[CONTACT]

[ABOUT]

[POLICY]

org org talk Apr Carl New

Found at: 0x1bi.net:70/textfiles/file?internet/ncsa.em

From comp-academic-freedom-talk-request@eff.org Tue Apr 23 06:03:24 1991
From: comp-academic-freedom-talk-request@eff.org
Reply-To: comp-academic-freedom-talk@eff.org
To: comp-academic-freedom-talk
Return-Path: 
Date: Tue, 23 Apr 91 04:42:14 -0500
Sender: "Carl M. Kadie" 
Subject: New NCSA e-mail policy inconsistent with Academic Freedom
Status: R
[Enclosed is a copy of a note I posted in "uiuc.general," a campus-wide
newsgroup at the University of Illinois. I also sent e-mail copies
to the administrators who approved the policy and to several
the local chapter of the AAUP). Following this note, expect copies
of the policy in question and my notes from a conversation with
Michael Smith of the NCSA.
 - Carl Kadie]
----------------------------------------------------------------------
The new NCSA e-mail policy permits searches and punishment of
faculty, students, and researcher who "attack" the University, or the
NCSA in e-mail.
----------------------------------------------------------------------
The National Center for Supercomputer Applications (NCSA) is a department
n the University of Illinois' Graduate College. On April 1 [no kidding],
the NCSA set down a new e-mail policy. The policy was cleared by the
University's legal counsel and the Graduate College. Faculty, students,
and researchers, however, were not consulted.
Although the policy offers much good advice and addresses legitimate
nconsistent with the principles of Academic Freedom, Constitutional
and privacy.
The policy should concern all users of NCSA's e-mail facilities. It should
also concern anyone who sends e-mail to a NCSA user or through a NCSA
managed network. Finally, it should concern anyone who believes that
the principles of academic freedom (including freedom of expression and
alternate e-mail policy. Instead, I will criticize the current policy.
current policy and creation of a more balanced policy that respects
the rights of computer users.
Specifically, here are nine criticisms (in no particular order):
The faculty, students, and researchers who use NCSA e-mail should have
concerned with Academic Freedom should have been consulted.
freedom and individual rights.
One attempted justification of the policy is that the NCSA is
contractually obligated to provide security and confidentiality to
ndustry. This is no justification at all. Contracts with industry
must be made within the boundaries of Academic Freedom.
Under this policy, searches of a user's e-mail will be typically
conducted by inspecting that user's mbox file. If you send e-mail to a
NCSA user, your note might end up in his or her mbox. If the mbox file is
you and without the permission of the addressee).
balances.
No search can be done without explicit authorization from the Director
of the NCSA. The Director, however, reports to no one.
appeal. 
Also, some of the due process that is provided is not guaranteed in
cannot delegate the authority to authorize a search. This protection
The policy allows disk space to be searched, but there is no similar
to be searched. Privacy should be respected in all its forms.
this mean? It prohibits "inappropriate information disclosures," but
According to Michael Smith, the Associate Director of the NCSA,
the phrase "attempts to disadvantage NCSA" prohibits attacks in
e-mail on the NCSA and the University. This interpretation (of
a vague phrase) is inconsistent with the First Amendment, Academic
Freedom, and University policy.
The First Amendment to the U.S. Constitution says: "Congress shall
make no law [...] abridging the freedom of speech, or of the press;"
This amendment also applies to the States and to State institutions
criticize institutions such as the NCSA and the University.
The Joint Statement on Rights and Freedoms of Students it the main
the American Association of University Professors, the U. S. National
Student Association, and the Association of American Colleges.  It
"Academic institutions exist for the transmission of knowledge, the
ndispensable to the attainment of these goals its members of the
academic community, students should be encouraged to develop the
capacity for critical judgment and to engage in a sustained and
ndependent search for truth."
Faculty's freedom of expression is, of course, also protected by
Academic Freedom.
