Site
Index



THE GROSS INADEQUACY OF THE PRIVACY AND CONFIDENTIALITY PROVISIONS OF THE PROPOSED UT IT ACCEPTABLE USE POLICY (AUP)


To: Members of the Faculty Senate
From: Thomas Y. Davies, Professor of Law
Date: April 3, 2003


This memorandum sets out objections to the proposed AUP to be considered by the Senate at our Monday meeting. The provisions of the proposed AUP that deal with largely technical matters such as protecting system security may be fine. However, the provisions in the proposed AUP that relate to the privacy and confidentiality of computer contents are totally defective and/or inadequate. Thus, I propose that all of the latter provisions be deleted entirely from the proposed AUP, and that those matters be addressed more sensitively in the future.


The anti-privacy implications of the AUP
Under "purpose," on page 2, the proposed AUP states that it seeks to "protect the confidentiality of data and privacy of its users to the extent allowed under state law, including the Tennessee Public Records Act." The proposed AUP also states at page 6 that "System and network administrators shall respect the privacy of users unless investigating reports of abuse . . ." (page 6), and further, on page 10, that "(q) No one shall compromise the privacy of others or the confidentiality of the information contained on UT IT resources."

But the thrust of the proposed AUP is quite different. There do not appear to be any provisions that actually undertake to protect the confidentiality of faculty computer files. Instead, after setting out the broadest possible definitions of "UT IT resources" and "UT IT data resources" on page 3 -- definitions that were clearly meant to cover every aspect of computer use on the campus -- the proposed AUP states on page 7:
While the University recognizes the role of privacy in an institution of higher learning and every attempt will be made to honor that ideal, THERE SHOULD BE NO EXPECTATION OF PRIVACY OF INFORMATION STORED ON OR SENT THROUGH UNIVERSITY-OWNED INFORMATION SYSTEMS AND COMMUNICATIONS UNLESS A PRIOR WAIVER HAS BEEN OBTAINED.
This is Orwellian. This statement that there should be no expectation of privacy -- especially when combined with the extremely broad definitions of UT IT resources and data resources -- threatens, as a legal matter, to compromise the expectation of privacy and confidentiality that would otherwise be associated with professional offices and workspaces, including those of government employed professionals.

In that regard, it should be noted that the Fourth Amendment's protection against unreasonable searches applies to the offices and work spaces of state government employees; the degree of privacy protection varies according to the usual practices, policies, and expectations that apply to the work setting in question. O'Connor v. Ortega, 480 U.S. 709 (1987). Under that treatment, one would expect that faculty computer files would enjoy substantial protection -- at least in the absence of an employer policy that repudiated privacy expectations. That, however, is exactly what the above statement does; it repudiates privacy expectations and undermines the privacy protections that would otherwise apply.

In addition, the reference to "a prior waiver" from the non-privacy rule in this passage is noteworthy. It does not appear to have any substance. Specifically, there is no indication of how, or from whom, with regard to what, or on the basis of what such a waiver could be obtained. In the absence of any such standards, there is no waiver that could be obtained that any one could expect to be effective.

Moreover, the reference to a "waiver" is fundamentally puzzling. If the AUP was written with the understanding that state law limits the University's ability to afford privacy and confidentiality to faculty computer files, then it is mystifying how anyone in the University could have the authority to create any "waiver" that would confer privacy protection. On the other hand, if the University has the authority to create such a waiver, then it is not apparent why it would lack authority to grant across-the-board privacy protections to faculty computer files. The reference to an undefined "waiver" in the proposed AUP strongly suggests that it was written without any understanding of what the University's authority actually is in this area.

There is no indication that the AUP was written on the basis of any understanding of relevant state law. My own quick perusal of relevant statutes suggests that it is far from clear that the computer files of individual faculty members would constitute "public records" under Tennessee Law. As defined in Tennessee Code Annotated 10-7-301 (6) "public records" includes documents and electronic data files only if they are "made or received pursuant to law or ordinance or in connection with the transaction of official business by any government agency." The scope of the term "official business" is not clear. One recent Tennessee court opinion has stated that the meaning of "public records" depends upon "the totality of the circumstances" -- a "standard" that means determinations regarding what constitutes a public record are essentially ad hoc. Thus, if the University were genuinely concerned with faculty privacy, there would appear to be ample room for it to take the position that such files are not public records (especially because there is legal precedent that the First Amendment includes some degree of protection of academic freedom on the part of university faculty). However, the proposed AUP appears to reflect an underlying willingness to concede that faculty files would constitute public records.

