10/8/2015: This is from the trial transcripts, which I’m slowly getting through:
8/4/2015: UO administrator accessed employee email account without notice
Here’s the description of recent events, from an anonymous correspondent:
Administrators Are Permitted to Monitor Emails without Notice or Authorization
Consider the following scenario: Alice,* a staff member with a disability, has been ordered by her doctors to utilize her federally protected leave in order to recover from symptoms emerging from a potentially hostile work environment. Alice has been in contact with the Union, who are investigating the climate at her department for possible discrimination.
While Alice is away in recovery, Bob,* her supervisor and a department administrator, somehow acquires full access to all of Alice’s emails. Bob does not notify Alice that he intends to access her information, nor does he seek authorization from Information Security, General Counsel, or the Union. Rather, Bob simply unilaterally seizes full, unsupervised, and ongoing access to the entirety of Alice’s email account, including her correspondences with the Union.
Such an obvious conflict of interest and invasion of privacy would seem ludicrous if it wasn’t for the fact that it recently occurred at the University of Oregon.
As soon as this data breach came to light, the Union contacted UO’s Chief Information Security Officer (CISO) to clarify what exactly the criteria were for an administrator gaining access to an employee’s email. The CISO responded that the UO does not offer “wholesale access to another employee’s email.” There would have to be a “specific request” driven by a “business need” and submitted through the proper channels. If such criteria are met, then Information Security will attempt to provide the specific information, and only that information, which was requested. The CISO continued, “The only time we would give over all email would be in the case of a subpoena or other legal request.”
Under such criteria, Bob had obviously violated university policy by accessing and monitoring all of Alice’s emails during her absence from the office. The Union reported the data breach immediately, in conformity with the newly minted executive policy on Data Security Incidence Response.
A few weeks later, the Union inquired with the Director of Employee & Labor Relations (DLR) at Human Resources to inquire after the progress of the investigation. What a difference a few weeks can make! The DLR responded that there had been no violation of policy, because UO in fact has no policy at all restricting administrator access to an employee’s email.
The Union reached out again to the CISO to clarify. The CISO responded that he believed that the situation was handled poorly, and that he did not believe that Bob was “philosophically” justified in accessing Alice’s data. Unfortunately, he admitted, there are no “specific policies” in place at UO at present to prevent, discourage, or reprimand an administrator who unilaterally decides that they have a “business need” to access and monitor an employee’s personal data without their prior knowledge or consent.
The CISO seemed as disturbed by this state of affairs as the Union, noting that it “raises a need for a procedure to be put in place regarding access to an employee’s email account” and that he “intend(s) to write up a procedure for situations like this” which will “hopefully alleviate situations like this in the future by providing a standard process.”
The Union applauds the CISO’s pledge to put policies in place that will provide the necessary checks and balances to rein in administrators who feel justified in violating their employees’ privacy at will.
The response at HR has been less encouraging, however. As of this writing, the DLR has chosen to fully back management in this matter. Amazingly, rather than stand up for the rights of one of the most vulnerable members of the UO community in a case of discrimination, harassment, and gross invasion of privacy, HR has chosen instead to escalate the harassment by pursuing disciplinary action against Alice on behalf of Bob.
And as of this writing, Bob still retains full access to Alice’s email.
So, until the new policies are in place, be careful what you write and who you write it to.
* All names have been changed.
It’s more than two years since I started the thread below, trying to find out UO’s policy for email monitoring and access. Page down for the entire history. Obviously there are situations when supervisors need access to an employee’s email, e.g. a public records request or a court order, an emergency illness or death, etc. On the other hand there are situations where that access would be very problematic, e.g. like that above, or when an employee has a complaint about the supervisor, or has used UO email to contact a doctor or counselor or lawyer, etc. So most universities have a sensible policy along the lines of UC’s, here:
An electronic communications holder’s consent shall be obtained by the University prior to any access for the purpose of examination or disclosure of the contents of University electronic communications records in the holder’s possession, except as provided for below. …
1. Authorization. Except in emergency circumstances (as defined in Appendix A, Definitions) in accordance with Section IV.B.2, Emergency Circumstances, or except for subpoenas or search warrants in accordance with Section IV.B.6, Search Warrants and Subpoenas, such actions must be authorized in advance and in writing by the responsible campus Vice Chancellor or, for the Office of the President, the Senior Vice President, Business and Finance (see Section II.D, Responsibilities). This authority may not be further redelegated. Authorization shall be limited to the least perusal of contents and the least action necessary to resolve the situation. …
3. Notification. The responsible authority or designee shall at the earliest opportunity that is lawful and consistent with other University policy notify the affected individual of the action(s) taken and the reasons for the action(s) taken.
