May 15, 2002
New technology generates new anxieties–often with good reason. The trade-offs of one generation are not always the same for another generation with different historical circumstances or different expectations of efficiency, privacy, and social order. The popularization of the transportation and communications industries–from trains to planes and telegraphs to telephones–produced a long litany of contract and tort cases, not to mention reams of regulations and volumes of administrative law. In light of the remarkable technologies that have made electronic communications a popular and significant component of the American economy, it is no wonder that electronic communications have raised a wide range of new questions and concerns about Internet service provider liability, Internet governance, legal strictures for government surveillance, and privacy in general. And perhaps the main reason is that people feel so personal about their computer usage.
The psychological intimacy between people and their computers sharply contrasts with the fact that network operators can see electronic communications, governments with proper authorization can intercept transmissions or obtain stored data, and snoops or hackers can all too easily "sniff" communications or "trespass" into an individual’s computer. An early generation of literature on the psychology of the Internet has documented cases about people exploring identities or experimenting with anti-social psychologies; it must feel like a deep violation of the very technology upon which their experimentation relied to have it also reveal a less exotic and quite possibly very lonely and deeply defended identity. For those who have used electronic data or communications to express personal emotions or political thoughts it is shock to learn that their message has been posted on the web or widely circulated as the result of easy forwarding. Electronic diaries and wills have been sent out as documents as the result of a computer virus. The sniffing out of a credit card or social security number produces obvious credit problems. Harassing or defamatory messages put on the web for the entire world to see can be a psychic blow that leads to questions of trust, privacy and the "mystic cords" that bind people to their society.
So what are the rules, technical, legal and ethical, that shape this very uncertain reality of the privacy of electronic communications? Technically, people should be prepared to accept that network operators can see virtually any unencrypted communication. In cases where the operators are performing necessary business functions, they do, in fact, sometimes see such communications. Notwithstanding the common analogy that an e-mail is like a postcard going through the United States Postal Service, the more accurate comparison would be telephone operators or technicians who could or do break into live communications in the course of their duties. One distinction to make between both of these analogies and electronic communication is that in neither the postal nor telephonic world are "back-ups" or network "logs" maintained that provide yet another avenue for retrieval of communications and/or data after the fact. People are often surprised to learn that their own computers contain records of every web site visited (oh, no — the wife will see the porn site!…the husband will see the shopping site!…and the parents the downloaded music!…). The capacity and volume of information that network communications contain constitute a quantum leap of trace and tracking ability that understandably makes people nervous. And even if it could be established that no social or political entity conspired to make this technology so transparent, it simply feels unnerving to discover that the "privacy" of communications is not what it used to be.
Two federal criminal laws speak directly to the legal and ethical concerns regarding electronic privacy. First, the Computer Abuse Act, Title 18 of the criminal code, section 1030 specifically, renders computer trespass (not the scan "rattling of doorknobs" but penetration, retrieval and/or damage) and destructive programs (worms, viruses, etc.) illegal. Second, the Electronic Communications Privacy Act (ECPA) establishes privacy of electronic communications at a standard similar to the wiretapping act of the late sixties. In short, the disclosure of any information by an Internet Service Provider to the public is actionable. Since Congress amended ECPA in 1994 to include wireless communications, "sniffing"(1) is uncharted legal territory, given that the spectrum in which wireless communications operate is public. Almost certainly actually reading the text of a communication would support at least a cause of action, especially if that communication was disclosed to the public. Disclosure is regulated even for those who fall under some of the exceptions to ECPA, such as network operators who access communications in the normal course of business or law enforcement with an administrative, executive, or court order to access transmissions and data. If a network operator working in the usual course of business uncovers the extra-marital affair of a famous person, for example, it is against the law to disclose it. Likewise, if in the course of an investigation, law enforcement discovers legal but potentially damaging information about an individual, say the homosexuality of a closeted person (in a state with no sodomy laws), they may not disclose that information. The singular exception to the exception is when consent is given by one party to a communication to disclose information of the second party; such disclosure is not actionable.
___________
(1) "Sniffing" is a slang term for interception of data communications. In telephonic communications the analogous term is "tapping."
State tort laws offer another dimension to this issue. Claims such as defamation, misappropriation of likenesses, or invasion of privacy–together with state sexual harassment laws–offer opportunities for ambitious attorneys to carve out a specialized niche in tort and civil plaintiff Internet law. Actions in this area are still very sparse and have yet to yield a clear direction of the law and so remain speculative at best. Such speculation leads to another question, however: What about ethical dimensions exposure on the World Wide Web? I have a teensy example.
I was teaching my 10-year-old son how to do a search when he suggested that we search my name. To my surprise there appeared a title, "The shit hits the fan…" In my role as copyright agent for the University under the Digital Millennium Copyright Act of 1998, I had sent a student a form notice of copyright infringement. He had sent it on to friend at another university who posted the notice on the web with that lovely opening phrase. Since the recipient consented to the posting, I have no cause of action in criminal law, and since it does not allege anything defamatory about me, I have no private claim either. (It most certainly would have been a violation of the Buckley Amendment, or the Family Education Records Privacy Act, for me, as an agent of the university, to post the information.) But still, it is a gratuitous posting. I acted as an employee of the university, and yet the search turned into something personal about me.
