48 comments

[ 3.0 ms ] story [ 107 ms ] thread
Glad to see that she's being forced to step down after such an egregious invasion of privacy.

But that's just a school. The much more important case is whether anyone in the federal government gets punished when they do the same thing without a warrant. So far, it doesn't look like it.

Ironically in both cases it was not about "finding the criminal" but about finding out who leaked a story to the press. Seems like transparency is not really popular these days.
The Dean of Harvard is stepping down not because there is anything illegal about her searching through the e-mails of faculty (your employer has every right to search your work e-mail), but because it was in bad taste in an academic institution which made the Dean ineffective as a figurehead. Similarly, there is nothing definitively illegal about the federal government asking Google to voluntarily hand over your e-mails. It is at best in bad taste.
Harvard College, not all schools at Harvard. And simply handing over emails is illegal without a warrant. The issue here was with blanket access to all emails (read: all students) without probable cause.
It should be, but is not illegal for the government to ask for private data, or lean on companies to provide it, (see the NSA Warrantless Wiretapping affair, specifically Qwest - the only telco that refused the illegal orders.)

You can be essentially compelled to break the law - and you gain no immunity for being forced. Damned if you don't, convicted if you do.

In most situations it is probably not illegal to hand over your emails without a warrant; it depends entirely on the terms of your access to your email service.
This is another area where your intuition might say A but in reality the law is !A.

Under federal law an email provider may not "knowingly divulge" the contents of email "to any governmental entity" without a court order or emergency situation involving "serious physical injury." Violations are punishable by "imprisonment for not more than 1 year" and civil liability.

It's true that there's an exception to the law. That says providers may share the contents of customers' communications only "with the lawful consent" of the user. A federal appeals court in 2003 narrowed that, saying consent exists only when the "party knew about and consented to the interception." And the FTC has said that it's unlawful for a company not "to adequately disclose" it's sharing information.

Translation: if Comcast buried a we-will-disclose-all-your-email-to-the-FBI in the fine print of its terms of service, its executives risk felony charges (and mass defections). In the real world, Comcast doesn't do that -- and it is illegal to hand over your emails without a warrant.

Employers can share email messages without any consent. IT operators do not face felony charges for establishing that term. Where is the line drawn? Where do companies cease to have the freedom to establish their own contracts with their users?

Also, what's the felony statute to which you're referring?

Sure, if we're talking about employers, the rules are different. But most of the discussion in this thread has been about non-employer email providers. The line is actually drawn pretty reasonably in that case, if you spend some time thinking about it.

The felony statute I was referring to far above was the Wiretap Act. The "not more than 1 year" in prison is from the Electronic Communications Privacy Act of 1986. Also if you're talking about cable providers you need to look at the Communications Act of 1934 and the Cable TV Privacy Act of 1984. Enjoy. :)

You're on a thread talking about employers searching mail, Declan.
Actually this thread was not about routine employer-employee searches, but Harvard College and faculty email searches. Harvard is as far as I can tell unique in providing its faculty -- thanks to a very able computer science professor there -- with contractual privacy rights that go above and beyond the rights any other university or employer provides.

(The resident deans whose email was searched were faculty, not staff employees. The 12 RDs of the Houses are faculty with a lecturer rank: two of them serve on the Faculty Council; Harvard views RDs as faculty when reporting faculty counts; Harvard tells US News and World Report they're full-time faculty, etc.)

But then of course the thread veered into other directions including Google, Qwest, shell corporations, the NSA, the British Parliament, Comcast, etc. As usual!

I wonder what one has to do to engage in a private discussion over the internet [ with some legal recourse to that privacy being protected ]

As you suggest, we rely on 'good taste' from both our employers and our governments.

Is there some way to define good taste, which can be applied in court.. do I have some legal recourse if my government acts in bad taste ?

It seems that the legal system has evolved over the years to be our best attempt to scale and codify the idea of 'good taste'.

The legal system does not codify good taste, it codifies minimum standards. The Constitution even less so--it only interdicts those actions that are deemed to be outside the power of even the elected legislatures.

As for what one has to do to engage in a private discussion over the internet, any answer involves encryption. Otherwise the question is ridiculous on its face--how can you have a "private discussion" where dozens of intermediaries have access to the plain text of your communication?

My apologies for changing the subject, but do you have any evidence at all that Google has ever "voluntarily hand[ed] over [anyone's] e-mails", or was that just a random slur?

