Who else is reading your private e-mails?

By Anya Kamenetz

Somebody's reading your e-mail and tracking your computer use, even reaching into your computer to check files you've downloaded. Someone else is giving out your name, phone number, home address, parents' names, major, even your height and weight to anyone who calls and asks.

DAVID GEST/YH Jeffrey Rosen, LAW '91, author of 'The Unwanted Gaze,' says that there is an alarming decline in the American public's expectations for privacy.

Is this a paranoiac's nightmare? No, it's the state of student privacy at Yale in the 21st century—and according to legal experts, there's little we can do about it.

Shield outside, eyes inside

For the average student, Internet privacy has two sides. There is the protection of personal information from outside pranksters or hackers who want to gain access to Yale's entire network. Then there is protection from the supervisors of the network itself.

In the first instance, Yale's Information Technology Services (ITS) wants you to preserve the highest possible level of security and privacy, using encryption and changing your password frequently—the network, after all, is only as secure as its weakest user. This is the reason for the recent introduction of Web-based e-mail. As opposed to Pine or Eudora, which send a password and e-mail in plain text over the Internet, "WebMail encrypts the NetID, password, and the e-mail content in transit between sender and server and between server and receiver," Daniel Updegrove, director of ITS, said. "Combined with a selection of `unguessable' passwords and protection of computers and any backup storage, users can be reasonably confident that their e-mail will be read only by intended correspondents."

That is, unless Updegrove or someone else at ITS decides to read it. When it comes to protection of private correspondence from those with official access to the network, students have little or no recourse, and Yale's published policy clearly tells you so. Updegrove referred to the Section V,"Conditions of University Access," of the Information Technology Appropriate Use Policy. It spells out the conditions under which students might find their love letters and meeting reminders under the eyes of ITS officials, without their consent or knowledge until afterwards. These conditions include identifying system or security problems, "preserving health and public safety," and carrying out "essential business functions of the University."

Most disquieting, perhaps, is condition 3: "When there are reasonable grounds to believe that a violation of law or a significant breach of University policy may have taken place and access and inspection or monitoring may produce evidence related to the misconduct." The Administration, of course, has perogative to decide what is "reasonable" or "significant" when investigating student correspondence. What about student activists, for example, planning a protest on University policy? "We'd been warned by sweatshop activists at other schools who had evidence that their administrations were reading their e-mail," said Students Against Sweatshops (SAS) member Stephen Osserman, DC '02. "We had no proof here, but we were disconcerted, especially when we found that that our Administration was capable of it too."

An erosion of standards

It may seem like a violation of privacy, yet this type of e-mail monitoring is both allowed under existing law and increasingly common, according to Jeffrey Rosen, LAW '91, author of The Unwanted Gaze: The Destruction of Privacy in America. In a lecture at the Law School on Mon., Sept. 25., Rosen explained that over two-thirds of companies are now monitoring their employees' e-mail use, and that the courts have upheld companies' right to read anything that is written on networks they own. He noted that not only do universities have a similar right to supervise the traffic on their networks, but that "it would be tough to make a case that university students have a right to an expectation of privacy on their e-mail accounts in the face of warning."

So ITS can read our e-mail. What's the big deal? "I'm not planning any subversive action against the university, so I don't really care if they can read our e-mail," Helen Chiang, DC '01, said. This is an example of the increasingly prevailing line of thought—in the real world as well as at Yale—that only guilty people need privacy. Rosen pointed out that this is why encryption services, like ZipLip, Disappearing Inc., and ZeroKnowledge, which are used to cloak users' e-mail and web use, aren't more popular. The disappearance of our expectation of privacy is an instance of what Rosen called the "circularity" of privacy law: our rights are legally based on our "reasonable expecations" of privacy, but our expectations are based on our experience. The less privacy we expect, the less we're going to get.

Directing the public

Another question of student privacy is much more concrete than the remote possibility of your e-mail being a target of an ITS investigation. Every year, on their registration forms, students are invited to conceal their grades from their parents. This right was conferred on them in 1974 under the Family Education Rights and Privacy Act, commonly known as the Buckley amendment. Though it strengthened students' rights regarding disclosure of certain records, two large categories of information designated as "directory information" may be released to the public without students' knowledge or consent.

The first category includes name, address, telephone number, school or residential college affiliation, e-mail address, dates of attendance, class, major, degrees conferred, previous educational institution(s) attended, date of birth, name and address of parent or guardian, and any picture or videos they might have. Category two includes awards, honors, past and present participation in University-sponsored extracurricular activities and sports, height and weight of members of athletic teams, and place of birth.

SARAH ENGLAND/YH

So who might be interested in this kind of information? Telemarketers, prospective employers, and the press, for starters. Barry S. Kane, Registrar of the University, stressed that names and phone numbers are "never, ever" given out in bulk or for any commercial purpose. But both he and Ernst Huff, associate director of Student Financial and Administrative Services, admit that the information is available for enterprising credit card sellers, as for anyone else who wants it. "After anything is printed [in a Yale directory]," Huff said, "it's available to anyone. We don't intentionally supply it, but [companies] can pick up a printed copy, or get that information off the the Web."

Non-disclosure: an all-or-nothing plan

Unlike with their e-mail, students with a pressing need for privacy over personal information have some recourse. By writing a letter to the Registrar or filling out a form at www.yale.edu/sfas/sfas_its.html#privacy, you can be placed on "non-disclosure." You disappear from all directories, and anyone calling to inquire about you is informed that "there is no record of the student's enrollment."

This is known as an opt-out standard of disclosure—your information is released unless you specifically say no. Web sites, by comparison, are now often held to an opt-in standard of disclosure, where you must click at least one box to authorize the release of private information.

Kane spoke of the negative consequences of non-disclosure status that prevent most students from taking such a drastic step. "Most students don't want to become completely invisible. Out of the entire enrollment at Yale, at most 12 to 15 students are on non-disclosure." That number includes Kellie Martin, SY '01, Barbara Bush, DC '04, and Claire Danes, CC '02, all of whose names turn up "no matches" on a Yale directory search. "When a student has a very public profile," Kane explained, "we take the liberty of placing that student on non-disclosure, and then when they arrive they can make the choice to be taken off." He said that his office made this decision when they had an incident two summers ago in which a member of the press called the office. Without identifying themselves, the reporter "simply asked, `is this student enrolled at Yale College?' Our staffer answered yes, and it was a big problem." Privacy, it seems, is justifiable for the famous as well as the guilty.

A question of priorities

For those who do not find themselves stalked by paparazzi, issues of convenience amid the stress of our daily lives may take precedence over the shadowy threat of surveillance. There are even those like David Brinin, who, in his book The Transparent Society, argues that privacy has fallen under the wheels of modern technology. The only question that remains, he says, is who will control distribution the of personal information.

Nevertheless, privacy mavens such as Rosen continue to crusade for the preservation of a fading standard. In defense of privacy, he cited ancient Jewish law, which stipulates that a window overlooking someone else's house must not just be shuttered, but taken down. Rosen said the law recognizes that we cannot lead full lives under even the possibility of scrutiny. "`The injury caused by seeing cannot be measured,'" he quoted.

Back to News...