The University Record, January 31, 1994

E-mail privacy policy in place

By Rebecca A. Doyle

A new policy governing privacy of electronic mail and computer files has been incorporated as section 601.11 of the Standard Practice Guide (SPG). The policy, plus sections on guidelines and interpretations, standards for postmasters, and interpretive guidelines and procedures for system administrators and computing service managers, comprise a six-page addition to the SPG. Copies were mailed to deans, directors and department chairs earlier this month.

The policy and guidelines attempt to clarify some of the issues concerning privacy of electronic mail in the absence of any state or federal laws that would indicate whether electronic messages and conferences constitute “writing” and therefore are part of the University’s “public record.”

“This policy is the result of great deal of thought and hard work on the part of many individuals,” says Gilbert R. Whitaker Jr., provost and executive vice president for academic affairs. “It is vital that the University community understand what is expected of them regarding others’ privacy, and what they can expect in the forthcoming distributed computing environment.”

The policy states: “At the University of Michigan, electronic mail and computer files are considered private to the fullest extent permitted by law. Ordinarily, access to electronic mail or computer files requires permission of the sender/recipients of a message or the owner of the file (the person to whom the account ID is assigned), court order, or other actions defined by law. In the event of a University investigation for alleged misconduct, e-mail or files may be locked or copied to prevent destruction and loss of information.”

In a cover letter accompanying the policy, Whitaker and Douglas E. Van Houweling, vice provost for information technology, note that the topics covered in the policy will “continue to be discussed as the community and the courts strive to achieve further clarity regarding issues of privacy within electronic environments.”

Currently, the Electronic Communication Privacy Act of 1986 (ECPA) is the only federal law that deals specifically with e-mail. The act prohibits interception of electronic communications while in transmission and unauthorized intrusion into e-mail stored on the system.

The ECPA, however, allows service providers to divulge the contents of electronic mail in certain circumstances, and information requests under the Michigan Freedom of Information Act (FOIA) may affect the confidentiality of an individual’s e-mail and computer files within the University system.

Currently, the policy points out, “interpretations regarding the right to privacy are unsettled, the law is untested, and the interaction between ECPA, FOIA and privacy rights is unclear. Consequently, the creators of electronic mail or computer files should be aware that it is possible that such mail or files may be disclosed to a third party without their consent because of a future court ruling.”

Van Houweling notes that “as the United States and the rest of the world increasingly adopt this technology, it is important for the University to be clear about where it stands on the issues of privacy and security in electronic communications. This university serves as a model, and expectations set here are likely, by virtue of the role electronic communication plays in our students’ lives, to have a large impact on the way society uses it.”

By far the largest portion of the new SPG section, the policy interpretation segment strives to define the intended use of information resources, authorized access and expectations as to what is considered a public record under the FOIA. It also sets guidelines for unit managers to deal with employees who may have violated the Proper Use Policy (SPG #601.7).

A third portion of the policy statement lists standards for “postmasters,” a group of University employees with special access privileges and responsibilities, who are “expected to exercise special care in order to protect the privacy of the individuals whose electronic communications they handle.”

Finally, an interpretive guideline section for system administrators and computing service managers puts much of the responsibility for maintaining electronic mail security on individual units. In a distributed computing environment, to which the University is moving, electronic communications may be accomplished within one or several environments. Local area networks may have departmental system administrators as well as others who oversee a larger portion of the network. Messages that are sent from inside the University may travel through several machine environments before they reach an overseas destination, adding to the risk of inadvertently compromising confidentiality. Therefore, levels of security may vary from one unit to another.

This portion of the policy ensures that mail will be handled at a level that is at least as secure as the conditions listed under the standards required for postmasters. It also contains a list of questions unit managers and system administrators should answer for their computing staff in order to determine their e-mail needs and the unit level of communication security. (See box.)

The policy comes as a result of Whitaker’s charge last year to a special committee of the Information Technology Division to evaluate the security and privacy of electronic communication, implementation of appropriate policies and practice by University units supporting such communication, and adequacy of information to the community regarding security and privacy of computer-assisted communications.

“Electronic communication has become absolutely vital to this University and to its scholarly activities,” says Van Houweling. “This set of policies is designed to ensure that that this service meets the University’s needs now and in the future.”

The new section of the SPG will be distributed with the regular upgrade that takes place once or twice per year, says Carl R. Smith, director of the Office of University Audits. The most recent changes to the SPG were distributed in December.