BENCHMARKS

During the discussions of the Policy on Privacy in the Electronic Environment (Almanac, September 19) in University Council January through April, frequent mention was made of an article to accompany the policy. The purpose of this article is to provide explanations, suggestions, interpretations and best practices that do not belong in the policy itself, but are important to members of the University community who use or provide electronic communications services in seeking to protect their own or others' privacy. The following was approved by the 1999-2000 University Council Committee on Communications, who thank David Millar, University Information Security Officer, for significant contributions to its drafting.

--Martin Pring Chair, 1999-2000 Committee on Communications

Electronic Privacy in Practice

E-mail Privacy

Despite the best intentions of users and the University or other system operators, it is difficult, if not impossible, to assure the privacy of e-mail. E-mail is not a good medium to use for sensitive matters that you would not want disclosed. There are numerous ways that plain text e-mail may be disclosed to persons other than the addressee, including:

  • Sender inadvertently replies to an entire list, rather than just to one individual.
  • Recipient's address is mistyped; message is sent to someone else.
  • Recipient forwards e-mail to someone else.
  • Intruders break into e-mail system and read/disclose messages.
  • Despite owner's belief that s/he deleted it, e-mail continues to exist on computer hard drive or a copy is archived on tape backup; disclosure of such copies may be required in connection with judicial or administrative proceedings or government investigations.
  • E-mail is observed as it travels over public networks like PennNet and the Internet.

E-mail users concerned about privacy may wish to take some of the following steps:

  • Check with your mail system administrator about e-mail backup policies. Find out how long backup copies are retained and where they are stored.
  • Use a POP3 mail client like Eudora and configure it to not leave e-mail on your mail server. (Remember, though, that e-mail on your desktop computer could be backed up if your desktop computer is part of a computer backup plan. Check with your computing support provider to learn more.)
  • Use a tool like Pretty Good Privacy (PGP) to encrypt e-mail messages. PGP is a powerful cryptographic product that allows you to securely exchange messages with both privacy and strong authentication. PGP is freely available from http://web.mit.edu/network/pgp.html
  • If you are especially concerned about your e-mail being read by someone within the University, consider obtaining an account with an outside Internet Service Provider. For details, see www.upenn.edu/computing/remote/index.html.
  • Check with your Internet Service Provider to learn more about their privacy policy.

Access to Private Files

There may be times when managers need access to an employee's files during periods of absence or vacation. For paper documents stored in locked desks, the manager would reasonably require that copies of keys be securely stored in the office. Similarly, for emergency access to electronically stored documents, the manager may require that employee passwords be securely stored in the office. A good practice is to store critical passwords in a sealed envelope, kept in a locked cabinet. Critical passwords might include screen saver passwords for desktop computers or passwords for file server accounts. If emergency access is needed during a period of employee absence, then the employee should be notified of the access on return, so that he or she can choose a new password and store it in the sealed envelope. This preserves accountability by keeping shared use of the employee's account and password by the manager to a minimum.

Such problems can be avoided if critical documents are stored on a file server with permissions allowing shared access to a document from both the employee's account and the supervisor's account.

Role of System Administrators

Those responsible for maintaining Penn computers and networks have a special responsibility to be familiar with the Electronic Privacy policy. Since their privileges may afford access to private files they must make sure that their activities comply with this policy.

Systems administrators' access to e-mail and other private files must be for the sole purpose of conducting official duties. The supervisor/advisor must indicate whether the nature of the job requires access to private information. The use of privileged access for personal or other purposes unrelated to official responsibilities is prohibited. Those with privileged access must maintain in strictest confidence the information to which they have access and not share it in any manner with others who are not authorized.

Situations in which it may be necessary for systems administrators to view private files or directories as part of their official duties include, but are not limited to:

  • Mis-addressed e-mail delivered to the e-mail administrator.
  • System security problems or performance problems that appear to be the result of unusual processes run by a user.
  • Helping users with technical problems.
  • Helping users to back up/copy their data.

Systems administrators with privileged access should keep in mind the following guidelines:

  • Where feasible, ask the user's permission before viewing private files. In cases where there is suspected violation of law or policy, this will probably not be feasible, but in situations where a user requests technical assistance it is always a good idea to first ask permission before viewing private files or directories. It is also best to explicitly ask if there are any materials of a private or personal nature that they would rather not be viewed.
  • Remember that viewing private files without the user's consent and without higher authorization should be carried out only when the function or integrity of your system or the rights of other users are threatened. If you suspect inappropriate activity that does not pose such a threat inform your supervisor, the University Information Security Officer or the Office of General Counsel.
  • It may be necessary at times to view user access logs. If the user of the account believes that someone else has had improper access to the account then surely he/she will consent to the system administrator viewing the logs. If so it is consensual and not constrained by the policy. The causes for viewing access logs without the user's consent would then be either "serious infraction of University policy" or "needed to maintain the integrity of University computing systems." If the latter, the system administrator would need no special authorization. If the former, then the intent is disciplinary rather than protective and the system administrator, if he/she is the person doing the looking, should first consult with Information Security or seek higher authorization from the disciplinary authority.
  • If in doubt about the appropriateness of viewing private material, consult with a supervisor first. If a supervisor is not available, make a backup copy of the material without viewing it until a supervisor can be consulted.
  • Minimize the amount of private information that must be viewed. A keyword search of a user's home directory is less intrusive than manually searching all filenames and directories, and may be just as effective. Viewing message headers is usually sufficient to re-route mis-directed e-mail.
  • Avoid viewing any materials not clearly related to the purpose of the investigation, and immediately stop viewing any such materials once it is apparent that they are not related to the purpose of the investigation.
  • Keep confidential the content of any private materials viewed inadvertently.
  • Keep records of any private files viewed, the date, time and purpose of access.

Legal Obligations

In the course of their duties, computing support staff may inadvertently view materials that they suspect could be evidence of violations of University policies or laws. Computing support staff must realize that their job is not to monitor or actively search for misuse or violations by their users. However, when illegal activity is observed there may be a legal obligation to report it. In such situations the person viewing the material should promptly notify a supervisor and consult Penn's Office of General Counsel.

Almanac, Vol. 47, No. 5, September 26, 2000

| FRONT PAGE | CONTENTS | JOB-OPS | CRIMESTATS | BENCHMARKS: Electronic Privacy in Practice | 1999-2000 COUNCIL REPORTS: Admissions & Financial Aid, Pluralism, Communications, Community Relations, Personnel Benefits and Quality of Student Life | TALK ABOUT TEACHING ARCHIVE | BETWEEN ISSUES | OCTOBER at PENN |