The University of Illinois Code on Campus Affairs says:
"STATEMENT ON INDIVIDUAL RIGHTS
 I. Preamble
 A student at the University of Illinois at the Urbana-Champaign campus
 is a member of the University community of which all members have at
 least the rights and responsibilities common to all citizens, free from
 institutional censorship; affiliation with the University as a
 student does not diminish the rights or responsibilities held by a
 student or any other community member as a citizen of larger
 communities of the state, the nation, and the world."
 ...
"III. Campus Expression
 A. Discussion and expression of all views is permitted within the
 University subject only to requirements for the maintenance of order.
  [...]
 C. The campus press and media are to be free of censorship. The editors
 and managers shall not be arbitrarily suspended because of student,
 faculty, administration, alumni, or community disapproval of editorial
 policy or content."
 ...
"VI. Student Affairs 
 [...]
 B. Freedom of Inquiry and Expression
 1. Students and student organizations should be free to examine and to
 discuss all questions of interest to them, and to express opinions
 publicly and privately. [...]
 2. Students should be allowed to invite and hear any person of their
 own choosing. [...] The University's control of campus facilities should
 not be used as a device of censorship. It should be made clear to the
 academic and larger community that sponsorship of guest speakers
 does not necessarily imply approval or endorsement of the views expressed
 either by the sponsoring group or the institution."
The Fourth Amendment says: "The right of the people to be secure in
their persons, houses, papers, and effects, against unreasonable
ssue, but upon probable cause, supported by Oath or affirmation, and
or things to be seized."
A government institution, such as this University can not ignore these
Cir. 1978)]
University privacy policy is described in the Code on Campus Affairs.
the best model of how disk space and e-mail should be treated.
"IV. Privacy
A. Members of the University community have the same rights of
becoming members of the academic community. These rights of privacy
extend to residence hall living. Nothing in University regulations or
contracts shall give University officials authority to consent to a
living quarters leased to individuals except in response to a properly
executed search warrant or search incident to an arrest.
B. When the University seeks access to an office assigned or living
quarters leased to an individual to determine compliance with
notified of such action not less that twenty-four hours in advance.
There may be entry without notice in emergencies where imminent
for custodial service.
C. The University may not conduct or permit a search of an office
assigned or living quarters leased to an individual except in
an arrest."
constitutional rights and the academic freedom of faculty, students,
and researchers. It says that freedom of expression and the right to
-- 
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
From comp-academic-freedom-talk-request@eff.org Tue Apr 23 06:03:24 1991
From: comp-academic-freedom-talk-request@eff.org
Reply-To: comp-academic-freedom-talk@eff.org
To: comp-academic-freedom-talk
Return-Path: 
Date: Tue, 23 Apr 91 04:42:59 -0500
Sender: "Carl M. Kadie" 
Subject: FYI: Re: New NCSA e-mail policy inconsistent with Academic Freedom
Status: R
Newsgroups: uiuc.general
Sender: kadie@m.cs.uiuc.edu (Carl M. Kadie)
Subject: Re: New NCSA e-mail policy inconsistent with Academic Freedom
Message-ID: <1991Apr23.083947.3254@m.cs.uiuc.edu>
Organization: University of Illinois, Dept. of Comp. Sci., Urbana, IL
References: <1991Apr23.082959.78@m.cs.uiuc.edu>
Date: Tue, 23 Apr 91 08:39:47 GMT
Lines: 88
[Here is text of the letter setting out the policy. Any typos are probably
  mine - Carl]
University of Illinois at Urbana Champaign
National Center for Supercomputer Applications
Champaign, IL 61820
Date: April 1, 1991
Sender: Michael D. Smith, Associate Director,
Computer Operations and System Administration
NCSA Security Officer
Re: Policy on the Use and Security of NCSA E-mail Facilities
NCSA wishes to inform its e-mail users of the primary purpose of the e-mail
facilities, as well as when and user what circumstances individual e-mail
messages may be monitored or examined.
NCSA's e-mail facilities were established and intended to be used for center
business only, as opposed to personal or private business.
