Internet Privacy at Yale

25 Apr 2010 by matthewadams


It can be argued that, as educational institutions, universities are less obligated to remain net neutral because they are not commercial ISPs and are not in the business of providing that service. Rather, internet access is another resource universities offer their students, over which they may exert discretion (like what to include in their libraries, who to hire, etc.). Students are not ‘customers’ in the traditional sense, and while network access has become a norm for students, a completely open internet is not something that can be assumed on the University network. With the large number of users on any University network, it is understandable that the needs of the group would overshadow the needs of the individual, especially when issues with security or liability present themselves. So where does this line occur, when the University is no longer responsible for the needs of the individual (privacy, open access to the web, etc.)?

On the other hand, it can also be argued that universities are more obligated than commercial ISPs to promote open and free use of the internet as an educational resource and means of disseminating ideas and opinions.

Personally, I hold more with the latter. Blocking sites or censoring network content feels a bit too much like book burnings in years past. As a place of learning and new ideas, promoting a free and open web should be among the top priorities of any University. While it is certainly within the University’s rights to police the network, doing so places a level of control over the student body that threatens to stifle innovation and free thought.

InfoSec and the ITAUP

With that in mind, I talked with InfoSec (Yale University’s Information Security within the Information Technology Department) about some of the issues that involve student security and net neutrality. A history of InfoSec and net neutrality at Yale can be found in the Yale v. Metallica section of the BitTorrent section of this blog.

In general, the University (InfoSec) does not actively monitor network use for content, nor does it review network flow content searching for peer-to-peer traffic. Copyright infringement is learned of solely through complaints from the copyright holders themselves, all of which are found through processes outside the University. To learn more about why this is the case and how the DMCA falls into play, check out the BitTorrent section of this blog.

To understand the circumstances in which your privacy may be compromised due to security concerns, it is important to first briefly mention what constitutes a violation of Yale’s user policies. The ITAUP, or the Information Technology Appropriate Use Policy, governs the use of Yale’s network services for students, faculty, and staff (as well as any other users on Yale’s network). There are a few main categories that this policy addresses:

  1. Use that impedes or impairs the use of others – resource hogging, chain emails, and spamming fall under this category
  2. Commercial use – basically any use that violates Yale’s non-profit status
  3. Endorsement – use of the network that suggests the University endorses a candidate or ballot initiative, or lobbies for a specific political purpose
  4. Harassment or threatening use – offensive material or harassment of an individual
  5. Damaging the integrity of the University’s network or other IT systems – security breaches, unauthorized usage, identity concealment, virus distribution, removal/modification of University owned data, and use of unauthorized devices within the IT system
  6. Use in violation of the law – this is where file-sharing comes into play (Copyright Infringement)
  7-9. Use in violation of University policies or contracts

When Can The University Breach Your Privacy?

The circumstances in which the University may determine it necessary to access your account are found in section 1607.2 of the ITAUP, and are determined by the Office of the General Counsel. This section starts off by stating the University’s policy on privacy:

“The University places a high value on privacy and recognizes its critical importance in an academic setting. There are nonetheless circumstances in which, following carefully prescribed processes, the University may determine that certain broad concerns outweigh the value of a User’s expectation of privacy and warrant University access to relevant IT Systems without the consent of the User. Those circumstances are discussed below, together with the procedural safeguards established to ensure access is gained only when appropriate.”

There are six different conditions or situations in which direct access to your system can occur, and I have summarized them below:

  1. For diagnosis or securing vulnerabilities and problems within the system
  2. When required by federal, state, or local law or administrative rules
  3. When there are reasonable grounds to believe there has been a violation of the law or a significant breach in University policy
  4. When it is necessary to carry out essential business functions of the University
  5. When required to preserve public health or safety
  6. When a faculty or staff member has ended their employment with Yale and there is a legitimate business reason to do so

Since the sixth condition doesn’t affect us as students, we will ignore it for the time being. For one of these to occur, the approval of the Provost and the Dean of Yale College is necessary. Special circumstances (in which time is a factor) allow their respective delegates to fulfill this responsibility. When public health or safety are at risk, these necessities are put on hold. When an emergency entry such as this occurs, it is logged for review by the appropriate University authorities. Notification to the person(s) whose privacy has been breached will occur depending on the University’s discretion.

Aside from direct access to your system, the University can also deactivate your access, scan your system, and take logs of your actions. Like direct access, these are also governed by specific guidelines. Deactivations and user privilege restrictions can be performed by the Systems Administrator at his or her discretion when necessary to preserve the integrity of the system as a whole. This can be done whether or not the user is suspected of violating the above policy (ITAUP), and notification from the Systems Administrator should be expected. In terms of scanning, consent is assumed once you have connected a personal computer to the network, although this is only done for security purposes. Logs of user actions are generally taken to facilitate recovery from system malfunctions, and the collection, security, and retention of this data are governed by the Systems Administrator’s policies.

Unfortunate But Necessary

While such breaches of privacy may seem grotesque, they are necessary for the operation of any network. Public safety has to take priority over individual privacy, especially in the circumstance that breaching said privacy protects innocent individuals. Notification at the University’s discretion (while unavoidable) still leaves a bad taste in the mouth. Safeguards certainly exist for these scenarios, but in general there is nothing that can stop an unlawful violation of your privacy as it occurs. Of course disciplinary action would certainly occur afterward, but that doesn’t change the original events. Strict guidelines always have exceptions, but for the most part these policies are created to protect the individual user.
