Tuesday, July 23, 2013

The Keating Report

Michael Keating, the attorney retained by Harvard to provide a complete account of last year's email searches, issued his report yesterday. Summaries appear in the Boston Globe and the New York Times.

It is a careful and apparently exhaustive account of the particular email searches that happened in the context of the so-called leak by a resident dean. It does not answer any question beyond that. In particular it gives no clue about how often email searches are conducted, and of whom; the best information is from the president's reassurance last year that they happen "rarely." I did not expect to learn any new information on that, since Mr. Keating's charge was limited to the facts of the searches conducted last fall. Nor was the report intended to consider other issues raised by this case, such as the question of whether it would be wise in the future to follow the precedent of announcing an Ad Board case to the media via a press release.

Except for some confusion about a footnote, which I explain below, I am disappointed with the report in only one respect. The report goes to some length to state that the actions of those who authorized and conducted the email searches were taken "in good faith." However it imputes no motive or intent to the dean who forwarded the email to a student, stating simply "One of the listed emails was sent, on August 16, 2012, by Resident Dean X to a student advisee. Resident Dean X forwarded the `case process' email to the student less than 10 minutes after Dean Ellison sent it." I and others (for example, Professor Thomas in today's Globe story) have speculated that the dean was simply trying to provide the student with accurate and helpful advice, and never thought about the e-mail forwarding as a leak to the Crimson or a breach of confidentiality. Since the report goes to such pains to remove any suspicion from those who did the searches (the phrase "good faith" appears three times, and there are other statements of what various administrators "believed"), the omission of any similar conclusion about the intentions of the Resident Dean might be interpreted to mean that Mr. Keating was less confident, or not confident at all, that those intentions were as pure. I am not sure why, having imputed benign intentions to some of the players in this drama, the report is coolly nonjudgmental about the Resident Dean. If it is true that the dean was simply trying to give the student good advice (and the fast-forwarding suggests that the dean had no more complicated plan), the report might have said so.

The most important development going forward is that university officials are using a different voice about privacy protections. William Lee of the Harvard Corporation says in a prepared statement,
Mr. Keating found those involved in the searches to have acted in good faith and with a guiding desire to safeguard the confidentiality of the Ad Board process. That aspect of his report is reassuring.  His detailed account of how these searches were done, however, makes it even clearer than before that there is much work ahead in improving the University's policies and protocols concerning privacy of, and access to, electronic communications.  
President Faust's statement is even stronger:
Unfortunately, the detailed factual account in Mr. Keating’s report deepens my already substantial concerns about troubling failures of both policy and execution. The findings strengthen my view that we need much clearer, better, and more widely understood policies and protocols in place to honor the important privacy interests that we should exercise the utmost vigilance to uphold. A university must set a very high bar in its dedication to principles of privacy and of free speech; these are fundamental and defining values of our academic community. The searches carried out last fall fell short of these standards, and we must work to ensure that this never occurs again.
And in the Globe, Lee said very much the same thing:
"Hopefully, it will never happen again,” William F. Lee, a member of the Harvard Corporation, said in an interview. …. Even with “the unprecedented nature of the events, the urgency of the events, the fact that students’ privacy and individual rights were involved, it’s clear that the policies that we as a university had in place were inadequate to the task,” Lee continued. 
I am very glad to see such a consensus around the need for better and more exacting policies and practices for electronic searches of Harvard communications. On page 20, Mr. Keating's report notes two existing policy statements. One is plainly applicable only to students. The other is in the "Information for Faculty" handbook, and reads as follows:
The unauthorized examination of information stored on a computer system or sent electronically over a network is a breach of academic and community standards. Authorized system support staff however, may gain access to users’ data or programs when it is necessary to maintain or prevent harm to the University, its computer systems or the network.
For the life of me, I can't remember ever seeing that. The Information for Faculty is not voted by the Faculty, and I do not know who wrote that paragraph or when this language entered the handbook. It is a document professors are expected to know and obey, but since it is not faculty legislation, we are unlikely to notice changes year to year unless a dean points them out. Nor do I know by what authority language like this gets added.

This passage actually looks like a maladaption of the student policy, which refers to the need "to maintain or prevent damage to systems." With a little editing, perhaps that became a need "to maintain or prevent harm to the University, its computer systems, or the network." The Keating report states that the searches were done pursuant to this policy, which is, of course, extremely permissive.

The report does not mention another permissive email privacy policy, in the Employee Handbook (Section 2, no link because it is behind a login screen):
Electronic files, e-mail, data files, images, software and voice mail may be accessed at any time by management or by other authorized personnel for any business purpose. Access may be requested and arranged through the system(s) user, however, this is not required.
The report does, however, dismiss the FAS Faculty email privacy policy as basically nonexistent, and in fact unknown to the Office of General Counsel. Footnote 3 on page 20 states:

The OGC Attorney did not review a policy, entitled “FAS Policy Regarding the Privacy of Faculty Electronic Materials,” which was posted on an Information Security & Privacy website at <http://security.harvard.edu>, rather than the FAS website. That policy had never been approved by the OGC, and in 2012, no attorney at the OGC appears to have been aware of its existence. Also, neither the HUIT Employee nor the FAS administrators who approved the searches knew about it. In 2005, the FAS consulted with the OGC concerning a proposed privacy policy, but the OGC was never advised that the policy had been adopted by anyone or posted to this particular website. Also, as a matter of practice, the OGC is not asked to “approve” privacy policies adopted by different institutions at the University. Further, when the OGC is asked for guidance about whether particular actions comply with applicable policies, it focuses on the policies posted to the website for the relevant institution, such as the FAS website, or printed in the relevant handbook. 

Now a fair amount has been written and debated about this policy over the past year (see my blog post about these various policies, for example). This is the policy that requires notice of searches, and also stipulates a particular form of approval; maybe the searches were done in a manner consistent with the policy and maybe not. With the policy vacated, the question of whether it was followed becomes moot.

It seems entirely fair that since the policy was so poorly disseminated, the issue of whether it was scrupulously followed should be regarded as a technicality. I have said elsewhere that the more important and interesting question is whether the threshold for doing a search (which is permissible under some circumstances under all these policies, and will surely be allowed sometimes under any policy adopted in in the future) was set too low. I am interpreting the bottom line of the report and the official comments on it to mean that those who undertook the searches thought in good faith that the threshold had been exceeded, but that in light of this experience the threshold may need some recalibration. The great challenge to the Barron committee, which is writing a new policy, will be to find words and protocols to set that threshold low enough to give comfort to the lawyers and high enough to restore community confidence.

At the same time, Footnote 3 did not sound quite right to me, and since I was pretty sure I got the ball rolling that led to that faculty email privacy policy, I have tried to reconstruct the sequence of events that led to its appearance on Harvard's web site.

Ironically, what got me started back in early 2005 was exactly the discomfort of which the President spoke yesterday. This email explains the genesis of the mysterious disappeared faculty policy. I sent it on March 13, 2005 to the director of FAS computer services, with a copy to Richard Hackman, chair of the FAS I/T committee:
I raised this question with Richard for the I/T committee a few days ago. As I have learned a little more, thanks to conversations with [Harvard University Chief Information Officer] Dan Moriarty and with Hal Abelson of MIT, I'm including Richard in this followup for him, first contact for you. 
Following the resignation of the Boeing president because of emails showing he was having an affair with an employee, a student asked me, "Who can read my email?" I'd generalize that to who can read faculty, staff, or student email. It's the policy question in which we are interested, not the reassurances about how well your staff are trained (though god knows that is probably the most important thing as a practical matter!). 
Here is what I can figure out. If there are pieces I am missing I'd appreciate knowing that.
I wrote the privacy policy for students, which was, I think, voted by FAS before it was put in the Student Handbook. HASCS has put that language in its own policies in a place that suggests they apply to all FAS systems and users. I wonder if that broadening was done by you or by you and some FAS dean or committee. Anyway it's a good thing.
 
