We've written a few times about employers snooping through the emails of employees, and for the most part, courts have found this to be legal. There are a few exceptions -- such as for attorney/client communications -- but for the most part, if you're using work-provided email, they can spy on it. Of course, just because they can doesn't mean they should. As we've been pointing out for over a decade, doing so probably fosters an environment of paranoia, which may not be the most productive. Still, it's a bit surprising to see that Harvard University chose to snoop through the emails of staff members in trying to hunt down the source of a leak. Specifically, the university searched the emails of 16 deans, telling them about the search a few days later. Again, even though this is likely legal, it seems odd that a university like Harvard would do it, as it inevitably creates distrust with some of its most important staffers. Indeed, the news apparently has faculty and staff up in arms.
Harvard has defended the search by arguing it was very limited -- just to specific accounts and just to subject lines:
Consequently, with the approval of the Dean of FAS and the University General Counsel, and the support of the Dean of Harvard College, a very narrow, careful, and precise subject-line search was conducted by the University's IT Department. It was limited to the Administrative accounts for the Resident Deans — in other words, the accounts through which their official university business is conducted, as distinct from their individual Harvard email accounts. The search did not involve a review of email content; it was limited to a search of the subject line of the email that had been inappropriately forwarded. To be clear: No one's emails were opened and the contents of no one's emails were searched by human or machine. The subject-line search turned up two emails with the queried phrase, both from one sender. Even then, the emails were not opened, nor were they forwarded or otherwise shared with anyone in IT, the administration, or the board. Only a partial log of the 'metadata' — the name of the sender and the time the emails were sent — was returned.
The Resident Dean whose account had been identified was asked about the incident and voluntarily reviewed his/her own sent items and confirmed that she/he had indeed forwarded the message to two students. Although the Resident Dean's actions violated the expectations of confidentiality surrounding the Administrative Board process, those involved in the review and the conversation with the individual were sufficiently convinced that it was an inadvertent error and not an intentional breach. The judgment was made not to take further action.
The issue, though, is the expectation of privacy and the level of trust built up between staffers and the university -- and actions like this, even when done narrowly and carefully, can break down that trust in significant ways.