Each campus will issue in a manner consistent with law an annual report summarizing instances of authorized or emergency nonconsensual access pursuant to the provisions of this Section IV.B, Access Without Consent, without revealing personally identifiable data.
UO’s policy is here. It’s not as cogent, but it also seems to ban the sort of blanket access that is described above. And UO IT also passes on the following helpful advice, here:
- Never share your password with anyone. This includes your supervisor, co-workers, and IT staff.
- There may be some destinations (such as China, Russia, and other areas overseas) where it may be difficult or impossible to prevent your computer from being attacked and electronically compromised.
China and Russia indeed.
8/2/2013: UO has no policies limiting which administrators can read your email or monitor your web use, or why. From Dave Hubin’s PRO:
On 7/13/13 you were provided with a link to the Data Access policy in the UO Policy Library, in response to your public records request for “documents showing current UO policy and practices regarding access by UO administrators outside the IT department to
a) uoregon.edu email metadata
b) uoregon.edu messages
c) logs of internet use by IP address or UO login name,
d) use to the Duckweb “Financial Transparency Tool”
The office has searched for, but has been unable to locate, additional documents responsive to your request. Therefore, the office considers the information already provided to you to be fully responsive to your request, and will now close your matter. Thank you for contacting the office with your request.
The policy they note is here, and it does not address these questions.
7/13/2013 update: I’d like to thank UO CIO Melissa Woo for sending the email below, giving what she has on UO policies and practices, and offering to provide more information as she is able to collect it. Read the current UO policy in her link. It is about secure access to things like accounting and employment records, and does not give the UO administration the powers that Gottfredson and Geller are now trying to impose on the faculty, such as the ability to read our email and monitor web use without notice, and generally own everything “bargaining unit faculty” might store on a UO computer.
For an example of a reasonable policy, see the one below at President Gottfredson’s former university, UC-Irvine. It is much more complete, rational, and much more favorable to privacy rights and academic freedom.
From: Melissa Woo
Subject: RE: public records request, admin access to email and computer logs
Date: July 13, 2013 8:35:03 AM PDT
To: Bill Harbaugh, Public Record Requests
Cc: Randy Geller
Good morning all,
The only relevant policy document maintained by Information Services/Office of the CIO of which I am aware is the Data Access policy in the UO Policy Library (http://policies.uoregon.edu/node/215). Currently existing procedure documents relevant to the Data Access policy are identified within the body of the policy.
I am waiting for a member of our staff to return from vacation to double-check, but this is what I know at this time.
Best,
Melissa
—
Melissa Woo
Vice Provost for Information Services & Chief Information Officer
University of Oregon
The UC system policy is here:
An electronic communications holder’s consent shall be obtained by the University prior to any access for the purpose of examination or disclosure of the contents of University electronic communications records in the holder’s possession, except as provided for below. …
1. Authorization. Except in emergency circumstances (as defined in Appendix A, Definitions) in accordance with Section IV.B.2, Emergency Circumstances, or except for subpoenas or search warrants in accordance with Section IV.B.6, Search Warrants and Subpoenas, such actions must be authorized in advance and in writing by the responsible campus Vice Chancellor or, for the Office of the President, the Senior Vice President, Business and Finance (see Section II.D, Responsibilities). This authority may not be further redelegated. Authorization shall be limited to the least perusal of contents and the least action necessary to resolve the situation. …
3. Notification. The responsible authority or designee shall at the earliest opportunity that is lawful and consistent with other University policy notify the affected individual of the action(s) taken and the reasons for the action(s) taken.
Each campus will issue in a manner consistent with law an annual report summarizing instances of authorized or emergency nonconsensual access pursuant to the provisions of this Section IV.B, Access Without Consent, without revealing personally identifiable data.
7/12/2013 update: Geller and Rudnick want language in the UO faculty contract that would allow our Johnson Hall administrators to monitor computer use and read our emails, in secret and without notice. See below for the proposed language. Why would they restrict this to “bargaining unit faculty”?
