Harvard Searched Email Subject Lines Of Faculty To Sniff Out Leak

from the why-people-keep-private-emails dept

We've written a few times about employers snooping through the emails of employees, and for the most part, courts have found this to be legal. There are a few exceptions -- such as for attorney/client communications -- but for the most part, if you're using work provided email, they can spy on it. Of course, just because they can doesn't mean they should. As we've been pointing out for over a decade, doing so probably fosters an environment of paranoia, which may not be the most productive. Still, it's a bit surprising to see that Harvard University chose to snoop through the emails of staff members in trying to hunt down the source of a leak. Specifically, the university searched the emails of 16 deans, telling them about the search a few days later. Again, even though this is likely legal, it seems odd that a university like Harvard would do it, as it inevitably creates distrust with some of its most important staffers. Indeed, the news apparently has faculty and staff up in arms.

Havard has defended the search by arguing it was very limited -- just to specific accounts and just to subject lines:
Consequently, with the approval of the Dean of FAS and the University General Counsel, and the support of the Dean of Harvard College, a very narrow, careful, and precise subject-line search was conducted by the University's IT Department. It was limited to the Administrative accounts for the Resident Deans — in other words, the accounts through which their official university business is conducted, as distinct from their individual Harvard email accounts. The search did not involve a review of email content; it was limited to a search of the subject line of the email that had been inappropriately forwarded. To be clear: No one's emails were opened and the contents of no one's emails were searched by human or machine. The subject-line search turned up two emails with the queried phrase, both from one sender. Even then, the emails were not opened, nor were they forwarded or otherwise shared with anyone in IT, the administration, or the board. Only a partial log of the 'metadata' — the name of the sender and the time the emails were sent — was returned.

"The Resident Dean whose account had been identified was asked about the incident and voluntarily reviewed his/her own sent items and confirmed that she/he had indeed forwarded the message to two students. Although the Resident Dean's actions violated the expectations of confidentiality surrounding the Administrative Board process, those involved in the review and the conversation with the individual were sufficiently convinced that it was an inadvertent error and not an intentional breach. The judgment was made not to take further action.
The issue, though, is the expectation of privacy and the level of trust built up between staffers and the university -- and actions like this, even when done narrowly and carefully, can break down that trust in significant ways.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Mar 11th, 2013 @ 4:39pm

    There is a problem in mixing work and private business in the same accounts, in that the employer has reasonable right of access to communications about the official business. Use web mail for private communications if employers policy allows.

     

    reply to this | link to this | view in thread ]

  2. This comment has been flagged by the community. Click here to show it
     
    identicon
    Anonymous Coward, Mar 11th, 2013 @ 4:47pm

    Another big yawner. I don't know why you think they should have the same privacy while using their employers email system. Moreover if you work at Harvard, presumably you're not dumb enough to use your work email to leak shit that'd get you fired and you'd also know your work email wasn't secure. Please try to find something worthwhile to whine about.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    Ninja (profile), Mar 11th, 2013 @ 5:14pm

    As we've been pointing out for over a decade, doing so probably fosters an environment of paranoia, which may not be the most productive.

    That. I understand why companies choose to monitor their employees mailboxes but this will make the environment stressful. I tend to avoid companies with strict IT management.

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    Arthur Moore (profile), Mar 11th, 2013 @ 6:24pm

    Harvard violated there own IT policy

    To paraphrase what was said on slashdot:

    While it might be contractually legal, Harvard violated there own IT policy by not providing prior written notice.

    http://news.slashdot.org/comments.pl?sid=3533395&cid=43132925

    It's probably not actionable in the legal sense, but it tells the faculty and students what the university thinks of rules. With schools pulling these kind of stunts, is it surprising that many highly educated people treat laws and ethical rules as something to be ignored?

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    Mike Masnick (profile), Mar 11th, 2013 @ 6:27pm

    Re:

    Another big yawner.

    No one made you read it.

    I don't know why you think they should have the same privacy while using their employers email system.

    Next time, before bitching, maybe read what I actually wrote. I merely pointed out the impact on morale. I didn't say they had to have the same privacy protections, but that it would impact how they felt about their employer.

    Do you deny that?

    Moreover if you work at Harvard, presumably you're not dumb enough to use your work email to leak shit that'd get you fired and you'd also know your work email wasn't secure.

