Harvard to review privacy policies in wake of email search scandal
Lack of standard policies 'highly inadequate,' university president says
Computerworld - Harvard University President Drew Faust has ordered a comprehensive review of the university's email privacy polices amid disclosures that a secret search of some deans' email accounts by administrators was broader than originally acknowledged.
Speaking at a meeting with Harvard's Faculty of Arts and Sciences (FAS) on Tuesday, Faust expressed concern over the university's "highly inadequate" institutional policies and processes for protecting email privacy.
"We have multiple policies across the university that vary across schools, with some faculties lacking any explicit policies at all," Faust said in remarks posted verbatim by Harvard Magazine.
Calling the lack of email policies an "institutional failure," Faust said she would create a task force to develop recommendations on university-wide policies and guidelines for email. Those recommendations will be made available for community discussion and university consideration by the end of the fall term.
Faust's remarks come a few weeks after the Boston Globe detailed how university administrators had secretly searched the email accounts of 16 resident deans at Harvard. The university was looking for the source of a leak about a cheating scandal, the Globe reported.
Harvard acknowledged the search, but maintained it was done in an extremely limited manner and only to identify an individual who shared a confidential email with an unauthorized person. The email, which contained advice on how to counsel students accused of cheating, was shared with the Harvard Crimson student newspaper and later picked up by the Globe. Harvard administrators said they decided to conduct a search out of concerns for the privacy of students involved in the cheating scandal.
Harvard officials admitted they made a mistake in not informing the deans about the search, either before or after it took place. The university, however, insisted that it had not actually opened any emails or searched their contents. Instead, IT administrators only conducted an automated subject line search of each dean's administrative email accounts to see if they could identify the source of the leak. The university also stressed that the subject-line search only involved administrative email accounts, not a separate Harvard email account that each dean maintains for personal use.
At Tuesday's meeting, Harvard Dean Evelyn Hammond noted that two additional searches had taken place that were not previously disclosed. After the initial search identified the resident dean responsible for forwarding the email, Hammond said she authorized another search to look specifically for correspondence between that individual and two student reporters from the Crimson.
In addition, Hammond said she also authorized a search of the same dean's personal email account for correspondence with the reporters. In both cases, the search involved only the subject lines and not the actual content of the emails, she said in comments posted on Harvard Magazine. She apologized for not informing her peers or the deans about the searches, but insisted that her actions were driven purely by concerns over student privacy.
The incident has proved to be embarrassing for Harvard. Several faculty members have faulted the university for not informing deans about the searches and said they fear the incident could erode trust between administrators, faculty members and staff.
Acknowledging those concerns, Faust said Tuesday that she has also asked a leading Boston lawyer from outside Harvard to conduct a full investigation into how the searches were conducted and to verify that the information provided so far is a full and accurate description of what actually happened.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- Franken presses Ford on location data collection practices
- Justices let stand appeals court decision on border searches of laptops
- California lawmakers move to bar state help to NSA
- Appeals court again nixes Google's bid to overturn Street View case
- Older Mac webcams can spy without activating warning light
- Update: Judge rules NSA spy efforts may be unconstitutional
- Perspective: Privacy concerns could keep Amazon delivery drones grounded
- NSA collects data from millions of cellphones daily
- Perspective: Curbing data use is key to reining in NSA
- Lavabit-DOJ dispute zeroes in on encryption key ownership
Read more about Privacy in Computerworld's Privacy Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts