Harvard scrambles to explain why it secretly searched deans' emails
Search was done out of concern for sensitive information leaks
Computerworld - Harvard University officials on Monday scrambled to contain the fallout from a damaging report in The Boston Globe over the weekend disclosing how administrators secretly accessed email accounts belonging to 16 resident deans at the university.
In a statement issued on Monday, Harvard Deans Michael Smith and Evelynn Hammonds acknowledged that the search described in the Globe report had happened. However, they maintained the search was done in an extremely limited and thoughtful manner to identify an individual who shared a confidential email with an unauthorized person.
Though the specific email was inconsequential, the fact that it was forwarded word-for-word to someone else was concerning, the deans said in their statement. The disclosure prompted concerns that other information, especially sensitive student information, was at risk of similar disclosure.
"The search did not involve a review of email content; it was limited to a search of the subject line of the email that had been inappropriately forwarded," Smith and Hammonds noted. "To be clear: No one's emails were opened and the contents of no one's emails were searched by human or machine."
The statement appears to be an attempt by Harvard to put a lid on what's quickly turned out to be a major embarrassment for the prestigious university.
The Globe on Saturday reported that Harvard administrators had secretly accessed the email accounts of 16 resident deans at the university last fall. The university was looking for the source of a leak to the news media about a cheating scandal at the university, the Globe reported.
Resident deans serve on Harvard's Administrative Board, the university's disciplinary body, and are responsible for working with students to discuss such issues as academic requirements and personal concerns, according to a university description. Resident deans, who are basically non-tenure-track teachers, work with students in preparing academic petitions and in responding to disciplinary actions.
None of the resident deans whose emails were searched were informed about the access prior to the search and only one was told about it after the search was completed. The individual who was notified about the search was a resident dean who had forwarded to a student a confidential email pertaining to the cheating scandal. The contents of that email -- basically advice on how to counsel students accused of cheating -- later found their way to the Harvard Crimson student newspaper, and from there to the Globe.
According to the Globe, each of the deans had two Harvard email accounts, one for administrative duties and another for personal use. Only the administrative email account was accessed in each case, the newspaper noted.
The story prompted an immediate response from faculty members and the media. In a blog post, Harry Lewis, a former dean of Harvard College and a professor of computer science at the university, questioned whether administrators decided to access the emails because they thought that the privacy policies protecting faculty members from such snooping did not apply to resident deans.
According to Lewis, Harvard's faculty email privacy policies prohibit administrators from accessing faculty emails without notice except under a narrow set of circumstances. The university's policies for staff emails are less robust from a privacy perspective.
"Whichever policy is applicable, this way of handling the situation seems to me -- well, dishonorable," Lewis said in his blog, in response to the Globe story. "Why not tell people you are reading their email? Other than avoiding, perhaps, the embarrassment of acknowledging that you are doing something to which the targets would reasonably object if they knew it," he wrote.
Michael Mitzenmacher, a Harvard professor of computer science, disagreed that the incident represents a moral failing on the part of the university. However, the university should have informed resident deans of the search all the same, he said in a blog post on Monday.
Even though the search was targeted and only involved a search for subject lines and not email content, the fact remains that a search was conducted, Mitzenmacher said.
"I don't think this care offers an excuse for not following the policy of informing the Resident Deans of the search. I would still say a search on their email had been performed and, from my understanding of the policy, they should have been notified. This is something the faculty and administration can and should discuss further," Mitzenmacher said.
The New York Times reported that Harvard law professor Charles Ogletree expressed shock and dismay over the incident. "I hope that it means the faculty will now have something to say about the fact that these things like this can happen," Ogletree told the Times.
In Monday's statement, Smith and Hammonds acknowledged the university may have bungled the approach to the search. But they maintained that they remained silent to protect the privacy of the dean who had forwarded the email. The fact that no human had looked at the emails was another reason for remaining silent, they said.
"We understand that others may see the situation differently, and we apologize if any Resident Deans feel our communication at the conclusion of the investigation was insufficient," the university noted.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is firstname.lastname@example.org.