Computer and Network Usage Policy

Stanford’s Computer and Network Usage Policy specifies that users of Stanford network and computer resources have a responsibility not to abuse those network and computer resources and to respect the rights of others.  Specifically, the usage policy states, “users must be mindful of the rights of others to their privacy” (Computer and Network Usage Policy, Policy Purpose, p. 1).  While Stanford’s Computer and Network Usage Policy takes care to afford students as much privacy protection as possible, the policy manifests several troublesome aspects.  First, it is not clear whether a student is notified when his/her electronic records are under investigation and being inspected.  Second, it is not clear whether the usage policy ensures an alleged perpetrator sufficient warnings/opportunities to rectify the situation.  Third, in the event that Stanford Security finds reasonable cause to monitor a user’s email, the Computer and Network Usage Policy does not certify that Stanford Security monitors no more emails than necessary.  For example, if a student X is suspected of sending unlawful messages to student Y, then it seems fair that student X’s emails only to student Y should be monitored.  Surveillance of student X’s emails to recipients other than student Y would unreasonably violate student X’s right to privacy.  Stanford’s policy does not clearly address this issue.  Finally, it is problematic that no audit trails or logs are kept to monitor all actions of all Stanford Security Officers (or of any system administrator with extra network privileges), especially considering that Stanford Security is authorized to access computer users’ files at any time, without notification, to ensure proper computer and network usage (Computer and Network Usage Policy, Policies, Usage, p. 3).   Specifically, Stanford Security is authorized to inspect private data or monitor messages, including email, when there exists reasonable cause to suspect improper use of computer or network resources.  We suggest that minimally, the Security Office keep an audit log to ensure proper use of access privileges.