Arthur Chandler posted to the list:
Greetings! I'd like to solicit your/our best thoughts on the following message. San Francisco State University is considering a policy of "disclosing" private email to outside agencies. I'm aware that such a policy is yet another argument for using crypto; and the last cypherpunks meeting gave some encouraging instances of "transparent" encryption schemes that are not a hassle or a fear-barrier for newbies. But if you could post or private email me your thoughts about the legal/ethical aspects of "disclosure," I'd be much obliged. I've put a few of my own concerns at the end of the enclosed quote.
It is probably a CYA move on the part of the University....if someone at SFSU is plotting the overthrow of our (or any other) government, engaging in espionage, child porn, etc. and using their Internet account, SFSU admin probably wants a way that they don't get held liable. However, my view of this is that is sucks.
---------- Forwarded message ----------
From: "Deirdre C. Donovan" <deirdre@mercury.sfsu.edu>
I am rewriting the information handouts which we here in San Francisco give out to our students when they apply for Internet access accounts. The issue with which I am struggling is one of privacy. I have heard of universities (anecdotally only) where the administration reserves the right to read E-mail. Here, we are leaning more toward something like the paragraph below, which is taken verbatim from an Indiana University draft document.
IU computing centers will maintain the confidentiality of all information stored on their computing resources. Requests for disclosure of confidential information will be reviewed by the administrator of the computer system involved. Such requests will be honored only when approved by University officials authorized by the [President] of the campus involved, or when required by state or federal law. Except when inappropriate, computer users will receive prior notice of such disclosures.
I'm uneasy about the chain of "prior notice":
1) Does this policy give university administrators the power to read private email before the decision is made to "disclose" it to outside persons or agencies?
2) Does this "prior notice" mean "We're going to do it" or "We plan to do it, and if you disagree, let's discuss it before we release it"?
From their perspective, prior notice would probably mean they tell you before they do it. While I don't have experience specifically with SFSU, it seems as though large organizations tend to do whatever
It would have to...otherwise how would they know if they needed to disclose it. they please.
3) What constitutes "inappropriate"?
Probably anything that is involved in an active criminal investigation.
Note that any thing in this message is just my opinion, and most assurdly could prove to be different when exposed to the real world!! Brett Turcotte turcotte@io.com