While Harvard University administrators are taking heat after they secretly searched 16 residential deans’ e-mail last year in order to track down a leak, IT experts say that the right policies could have prevented the uproar.
University information technology experts said Harvard's action was troubling and should prompt a re-evaluation of policy there. The university confirmed elements of a Boston Globe report  that it had gone through employee e-mails to find the source of a leak about last year's cheating scandal . The administrators said it was a "fair question" to ask why Harvard never told 15 of the 16 residential deans until the Globe found out about the search.
The university defended the decision  Monday and said officials had only looked for the subject line of an e-mail  that had been shared with the student newspaper. "To be clear: No one's emails were opened and the contents of no one’s e-mails were searched by human or machine," the university said in its statement. The sender, one of the campus' residential deans, was not punished because the leak turned out to be inadvertent.
But despite the limited search, Harvard’s actions could remain troubling, said Michael Corn, the chief privacy and security officer at the University of Illinois at Urbana-Champaign.
“I think in an environment like a university, which is founded on the principles of open exchange and communication, the notion of covert surveillance is unnerving to people that live in that environment,” Corn said.
Corn said he had trouble remembering a case where Illinois looked at any employee's e-mails without telling him or her, unless the university was complying with a warrant or subpoena that prohibited that sort of disclosure.
At Illinois, Corn said there is a process officials have to follow to look at an employee’s e-mail to prevent the “unwarranted examination of content.” Typically, a department head and dean have to come to him with a written request for him to vet. He then makes sure the request is reasonable and adheres to university procedure. If the search happens, in most cases Corn informs the employee.
At Harvard, residential deans are considered "frontline administrators" rather than faculty, although they provide academic advising and sometimes teach. The university Faculty of Arts and Sciences' IT policy  says, a "faculty member is entitled to prior written notice that his or her records will be reviewed, unless circumstances make prior notification impossible, in which case the faculty member will be notified at the earliest possible opportunity." In its statement, Harvard said it did not do that. Instead, it said it was operating "without any clear precedent for the conflicting privacy concerns" it said it faced.
Tracy Mitrano, the director of information technology policy at Cornell University (and a blogger for Inside Higher Ed ), said Harvard may want to review how it handles IT issues in the future.
“Accessing content is generally a last resort in an investigation, unless the evidence at the beginning of the investigation is so overwhelming and it is of a so serious nature – for, instance, child pornography or terrorism – that immediate remediation is necessary,” she said.
Harry Lewis, a computer science professor on leave from Harvard who used to be dean of its undergraduate college, criticized the university's actions.
“In the information-control university, an email gone astray is grounds for a witch hunt,” Lewis wrote in a widely-read blog post .
Harvard said it was worried about the disclosure of confidential information, "especially student information."
But Lewis and others suggest the university was seeking only to save face.
Greg Lukianoff, the president of the Foundation for Individual Rights in Education, which advocates campus free speech, said the university’s actions were a symptom of the "over-bureaucratization of universities and the corporatization of universities.”
“When it comes to an overzealous attempt by a university to protect its brand – we see those cases all the time,” Lukianoff said.
He compared it to a 2009 incident  where Harvard’s medical school attempted to restrict students’ interactions with the media.
Other comments seemed stacked against Harvard's decision.
"I'll just bet there's a mass exodus of email users at Harvard to Gmail today,” Jeff Jarvis, the media pundit, said on Twitter . “Google is more trustworthy than Harvard.”
(In 2012, Google complied with about 90 percent of the 16,400 requests for user data  it received from the U.S. government. Its popular Gmail program also scans the full text of e-mails to sell advertisements to users.)
Valerie Strauss, an education blogger at The Washington Post, compared  Harvard administrators to President Richard Nixon’s "plumbers," a secretive group that went after the president's opponents.
Other prominent institutions have varying policies about administrators’ ability to access employee e-mails. Columbia University's policy says  its officials "will not read e-mail unless necessary in the course of their duties (e.g., including investigation, inappropriate contents or as directed by Office of the General Counsel, and will release email as required by an executed subpoena valid in the State of New York)."
Princeton University, though, makes clear  it "reserves the right to access and copy files and documents (including e-mail and voicemail) residing on university-owned equipment. This includes access without notice, where warranted."
But the university also says there are "degrees of privacy" -- more for students, less for employees -- and goes into some detail about the circumstances where it might go through employee e-mails, though none of them resemble what happened at Harvard.