Executive Summary

Introduction

The Stanford Student Computer and Network Privacy Project conducted a pilot study that isolated and investigated student privacy issues and concerns.  Based on the study, we suggest that Stanford University (also referred to as “the University” or “Stanford”) place greater emphasis on increasing awareness of student privacy issues through literature distribution and educational programs, that students play a part in their own protection by revealing less information on personal webspace and taking other similar precautions, that the Stanford Security Office keep an audit log to ensure proper use of access privileges, and that Stanford’s official privacy policy be revised and made easily accessible in the next two years.  We hope to encourage other universities to examine the state of computer and network privacy on their campuses.

First, we surveyed a small sample of the student body to consider their expectations and perceptions of student privacy rights on the Stanford network.  Second, we investigated the current state of computer and network privacy at Stanford.  In this section, we identified and exposed many of the privacy risks associated with the Stanford Network.   Third, we considered various laws and policies aimed at protecting student privacy.  Fourth, we attempted to analyze where Stanford is headed in its protection of students' privacy.  We also considered other universities’ privacy policies and how they compare to Stanford’s.   Finally, we concluded with recommendations on what Stanford should do to provide more privacy protection and suggestions on future studies.

Survey Analysis

First, we surveyed a small sample of the student body to consider their expectations and perceptions of student privacy rights on the Stanford network.  We found that while most surveyed students knew little about their privacy protection rights and the degree to which these rights can be compromised, they believe that privacy protection is important.  Based on these findings, we suggest that the University place greater emphasis on increasing awareness of student privacy issues through literature distribution and educational programs.  

Current State of Computer and Network Privacy

Currently, Stanford students, faculty and staff can access personal student information via the Stanford network.  For example, students can access each other’s home and school addresses, class schedules, and email activity logs; they can associate a particular student with a specific computer terminal and so determine his/her physical location in addition to what applications (s)he is running. Some students may find such access privileges undesirable, if not objectionable, thereby raising potentially serious issues and concerns about privacy on campus. 

We investigated the current state of computer and network privacy at Stanford.  After providing a brief overview of the network and the systems involved, we identified and exposed various tools and activities that can be used to reveal information about a student’s background and current academic work. 

Realizing that we are exposing ways students may violate each other’s privacy, we present this section with hesitation.  Our intention is not to cause problems by equipping students with the know-how to violate each other’s privacy.  Rather, we hope that exposing these risks will assist Stanford in its efforts to afford its students better privacy protections, while at the same time encourage students to do more to better protect themselves. 

Legal and Policy Perspectives

We considered the following laws and policies in order to investigate network privacy protections guaranteed to Stanford students:

  • Electronic Communications Privacy Act (ECPA)
  • Family Educational Rights and Privacy Act (FERPA; also known as the Buckley Amendment)
  • Stanford’s Student Life/Codes of Conduct/Fundamental Standard/Honor Code/Student Judicial Charter/Judicial Affairs
  • Stanford's Principles of Privacy in the University
  • Stanford’s Computer and Network Usage Policy

We were primarily concerned with network privacy issues addressing the protection of students from other students, faculty, and staff.

ECPA, enacted in 1986, amended the federal Wiretap Act of 1968 (Title III of the Omnibus Crime Control and Safe Streets Act), which prohibits the interception of communications except under enumerated exceptions; ECPA extended that framework to electronic communications and to records held by service providers.  ECPA specifies that “ . . . a provider of electronic communication service or remote computing service may disclose a record or other information pertaining to a subscriber or customer of such service . . . to any person other than a governmental entity.”   (18 U.S.C. Sec. 2703(c)(1)(A))  Stanford University provides such services to its student subscribers.  ECPA further specifies that when a governmental entity seeks “subscriber” information, the information may be disclosed only if the entity has obtained a warrant, a court order, an authorized administrative or grand jury subpoena, or the consent of the subscriber.  (18 U.S.C. Sec. 2703(c)(1)(B))  Subpoenas, in particular, range from court orders to law enforcement subpoenas to attorney boilerplate.   (Marc Rotenberg, Executive Director of EPIC, April 23, 2001)  For example, if some arbitrary law firm were to present Stanford with a subpoena seeking a student subscriber’s identity or electronic communications records, Stanford Security Officers could legally provide the requested information, or they could ask a court to settle the matter; the statute permits the disclosure to a non-governmental party but neither requires it nor requires judicial review of it.  ECPA therefore does not protect student records from disclosure to private parties.  Because it does not require judicial review of such disclosures, ECPA provides a convenient rationalization for questionable authorizing procedures (“Electronic Communications Privacy Act”, Jones Telecommunications & Multimedia Encyclopedia, http://www.digitalcentury.com/encyclo/update/ecpa.html) when the University conducts email surveillance or turns over electronic communication records.  We suggest that Stanford officials limit what types of subpoenas can warrant disclosure of student information.

FERPA is a Federal law that provides the following rights to “eligible students” (students who are 18 or older or who attend a postsecondary institution, which covers all Stanford students) and, for younger students, to their parents:

(1) The right to inspect and review the information that the university is keeping on the student;

(2) The right to seek amendment to those records and in certain cases append a statement to the record;

(3) The right to consent to disclosure of his/her records; and

(4) The right to file a complaint with the FERPA Office in Washington

(Excerpted from “FERPA:  Protect Our Students, Protect Ourselves”, University of Maryland, http://ferpa.sis.usmd.edu/ferpaweb/)

An accurate interpretation of FERPA hinges on the definition of an “education record” (the term the regulations use; this report also calls it a student educational record).   FERPA defines such records as those that are:

(1) Directly related to a student; and

(2) Maintained by an educational agency or institution or by a party acting for the agency or institution.

(FERPA 34 C.F.R. Part 99, Subpart A-General, Sec. 99.3, What definitions apply to these regulations?, http://www.lrp.com/ed/freelib/free_regs/c34_99_3.htm)

Under this loose definition, a student’s emails, data files, programs, and network account information may be interpreted as student educational records.  However, this matter is not very clear.  Neither FERPA’s definition of student educational records nor its provisions as to what constitutes a violation of the privacy of these records is clear or well defined.  We recommend that Stanford officials establish a formal interpretation of FERPA, educate students, faculty, staff and system administrators about it, and put it into practice in a timely fashion.

With respect to Stanford’s Student Life/Codes of Conduct/Fundamental Standard/Honor Code/Student Judicial Charter/Judicial Affairs, there exist certain circumstances under which a student's computer-related information such as emails, data files, programs, Leland account, and activity logs can be inspected.  Computer Security and Judicial Affairs can access such information during an investigation.  If the investigation is conducted through Judicial Affairs, a student must be suspected of violating a University policy such as the Honor Code or Fundamental Standard.  If the investigation is through Computer Security, a student must be suspected of violating a computer usage policy such as the Computer and Network Usage Policy.  Judicial Affairs and Computer Security maintain independent sets of procedures and guidelines that they adhere to when inspecting student information.  During any investigation that is conducted through Judicial Affairs, the accused student’s privacy is protected, as he or she is informed of the personal information that is inspected for the case and has access to any information gathered.  If a case is handled through Computer Security, it is not required that the student be informed of the investigation.  Nor is the student guaranteed access to the gathered evidence.  

Stanford’s two-page (available only in print and outdated) Principles of Privacy in the University outlines privacy protections afforded to students by Stanford University but does not explicitly address privacy protections guaranteed to students from other Stanford students, faculty, and staff.  For example, the policy states, “The University should obtain information only with the informed consent of the individual.”  Furthermore, if “information” can be interpreted as a student’s emails, data files, programs, and network account information, then one might argue that Stanford is compromising students’ privacy rights, since Stanford Security Officers and/or system administrators are allowed to access a student’s emails, data files, programs, and network account information without the student’s consent.  In sum, the University privacy policy needs to clearly define “information” as well as expand to address network privacy issues to protect students from other students, faculty, and staff.

Stanford’s Computer and Network Usage Policy specifies that users of Stanford network and computer resources have a responsibility not to abuse those resources and to respect the rights of others.  Specifically, the usage policy states, “users must be mindful of the rights of others to their privacy” (Computer and Network Usage Policy, Policy Purpose, p. 1).   It seems that Stanford’s Computer and Network Usage Policy attempts to provide students with as much privacy protection as possible.   However, it is problematic that no audit trails or logs are kept to monitor the actions of Stanford Security Officers (or of any system administrator with extra network privileges), especially considering that Stanford Security is authorized to access computer users’ files without notification to ensure proper computer and network usage (Computer and Network Usage Policy, Policies, Usage, p. 3).  We suggest that the Security Office keep an audit log to ensure proper use of access privileges.  Such a log is useful only if it records every privileged access (who accessed what, when, and under which authorization) and is stored where the officers whose actions it records cannot alter it. 

In general, affording students adequate privacy protection is a difficult challenge.   The two central, equally important issues are students’ right to privacy versus the University’s right to ensure security and proper usage of its network and computer resources.  It seems fair that Stanford should have the right to monitor and inspect its own computer and network resources, including a student’s emails, data files, programs, and Leland account, to enforce proper usage of its computer and network resources.  It is not clear at which point the tradeoffs between security and student privacy are fairly balanced. 

None of the aforementioned laws and policies adequately protects student privacy.  Stanford policies, for example, do not explicitly forbid users from running programs to view another student’s command-line contents during a login session (on a shared Unix login host, any user can list every other user’s running processes, including their command-line arguments, with a standard command such as ps).  It may not be feasible to explicitly outline every action a user can and cannot perform on the Stanford network; perhaps a more practicable solution is to make users aware of how their privacy can be violated and what they can do to protect themselves.  Since we felt that providing a document containing such information would be a significant improvement, we drafted and inserted such a document in orientation packets for first-year students and pointed them to our website for more information.  We were very pleased with the University’s support; we hope that the University will continue to update and distribute such a document for all incoming students.   

Future Perspectives

We went to various sources around the university to analyze what Stanford has planned both from a policy and technological point of view.  To help us understand and gain perspective on Stanford’s privacy policy, we also considered other universities’ privacy policies.

With respect to policy, a Stanford Computer Security Officer told us that the University’s privacy policy – last updated in March 1984 – has been an item on his agenda for quite some time.  When questioned about policy development, the officer told us that he would first research the privacy policies of comparable universities.  Since these policies are often very similar across institutions, his research would serve as a good basis for composing a preliminary draft.  From there, the officer would solicit input from various University constituencies (students, faculty, and staff).  The officer also recognizes the immediate need for a privacy policy and commented that we cannot wait five years before developing Stanford University’s privacy policy.

From a technological perspective, a manager in Stanford’s Department of Information Technology Systems & Services stated that his department is trying to build privacy and security into a common, campus-wide platform.  According to the manager, one of the problems affecting the Stanford campus is that many people are presently unaware and uneducated about privacy and security.  He commented that many University computer users assume that “someone” (i.e., network officials) will be constantly looking out for their best interests, which is simply not true.  Although Stanford has introduced education plans for students and staff that intend to increase awareness of security and privacy, the manager said that there was essentially little to no response from the campus community.  He also stated that the trend for the future was to avoid relying solely on education of end users, and that it is better to build higher levels of security into any service or system whenever practicable.  For example, the recently completed secure email campaign required all users to connect securely in order to retrieve email, whereas before the University trusted end users to connect securely. 

To get a clearer picture of Stanford's computer and network-related privacy practices and to devise possible strategies for future policy-making, we examined several other universities' privacy policies, including those of Cornell University, Dartmouth College, MIT, University of Texas-Austin, and University of Washington.  MIT's policy (http://web.mit.edu/policies/11.0.html), for example, outlines in great detail the rights of students, faculty, and staff to obtain and review information stored about them.  In addition, it states that an individual whose information is being gathered has the right to know the purpose of the collection and that the information may not be used for any other reason.  MIT’s policy also details the situations in which consent is not needed to share information and discusses MIT's compliance with FERPA.  In general, MIT's policy seemed conservative and its intended audience seemed to be fairly technologically savvy.  As another example, the most direct and brief privacy policy came from the University of Washington (http://www.washington.edu/computing/rules/privacy.html).  The policy carefully listed the necessary legal conditions under which University accounts may legitimately be inspected or monitored.  Other schools’ policies also included this type of list, but Washington’s privacy policy was very easy to locate on their website and plainly described the University’s privacy-related obligations.  Washington’s policy also had a section that detailed students’ responsibilities in maintaining their own protection.  This served as a warning to students to be mindful of protecting personal data. 

In reading about other universities’ privacy policies, we discovered that Stanford is, for the most part, well informed and well prepared in the area of student privacy.  However, we feel that a revision of Stanford’s privacy policy is necessary and critical.  We also feel that Stanford's privacy policy, currently available in print only, should be made available on the web and should be easily accessible.

Conclusion

Based on our study, we suggest that the University place greater emphasis on increasing awareness of student privacy issues through literature distribution and educational programs.   Students should play a part in their own protection through: revealing less information on personal webspace; controlling what information is shared with Stanford community members and what is shared with the outside world; specifying access permissions to “Read-Only” when sharing files; and, when using cluster computers, being mindful not to enter sensitive information (which may be retained in the browser cache or in cookies, for example), closing browser windows, and making sure to log out of email sessions.  Regarding legal and policy issues, we recommend that Stanford officials:  limit what types of subpoenas can warrant disclosure of student information; establish a formal interpretation of FERPA, educate students, faculty, staff and system administrators about it, and put it into practice in a timely fashion; and expand Stanford’s Principles of Privacy in the University to address computer and network privacy issues to protect students from other students, faculty, and staff.  Furthermore, we suggest that the Security Office keep an audit log to ensure proper use of access privileges.  Finally, Stanford’s privacy policy should be revised and made easily accessible as soon as possible.
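The following is an added example, not part of the original study and not Stanford material, showing the file-sharing precautions recommended above (and the process-listing exposure noted under Legal and Policy Perspectives) as a small POSIX shell script a student could run against a personal directory on a shared Unix login host.  The directory layout, the .keep-public list and the permission targets are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original study: a self-audit for a personal
# directory on a shared Unix login host.  On such hosts every user can list
# every other user's processes with ps(1) and can read any file whose "other"
# permission bits are set, so the practical defence is to make sure nothing
# under your home directory grants permissions to "other" unless you chose
# to share it, and to share read-only.  The .keep-public list and the
# permission targets below are assumptions for the illustration.
#
# Usage:  . ./privacy_audit.sh
#         world_readable "$HOME"          # see what others can read
#         lock_down "$HOME"               # remove "other" access, then re-share
#                                         # paths listed in $HOME/.keep-public
#
# Also put "umask 077" in ~/.profile so that new files start out private.

# Print every file or directory under "$1" that any other user may read
# (other-read bit set), one path per line, sorted.
world_readable() {
    find "$1" \( -type f -o -type d \) -perm -004 -print 2>/dev/null | sort
}

# Number of world-readable entries under "$1".
count_world_readable() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Remove all "other" permissions under "$1".  Paths the owner wants to keep
# shareable are listed in "$1/.keep-public", one path relative to "$1" per
# line; those are restored as read-only for others (o+r for files, o+rx for
# directories so they can be listed and traversed but never written).
lock_down() {
    dir=$1
    chmod -R o-rwx "$dir"
    if [ -f "$dir/.keep-public" ]; then
        while IFS= read -r rel; do
            [ -n "$rel" ] || continue
            target="$dir/$rel"
            if [ -d "$target" ]; then
                chmod o+rx "$target"   # directory: listable, not writable
            elif [ -f "$target" ]; then
                chmod o+r "$target"    # file: read-only for everyone else
            fi
        done < "$dir/.keep-public"
    fi
}

# What any other user on the host can see about your session: the terminal
# you are logged in on and the full command line of each of your processes,
# including any secret passed as a command-line argument.  There is nothing
# to "fix" here beyond habit: never put passwords on a command line.
show_own_exposure() {
    ps -U "$(id -un)" -o user=,tty=,args=
}
```

The `lock_down` function strips "other" permissions first and then re-grants only read access to the listed paths, so a forgotten file can never be left writable by others; a shared file inside an unlisted directory stays unreachable because the directory's o+x bit is gone, which is the intended default.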

We hope that other universities will conduct a similar analysis of student computer and network privacy issues and make serious attempts to improve student privacy protection on their campuses.


Questions? Comments? Suggestions? Send mail to: privacy_project@CS.Stanford.EDU