NCSA does not promise or guarantee that individual e-mail messages are
may be required to monitor or examine e-mail messages udner the following
circumstances:
monitor the successful delivery of e-mail to users. Undeliverable e-mail due
to incorrect addressing, unknown users, and the like may be returned to the
minimum, read the header containing crucial information about who and
not deliver to the designated recipients(s). In the course of the above
mentioned operator, the text of the message of course is also open to view.
maintenance and problem resolution, capacity planning and product testing.
This requires watching information actually moving across NCSA networks.
messages will be part of the information packets moving across the network.
As such, this mail might be exposed to the person actually doing this activity.
[page 2]
above mentioned purpose of the system, as well as protect NCSA staff from
threats to their personal safety and well being, protect NCSA against fraud,
attempts to disadvantage NCSA, prevent and/or ensure NCSA against
nappropriate information disclosures, it might be necessary for authorized
ndividual employee's and/or user's e-mail. This type of activity is only
activity and only at the discretion of the NCSA's Director.
The users themselves can minimize occurrences of two of the three above
mentioned activities (items 1 and 3) by following common sense guidelines
First, always take care when address e-mail messages, thus reducing the
chance of the e-mail being forwarded to the system postmaster for resolution.
Not only will this reduce the chance of your e-mail being examined, but it
Second, strive to use the e-mail facilities for their intended purpose as 
E-mail is an inappropriate vehicle for the transmission of extremely personal
and/or confidential information which one would not disclosed to
others. Hardware and software problems to arise which might send your e-
mail to an inappropriate addressee whose receipt of such you might not have
ntended or desired. Good judgment should be exercised when deciding to
ncorporate such personal and/or confidential information.
cc: James R. Bottum, NCSA
    Judith S. Libman, OVCR
    Larry, [sic] L. Smarr, NCSA
    Harvey J. Stapleton, OVCR
    Steven A. Veazie, OUC
-- 
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
From comp-academic-freedom-talk-request@eff.org Tue Apr 23 06:03:25 1991
From: comp-academic-freedom-talk-request@eff.org
Reply-To: comp-academic-freedom-talk@eff.org
To: comp-academic-freedom-talk
Return-Path: 
Date: Tue, 23 Apr 91 04:43:19 -0500
Sender: "Carl M. Kadie" 
Subject: FYI: Re: New NCSA e-mail policy inconsistent with Academic Freedom
Status: R
Newsgroups: uiuc.general
Sender: kadie@m.cs.uiuc.edu (Carl M. Kadie)
Subject: Re: New NCSA e-mail policy inconsistent with Academic Freedom
Message-ID: <1991Apr23.084510.17584@m.cs.uiuc.edu>
Organization: University of Illinois, Dept. of Comp. Sci., Urbana, IL
References: <1991Apr23.082959.78@m.cs.uiuc.edu>
Date: Tue, 23 Apr 91 08:45:10 GMT
Lines: 193
[These are my notes from my conversation with Michael Smith - Carl]
Earlier today (April 23, 1991), Michael D. Smith and I talked over the
Supercomptuer Applications (NCSA), a department of the University of
NCSA Security Officer. It is he who sent the letter setting down the
NCSA's e-mail policy.
The following is my reconstruction of the information he provided. It
s based on the notes I scribbled down as we spoke; thus it contains
no direct quotes. I will, of course, send a copy of this note to Mr.
