Legal/Policy Perspectives Conclusion

In general, affording students adequate privacy protection is a difficult challenge.   The two central, equally important issues are students’ right to privacy versus University proprietary rights and the University’s right to ensure security and proper usage of its network and computer resources.  It seems fair that Stanford should have the right to monitor and inspect its own computer and network resources, including a student’s emails, data files, programs, and Leland account, to enforce proper usage of its computer and network resources.  It is not clear at which point the tradeoffs between security and student privacy are fairly balanced.  In Stanford’s defense, inspection of private data or monitoring of messages is authorized only when there is reasonable cause to suspect improper use of computer or network resources (Stanford’s Computer and Network Usage Policy, Computer Security Officer Responsibilities, Inspection and Monitoring, p. 4).  Nevertheless, a more fair balance can be achieved if audit trails or logs are kept to monitor all actions of all system administrator with extra network privileges.  University authorities should attend to this issue immediately.

Also, none of the laws and policies discussed serves well to adequately protect student privacy.  Stanford policies do not explicitly forbid users from running “spy” programs to view another student’s command-line contents during a login session, which clearly violates a student’s right to privacy.  Stanford policies also do not forbid users with malicious intentions from obtaining personal information, such as addresses and telephone numbers of other users, or running zlocate to physically locate another user.  It may not be feasible to explicitly outline every action a user can and cannot perform on the Stanford network; perhaps a more feasible solution is to make users aware of how their privacy can be violated and what they can do to protect themselves.  Providing and distributing a document containing such information would be a major improvement in providing Stanford students adequate privacy protection.

Finally, we suggest that Stanford officials : limit what types of subpoenas can warrant disclosure of student information; establish a formal interpretation of FERPA, educate students, faculty, staff and system administrators about it, and put it into practice in a timely fashion; and expand Stanford’s Principles of Privacy in the University to address computer and network privacy issues to protect students from other students, faculty, and staff.