Google's stated policy is to fight government requisition of data, but ultimately to comply with the law. That is to say, Google claims to be as anti-government-surveillance as it is possible for a corporation to be. I am aware of no evidence whatsoever that this claim is false. Admittedly, I also have no strong evidence that it's true[0].

Note that I'm not quibbling with the literal truth of your statement, since your statement deals only in hypotheticals. But it'd be pretty crass of me to say something like "I've never seen <insert name here> rape a child without offering the kid some heroin to ease the pain", even though it's technically true for every name including yours.

Also note that I'm not entirely sunshine-and-roses positive about Google's record on privacy. I think it's not as bad as the fear-mongers state, but not without any concerns whatsoever. Google management, it seems to me, pretends to believe that when users say "we want privacy" they always-and-only mean "we want privacy from the government and criminals". Which is... disingenuous. But I think that Google appears to be a relatively pro-privacy [1] organization, especially with regard to the particular slur you raised, and I've never seen a credible argument that this appearance is false.

[0] I do see some evidence that Google is truly anti-surveillance. However, all the evidence I have is also consistent with the theory that Google is willing to spend a lot of money to convince its employees that it's anti-surveillance... if Google were an NSA shell corp, maybe this is how it would behave.

[1] By "relatively pro-privacy", I mean I have to think pretty hard to think of organizations MORE pro-privacy, although eventually I remembered that mozilla exists.

Random slur.

Google fought a DOJ subpoena for search terms in court (while Yahoo, AOL, and Microsoft did not), which I wrote about here: http://news.cnet.com/FAQ-What-does-the-Google-subpoena-mean/...

It also nationalized Warshak by requiring a search warrant for the contents of archived email (anyone think Verizon/AT&T/etc. have been doing that?). More importantly, Google is currently challenging a secret NSL it received from the FBI in federal court in San Francisco, making it the first large Internet company to do so. It also became the first large Internet company to divulge summary statistics about receiving NSLs.

Twitter and Amazon.com have similarly good records. And Facebook fought a subpoena from the state of Virginia.

> Random slur.

He didn't make any claims about Google at all other than implying they might be recipients of requests, so how in the world was that a slur against Google?

In the eyes of fanboys, anything that isn't praise is a slur.
> My apologies for changing the subject, but do you have any evidence at all that Google has ever "voluntarily hand[ed] over [anyone's] e-mails", or was that just a random slur?

I didn't say they did. I said: "the federal government [has asked] Google to voluntarily hand over your e-mails." I referenced Google because of: http://cnsnews.com/news/article/13753-gov-t-requests-google-....

You misinterpreted the CNSNews.com article. You used the term voluntary but the incidents referred to in it are involuntary demands. That is, they represent legal process, such as a search warrant, a (d) order or grand jury subpoena for non-content logs, etc. If Google gets a valid court order, it is required by law to involuntarily comply. Similarly, if the cops show up at 6am at your home with a valid search warrant, you're required to involuntarily let them in and conduct their search.

Also the good folks at CNSNews.com (published by the conservative advocacy group Media Research Center) would probably not be my first choice for a survey of surveillance and electronic privacy law. For instance the article fails to mention that, at the time it was published, Google required search warrants for all e-mail -- an important detail.

Saying "there is nothing definitely illegal" about FedGov asking an email provider to let it snoop on emails without due process is like saying "there is nothing definitely wrong in saying bubble sort is the most efficient sorting algorithm." It sounds reasonable only if you're unfamiliar with the topic.

Under the Wiretap Act, an FBI agent who "procures any other person to intercept" or "endeavors to intercept" e-mail without a court order is guilty of a federal felony.

In addition, an email provider may not "knowingly divulge" the contents of email "to any governmental entity" without a court order or emergency situation involving "serious physical injury." Violations are punishable by "imprisonment for not more than 1 year."

These criminal sanctions are one reason why AT&T and other companies that opened their networks to the NSA were so desperate for retroactive legal immunity (especially after the EFF et al. lawsuit). Which Congress dutifully provided.

I should probably have used "definitely unconstitutional" since I was talking about the constitutional aspect, but in any case the Wiretap Act does not protect e-mail older than 180 days: https://www.cdt.org/issue/wiretap-ecpa.
Re: the Wiretap Act, you're quite right. But fortunately the Fourth Amendment does: http://news.cnet.com/8301-31921_3-20025650-281.html
Only in the sixth circuit (Kentucky, Michigan, Ohio, Tennessee).
Except that (from memory) Google, Facebook, Microsoft and Yahoo treat it as the law of the land for all U.S. users. And based on the DOJ's twin appearances before congressional committees in the last few months, they're not arguing.
>your employer has every right to search your work e-mail

Not in countries that care about the rights to privacy of their citizens. Where I live, the company can only look at the contents of email I send from my work account if the subject reasonably appears to be about work. If the subject is obviously personal, they can't legally read it.

