The Stanford Student Computer Network and Privacy Project discovered that four policies--two federal and two university policies--directly influence privacy on Stanford's campus. The federal policies are the Electronic Communications Privacy Act (ECPA) and the Family Educational Rights and Privacy Act (FERPA). The university policies are the 1984 Principles of Privacy and the Computer and Network Usage Policy, last updated in 2009. Below is a summary of the Project's findings and recommendations for each of the four laws and policies.
The Electronic Communications Privacy Act is a piece of legislation that makes limited wiretapping legal. The act was revised in 1986 to account for the increase in electronic communications. The ECPA allows the university to provide student records to students, but not to government agencies without a subpoena. An example of a service provided because of the ECPA is Stanford Who, which makes public to the Stanford community certain parts of the student record, including full name, address, SUID number and major.
For a government agency to access a student record, it needs either a warrant, court order, subpoena, or consent of the student. The Stanford Student Computer Network and Privacy Project in particular took issue with the interpretation of subpoenas in the ECPA. The argued that the ECPA does not, in fact, protect student privacy, because it does not require judicial review for the university to authorize e-mail surveillance or to turn over electronic records. They argued that the university could legally disclose students' electronic communications records even if served a questionable subpoena by an arbitrary law firm. The Project's recommendation was for Stanford to limit the types of subpoenas that could warrant disclosure of student information and for the rest to be settled by a court. This would help increase student privacy by protecting against arbitrary, unfounded subpoenas.
FERPA is a federal law that provides adult students with the rights to inspect and review their student educational records kept by the university on file. They also have the rights to seek amendment to and append statements to those records, and consent to disclosure of those records. For example, on Stanford Who students are allowed to indicate what information will be disclosed to the Stanford community.
The Project took issue with FERPA's definition of "student educational record." FERPA defines a student educational record as anything directly related to the student and maintained by an educational agency or institution. This is a very loose definition that leaves room for broad interpretation. The Project recommended that Stanford promptly establish a formal interpretation of what personal data could be interpreted as belonging to the student educational record.
At the time, Stanford's Principles of Privacy was only available in print, so the university can lay claim to having made this document available online. Unfortunately, the university seems to have decided to rest its laurels on this accomplishment. Despite the Project's recommendation, the Principles of Privacy have yet to be updated since 1984. For historical context, in the same year, Steve Jobs introduced to the world the Macintosh, the first successful personal computer to run with a graphical user interface and mouse.
That said, the Principles of Privacy only outline principles. It is a two page document that outlines a philosophical stance which really should not change drastically even with the drastic changes in technology. Still, there are some ambiguities which the Project suggested should be updated. One line reads, "The University should obtain information only with the informed consent of the individual." They argue that if "information" includes e-mail, data files, and network account information, then the university is in violation of the Principles of Privacy, because as outlined in Stanford's Computer and Network Usage Policy, network administrators have the right to monitor these things without student consent. The Project recommended that the university define "information" in the document as well as include language to protect students, faculty, and staff from other students, faculty, and staff, in regards to network privacy.
This is the document that outlines specifically a guideline for the appropriate use of information technology on campus. In regards to privacy, e-mail, and protected health information, amongst other key issues, the document states what is prohibited and outlines what university and civil legal actions could be undertaken if students are found to break these rules. Most of the document can be summarized as the golden rule of network privacy: "Be mindful of others' privacy in the same way that you would like them to be mindful of your privacy."
The section that was most interesting to the Project outlined the powers of system administrators and the Security Office. The document established that system administrators have the rights to monitor student data without consent and can even suspend network access with discretion. Despite the Project's recommendation that audit trails should log the work of system administrators, no such language has been added to the Computer and Network Usage Policy since it was last updated in 2009.
These were the findings of the Stanford Computer Network and Privacy Project in 2002. Our project will explore how network privacy issues have changed since 2002 with the emergence of topics such as social networking and privacy. We will discuss if and how Stanford's policy has adapted to meet the demands of these changes.