It’s looking more and more like an attempt to punish the faculty for signing union cards, and to limit academic freedom. They can’t do this for UO staff – page 67 of the SEIU contract says:
Section 2. The university will inform employees if it is using computer monitoring. Notice will include what is being monitored and its intended use.
President Gottfredson should fire the fools on his bargaining team – every day brings another embarrassment. Thanks to Anon for the tip. I’ve also heard that Geller proposed requiring faculty to tell UO their gmail and social media usernames and passwords – but that got shut down by HB 2545, signed by Kitzhaber in May, effective 1/1/2014.
Join the union and help tell Geller, Rudnick and Gleason where they can file this one.
7/12/2013: The latest proposal from President Gottfredson’s crack bargaining team claims UO owns everything we put on a UO computer:
Stuff like this raises the perennial question of our General Counsel’s competence. I’ll let Apple’s lawyers take a stab at it, when they discover Geller thinks UO owns all the Johnny Cash albums I licensed from iTunes. Rudnick and Geller also say the administration can read the @uoregon.edu email of “bargaining unit faculty”, and everything else, without even telling us they are doing it:
Surely Randy’s set up checks and balances to prevent administrative abuses? Let’s find out:
Subject: public records request, admin access to email and computer logs
Date: July 11, 2013 11:23:44 PM PDT
To: Lisa Thornton
Cc: Randy Geller, Melissa Woo
Dear Ms Thornton:
This is a public records request for any documents showing current UO policy and practices regarding access by UO administrators outside the IT department to
a) uoregon.edu email metadata
b) uoregon.edu messages
c) logs of internet use by IP address or UO login name,
d) use (of) the Duckweb “Financial Transparency Tool”
I am ccing GC Randy Geller and CIO Melissa Woo as they may be able to easily provide this information. I ask for a fee-waiver on the basis of public interest.
“The proposal prohibits bargaining unit members from intentionally accessing material which is harassing, discriminatory, or threatening; is obscene, defamatory or fraudulent; is illegal or promotes illegal activities; is intended for personal profit or gain; is confidential; or facilitates Internet gaming or gambling.”
“Discriminatory”? “Obscene”? Isn’t this fraught with legal, even constitutional issues?
“personal profit or gain? gaming?”
Does this apply to looking at financial news?
Do these prohibitions apply equally to all university employees and students?
The general UO policy is here: https://it.uoregon.edu/acceptable-use-policy and is very different.
This CBA article proposal from the admins reads like retaliation, specifically addressed to the bargaining unit faculty for joining a union.
Does anyone have experience or knowledge of surveillance or snooping on faculty, students, staff, etc?
UO’s old PR officer, Liz Denecke, seemed to know when I used the FTR tool on duckweb.
What is the FTR tool? Can you say more about this?
Wow, I posted the question “what is FTR?” here, and it appeared, and then disappeared!
Is someone trying to make me feel paranoid?
It was the automatic spam detection, sorry!
Yes. I was personally on the butt end of a snooping expedition. It happens more often than you might think. Obviously, I’ve found other employment.
To be clear, it was email.
ditto
SEIU Contract – Section 2
ARTICLE 59 – COMPUTER WORKSTATIONS
Section 1. The university will make a good-faith effort to create and maintain safe computer workstations.
Section 2. The university will inform employees if it is using computer monitoring. Notice will include what is being monitored and its intended use.
Section 3. The university will not use subliminal software.
Section 4. The Employer and the Union agree that employees who are assigned full time to continuously work at a computer performing such duties as data-entry or similar tasks may be more productive if provided short periods of assignment to other duties throughout the work shift. Subject to operational needs, managers will arrange other work assignments so as to provide ten (10) minutes of relief for each hour worked continuously at a computer.
Section 5. Upon request, employees who operate a computer shall be provided available wrist rests for trial usage. If the wrist rest is determined to be beneficial a permanent wrist rest will be assigned to the station.
Thanks, this is very helpful. I notice that OUS wants to reopen this article for the current bargaining. Does anyone have a copy of the OUS proposal?
Spreading FUD to drive union membership???
There’s a link to the admin’s proposal – what’s your interpretation?
Administration proposal, Section 11: “…systems shall not be used to …persuade for or against…political causes or outside organizations.” Apparently, the Administration (which sounds a lot like Randy Geller) prefers we not share any thoughts regarding matters of societal interest with our colleagues or with the world at large. Old Man will use his expletive allowance on this one. Here goes: Why, for Goodness Sake, are we here?
“Why, for Goodness Sake, are we here?”
Eventually, to follow all rules ordained from above and be a mind-trained, self-censored cog. To be subservient, unoriginal and, yes, uninventive. To ask no questions and cause no problems. If someone wants you to do or say something, the cloud will tell you.
Where in the world does this kind of thinking come from? When I was at another (more highly ranked) institution, we were actually paid small bonuses for writing columns and articles in major news and opinion publications. And people who gained political appointments had their jobs protected while they served. It was taken for granted that professors should if possible also be public intellectuals–which, in a democracy, includes being involved in politics.
This kind of Administration Proposal is, frankly, ugly and anti-intellectual. It’s a very bad sign that someone on that team has some profoundly wrong ideas.
They hate us for our freedom.
I saw what you did there. :)
One of the great frustrations of the bargaining process is that only one party to the conversation is participating in its own behalf. The ventriloquists participating on behalf of the entity calling itself “The University,” though no beacons of wisdom and insight themselves, are often visibly pained by the bullshit they are obliged to represent. Consider the contrast between our Administration and the University of California Board of Regents, who are seeking to inoculate the campuses under its authority from abuses of the Garcetti v. Ceballos decision — a dagger pointed at the heart of academic freedom and shared governance. Meanwhile whoever is telling Sharon Rudnick what to say seems determined to expose the University of Oregon to those same hazards, perhaps to ensure that our own board has unlimited power, unconstrained by academic freedom or shared governance, before it starts working next summer.
Maybe the new black complex is really harboring an NSA annex and Geller is their agent attempting to perfect his skills.
So what you are saying is that you want every document at a University to be public and open as long as it is not your email? Remember anything you send on your university email is a public document. It just seems the process to “request” your email is a bit easier than anything else.
Maybe you should read the post again. The issues seem pretty clear to me.
I have read. I agree it is a pretty seedy practice and I would never endorse it as an administrator. You should only go into an employee’s email for cause and the search should be narrowly tailored.
However, it still seems a bit hypocritical to cry foul constantly about everything being a public record, then insist something be private. Just pointing out the irony.
I would just remind everyone who works at a public institution that if you plan on using your public email for private purposes, don’t count on it being private forever.
I don’t understand why this is even an issue. I’m a lot more concerned about mysteriously disappearing public records than whether the university reads employee emails. It’s a given that your uoregon account isn’t yours–it’s strictly for the purpose of conducting university business, which is and should be accessible through public records. You can’t have it both ways.
There’s a difference between an open and transparent request for specific and targeted email data being submitted through appropriate channels, and a supervisor being given full read/write access to everything in an employee’s inbox at will. The potential for altering or deleting emails is enough to raise concerns, especially during a departmental investigation.
OK, agreed. Perhaps I’m cynical because I’ve become accustomed to many employers doing even more invasive things such as tracking internet use. There should definitely be protocols and standards in place for what constitutes legitimate access to employee email, and a supervisor helping himself doesn’t qualify. But I still don’t think that a public employee has any expectation of privacy or needs to be notified if there is legitimate access.
So the university has an email policy, and the supervisor broke it to snoop through an employee’s emails on the sly. Sounds pretty creepy. Good thing the staff has a union.
Joe H: Note, it comes down to the UO *not* having policy, from the above:
—————————-
Unfortunately, he admitted, there are no “specific policies” in place at UO at present to prevent, discourage, or reprimand an administrator who unilaterally decides that they have a “business need” to access and monitor an employee’s personal data without their prior knowledge or consent.
—————————–
This, of course, goes for any employee, covered by any of the Unions or not covered by any Union.
It seems clear that the manager violated the SEIU contract. That person should be disciplined, to say the very least. President Schill, I hope you are listening.
I don’t think anyone at the university is listening.
I think they broke their own policies, even though the Director of Employee & Labor Relations is claiming there are NO POLICIES. This is not what certain IT managers at IS thought, at first anyway.
Another slippery UO policy.
Not just how many careers have been ruined or impacted but how many departments are affected? I can think of several.
UO is trying some very sneaky and pathetic tactics in an attempt to reverse the unanimous jury verdict. UO is hoping to use the federal award to block the state trial, and afterwards to get a retrial on the federal award on a technicality. It’s hard not to see it all as continued retaliation, as well as the administration being a bunch of sore losers. More billable hours for HLGR though.