Smith. I assume he will correct any mistakes I make.
q: [In his first e-mail note to me, Mr. Smith mentioned that the e-mail
a: The policy was approved by the University's legal counsel and the Graduate
College. [The NCSA is a department within the College of Graduate Studies.]
q: Was there any user input or any input from any University
committee's concerned with Academic Freedom?
a: No.
q: What was the motivation for creating this policy?
a: To stop flagrant abuse of resources. We also have contractual
obligations to industry.
q: Some of the language in the policy sounds like it is trying to
explicitly say that the NCSA is not covered by the e-mail provisions of
the Electronic Communications Privacy Act (ECPA). Was this a
motivation?
a: [Mr. Smith said he was familiar with the ECPA.] No, it wasn't.
q: Can you be more explicit about your contractual obligations?
a: We promise a certain level of security. For example, no letter
bombs, no threats, no viruses.
q: You don't mean "level of security" in any formal or governmental sense
a: No, I don't.
q: Did you consider general University privacy policies?
a: There is an article about security in the IEEE software review. Our
computers policy is consistent with the trend at Fortune 500 companies
and other Universities.
q: Has this policy ever been used?
a: It has been used once in the last six years.
q: But the policy as only been in effect for a couple months
[actually, less than a month]. Was this use after the policy was set
a: Yes
q: So, it has been used once in the last two months? [Actually,
once is less than a month]
a: Yes
[If the suspect would like to tell his or her side of the story,
 he or she could contact me (or just post a note).]
q: Can you detail how the Director authorizes monitoring of e-mail?
For example, is monitoring allowed only for a limited amount of time?
a: We should be clear here, "monitoring" is a bad word. We don't actually
file. [Note, mbox is the computer file in a user's home directory
very limited duration.
[Comment: "monitoring" is the word used in the policy letter.]
q: The mbox file can contains both mail sent *by* the user and mail *to*
to the user. Does this mean that you can look at mail send from outside
NCSA?
a: It is possible, but not likely.
q: Can the Director delegate the authority to authorize a search?
a: Absolutely not. The Director must authorize each investigation on a
case-by case basis.
q: What records are kept of the the search?
a: A full report is made. It is kept in a safe.
q: Is the user [suspect] eventually notified?
a: Yes, always.
q: Are records of the search keep confidential as required by the
Family Educational Rights and Privacy Act [of 1974]?
a: Yes.
q: Are the records available to the user as required by the act?
a: Yes.
q: Can the Director authorize the monitoring of NCSA telephones?
a: We don't control our telephones, so he can not.
q:  Can the Director authorize the search of NCSA office space?
Or campus mail or US mail sent from NCSA?
a: There is no policy about any of that, so a search cannot be done.
q: What is the relationship between the NCSA and the University?
a: The NCSA is department of the Grad College of the University.
q: The policy says that e-mail is only for NCSA business. What
s "NCSA business"?
a: You are misreading the policy. It says that when the e-mail system
t for personal business. That is OK.  Personal use can be important;
t can be used to build relationships.
q: This question may not make as much sense now, but let me ask it anyway.
Would it be OK to discuss the e-mail policy via e-mail? Would it be
OK to criticize you or the Director in e-mail?
a: Yes, of course.
q: Would it be OK to make such criticism without your knowledge? In
other words, is there legitimate NCSA business that is private from
you?
a: Yes.
q: And under the e-mail policy, might you end up reading a note between
two NCSA users criticizing you?
a: It is possible.
q: In section three of the policy, it says that one reason for a
explain what this means?
a: Here is an example, suppose the NCSA has a nondisclosure agreement
covered by the agreement. That would be an attempt to disadvantage
NCSA.
q: Let me clarify the situation. In this scenario, has the person
a: Maybe not. Suppose it is a secretary. Here is another example of an
attempt to disadvantage NCSA: suppose some is sending e-mail that
attacks a person, or NCSA, or the University.
[Mr. Smith continued:] We've been talking about section 3 of the
might be read] and 2 [e-mail may be read in the course of network
maintenance] are also important.  Lots of e-mail gets misaddressed;
Also, notes can be seen by network analyzers [A network analyzer is a
the number of packets being sent. It is like a voltmeter for
nformation.]
q: Do network analyzers show the text of packets?
a: Some do and some don't.
q: Which kind does the NCSA have?
a: We use both.
[I commented that the merits (or deficentcies) of section 3 are
ndependent of the merits (or deficentcies) of sections 1 and 2.]
-- 
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign


AD: