Harvard to review privacy policies in wake of email search scandal
Lack of standard policies 'highly inadequate,' university president says
Harvard University President Drew Faust has ordered a comprehensive review of the university's email privacy policies amid disclosures that a secret search of some deans' email accounts by administrators was broader than originally acknowledged.
Speaking at a meeting with Harvard's Faculty of Arts and Sciences (FAS) on Tuesday, Faust expressed concern over the university's "highly inadequate" institutional policies and processes for protecting email privacy.
"We have multiple policies across the university that vary across schools, with some faculties lacking any explicit policies at all," Faust said in remarks posted verbatim by Harvard Magazine.
Calling the lack of email policies an "institutional failure," Faust said she would create a task force to develop recommendations on university-wide policies and guidelines for email. Those recommendations will be made available for community discussion and university consideration by the end of the fall term.
Faust's remarks come a few weeks after the Boston Globe detailed how university administrators had secretly searched the email accounts of 16 resident deans at Harvard. The university was looking for the source of a leak about a cheating scandal, the Globe reported.
Harvard acknowledged the search, but maintained it was done in an extremely limited manner and only to identify an individual who shared a confidential email with an unauthorized person. The email, which contained advice on how to counsel students accused of cheating, was shared with the Harvard Crimson student newspaper and later picked up by the Globe. Harvard administrators said they decided to conduct a search out of concerns for the privacy of students involved in the cheating scandal.
Harvard officials admitted they made a mistake in not informing the deans about the search, either before or after it took place. The university, however, insisted that it had not actually opened any emails or searched their contents. Instead, IT administrators only conducted an automated subject line search of each dean's administrative email accounts to see if they could identify the source of the leak. The university also stressed that the subject-line search only involved administrative email accounts, not a separate Harvard email account that each dean maintains for personal use.
At Tuesday's meeting, Harvard Dean Evelyn Hammond noted that two additional searches had taken place that were not previously disclosed. After the initial search identified the resident dean responsible for forwarding the email, Hammond said she authorized another search to look specifically for correspondence between that individual and two student reporters from the Crimson.
In addition, Hammond said she also authorized a search of the same dean's personal email account for correspondence with the reporters. In both cases, the search involved only the subject lines and not the actual content of the emails, she said in comments posted on Harvard Magazine. She apologized for not informing her peers or the deans about the searches, but insisted that her actions were driven purely by concerns over student privacy.
The incident has proved to be embarrassing for Harvard. Several faculty members have faulted the university for not informing deans about the searches and said they fear the incident could erode trust between administrators, faculty members and staff.
Acknowledging those concerns, Faust said Tuesday that she has also asked a leading Boston lawyer from outside Harvard to conduct a full investigation into how the searches were conducted and to verify that the information provided so far is a full and accurate description of what actually happened.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.