CONTACT: Stanford University News Service (650) 723-2558
President Gerhard Casper released a report today on Stanford's electronic record-keeping and the implications for the privacy of faculty, students and staff.
Last spring, Casper commissioned law student Leslie Hatamiya to prepare the report to address his concern that neither he nor most people on campus were sufficiently knowledgeable about the subject.
"He felt it important that all of us faculty, staff and students be well-informed about policies and practices in an electronic environment," said Terry Shepard, director of university communications.
In hundreds of hours of research, Hatamiya reviewed how information ranging from computer files and e-mail messages to logs of computer traffic flow and data access and telephone records is collected or backed up in different forms, for varying lengths of time.
Hatamiya's 21-page, single-spaced memo covers five sections: computer services, including electronic mail and access to the Internet; the telephone system; the cable television system; the universal electronic identification card; and library circulation systems.
The report outlines the types of electronic records maintained by the university, the reasons for maintaining them, who has access to them and what the university's ability is to trace and monitor activity that takes place over its information and communication systems.
University guidelines state that the information should be collected only to serve "clearly defined purposes," which primarily involve ensuring smooth operation of systems, minimizing the losses from operational failure and providing billing information. In some cases, a designated official may retrieve certain information for example, to investigate accusations of forged e-mail messages and account break-ins.
And the collection of such records, officials note, could have "unintended consequences" that could implicate the privacy interests of users of the university's computers, telephones, cable television and other technological services. For example, the report emphasizes that Stanford networks are subject to local and regional laws and, under some circumstances, Stanford could be required by law to produce electronic records in a legal proceeding.
"People should realize that whatever they do on the computer may never disappear" and could be subpoenaed, said Hatamiya, a third-year law student.
In the introduction of her report, Hatamiya notes that the privacy implications of electronic record-keeping may differ for students, faculty and staff.
"Depending on the circumstances, an employer can be held liable for the actions of employees under the legal doctrine of respondeat superior, she wrote. "Consequently, the university can and does limit faculty and staff use of its information resources, such as computers and telephones, to university business.
"Students, on the other hand, are not Stanford employees (except when employed as staff or instructors), and the university views its relationship with them, with respect to many of its information resources, as one of service provider, at least in a dormitory and non-employee capacity."
But in a footnote, Hatamiya points out "that university liability for student activity on its online resources, however, is an unsettled area of law. Although the university may view itself simply as a service provider of computer services and therefore not liable for student use of and conduct on them, external legal bodies might take a contrary view and even try to hold the university responsible for a student's activity in cyberspace."
For truly private information, she suggests old-fashioned pencil and paper or a home computer.
By Marisa Cigarroa