In addition, the proposed AUP fails to even mention that another relevant statute, TCA 49-7-120, provides for substantial "confidentiality of research records and materials" in "public higher education institutions" in Tennessee. What is the scope of that protection? At a minimum, the proposed AUP should seek to preserve privacy in faculty computer materials to the fullest extent possible under state laws. The proposed AUP, however, undermines privacy and confidentiality without reflecting any understanding of the relevant legal standards.

Two other statements regarding privacy in the proposed AUP should be noted. One is the following statement on page 8:
The University does not routinely examine the content of a user's account space; however, it reserves the right to investigate the use of that account and inspect the account contents when deemed necessary."
Putting aside the undefined terms "account," "account space," and "account contents" -- very few of the significant terms in this proposed AUP are defined -- this appears to be a blank check, totally discretionary inspection policy. What is the standard for "necessary" inspections? "Necessary" for what purpose? Who decides it is "necessary"?

Another statement relates to encryption. One of my colleagues has suggested that the proposed AUP may have attempted to provide some accommodation for confidentiality by including the following regarding encryption on page 3:
The University respects encryption rights on its networks and may itself encrypt information and transactions. When encryption is performed in the official capacity of a UT staff member's job, he or she is required to escrow the encryption key with the Treasurer's Office.
However, it is unclear whether this was meant to suggest that faculty could maintain confidentiality of their computer files by using encryption. Indeed, it is unclear what the term "respects" means in this provision, and whether a faculty member can use encryption without escrowing a key with the University. If encryption is meant to provide a basis for privacy of faculty files, there should be a clearer statement that encryption is permitted without any requirement of filing of an encryption key. In addition, any consideration of encryption needs to address the technical and economic feasibility (including faculty time) of using encryption. Offhand, it would appear to be a rather burdensome solution.

Overall, the proposed AUP totally fails to undertake to protect faculty privacy. It does not reflect the sensitivity to professional privacy to which a university faculty should be entitled.
The conflict with existing consulting policies
There are additional deficiencies in the proposed AUP. It states on page 9:
(e) No one shall use UT IT resources for individual financial or commercial gain; use of these resources, except for authorized University business, is prohibited.
This statement directly conflicts with existing policies that allow faculty to pursue consulting that is related to and beneficial to their academic pursuits, and to use office facilities while doing so. It also would appear to conflict with the use of office computers even for uncompensated public service work unless that were categorized as "authorized University business." As I recall, there was some recognition that this needed to be changed. However, the oversight regarding consulting also involves serious issues of legally mandated confidentiality that are not addressed in the proposed AUP.
The confidentiality of consulting materials
Faculty consulting activities will often result in a faculty member having computer files that involve legally privileged or proprietary information that the faculty member has no legal authority to disclose. For example, members of the law faculty who engage in consulting, either for compensation or pro bono, will often have attorney work product on their computers that is legally privileged from disclosure under the work product doctrine that is part of the attorney-client privilege. Because this material relates to clients' interests, the faculty members are not free to consent to disclosure of that material. This is a matter of particular concern for the legal clinic in the Law College, which has extensive legally privileged materials in the files of the cases in which it represents clients. There is no plausible basis on which such files could be deemed subject to disclosure as a state record. Indeed, the confidentiality of these files would appear to be protected by the Sixth Amendment right to counsel, which would trump any Tennessee statute on open records. But the proposed AUP does not take that into account, and does not even recognize that legally protected materials might exist on faculty computers.

Instances in which computer files are legally required to be kept confidential are not limited to the Law College faculty. I assume that faculty in forensic anthropology would also have legally privileged work product in their files. Moreover, that would likely be the case of any faculty member in any field who has acted or is acting as an expert in any litigation.