Americans need to start standing up for their rights instead of having their rights dictated by what ever is most convenient for the corporation.

What makes you think the government is required to get a warrant to read your email? Anything older than 180 days is considered fair game.
Not after the 6th Circuit's decision in Warshak, at least for major email providers. Non-email stored data such as Dropbox or Google Drive files, on the other hand...
Egregious invasion of privacy? The dean authorized a search of the subject lines of emails sent by a specific set of employees using an email system provided by their employer. A system which based upon law and I'm willing to guess the acceptable use policy faculty agree to, they have no reasonable expectation of privacy when using. This was done in order to determine if student information, which the university has an obligation to protect, was leaked along with other information regarding the disciplinary action. Doesn't sound like an invasion of privacy at all and certainly not egregious.
I find it Ironic that the dean at Harvard has the fortitude to step down when he's caught red-handed violating the civil and constitutional rights of his employees (and yes I recognize that working for someone is not the same as being a citizen of a country), yet our elected leaders, when caught authorizing far more heinous eavesdropping, do nothing, not even so much as apologizing.

Whereas an institution MIGHT be able to justify such egregious violations of privacy, a government can have no such moral quandaries because of the exacting detail of our laws; and yet, here we are.

Steal a little and they call you a thief. Steal a lot and they call you King.

Searches of e-mails are not clearly unconstitutional under our laws.
Furthermore the constitution protects you from the government. It doesn't protect you from a private entity like Harvard.
While this is true, I find it to only be true under the guise of tortured logic (emails left on my server are hardly the same as abandoned mail).

That being said, I wasn't trying to draw a direct comparison, and I realize that an employment contract has nothing to do with the constitution. My point was that someone lost their job while holding themselves to the standards of an employment contract which one would assume would be more lenient than our constitution (and in my reading it is but that's a topic for another day).

In short, I agree with your point but I think it's tangential to mine.

Why would an academic employment contract be more lenient than the Constitution? The Constitution is a floor, not a bar to reach for. It's a mistake to read modern libertarian (little "l") ideas into the Constitution. While there has been a change through history in which of the federal versus state governments has exercised the police power, the Constitution has always served as a check on an otherwise expansive power. It's easy to forget that all the founders' talk of "limited government" was aimed at the states, not citizens, and referred to the federal government specifically, not the federal, state, and local governments together. The states were conceived of as inheriting the nearly unlimited powers of the British Parliament. The innovation of the U.S. was not to dramatically limit the state, but to put a powerful state under majoritarian control, with a limited set of protections from abuse.

The circle back on topic: there is nothing within the worldview of the Constitution that is inconsistent with a certain activities being allowed of the government that are outside the powers of an individual. You can argue about which entity is the right one to exercise it, but the government is supposed to have more expansive powers than any person.

(comment deleted)
(comment deleted)
"he's caught red-handed violating the civil and constitutional rights of his employees"

Dean Hammonds is a woman.

Ouch. Well I'll let my foolish, unresearched commentary stand as a monument to my failure :(. Thanks for the correction though!!
I'm confused. Isn't it perfectly legal for the institution to search your e-mail records? I know when you work at a company generally the company can monitor everything you do (including e-mail).
Just because you didn't do anything illegal doesn't mean you deserve to keep your post as a leader of an institution after you've lost a large part of the organization's trust.
Exactly, even more in an institution in which 'trust' and 'honesty' should be the basis of behaviour ('Veritas', you can read that on the coat of arms of Harvard...).

If you are going to act behind someone's back without telling him, you had better go to the police rather than perform this kind of 'paralegal investigation'.

Institutions have the ability to adopt more privacy protective policies, effectively relinquishing rights that they would otherwise have by virtue of owning the system.
Good to see the University making her step down
As a former professor at Harvard, this is a welcome move. However, I don't think it goes far enough, and it should have happened much sooner. One thing I will say: The fact that the administration felt the need to snoop on employee e-mail to "track down" a press leak underscores how backwards and insecure Harvard can feel at times. It's just shocking that anyone thought that this was a good idea, and that they continued to defend the practice once it came to light. Very sad.
"underscores how backwards and insecure Harvard can feel at times"

You do realize of course that most people in the world would give a testicle, a breast (or two) to be affiliated with that University, right?