Track Report - The Use and Abuse of Electronic Mail and Electronic Bulletin Boards - The Research Center on Computing & Society

Text-only Version

Jacques N. Catudal, Ph.D.

The Use and Abuse of Electronic Mail and Electronic Bulletin Boards

Bulletin board operators and e-mail managers in academic, governmental, and corporate settings are currently confronted by questions of privacy but they have few policies to guide them in framing solutions. For example, a campus bulletin board operator comes across potentially libelous information about a professor. What should she do? An e-mail manager discovers that one of her users is receiving hate mail. She is told by a supervisor to fix the problem but is given no direction amidst potentially conflicting solutions. There is a need for institutional policies regarding privacy and confidentiality. Are messages between employees private or public? Management is often reluctant both to formulate and consistently enforce policies.

When one uses an e-mail service, the assumption should be that all communications are private. In some corporate and academic institutions, the reverse holds true. The argument is that if the institution owns the hardware and software with which the service is provided, it owns all messages that are produced using them. Therefore, it has a right to read, edit, censor, or otherwise alter or destroy any message produced on its premises. Some would view this argument as involving a dazzling non-sequitur. Does it follow that because the corporation owns the telephones that employees use that it can monitor employee telephone conversations? There appear to be good reason for supporting a “default standard” that supports privacy and confidentiality.

Opponents argue that the current default standard is acceptable so long as current and prospective employees are informed that their communications may be read, edited, etc. After all, they retain the choice to work or not work for corporations that invoke the standard. If the employee then chooses to work for the corporation, they do so with a clear understanding of the organization’s policies.

Is there a problem of privacy if employees believe falsely that their communications are not being read by others? Alternatively, is there a problem of privacy if an employer does not inform her employees that she is reading their e-mail? In such cases, it may be useful to distinguish “real” from “apparent” privacy. If I take from your cash box, and you are very wealthy and don’t miss the loss, have you been harmed? Is this a fair analogy?

At some universities, there is a practice of searching student’s electronic files for “unacceptable” items, such as “four-letter words,” “pornographic” depictions, etc. Justification for the practice is sometimes given by appeal to the claim that if the University owns and operates the system, it is entitled access to all information obtained, sent or otherwise transmitted over the system. But would a university invade a student’s dorm room to search for pornographic magazines? The protections afforded students against unreasonable search of their university living quarters and seizure of their personal property apparently does not extend to computer systems. The same issue confronts faculty. Does the university or college have a right to edit, censor, or dump electronic files that contain, from its point of view, “inappropriate” materials? For example, should the university use programs that scan faculty or student files for “four-letter” words?

On the other hand, what should system managers do when they have suspicions about a particular account? For example, what should they do if they discover in a user’s account programs used to illicitly capture other users’ passwords, or actual tools for burgling other people’s accounts? If the manager does nothing and knows, is she guilty of complicity?

These cases beg a distinction between actions taken against an account for the sake of preserving the integrity of the system (as in the burglary tool case), and actions taken against an account in the name of “good taste” (as in the case of obscene language and pornographic depictions).

Much information of a personal and, sometimes, of a critical sort gets passed around on a university’s e-mail system. Criticism of the practices of a colleague, dean or president may or may not be valid; but the right to free expression, even critical expression, is protected by the Bill of Rights. Imagine a program that can scan all occurrences of the university president’s name for the purpose of determining attitudes toward the president. One of our most important goals as teachers is to teach students to respect the rights of others. The use of such a search program is blatant hypocrisy.

There are grievance procedures at most schools that give meaning to the expression “due process,” and that must be adhered to. One should not open another’s computer file unless one has reasonable cause to do so. But criteria enabling us to judge that reasonable cause exists for any given case must be clearly articulated. Further, the judgment that the criteria have been met must not fall to a single individual, a system manager or a university administrator, but must result from consensus.

Some institutions strive to eliminate the distribution of possibly offensive electronic bulletin board messages by having a faculty or staff member screen all messages prior to posting. However, while the practice may succeed in eliminating obscene language, pornographic depictions, and advertisements of the sort discussed at this conference in Leslie Burkholder’s track address (i.e., the Case of the “Filipino Love Slave For Sale,” in which a student advertises for sale the sexual services of a woman), the practice also has the effect of transposing the focus of inquiry to the moral status of the screening practice itself.

At some universities and colleges, students sign a statement which informs them that the files they create should only relate to their courses, and that their files will be reviewed by their teachers. By signing the statement, the student acknowledges that she understands the rules of file creation and management at the institution and agrees to act by their terms.

The problem of “compounded wrongs” must also be considered. Consider the secretary who discovers that there exists information portraying her as wholly incompetent and disreputable, information she discovered by reading others’ e-mail. She storms into her boss’ office and demands that he do something. What should the boss do?

System planners and policy designers should offer administrators several options from which to choose in developing e-mail, bulletin board, and other computerized systems. By the same token, administrators must choose or commit to particular policies, including policies that address privacy and confidentiality. Failure to choose is itself a choice, and a problematic one at that. The problem at many, if not most institutions, whether governmental, commercial, or educational, is that there is no upfront statement of policy regarding conditions of use, penalties for misuse, and grievance and appeals procedures. The absence of such policies represents one of the greatest threats to the integrity of our systems. For where no policies exist, those who would abuse the system may successfully defend their mischief by pointing to the void. Here it may be useful to distinguish causing another harm by exploiting her vulnerabilities, from causing another harm by exploiting her negligence. In 1991, failure to adopt appropriate policies, and to clearly state these policies upfront, may very well constitute a form of negligence.

On the other hand, we recognize that the best of policies cannot prevent those who are determined to get their way. Clearly, some students believe they should have access to all information they are capable of securing from a college or university, whether confidential or not, and that it is the institution’s job to set up appropriate mechanisms for denying access where ever appropriate. (This suggests the spirit of a game – “Catch Me If You Can” or “I Can Do You One Better”.) Are legal and technological measures the only tools at our disposal for handling problems of privacy and confidentiality? A third option is education, i.e., assisting students in reflecting about values of privacy and confidentiality. Educational tools are needed to rid some students of harmful beliefs and attitudes. In this regard, the teaching of computer ethics by computer scientists ought to be regarded as an aspect of their professional responsibilities.

Back to the top

Go to: Electronic Databases and Privacy

Home > Research Resources > Computing and Privacy > Track Report

The Research Center on Computing & Society
at Southern Connecticut State University
501 Crescent Street • New Haven, CT 06515
Director: (203) 392-6790 • e-mail: webmaster@computerethics.org

© 2000 – 2007 – Research Center on Computing & Society