During the discussions of the Policy on Privacy in the Electronic
September 19) in University Council January through April, frequent
mention was made of an article to accompany the policy. The purpose of this
article is to provide explanations, suggestions, interpretations and best
practices that do not belong in the policy itself, but are important to
members of the University community who use or provide electronic communications
services in seeking to protect their own or others' privacy. The following
was approved by the 1999-2000 University Council Committee on Communications,
who thank David Millar, University Information Security Officer, for significant
contributions to its drafting.
--Martin Pring Chair, 1999-2000 Committee on Communications
Electronic Privacy in Practice
Despite the best intentions of users and the University or other system
operators, it is difficult, if not impossible, to assure the privacy of
e-mail. E-mail is not a good medium to use for sensitive matters that you
would not want disclosed. There are numerous ways that plain text e-mail
may be disclosed to persons other than the addressee, including:
- Sender inadvertently replies to an entire list, rather than just to
- Recipient's address is mistyped; message is sent to someone else.
- Recipient forwards e-mail to someone else.
- Intruders break into e-mail system and read/disclose messages.
- Despite owner's belief that s/he deleted it, e-mail continues to exist
on computer hard drive or a copy is archived on tape backup; disclosure
of such copies may be required in connection with judicial or administrative
proceedings or government investigations.
- E-mail is observed as it travels over public networks like PennNet
and the Internet.
E-mail users concerned about privacy may wish to take some of the following
- Check with your mail system administrator about e-mail backup policies.
Find out how long backup copies are retained and where they are stored.
- Use a POP3 mail client like Eudora and configure it to not leave e-mail
on your mail server. (Remember, though, that e-mail on your desktop computer
could be backed up if your desktop computer is part of a computer backup
plan. Check with your computing support provider to learn more.)
- Use a tool like Pretty Good Privacy (PGP) to encrypt e-mail messages.
PGP is a powerful cryptographic product that allows you to securely exchange
messages with both privacy and strong authentication. PGP is freely available
- If you are especially concerned about your e-mail being read by someone
within the University, consider obtaining an account with an outside Internet
Service Provider. For details, see www.upenn.edu/computing/remote/index.html.
- Check with your Internet Service Provider to learn more about their
Access to Private Files
There may be times when managers need access to an employee's files
during periods of absence or vacation. For paper documents stored in locked
desks, the manager would reasonably require that copies of keys be securely
stored in the office. Similarly, for emergency access to electronically
stored documents, the manager may require that employee passwords be securely
stored in the office. A good practice is to store critical passwords in
a sealed envelope, kept in a locked cabinet. Critical passwords might include
screen saver passwords for desktop computers or passwords for file server
accounts. If emergency access is needed during a period of employee absence,
then the employee should be notified of the access on return, so that he
or she can choose a new password and store it in the sealed envelope. This
preserves accountability by keeping shared use of the employee's account
and password by the manager to a minimum.
Such problems can be avoided if critical documents are stored on a file
server with permissions allowing shared access to a document from both the
employee's account and the supervisor's account.
Role of System Administrators
Those responsible for maintaining Penn computers and networks have a
Since their privileges may afford access to private files they must make
sure that their activities comply with this policy.
Systems administrators' access to e-mail and other private files must
be for the sole purpose of conducting official duties. The supervisor/advisor
must indicate whether the nature of the job requires access to private information.
The use of privileged access for personal or other purposes unrelated to
official responsibilities is prohibited. Those with privileged access must
maintain in strictest confidence the information to which they have access
and not share it in any manner with others who are not authorized.
Situations in which it may be necessary for systems administrators to
view private files or directories as part of their official duties include,
but are not limited to:
- Mis-addressed e-mail delivered to the e-mail administrator.
- System security problems or performance problems that appear to be
the result of unusual processes run by a user.
- Helping users with technical problems.
- Helping users to back up/copy their data.
Systems administrators with privileged access should keep in mind the
- Where feasible, ask the user's permission before viewing private files.
In cases where there is suspected violation of law or policy, this will
probably not be feasible, but in situations where a user requests technical
assistance it is always a good idea to first ask permission before viewing
private files or directories. It is also best to explicitly ask if there
are any materials of a private or personal nature that they would rather
not be viewed.
- Remember that viewing private files without the user's consent and
without higher authorization should be carried out only when the function
or integrity of your system or the rights of other users are threatened.
If you suspect inappropriate activity that does not pose such a threat
inform your supervisor, the University Information Security Officer or
the Office of General Counsel.
- It may be necessary at times to view user access logs. If the user
of the account believes that someone else has had improper access to the
account then surely he/she will consent to the system administrator viewing
the logs. If so it is consensual and not constrained by the policy. The
causes for viewing access logs without the user's consent would then be
either "serious infraction of University policy" or "needed
to maintain the integrity of University computing systems." If the
latter, the system administrator would need no special authorization. If
the former, then the intent is disciplinary rather than protective and
the system administrator, if he/she is the person doing the looking, should
first consult with Information Security or seek higher authorization from
the disciplinary authority.
- If in doubt about the appropriateness of viewing private material,
consult with a supervisor first. If a supervisor is not available, make
a backup copy of the material without viewing it until a supervisor can
- Minimize the amount of private information that must be viewed. A keyword
search of a user's home directory is less intrusive than manually searching
all filenames and directories, and may be just as effective. Viewing message
headers is usually sufficient to re-route mis-directed e-mail.
- Avoid viewing any materials not clearly related to the purpose of the
investigation, and immediately stop viewing any such materials once it
is apparent that they are not related to the purpose of the investigation.
- Keep confidential the content of any private materials viewed inadvertently.
- Keep records of any private files viewed, the date, time and purpose
In the course of their duties, computing support staff may inadvertently
view materials that they suspect could be evidence of violations of University
policies or laws. Computing support staff must realize that their job is
not to monitor or actively search for misuse or violations by their users.
However, when illegal activity is observed there may be a legal obligation
to report it. In such situations the person viewing the material should
promptly notify a supervisor and consult Penn's Office of General Counsel.
Almanac, Vol. 47, No. 5, September 26, 2000
PAGE | CONTENTS
Electronic Privacy in Practice | 1999-2000 COUNCIL REPORTS: Admissions
& Financial Aid, Pluralism,
Benefits and Quality
of Student Life | TALK
ABOUT TEACHING ARCHIVE | BETWEEN
ISSUES | OCTOBER at PENN