chronicle's Web
site, a special subscription offer can be found at:
  http://chronicle.com/4free
_________________________________________________________________

You may visit The Chronicle as follows:

   * via the World-Wide Web, at http://chronicle.com
   * via telnet at chronicle.com

_________________________________________________________________
 Copyright 2002 by The Chronicle of Higher Education



------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/