An Immodest Proposal

Iowa State’s wrestling with a student group that advocated the use of an anonymizing technology, Tor, is a model in how higher education can address the complex questions of technology, law and policy.  Everyone involved in the event deserves a gold star: the students who formed the association, the administration that was willing to change its mind and the CIO and staff who provided solid information and facilitated the education.   Athena – i.e. law, philosophy and justice – in the Internet Age does not materialize out of the head of Zeus, unless we deconstruct this myth to appreciate that balance and understanding of the issues will take effort, data, flexibility, patience, communication and good will (remember Athena won the competition with Poseidon to be the patron of Athens with an olive branch, not a sword).  In short, Iowa State did exactly as the MIT Report suggested: educating the entire community on issues of technology, law and policy related to the Internet.

Privacy became the headline for the story.  That theme set me to thinking about what higher education can do for U.S. society.  A great deal, I believe. First, and I know that I am repeating myself ad nauseum, higher education associations should be actively calling for the reform of U.S. surveillance laws. The projected loss of revenue to U.S. companies without the fix to surveillance laws is very significant, and the loss of innovation from Internet companies would be a loss to higher education as well.  Moreover, we already have some very good modeling in this particular space on how to manage the contracts between vendors and institutions.  Internet 2’s Net+ has been working as the consortium broker with cloud vendors to structure contracts that respect privacy and security of institutional information and regulated data.   A new legal paradigm on surveillance (that IMHO would dismantle FISA, fundamentally restructure ECPA, and introduce serious oversight from privacy legal scholars as well as scientists from the National Academy of Science to test and verify the technology) would complement those efforts by re-establishing trust in U.S. Internet companies both in the U.S. context as well as in being good partners with higher education … globally.

Second, higher education should do more collectively and individually to manage its own privacy practices. I have no doubt about any one registrar’s ability to meticulously protect a student’s transcript.  But I know of no one institution with a humming lifecycle process for the acquisition of information technologies that: (1) begins with the goal of matching need with functionality; (2) assesses information management including legal, security and policy issues from the start of the procurement process right through the development of business processes; (3) works with the community to align contract provisions, set technological settings, maintain security safeguards, establish policy and communicate effectively with data stakeholders and constituent groups about all of these issues to the satisfaction of the community.

There may be many reasons why this process tends to be so uneven: legacy lag in a common understanding of all the issues involved in aligning information and technology to a diverse and opinionated community, a particular failure to align legal, policy and security issues across institutional information technology, including if not especially for the research community, and finally, with all of the other fiscal pressures upon us, too few “cycles,” in a day.

Privacy used to be a dirty word in this space, at least at some private universities.  Why?  For starters, it is a complicated – and potentially politicized – concept.  (See previous blogs in which I break the legal concept of privacy down into five separate categories for clarity.)  More specifically, because private universities are not subject to the constitution on matters of “privacy,” some members of our university counsel community developed an allergy to using the word at all, even when it was meant to address required privacy practices in public law such as HIPAA or GLBA.  This allergy created unnecessary obstacles to addressing the regulatory issues, threw conversations off track, which can be fatal when attempting to deal with complex issues that require focus, not red herrings and distractions.  Distributed powerbrokers on campus that feel threatened about anything that is perceived to challenge their fiefdom can also toss dazzling roadblocks in the way of progress on these issues.  That is a particularly unfortunate dynamic, because one has to believe that everyone has the institution’s best interest at heart.  Personalizing those interests with individual egos undermines that aspiration, however.

But privacy can also be a phoenix that rises from these ashes.  In the age of Snowden especially, a heightened awareness of what is at stake from the lowest levels of mere compliance to the alignment of privacy as a human value that supports higher education’s missions, can be used as a concept to energize the community, find common goals and encourage stakeholders to work more productively together on these multifaceted challenges.  Upon this hopeful foundation, I will now offer an immodest proposal to take the challenge one step further.

Higher education should adopt in a general way – not chapter and verse – the privacy standard practices observed by every other developed nation in the world except our own.   It would make business sense to do so. U.S. education relies on international students attending its colleges and universities.  Many institutions call themselves international or are launching broad initiatives by that name.  If we are going to truck in a global community, we best become more accustomed to playing by those rules.   Enough with the “safe harbor” exceptions driven by the market sector, let’s demonstrate a collaborative spirit and a willingness to share practices with international partners. Also, it is not hard for higher education to establish notice, relevancy, transparency and security practices around the personally identifiable data that we maintain. If you want hard, try working out each technical, security and user practice sectorally, and then run that exercise through constituent and stakeholder review.  That’s hard, that’s unnecessarily complicated, and that’s what creates divisions within our community.  We defeat ourselves in trying, and unnecessarily.  There is a relatively more simple solution right before our eyes.

Of course, I simplify.  Athens, after all, was not built in a day.   (I know, it’s Rome, but I am trying to be consistent with my original metaphor.) But after tilling these fields for many years now and having experienced more than a few sleepless nights sorting through the interpersonal, institutional and intellectual challenges of this process I have come to the conclusion that taking these issues to a higher level is in the best interests of higher education.  Of course that recommendation and a dollar will probably only get me a cup of coffee.  But at least today we have the example of Iowa State, where we observed that even when issues are complicated, there are win-win approaches that show us the way.