From: comp-academic-freedom-talk-request@eff.org Reply-To: comp-academic-freedom-talk@eff.org Precedence: bulk To: comp-academic-freedom-talk Return-Path: Date: Tue, 23 Apr 91 04:43:19 -0500 Sender: "Carl M. Kadie" Subject: FYI: Re: New NCSA e-mail policy inconsistent with Academic Freedom Status: R Newsgroups: uiuc.general Path: m.cs.uiuc.edu!kadie Sender: kadie@m.cs.uiuc.edu (Carl M. Kadie) Subject: Re: New NCSA e-mail policy inconsistent with Academic Freedom Message-ID: <1991Apr23.084510.17584@m.cs.uiuc.edu> Organization: University of Illinois, Dept. of Comp. Sci., Urbana, IL References: <1991Apr23.082959.78@m.cs.uiuc.edu> Date: Tue, 23 Apr 91 08:45:10 GMT Lines: 193 [These are my notes from my conversation with Michael Smith - Carl] Earlier today (April 23, 1991), Michael D. Smith and I talked over the phone. He kind enough to answer my questions about the NCSA e-mail policy. Mr. Smith is the Associate Director of the National Center for Supercomptuer Applications (NCSA), a department of the University of Illinois. He is also the Computer Operations and System Administration NCSA Security Officer. It is he who sent the letter setting down the NCSA's e-mail policy. The following is my reconstruction of the information he provided. It is based on the notes I scribbled down as we spoke; thus it contains no direct quotes. I will, of course, send a copy of this note to Mr. Smith. I assume he will correct any mistakes I make. q: [In his first e-mail note to me, Mr. Smith mentioned that the e-mail policy was "University Approved"] What does "University approved" mean? a: The policy was approved by the University's legal counsel and the Graduate College. [The NCSA is a department within the College of Graduate Studies.] q: Was there any user input or any input from any University committee's concerned with Academic Freedom? a: No. q: What was the motivation for creating this policy? a: To stop flagrant abuse of resources. We also have contractual obligations to industry. q: Some of the language in the policy sounds like it is trying to explicitly say that the NCSA is not covered by the e-mail provisions of the Electronic Communications Privacy Act (ECPA). Was this a motivation? a: [Mr. Smith said he was familiar with the ECPA.] No, it wasn't. q: Can you be more explicit about your contractual obligations? a: We promise a certain level of security. For example, no letter bombs, no threats, no viruses. q: You don't mean "level of security" in any formal or governmental sense do you? a: No, I don't. q: Did you consider general University privacy policies? a: There is an article about security in the IEEE software review. Our computers policy is consistent with the trend at Fortune 500 companies and other Universities. q: Has this policy ever been used? a: It has been used once in the last six years. q: But the policy as only been in effect for a couple months [actually, less than a month]. Was this use after the policy was set down? a: Yes q: So, it has been used once in the last two months? [Actually, once is less than a month] a: Yes [If the suspect would like to tell his or her side of the story, he or she could contact me (or just post a note).] q: Can you detail how the Director authorizes monitoring of e-mail? For example, is monitoring allowed only for a limited amount of time? Is it limited to a particular location? a: We should be clear here, "monitoring" is a bad word. We don't actually read the e-mail when it is transmitted. We look at the user's mbox file. [Note, mbox is the computer file in a user's home directory where e-mail is often archived.] The investigation is, thus, of very limited duration. [Comment: "monitoring" is the word used in the policy letter.] q: The mbox file can contains both mail sent *by* the user and mail *to* to the user. Does this mean that you can look at mail send from outside NCSA? a: It is possible, but not likely. q: Can the Director delegate the authority to authorize a search? a: Absolutely not. The Director must authorize each investigation on a case-by case basis. q: What records are kept of the the search? a: A full report is made. It is kept in a safe. q: Is the user [suspect] eventually notified? a: Yes, always. q: Are records of the search keep confidential as required by the Family Educational Rights and Privacy Act [of 1974]? a: Yes. q: Are the records available to the user as required by the act? a: Yes. q: Can the Director authorize the monitoring of NCSA telephones? a: We don't control our telephones, so he can not. q: Can the Director authorize the search of NCSA office space? Or campus mail or US mail sent from NCSA? a: There is no policy about any of that, so a search cannot be done. q: What is the relationship between the NCSA and the University? a: The NCSA is department of the Grad College of the University. q: The policy says that e-mail is only for NCSA business. What is "NCSA business"? a: You are misreading the policy. It says that when the e-mail system was established, it was *intended* for NCSA business. People now use it for personal business. That is OK. Personal use can be important; it can be used to build relationships. q: This question may not make as much sense now, but let me ask it anyway. Would it be OK to discuss the e-mail policy via e-mail? Would it be OK to criticize you or the Director in e-mail? a: Yes, of course. q: Would it be OK to make such criticism without your knowledge? In other words, is there legitimate NCSA business that is private from you? a: Yes. q: And under the e-mail policy, might you end up reading a note between two NCSA users criticizing you? a: It is possible. q: In section three of the policy, it says that one reason for a search is if there are "attempts to disadvantage NCSA." Can you explain what this means? a: Here is an example, suppose the NCSA has a nondisclosure agreement with a company. And suppose someone tried to send out information covered by the agreement. That would be an attempt to disadvantage NCSA. q: Let me clarify the situation. In this scenario, has the person who is sending out the information signed a nondisclosure agreement. a: Maybe not. Suppose it is a secretary. Here is another example of an attempt to disadvantage NCSA: suppose some is sending e-mail that attacks a person, or NCSA, or the University. [Mr. Smith continued:] We've been talking about section 3 of the policy [protection of NCSA from abuse], parts 1 [misaddressed e-mail might be read] and 2 [e-mail may be read in the course of network maintenance] are also important. Lots of e-mail gets misaddressed; people should be more careful. There is no practical way to figure out where note should go without the body of the note being possibly seen. Also, notes can be seen by network analyzers [A network analyzer is a device that monitors traffic on a network. At the least, it measures the number of packets being sent. It is like a voltmeter for information.] q: Do network analyzers show the text of packets? a: Some do and some don't. q: Which kind does the NCSA have? a: We use both. [I commented that the merits (or deficentcies) of section 3 are independent of the merits (or deficentcies) of sections 1 and 2.] -- Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign