Analysis of the Policy on the Privacy of Electronic Information at UNC
The policy I decided to analyze was the privacy policy for email and other electronic information at UNC. This was pertinent to me for obvious reasons. As UNC provides all of its faculty and students with email accounts, storage, and web space, it is important for the university to outline the rights and responsibilities of the people who use them. The following policy outlines what UNC email users can expect in terms of privacy and security. This deals with not only privacy from outside threats but from people within the University as well.
The Policy
The website with the policy can be found at http://www.unc.edu/campus/policies/elec_info.html. It runs approximately three pages in paragraph format, with one list added to enumerate the circumstances for a certain action. For the most part, it seems like a disclaimer that clears up any illusions of complete privacy and security. Most of the privacy issues mentioned involve electronic mail that system administrators have access to.
The introduction to the policy outlines its purpose and the intended usage for UNC email accounts. The implication here is that so long as usage falls under these guidelines, the university will do what it can to respect the users' privacy as stated in the policy. According to the statement, these guidelines include:
The wording for the last purpose is somewhat strange, considering this may constitute the bulk of the email sent over UNC accounts. Still, it serves to remind the reader of what the email service is there for. Having outlined all of this, the introduction ends with the standard non-discrimination statement, which guarantees equal information privileges to all types of people and groups.
The first part of the actual policy seems more of a set of reminders and warnings for the reader. First off, it affirms that the University's primary interest is to respect and uphold the users' right to privacy. In line with this, the statement goes on with a reminder that the University is thus not responsible for the contents of any email sent through its services. The first warning in the policy points out the inherent lack of security in the email system. It warns the reader of the openness of email to third parties, and advises that people treat email with the same scrutiny that they would printed documents.
The policy then steers more deeply into the particulars of the UNC email system. First, it warns the reader that, though they may have deleted the email from their inbox, emails may remain on the mail server and thus be available to others. This helpful reminder segues into the meaty part of the policy, which begins to deal with the University's role in handling the mail stored on the servers. The first part of this deals with the "incidental personal purposes" emails, which are within safe harbor so long as they do not "burden the University with incremental costs, or interfere with the user's employment or other obligations to the University." The policy statement does not delve any deeper into what would constitute interference, or what kinds of emails would incur extra costs.
The next part of the policy enumerates instances which call for the handling of private emails by University administrators. In many cases, as mentioned in the statement, workers must handle and move around these emails on the server. Though they handle the emails, the policy is quick to point out that they do not actually read them. The next part of the policy points out situations where University employees may actually have to read the emails. This is where the ordered list comes into play, listing situations where the University has the right to read otherwise private emails. To provide further detail, the statement puts asterisks on instances where official approval from higher authorities is necessary to breach the normal privacy standards. Again, the statement is very clear in reassuring readers that all employees have signed and are bound by strict confidentiality agreements.
The email section of the policy ends much like it began. It details the standard policy for handling accounts of people no longer with the University. Again, it warns of emails remaining on the server after people are gone, and suggests that outgoing people clarify the details of how their email will be disposed. The email section ends with the familiar statement that any remaining emails may be used if they pertain to university business. Again, though this sounds reasonable, the concept of university business may be interpreted narrowly or broadly depending on the circumstances.
The next section of the policy details the privacy of other data stored on University computers. This section runs much like the one before it, stating that the University reserves the right to access this data if necessary, but will respect users' privacy until that need arises. The interesting and somewhat disturbing line at the end states clearly that the University makes no guarantees of either privacy or confidentiality. This probably could have been inferred from the rest of the policy, but the outright statement of it makes it very clear to the reader that privacy is a best effort affair for the University.
The conclusion repeats the disclaimer that there is no guarantee of privacy. It also sets forth the possible penalty of restricted access for anyone who violates the policy. There are no real guidelines on what types of offenses justify what types of penalties, but the statement ends with an invitation for anyone to report suspected violations to the postmaster.
The Criteria
The criteria I used to judge the policy are as follows:
The clarity of language deals with the basic presentation of the policy. It deals not only with the writing style and setup of the policy, but also with its straightforwardness. For instance, a policy with a good deal of legalese and fine print would most likely be far from clear. Thus, clarity isn't just a matter of being easy to read and understand; it's an indication that nothing is hidden that would make it harder to trust the policy.
The detail of the policy differs from the clarity in that it considers more what is left out of writing. Something could be very clear and well-written without covering all of the possible areas. This takes possible loopholes into account and assesses the potential for abuses of the policy. Perhaps this criterion is more the realm of paranoids, but being cautious is part of what information security is about.
The privacy ensured by the policy is probably the most obvious issue at large. After all is said and done, it is important to see what kinds of rights are afforded to users so that they can trust the email system and use it in good faith.
Finally, in relation to the privacy aspect, it is important to assess the fairness and practicality of the policy. If the policy does not allow for perfect privacy, perhaps there is a justification for it. Or perhaps, if too much privacy is awarded to users, it would be an unfair hindrance to those who must manage the system. Either way, there is a balance to the privacy issue that must be addressed.
Measuring up
With regards to clarity of language, the policy is very well-written. It is clear from the outset that while the University would like to allow for perfect privacy, it is unable to make such guarantees. There is very little space wasted on trying to sugarcoat this. At two points in the end, it goes so far as to say outright that the University can make no guarantees as to the privacy of email or any other information on University equipment. Aside from this, the statement also recognizes that electronic mail has inherent weaknesses in security, and advises readers to keep that in mind.
Overall, the policy is written very clearly and concisely. Each section mentions briefly the exceptions to the privacy rules and where and how they are applied. It goes so far as to even make a special note of exceptions where provost or vice chancellor approval is necessary to attain reading access to private emails. Also, the policy is very clear in reassuring readers that anyone who has access to their information is being held to strict confidentiality agreements. This is a bold move, directly asking users to trust the integrity of the individual workers who handle their information.
Where the policy falters somewhat is in the level of detail provided. Though the concise nature of the document makes for easy reading and understanding, it leaves a lot to be assumed. For example, in the introduction, it states that the University could give priority for resources for certain uses or groups "in support of its mission". It then moves on to the non-discrimination clause, never specifying what qualifies a group for higher priority. This leads to the possibility that designating higher priorities for resources could be highly subjective. Later on, in the email policy, it says that incidental email cannot be used for purposes that bring costs on the university or interfere with employment or obligations to the school. Again, no examples or guidelines are listed, leaving interpretation open to the whims of the people in charge. At the end of the email policy, the statement indicates that old emails of departing people may be used "as necessary for use in connection with University Business." Again, terms like "reasonably necessary" are thrown out, leaving things open to either a broad or narrow interpretation.
All throughout the document, references are made to "legitimate business purposes", "where necessary and appropriate", and "to ensure the orderly administration and functioning of" without ever bothering to give examples or more specific guidelines. These areas of vagueness may make the policy more flexible, but they open a lot of it up to interpretation and invite fears of abuse.
The issue of privacy itself is somewhat hard to evaluate completely in the policy. At various points in the introduction and conclusion, the policy makes a point to indicate that its primary interest is in providing a reliable and secure system for its users. It does not routinely check email, and if it can be helped, does not read any email that the university is forced to handle. In the case of emails that must be read, most of them need extensive review and approval from high-ranking university officials. This seems to underscore the severity of such an action, showing that the reading of private emails is not easily or commonly done.
Still, the ease with which emails may be accessed and read is somewhat alarming. Even though there are safeguards to protect users from allowing people to officially read their emails, there is nothing stopping systems administrators from reading any email they want. That is, nothing except for a signed agreement and their own integrity. Though this should be enough to satisfy most users, it is still a weak point for the extremely private. Unfortunately, there does not seem to be much to be done about it.
The final criterion, fairness, addresses the rest of the issue of privacy. As in all other security issues, there is a tradeoff. If email accounts were perfectly private, they would be almost impossible to manage. Administrators would be unable to effectively manage files, and would have to deal with overloaded or cumbersome servers. Also, important, even vital information could be hidden and inaccessible even when it is desperately needed.
On the other hand, a severe lack of privacy undermines the basic trust on which electronic communication rests. If people cannot send and receive email in good faith, then a valuable tool of communication will be lost. Communication would either move to less efficient media or break down altogether. Therefore, a balance must exist, where administrators could work and move around easily through their field while users could continue to email without much worrying. In the end, the UNC email policy comes reasonably close to this balance. Few emails must be directly handled, and even fewer of them actually read. For the most part, too, users are unaware that their emails are anything but private. In the end, it is somewhat fair to both users and administrators, who both shoulder through their share of compromise to create a system that is heavily used and reasonably well-maintained.
Recommendations
Overall, the only real issue with the policy is the lack of detail in going over certain issues. This was probably done with common sense in mind, and with the hope of escaping a very dry, repetitive document. However, it would still be much better if many of the aforementioned exceptions and conditions were described in detail. This would not only make things clearer for the users, it would allow for a more complete document. As the policy is currently kept online, it could benefit from effective linking. It would be nice if, when the policy referred to a special point, clicking on that area could bring up the specific instances of that point. Other than that, there is not much that can be changed to increase the privacy in the email section. Along with this increased detail on what qualifies each situation, the policy should also be more specific on what they will be punishing and with what. This would help provide for a fairer system of punishment, and perhaps a better deterrent for violators.