I decided to contact the student, not as an employee of the university but as a regular person on my home computer and with my private e-mail address. I asked him to redact my name and that of another employee. He never did; it remains up today as I write. Now, if this is the worst incident to occur in my life I shall lead a charmed one indeed. Given its minor significance I present it as an example of an ethical question. In lieu of law, how do we, as citizens of the United States and of the world of Internet users, articulate an ethics of electronic media?
It is in this space between the law and ethics that policy lies, and colleges and universities, as authors of policy, play a special role in its development. Law, from Middle English, "to lay down," represents the floor of acceptable behavior, a level of performance beneath which an individual or institution courts liability. Policy, from the ancient Greek, "polis" or "citizen," speaks to higher principles that incorporate foundational social and political notions of rights and responsibilities of the individual to the group, and of the group to and for the individual. To be sure, policy does not fill the gap between the law and ethics completely. To draw upon the example explored above, it is important to note that not even policy would have addressed my concerns. The "fan" material is not posted on the Cornell University network, but even if it were, the University does not have a policy against posting it... To the contrary, the University’s Policy on Responsible Use of Electronic Communications holds forth on free speech that does not violate law or policy in such a way that it would have been a violation of policy for me, as an officer of the university, to use my authority to remove it!
Such strictures define the obligations that the university undertakes to protect its constituents. Conversely, intervening in cases where individual students interfere with the activity of others (for example in cases of bandwidth "hogging") or establishing ground rules of responsible use (no "e-mail bombing") and security ("prohibition against sharing passwords") are also obligations the university exercises to maintain order and to teach responsible use. Needless to say, to adhere to those rules is also the obligation of individuals who enjoy the privilege of network usage. That those rules are not codified in American law but could potentially bring sanction upon constituents of the university who use the network in violation of them illuminates precisely how policy raises expectations of an individual’s behavior. The "policy" reasons why those rules exist: to promote fairness, respect, and dignity–if not a relative concept of "privacy"–comport with the lofty mission of the university.
A note on the term "privacy" is worth making at this juncture. The concept of "privacy" in American law is largely a twentieth-century phenomenon and has come to revolve largely around the debate over "abortion" or "reproductive rights" as they took shape in the civil rights movement of the 1960s. However much ridiculed, Justice Goldberg’s famous statement that the First, Third, Fourth, Fifth and Ninth Amendments to the Constitution amount to a "penumbra" of privacy rights, otherwise not articulated as such by name in that august document, represent to date the best summary on how American constitutional law considers this nebulous area. But it is equally important to remember that the constitution protects against government action and not private entities. Thus, while privacy may have become the catchword for personal rights in the last half of the twentieth century, those rights do not translate to all areas of experience and certainly not to "private entities" such Cornell University.
Consequently, the University Counsel’s Office has made it clear to policy advisors across campus that their policies had best steer clear of the term "privacy,." lest it suggest or infer a set of rights to which the University is not obliged, and to which the University would not want to associate itself in policy as a matter of potential litigation. Nuanced terms such as "fair information practices" fill the gap that "privacy" policies might well play in state universities or other governmental institutions. Another example of how the "public" and "private" distinction plays out is in the area of "privacy" rights for employees of any "private" network. Employees enjoy no privacy whatsoever. Every case that has asked questions about monitoring, snooping, sniffing, self-consciously and intentionally looking at either transmissions or stored data of employees has found squarely for the employer, not the employee.
To its credit, Cornell, while reserving its right to monitor communications, has nonetheless stated in policy that it will not adopt those practices as a matter of normal business. The University Policy on Responsible Use states that while it reserves the right to control and access systems, it does not as a practice monitor data or usage.
Important distinctions must be made among three discrete points. Technologically, systems’ operators can see, for example, e-mail or URLs passing through as transmissions. Yet, the equally true fact that more than 1,000,000 e-mail messages pass through the Cornell network on average every day means that it is impossible to monitor them, even if the University did not hold itself to a higher ethical standard in policy. Thus, there is a difference between the technological ability to see e-mail and the practice of reading it. It is important to note, however, that as a matter of policy, in the course of standard business procedures, should a system operator observe content of e-mail, they are obliged to maintain the confidentiality of it unless the content of what they observe violates law or policy or is evidence of immediate danger of life and limb, in which case they are obliged to report it.
Another variation on the theme of "privacy" of an individual’s data on an electronic network is the question of how third parties can gain access to it. The Office of Information Technologies is sponsoring a policy on this matter, "Fair Information Practices for the Access of Data about Individuals Transmitted or Stored on Cornell Information Technologies Systems." Until such time as the University Policy office issues it, it is the practice of the Office of Information Technologies and Cornell Information Technologies to provide information to third parties only on the request of the head of the subject’s constituency (i.e. the Vice Presidents of Human Resources or Student Affairs, or the Dean of Faculty) or to law enforcement with proper authorization. Individuals may retrieve logging information about themselves if they present reasonable cause in a formal request to the Policy Advisor of Information Technologies.
