University logging mail to anon.penet

Thu Sep 7 01:31:22 PDT 1995

-----BEGIN PGP SIGNED MESSAGE-----

Jeff Simmons writes:

> This just came up locally, and I'd like to have some comments on it, 
> especially from people who understand the law a lot better than I do:
> 
> Our local University apparently has been logging ALL mail to anon.penet,
> including faculty, students, and off-campus users.

With respect to logging of student traffic, I'd look at the Family 
Education Rights Privacy Act ("Buckley Amendment", 20 USC 1232g) and
the California analog to it (assuming one exists; Oregon's is located
at OAR 571-20-005, et seq.). The release of information about individual
students beyond "directory information" (e.g., name, dates of attendance,
degrees granted, etc) is sharply limited without the consent of the
student. Information about mail traffic sent and received is, IMHO,
arguably (but not clearly) within "educational records" for FERPA 
purposes. 

To establish a Buckley Amendment violation (and I'm not saying there
was one here) you'll still need to find a University employee to pin
the disclosure on. If it's a University employee who posted them to
the newsgroup, it's easy. If the University employee merely maintained
those records in a place where an outsider was able to easily gain 
access to them, it seems like a bigger stretch. 

I had occasion to talk with a relatively high-level administrator in
the University of Oregon's computer center some time ago and he
explained that they've had to go to some trouble to make sure that
gopher/WWW directories and other contemporary university computing
practices don't fall afoul of the Buckley Amendment. Perhaps the
powers that be at other places aren't quite so forward-thinking 
(or don't have the questionable benefit of being next door to a
building full of law students with time on their hands). 

Perhaps an even longer stretch would be an argument that the practice
of logging (and of keeping those logs in an insecure place) violates
students (and others') right to privacy. Federal protection for a
"right of privacy" is fickle, but California protects its citizens'
right to privacy in its constitution.

(I'm not an attorney (yet), don't live in California (right now) and
consequently don't know much about CA law. So please think about this
message as maybe a hint in (I hope) a useful direction, not necessarily
the right answer. Feh.)

This concrete issue seems like a good reminder of the implications of
the way that we think about "cyberspace" and the things that happen 
when we use computers. If one thinks about a machine or a network as
"public space", logging or reporting activities which happen there
(e.g., Alice walks over to visit Bob, leaving footprints everyone can
see in /var/adm/syslog) seems reasonable or at least not offensive,
and it seems silly to talk about being angry because someone wrote down
what everyone could see. But if we think about machines and networks
as being private space, reporting on what Alice and Bob do seems
tacky and rude at best, and horrifying (and likely to create liability)
at the other end of the spectrum. As much as I dislike the 
"cyberspace" metaphor, its use or misuse has serious consequences.