Is PSU reading your e-mail?
With Portland State staff members allowed access to student and staff e-mails, some students have expressed concern about their privacy, but administrators say the e-mail access is both legal and acceptable.
Craig Schiller, chief information security officer, said he must constantly look at student and faculty e-mails to protect information systems on campus. Schiller said there must be a balance between protecting the privacy of individuals and the need of the university to run effectively.
Student body President Courtney Morse said it worries her that people have access to her private e-mails.
“I think that it’s concerning that the administration has that kind of power without students knowing,” Morse said.
Schiller said working in information security is like being a plate spinner, balancing ethics with duties to the university.
”There are ethical cases where there is no right answer,” Schiller said. “In our world, it’s almost always striving for some sort of balance.”
Mark Gregory, associate vice president for strategic planning, partnerships and technology, said that information security investigates personal information if there are specific concerns of either cyber crime or issues of campus security. He said his department accesses e-mails and files in order to help effectively run the networking systems. If a file on a computer is using a high percentage of bandwidth, his office will investigate.
Gregory said the right to look at e-mails and files is clearly stated in the Acceptable Use Policy students must sign in order to use campus e-mail. He said the university has had the right to look at e-mails for years and the exact wording has existed since the late 1990s.
”It’s unlikely that a student hasn’t seen it,” Gregory said.
Jamie Ross, assistant professor in University Studies and teacher of the freedom, privacy, and technology course, said that it is the students’ responsibility to protect their own online privacy.
“You have to make an effort,” Ross said. “You can’t complain about lack of privacy when you haven’t closed your curtains.”
Schiller said that in most cases, the only people who see an e-mail are the person who sent it and the person who received it. He said lawyers tell their clients that they should never put anything in an e-mail that they would not put on a postcard.
He said that while, technically, numerous people can look at personal e-mails, it is not likely considering the professionalism of the departments.
Gregory said that by being constantly monitored, Portland State’s e-mail system is the same as all other e-mail services. He said students can opt for a privacy flag on certain e-mails that makes it less likely their information will be shared, although he said he and Schiller would still be able to read the e-mails. Gregory said PSU is right in the middle as far as aggression in their information security goes.
Schiller said if students really wanted privacy, they could encrypt their individual e-mails with software that is available for free online. He said currently PSU does not enforce any rules restricting encryption software.
“If you’re concerned about privacy, encryption is a good way to gain that,” Schiller said. “There may be occasions where an organization will say you can’t do that, but the university hasn’t taken a stance.”
Morse said she was not aware that her e-mails were not private. She said if her e-mails were accessed without her knowledge she would be very upset.
Morse said it should be the responsibility of information security to inform students that their e-mails have the possibility of being read. She said privacy is an important topic for students and she would like to know exactly who has access to her and other students’ e-mails.
“I’d like to know who these people are, and who has that power and what they would use it for,” Morse said. “When you give someone that type of control you have to know who’s responsible.”
Ross said there are illegitimate and legitimate invasions of privacy, and since there are no reasonable expectations for expecting full privacy on campus, it makes information security’s access more legitimate. She said it is important to set boundaries about what to do with information gained that might not be relevant to a specific search.
Ross said that if someone hasn’t been informed that their e-mails are being looked at, it would be problematic. She said while it is important to raise question of privacy and think critically about legitimate uses of privacy, people who are concerned have options to retain privacy.
The Acceptable Use Policy states: “The university cannot guarantee that messages or files are private or secure. The university may monitor and record usage to enforce its policies and may use information gained in this way in disciplinary and criminal proceedings.“