At the university level there is a personnel manual item that says you have no privacy at all - Harvard can read your email for any "business" purpose. I am uncertain whether this personnel manual applies to faculty or just staff. In any case it is pretty amazing to read - I am sure it conforms to the law but it is certainly very far from community expectations today. (And even more amazing that you have to go through PIN authentication even to read that you have no privacy!) And even if it does not apply to faculty but does apply to staff, would university policy trump FAS policy for a staff member if there were a request from the Center? 
MIT has a policy which looks broader, simpler and more reassuring, though I am not sure it really is since the ball gets kicked to a VP to decide. I have an inquiry into that VP to find out what he thinks that means. 
I am attaching a collection of snippets of these various policies. If I am missing any, do let me know. I really wonder if it makes any sense to set these policies separately in 10 Faculties given the way computers are networked, with a potential of 30 different policies (for faculty, staff, and students) or more (if the Center has its own view, which it may well regard as trumping any policies adopted within a Faculty). 
By the way, my question has nothing to do with the (to me) obvious fact that the university will comply with any subpoena or court order. The question is just what the university can do for its own purposes by way of reading email of users of its systems. I should also say that some of these policies made more sense once than they now do. The staff policy in the personnel manual doubtless reflected (a) email storage as a scarce resource and (b) OGC's insistence on giving no more assurance of privacy than the law would require, which was not very much on business machines.
This email, which sounds hauntingly familiar in places (really? why not have 10 policies for 10 Faculties?), started a thread of discussion in the FAS I/T committee and elsewhere. I can't really say what happened next, but the minutes of the June 2, 2006 meeting of the FAS I/T committee include this item:
5. E-mail privacy policy Dan Moriarty reported that, after extended consultations andnegotiations, a new policy regarding the privacy of faculty e-mailhas been written and approved.  This policy, which is attached(email_privacy.txt), for the first time affirms that e-mailmessages and electronic documents on Harvard computers areconsidered confidential and will be accessed only in specific andextraordinary circumstances.  Note, however, that the new policyapplies only to faculty, not to staff or students, for whomexisting policies remain in place.  Members expressed gratitude toDan and his colleagues for their work in providing greaterprotection of electronic materials developed and stored by faculty.
The minutes don't say who the consultations and negotiations had been with, but intervening exchanges indicate that the Office of General Counsel was, reluctantly perhaps, involved in the discussion. The attachment included the text of the Faculty policy referred to in Footnote 3:
New Policy Regarding the Privacy of Faculty Electronic Materials
The Faculty of Arts and Sciences provides the members of itsfaculty with computers, access to a computer network and computingservices for business purposes, and it is expected that theseresources will be used in an appropriate and professional manner.FAS considers faculty email messages and other electronicdocuments stored on Harvard-owned computers to be confidential,and will not access them, except in the following circumstances. 
First, IT staff may need access to faculty electronic records inorder to ensure proper functioning of our computer infrastructure.In performing these seervices, IT staff are required to handleprivate information in a professional and appropriate manner, inaccordance with the Harvard Personnel Manual for Administrativeand Professional Staff.  The failure to do so constitutes groundsfor disciplinary action.
Second, in extraordinary circumstances such as legal proceedingsand internal Harvard investigations, faculty records may beaccessed and copied by the administration.  Such review requiresthe approval of the Dean of the FAS and the Office of the GeneralCounsel. The faculty member is entitled to prior written noticethat his or her records will be reviewed, unless circumstancesmake prior notification impossible, in which case the facultymember will be notified at the earliest possible opportunity. 
The policy has disappeared (been disappeared, I am tempted to say) from where it used to appear on the Harvard web site:
http://www.security.harvard.edu/files/Security_-_Faculty%20Privacy%20Advisory%205.13.10.doc

That is as far as I can go toward resolving the confusion as to whether the policy actually existed or not. I had good reason to think that it did, and so did anyone on the FAS I/T committee, but if there was no followthrough, or the minutes are somehow inaccurate, OGC may well have had good reason for thinking it did not. I have no way of knowing, and never asked, who exactly approved the policy, as reported in the minutes. Professor Hackman stepped down from the chairmanship of the committee after that meeting, and he passed away in January 2013.  Dan Moriarty left the University several years ago. 

I don't think it really matters, as the important issue at this point is what policy the Barron committee will recommend, and in particular how to define the circumstances in which searches will be permitted in the future. But perhaps this little historical record documents that those who have been citing this policy have been doing so, as the saying goes, in good faith.

1 comment:

  1. This comment has been removed by a blog administrator.

    ReplyDelete