    No one got fired, so, um, what was your point again or do you always post whiny comments without knowing what you're talking about?

    Please try to find something worthwhile to whine about.

    You first.

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    Jesse (profile), Mar 11th, 2013 @ 8:45pm

    Who is using weak email for important leaks? Tormail, Tormail, Tormail!!!

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Reality Check, Mar 11th, 2013 @ 8:52pm

    Re: Re:

    I was smirking till the last two words.

    Then I laughed.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    tqk (profile), Mar 11th, 2013 @ 8:54pm

    The issue, though, is the expectation of privacy and the level of trust built up between staffers and the university -- and actions like this, even when done narrowly and carefully, can break down that trust in significant ways.

    No. Every place I've worked in the past two decades are upright and forthcoming about this. "You may think that's your email account, but it's not." It was his institution email address, not even his personal institution email address. He had no expectation of privacy in that situation. I'm glad it worked out for him/her. Those around them who are up in arms about this are wrong.

    Yes, I think it was bungled overhandedly in this case, and I suspect that faculty member is going to want to leave now. Who wants to work for a-holes who treat their assets like this?

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Mar 11th, 2013 @ 9:17pm

    Not surprising

    When there's a leak and the higher power wants to know where is the leak, they'll order to find it out by all means, sometimes even less legal ones.

    And snooping subject line is "less invasive" enough. They would have had ordered fulltext search of the mails. There are many tools out there offering to do fulltext search on mail server data files. IMO seeking for "subject" only is involves more work then otherwise.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Mar 11th, 2013 @ 9:44pm

    They should have just searched the email of everyone then key staff could not bitch about being singled out.

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    special-interesting (profile), Mar 12th, 2013 @ 7:17am

    Everyone has some internal clicker or checklist on whether to trust anyone or organization and its common for many not to trust their own boss or firm.


    “comment” +/- unspecific scoring (Where n1, n2, n3 and n4 are unique to each individual.)

    +n1 “a very narrow, careful, and precise subject-line search”

    +n1 “,did not involve a review of email content, limited to a search of the subject line, the contents of no one's emails were searched,”

    -n3 “Harvard violated there own IT policy by not providing prior written notice” (thanks Arther Moor)

    -n4 “search was conducted”

    etc.

    This all adds up to some unspecific analysis different to everyone. n1 + n2 + n3 + n4 = subjective answer.


    When an employee does not trust upper management it cuts off vital internal communication. I mean, its not like one to speak to anyone who is considered hostile or as unfairly taking advantage of you. No good can come from fragmented management or isolation of personnel.

    A University might have a different level of expectation of privacy than say from a Utility company billing department's e-mails to delinquent customers. Whatevr the company policy is its how it is implementation on an individual basis that is most important.

    Most feared is probably the immediate supervisor who may be looking for the usual advantage over other managers/employees and has no scruples (read as 'bully') about privacy or your career goals.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Rebecca Olesen, Mar 17th, 2013 @ 2:10pm

    Harvard spying on its own deans does not surprise me!

    Harvard is nothing but a factory turning out fascism disguised as 'liberal' doctrine. It doesn't surprise me at all. Look at what some of the Harvard graduates are doing around the government and the supreme court.

    Allowing private developers to use IMMINENT DOMAIN to force someone to sell their home and land for the purposes of building A MALL, because 'malls' are something people (the public) like and want and need. SO even though a Mall or a Nike factory isn't publicly owned or actually publicly used, except by consent of the owners, that's still good enough to steal your property at a crappy price so some rich guy can make money. Who cares if it's the family farm your family has owned and lived on for over 100 years, that shoe factory is MUCH more important.

    Enforcing the national defense act, allowing the government to use warrantless wiretaps, detain individuals without right to trial or counsel INDEFINITELY, YEAH THAT'S all about freedoms & rights & stuff like that. Harvard sucks.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    rebecca olesen, Mar 17th, 2013 @ 2:13pm

    Re: anonymous coward

    yes, says the guy who won't even put a fake name on his comment.

    OH yeah, working at HARVARD there must be a prerequisite for not being dumb enough to use your work email to leak shit that could get you fired LMAO. Honey, there is no degree in common sense, even though people who work at Harvard do seem to have an affiliation with an egotistical arrogant sense of self-entitlement, which might actually have something to do with people being too smug to imagine they'd get caught.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This