Abstract (Students)

Did you know that other students can and do violate your privacy on the Stanford network?  For example, students can discover your personal information, including your home and school addresses, your class schedule, and your email log.  They can also find out on which terminal you are located and then learn exactly what applications you are running.  Serious implications of these undesired access privileges include stalking and harassment by both on- and off-campus individuals.

The Stanford Student Computer and Network Privacy Project is a student-lead initiative to create campus-wide awareness of the importance of protecting student privacy[1].  We conducted a pilot study that serves to investigate and isolate student privacy issues and concerns.  First, we surveyed a small sample of the student body to consider their expectations and perceptions of student privacy rights on the Stanford network.  We found that while most surveyed students know little about their privacy protection rights and the degree to which these rights can be compromised, they assign importance to privacy protection and agree that the University should do more to increase awareness of this issue.  Second, we investigated the current state of computer and network privacy at Stanford.  In this section, we attempted to identify and expose many of the privacy risks associated with the Stanford University Network (for example, zlocate).  Third, we considered various laws and policies aimed at protecting the privacy of Stanford students.   In addition to discussing privacy protections afforded by current laws, such as Family Educational Rights and Privacy Act (FERPA) and Electronic Communications Privacy Act (ECPA), the project also examined Stanford’s “Privacy Policy” and “Computer and Network Usage Policy” to evaluate whether these policies provide adequate privacy protection.  We found that Stanford policies do not explicitly forbid malicious users from obtaining personal information.  While it may not be feasible to specifically outline every action a user can and cannot perform on the Stanford network, a possible solution is to alert users to how their privacy can be violated and what steps they can take to protect themselves.  Fourth, we attempted to analyze where Stanford is headed in its protection of students' privacy.  Through interviews with several Stanford officials, we found that the University acknowledges the significance of student privacy protection and plans to revise Stanford’s outdated Privacy Policy.  We also considered other universities’ privacy policies and how they compare to Stanford’s.   We determined that while Stanford is up to par with other universities’ privacy policies, several improvements could be made.   Finally, we concluded with recommendations on what Stanford can do to provide more privacy protection and suggestions on future studies.

Based on our study, we suggest that the University place greater emphasis on increasing awareness of student privacy issues through literature distribution and funding, that students play a part in their own protection through revealing less information on personal webspace and taking other similar precautions, that the Security Office keep an audit log to ensure proper use of access privileges, and that Stanford’s official policy be revised and made available in the next two years.

The Stanford Student Computer and Network Privacy Project ‘s next steps include:  (1) gathering/analyzing comprehensive data on a larger, more representative sample of the student body and (2) performing cost/benefit analyses to assess whether students would prefer to have their privacy absolutely protected at the cost of the convenience of say easily finding the physical location of another student.