Project Case Statement:
This project focuses on the reading and analysis of the UO Privacy Policy in order to better conceptualize online privacy at the university.
Project Problem Statement
Students agree to the University's online privacy policy, usually, without even understanding what they are agreeing to. What are we students actually agreeing to when we use the University's network and what ambiguities exist within that could be more precise?
Experiment Statement:
Over the course of the project, our goal will be to create an informative pamphlet outlining student's rights and liberties online along with the reserved powers and abilities of the administration that would otherwise not be apparent.
Through the process of analyzing the multiple University policies pertaining to computing privacy we analyzed four major policies:
Acceptable Use of Computing Resources
Acceptable Use of Computing Resources Addendum
UOS: Information Security
Student Conduct Code
After thorough analysis of the four pertinent policies, it was discovered that the Acceptable Use of Computing Resources and the following Addendum contained the majority of the University's actual policy regarding computing privacy. The UOS: Information Security pertained to administrative protocol in the event of a breach of security and the varying responses based on how sensitive the compromised information is. The Student Conduct Code pertained to general student conduct across all fields of activity, not specifically in regards to computing privacy.
Upon thorough examination of the Acceptable Use of Computing Resources and its Addendum, for sake of clarity and simplicity, we formulated a conceptual model that places these two policies in terms of Administrative powers and abilities and conversely the Student's rights and liberties. As far as Administrative powers go, there existed several ambiguous provisos that, if taken literally, allow the University an unproportional and intrusive insight into Students' privacy. These include:
Access and Control: "Authorized Computing Center or computer lab staff... if there is reasonable suspicion of misuse, or if such accounts, transmission, and electronic files may contain evident of prohibited, deliberatively deceptive, fraudulent, unauthorized, illegal, or criminal behavior, the staff may access them for investigative purposes."
Review/Screening of Information That Originates At, Is Intended For, or Happens to Incidentally Transit University Systems. DAS 03-21 provides notice that "The agency intends to...review, audit,...block, restrict, screen,...any information [from a state electronic information system], at any time without notice."
Procedural Issues Relating to Access to Systems: "The agency may withdraw permission for any or all personal or business use of its system at any time without case or explanation."
Privacy Expectations [DAS 03-21 "Public Records Are Controlled By the Agency"] : "User-created files or electronic messages that are solely personal in nature shall not be treated as public records, provided, however, that authorized University staff may access such materials as allowed by section 6 herein."
Section 6 being: "Provided, in the case of scrambled transmissions, it is possible to ascertain a responsible party at the University of Oregon who is originating, receiving, or controlling the scrambled transmission, and who can answer inquiries concerning those transmissions, should questions about the transmissions arise."
Regardless of any explanatory reasons underlying the above-stated provisos, the fact remains that the University administration has left in these ambiguous and sweeping policies that in the instance of questionable incidents regarding privacy, the administration has unclear limits to their power.
And on top of all of the aforementioned provisos in power, the Acceptable Use of Computing Resouces includes the fact that: "Security systems whose purpose is to identify yunauthorized users of a system may also monitor authorized users".
As the policy pertains to Students--we discovered that:
10. Permitted Personal Uses of Electronic Information Systems [DAS: "Personal Uses Restricted"] : "It is inappropriate for any third party organization's primary Web pages to be served froma University Web server, even if such pages are offered on a volunteer basis without remuneration and with no commerical content theron; exceptions to this policy need to be approved by the University."
Installation or Downloading of Software: "Users may not install or download software without agency authorization." By this section, the UO authorizes the installation or downloading of software, provided:
- Software lawfully acquired and under appropriate license
- Does not interfere with system operations, integrity, or function of other software
- Said software/download has not been prohibited by the user's department or department with authority over equipment being used
General Student Conduct Violation: "The code prohibits, among other things, lewd or indecent conduct, threat of imminent physical harm, sexual or other harassment, stalking, forgery, intentional disruption of university services, and damaging or destroying university property. Similarly, the code's prohibitions against illegal discrimination, including discriminatory harassment and sexual harassment, also apply to electronic forums.
Sharing of Accounts or Lab Passes Prohibited: "Unauthorized use or misuse of university computing resources may constitute theft of services, and may be criminally punishable. Violators may also be civilly liable for the value of the stolen resources."
Commercial Use of Resources Prohibited: "In many instances the university negotiates special acadmemic pricing agreements for obtatining the computing resources it needs...Breaching eduication licensing agreements could have serious financial consequences for the UO. Thus, commercial use of the university's computing resources is strictly prohibited."
Recognition of Copyrights: "Copying proprietary software is theft, and will not be tolerated on campus...Moreover, use of such software could result in your suspension or dismissal from the university, and either criminal prosecution or a civil suit for copyright infringment, or both."
Conclusion:
In summary, we found the University of Oregon's privacy policies to be decently organized and not overly complex to the point of inaccessability--but that there existed several glaring provisos, or loopholes, that allow the University (in undefined parameters) power over the students' expectation of privacy. While we don't expect the University to maliciously use these provisos in any context, it certainly allows them unfair abilities in a hypothetical situtation.
To understand and unpack the UO Student's privacy and computing rights into a more digestible format and to highlight and point out ambiguities in what the University's administration is allowed/permitted to do in the context of student's privacy and aspects that impact students most directly.