On February 16, 2005 the Executive Policy Review Group approved the impact statement for University Policy on Privacy of the Network. This proposed policy represents the next step towards completion of the IT Policy Framework. Two main principles drive this policy: the university's position on monitoring its network and computers, established in University Policy 5.1, Responsible Use of Electronic Communications; and the conditions under which information technology data may be disclosed to third parties, pursuant to the authority given to the Vice President of Information Technologies (IT) in University Policy 4.2, Data Stewardship and Custodianship.
The university as a practice does not monitor or restrict the content of material transmitted on the university network, or posted on university-owned computers, but reserves the right to limit or remove access to its networks and to material posted on its computers, when applicable university policies or codes, contractual obligations, or state or federal laws are violated.
Policy 5.1, Responsible Use of Electronic Communications (originally promulgated in 1995), is a first-generation information technology policy. A number of its specifics have been refined into distinct policies, such as University Policy 5.4.1, Security of Information Technology Resources; University Policy 5.4.2, Reporting of Security Incidents; and University Policy 5.x, Authentication of IT Resources. (For more information on this point, please see the IT Policy Framework. The name of each policy is a link.) One of the policy specifics of the current 5.1 Responsible Use is the university's position on monitoring, posting or removing content material from its networks and computers. In brief, the university does not monitor the network for content as a practice. This principle forms the basis of this new proposed policy.
A separate policy on this specific point is important for two reasons. First, a network not inhibited by content monitoring reflects the hallmark qualities of higher education: free speech and open inquiry. Second, in a political environment in which content owners have placed pressure on academic institutions not merely to comply with copyright law and educate their users, but to enforce their rights by monitoring the network for their content, it is critical that Cornell hold fast to its culture and traditions of openness with a clear university policy statement. With this statement, Cornell, one of the earliest academic institutions in the country to speak to content in information technology policy, continues to stand as a leader for open data networks in higher education.
It is important to clarify the conditions of this policy statement. Cornell University, Cornell Information Technologies specifically, monitors the network for maintenance, security and operations of the data network as a regular course of business. Given the open nature of the technology, content is or may be transparent to network administrators who may observe it in the usual course of their functions. Potential or actual exposure of content under these circumstances does not fall afoul of this policy statement. University Policy 4.12, Data Stewardship and Custodianship, places network operators, indeed all information technology personnel, under the standard prohibitions of respecting the confidentiality of institutional data. Moreover, there are circumstances under which an examination of content is appropriate, such as under the power of legal papers, in the case of a violation of law or policy, in health and safety emergency circumstances and even for some extenuating business reasons. None of these conditions contravenes the essential principle that as a practice the university does not monitor for content. It should also be noted that content that may be observed in the usual course of business, for example random words or Internet Protocol addresses, does not automatically identify individual users, i.e. Joe Smith or ewe2.
As steward of the university's information technology data, the Vice President of Information Technologies (IT) designates the following limited conditions under which information technology data may be disclosed to third parties: (1) in response to a court order, or other compulsory legal process; (2) upon the request of an appropriate university official in the investigation of a legal or policy violation; (3) to maintain operation and security of the network; (4) in the event of a health or safety emergency; and (5) in specific instances explicitly approved by the Vice President, for purposes of research that is to be shared with appropriate parties in other institutions of higher education.
This policy presents the opportunity for the Vice President of IT, as steward of information technology data under University Policy 4.12, to establish disclosure rules to third parties. These policy specifics are important for three reasons. First, they effectuate the obligation University Policy 4.12 placed on data stewards to establish policy for the institutional data under their authority. Second, these disclosure rules reinforce the university's position on monitoring the network for content. As data steward, the Vice President of Information Technologies makes it clear that system logs, network flow log data or other such information technology data shall not be any more readily available than is necessary to respond to court orders, legal, policy or business needs. Third, the Vice President of IT recognizes the potentially transparent nature of information technology data and the possible exposure of content, for example by mapping Internet Protocol Addresses to web pages, or the disclosure of personally identifiable information, for example by combining electronic identifiers and/or directory attributes.
For the purposes of this policy, information technology data refers to audit data produced by computer systems or by network devices such as routers, switches, and firewalls. Computer system data record the user and time for logins and logouts, services used, files created and modified. Network logs record Internet addresses contacted, and size and type of files sent or received. The data do not include the contents of any file, such as a spreadsheet or e-mail message. This example shows the type of data that network logs collect.
Cornell University respects the privacy expectations appropriate to the user community of its data network through policy statements about network monitoring as well as disclosure rules for information technology data under the authority of the steward of IT data, Vice President for Information Technologies.
For information about the processing of legal papers, please see University Policy 4.13, Acceptance of Legal Papers, and the Cornell Information Technologies implementation and procedures for this university policy.
To make a request for information technology data, please contact the IT Security Director or the IT Policy Director. If neither individual is available, please contact the Office of the Vice President of Information Technologies.
December 13, 2005