In addition, I assume that faculty in clinic psychology, nursing, audiology and speech, and other departments might have files that contain confidential client/patient files. Similarly, I assume that faculty in education might have files that contain information on student performance that might be required to be kept confidential by federal or state privacy laws or regulations. Indeed, any researchers who have assured human subjects of anonymity or confidentiality might have computer files that they would not be permitted to disclose.

Other sorts of faculty files might also involve legally required confidentiality. I assume that faculty in engineering or the hard sciences might have proprietary information on their computers that they are not legally permitted to disclose, perhaps as an aspect of contractual arrangements or otherwise. Were UT researchers unable to guarantee confidentiality of such proprietary materials, that might make outside firms leery of engaging in research with UT faculty.

The proposed AUP, however, makes no provision at all for any of these sorts of legally protected materials -- except for the meaningless passing reference to an undefined "waiver" as noted above.

In addition, it should be noted that these confidentiality requirements cannot be satisfied simply by devising means of protecting such information in the future (e.g., use of privately owned drives for consulting materials). There is also the problem that confidential materials are already on the hard drives of many faculty computers, and it is not easily removed. (Did anyone else read the recent stories regarding identity thieves who scavenge supposedly "erased" hard drives from discarded ATM machines and reconstruct customer information?)

An informal survey of the law faculty indicates that if the proposed AUP were adopted, a number of faculty would conclude that they would have to do much or most of their work away from their offices at the Law College -- a development that would hardly enhance the academic environment. I assume similar effects would occur in other units, too.
The absence of any due process standards
Finally, the proposed AUP is notable for its complete lack of any provision of due process procedures. Put simply, under the proposed AUP faculty members could enter their offices in the morning and find that their computers had already been removed and their contents were already being examined -- without any advance notice, and without any opportunity to assert legal protections (such as the legal privileges described above) that might otherwise apply to and protect the contents of the computer. (See the provision from page 8 regarding university inspection of "account contents," quoted above.)

At a minimum, there must be provision for advance notice of any inspection of computer files by the University, and a provision for appealing the "necessity" of such an inspection prior to the inspection. However, the proposed AUP is devoid of due process considerations. (There is some irony here -- on page 7, the proposed AUP states that "Users should respect the rights of others . . . and due process," but then it provides no due process whatsoever.)
Recommendation
It appears that the proposed AUP is a mixture of three sorts of provisions: (1) those that relate to technical security and compatibility issues; (2) some basic rules against abusive use (e.g., don't create viruses; don't harass other users; don't hook up components that will interfere with the system); and (3) privacy and confidentiality matters. The provisions regarding the first two aspects do not seem to be problematic (assuming technical objections are not raised by others). Hence, there is no reason not to proceed with them.

However, the provisions of the proposed AUP regarding the third aspect -- privacy, and confidentiality matters -- are so defective that they should be deleted and discarded entirely.

To be sure that there is no confusion on this point, the proposed AUP, after editing, should conclude with a final statement that "Nothing in this AUP shall be construed to limit a computer user's privacy or the confidentiality of the content of any computer files."

Privacy and confidentiality aspects of computer files need to be addressed with considerably more thought and sensitivity than they have received in the proposed AUP. Moreover, because the proposed AUP reflects a tin ear for such considerations, it would appear that it would be best if that work were assigned to a completely different group -- and with provision for substantial input from faculty to identify and address the various ways confidentiality concerns might arise.

Future deliberations should also include consideration of possible strategies to eliminate any claim that faculty computer files fall in the realm of university property and/or state records -- the opposite tack to that taken in the currently proposed AUP which seems to assume that faculty files must be viewed as university property and/or public records. For example, one colleague suggested -- only partly in jest -- that ownership of the computers be transferred to the UT Research Foundation -- which, after all, is a private rather than state entity. Alternatively, and perhaps more feasibly, consideration should be given to transferring ownership of computer drives to individual faculty members or to permitting faculty members to purchase their office computers/drives or to use privately purchased computers or drives in lieu of university-owned components.

There simply is no reason to assume -- as the proposed AUP seems to -- that the privacy of faculty computer files cannot be protected.



Senate Directory
   Officers
   Committees
   Members
Governing Documents
   Senate Bylaws
   Faculty Handbook
   Tenure Policy
Search

Reports
Calendar

Archives
Resources

Senate Home


To offer suggestions or comments about this web site, please click here.