And then there is the question of "sniffing." It may be murky in the law, but it is clear in policy. Cornell Information Technology interprets the Cornell University Policy Regarding Abuse of Computers and Network Systems to make "sniffing" a violation.
Members of the University community are expected to follow certain principles of behavior in making use of computers and network systems, in particular, to respect, and to observe policies and procedures governing the privacy of or other restrictions placed upon data or information stored in or transmitted across computers and network systems, even when that data or information is not securely protected. (Cornell University Policy Regarding Abuse of Computers and Network Systems)
One more quasi-privacy oriented policy bears noting: University Counsel and the Office of Information Technologies are co-sponsoring a University Policy on the Encryption of University Records and Institutional Data. In the absence of better security and perhaps more robust law in the area of electronic communications generally, many users in the industry are turning to software programs that scramble data to make it unreadable to anyone but users with the appropriate electronic "keys" to unscramble it. Afraid that poor management of keys and the absence of policy could lead to the loss of university records and institutional data, counsel’s office and OIT have put together a draft that states some basic rules: authorized university officials (president, provost, heads of units, colleges, and departments) may demand the de-encryption of university records or institutional data on university owned computers.
Already existing policy gives definition to these terms, and in the case of difference of opinion, the president and provost shall be the final arbiters of what constitutes records or data. The policy does not require encryption, a specific method of it, or a central repository of keys. But if users deploy such a method then they shall develop their own reasonable policy and procedure for the appropriate escrow of keys. To read this policy in reverse is to suggest that any users of the university network services not working with university records or institutional data can encrypt to their heart’s content; users of that data must simply follow the rules. Insofar as they transmit or store "personal" data on university owned computers they have procedure on their side to do so (exempting a discussion here of other interlocking policies such as inappropriate use of university resources and/or matters of workplace performance).
Two other items are worth mentioning in a discussion about "privacy" matters in policies and practices in electronic communications: institutional use of "cookies" and the selling of e-mail addresses or other electronic directory information. These issues are slam dunks for Cornell Information Technologies in favor of "privacy." First, Cornell Information Technologies does not store or reuse any form of "cookies,"(2) or software information programs that feed data about a user back to a central server. Second, Cornell Information Technologies does not sell e-mail addresses or any other form of electronic communications or directory data to third parties. To those all too unhappily familiar with "spam" or unwanted junk e-mail, the receipt of those messages is emphatically not the result of a sale of your address, but the unfortunate technical ability of marketers to "harvest" data from publicly available directories.
While these "wins" on CIT's part may seem innocuous enough, their significance is well worth noting in light of the practices of commodity and public Internet services providers. The very presence of "cookies," increasingly taken for granted by flattered users of portals such as Amazon ("Hello, Tracy Mitrano!"), nonetheless initially signaled a diminution of privacy as a cost of computer and Internet usage. If people are now more accustomed to that technology, and accepting of it, then the transition to acceptance underscores our adaptability to different or new levels of identification in public spaces such as electronic communications. Still, it is an important distinction that at least the backbone university service provider can make not to indulge in what is essentially a ploy for sales. The same is true for the sale of e-mail addresses or any other information about users. Yahoo can make a business decision whether it gains more in selling such information or maintaining integrity with its users. Universities, given their cherished not-for-profit status, do not and should never, in my humble opinion consider the question. Commercial portals may at various times be sexier and offer more services, but they will always be in business for the sake of business. College and universities have goals that distinguish them from the commercial world. Institutions of higher education, even private colleges and universities, may not be able to offer each of their constituents, employees, faculty or students an ideal measure of "privacy," but their mission to foster free inquiry and to teach for the sake of knowledge itself offers a set of values different from the marketplace, a set of values that information technology organizations can and should reflect.
___________
(2) A few CIT services, such WebEmail and the library proxy server, do use cookies to store temporary information during an active session, but do not collect personal data or share information with any other application.
It is commonplace to describe privacy laws in the United States as a "patchwork quilt." Unlike the European Union, which has adopted a comprehensive approach to rules and regulations about matters of privacy, the United States, steeped in a political philosophy of "negative rights" (rights against government interference such as search and seizure instead of obligations such as food, education and housing), has taken the piecemeal approach to privacy by setting forth discrete positions in a full span of constitutional (Roe v. Wade, e.g.), statutory (Family Education Records Rights Act) and regulatory (all flavors of administrative due process) law. As such, "privacy" remains something of an elusive term for most Americans, and can conjure as wide a variety of associations for different individuals as human experience allows. Having said that, it is worth noting the various discrete attempts that the law has made to address these matters in electronic communications. Even more heartening are observations the efforts of colleges and universities to fill in the law’s gaps with policy. If our expectations change it is only a development of changed circumstances of technology combined with the natural law of politics: with every measure there is a counter measure, and probably a counter measure after that. The policy initiatives here at Cornell may not address every single fear or concern about the new world of information technologies, but they hope to address at least the most appreciable ones. To be sure, they won’t be the last.
Tracy Mitrano
Policy Advisor
Office of Information Technologies
