Virtual Eyes

Virtual Eyes

Higher ed tiptoes into e-mail surveillance.

The internet and e-mail are a blessing and curse. Both improve communication and access to information; they are the de facto communication and entertainment tools of modern life.

But when personal communication and entertainment cross into professional hours, the employer can suffer. Online shopping, gaming, and chatting are fairly innocuous ways to waste time.

Other network-based activities can be more problematic for colleges and universities. For example, if faculty or staff use the university network to gamble, download music, or view child pornography, it can harm the university's reputation or possibly result in a lawsuit. Any of the scenarios cost time and money. At the same time, higher ed operates with a sense of freedom unmatched in the corporate and K-12 arenas.

Objectionable content to the corporate or K-12 world can be considered academic research.

The business world has tapped into software solutions to help curb online behavior and catch those who fail to abide by policy. The Center for Business Ethics at Bentley College (Mass.) says 90 percent of employers observe electronic behavior. Virtual oversight can go several steps further. More than three-quarters of employers watch web surfing. "About one-third of large commercial enterprises monitor [or sift through] staff e-mail," says Craig Carpenter, senior director of corporate marketing with Mirapoint, an IT security company.

Higher ed has been slow to embrace high-tech surveillance tools. Monte Robertson, president and CEO of Software Security Solutions, surveyed the company's higher education customers and found that none scanned e-mail for content. Carpenter hypothesizes that higher ed is reluctant to deploy surveillance software because it smacks of censorship. Academic freedom is a right in the university environment, explains James Hammond, vice president of Information Technology at Winthrop University (S.C.).

Content that is objectionable in the corporate or K-12 environment can be considered academic research. For example, a faculty member may view child pornography websites to conduct research for a psychology or sociology course.

"Higher ed cannot draw too many lines in the sand because it encroaches on academic freedom," continues Hammond. Academic freedom can become a rallying cry for monitoring foes. The University of Southern Mississippi endured a firestorm when its president directed a lawyer to monitor some faculty e-mails during an internal investigation.

The ideal solution balances academic freedom and protection. Most colleges and universities do require faculty and staff to agree to policies about e-mail use. The typical policy specifies that the employee does not own e-mails and permits the employer to read e-mails.

At this point, however, few universities enforce these policies with monitoring software, says Carpenter. Is higher ed flirting with danger by not using surveillance solutions? "Absolutely," opines Carpenter. But the tide could turn as universities wrangle with compliance issues.

One reason behind the near-universal business use of surveillance technology is the need for regulatory compliance. Similarly, universities could begin to adopt technology to boost compliance. FERPA (Family Education Rights Protection Act) will influence universities, predicts Carpenter. "Universities have not gotten their arms around FERPA and need to develop an understanding of its requirements," he says.

Initially passed in 1974, FERPA protects the privacy of student information such as health records and grades. Surveillance technology could be used to identify FERPA breaches. Winthrop currently complies with FERPA through policies that describe how to handle and release sensitive information. In addition, software "flags" alert users to sensitive information and tell any employee how to view the information.

Similarly, the post-9/11 SEVIS (Student and Exchange Visitor Information System) requires all colleges and universities receiving government funding to monitor foreign students' e-mail communications and transmit student information to the Department of Homeland Security. Surveillance programs could help colleges comply with SEVIS by tracking and organizing online communication and activities, says Chronicle Solutions Chief Operating Officer Sophie Pibouin.

But sweeping changes and a draconian monitoring system may not fly at most colleges and universities. Instead, higher ed may be best served by adapting surveillance solutions and developing policies to meet their unique needs rather than simply mirroring corporate practices.

Colleges and universities do have a number of options for monitoring e-mail and internet use. In fact, some may already own options. A number of higher ed customers, for example, rely on Mirapoint's Email Server and Edge Security Appliance for protection against spam, viruses, worms, and hacker attacks. Those features comprise 95 percent of the product's functionality. The other 5 percent? E-mail surveillance. But few higher ed users opt to turn on the surveillance functionality.

One plus of the surveillance system is that it can be used on an as-needed basis. Winthrop University relies on Mirapoint's Email Server and Email Security Gateway for multiple purposes, including monitoring ingoing and outgoing mail for spam and viruses. University policy defines e-mail as private except in the case of an ongoing legal or internal policy investigation.

At Winthrop, if campus police present a valid request or an employee is suspected of violating policy, the university maintains the right to wiretap a mailbox. For example, if a full-time faculty member begins teaching at another university without securing appropriate approval, the university could launch an investigation and tap the employee's inbox. The university might turn on surveillance functionality if a faculty or staff member is engaged in activities that conflict with the university's mission.

"We monitor for investigative purposes only."

- James Hammond, Winthrop University

In addition to e-mail monitoring, the system can create rules to scan for specific objectionable words or block attachments or certain addresses. "We don't monitor e-mail as a preventative measure, nor do we regulate objectionable words or contents. We monitor for investigative purposes only," says Hammond. The combination of policy and technology is a good fit for the university's needs.

Another software option is Chronicle Solutions' netReplay system. The company recently launched the network content recorder. The system plugs onto the network behind the firewall and can record all user digital communication, including e-mail, web pages, and chat messages. The netReplay system can also categorize communication to streamline network monitoring. For example, the system administrator can define policies and set the device to send an alert if a user accesses a child pornography site.

Some systems, such as Mirapoint's Email Server and Edge Security Appliance, wrap monitoring functionality into a larger package. Security, mail hardware, software, and support cost approximately $1.25 monthly for each user at a site with 10,000 users. Others, like netReplay, represent a new system. Its costs include the price of the appliance, a fee per user monitored, and an annual maintenance fee. Chronicle Solutions, a provider of network monitoring solutions, says it extends a significant higher education discount.

Employee surveillance can be a touchy subject. Poorly defined and communicated policies could have a negative impact on employee relations or lead a to a media fiasco. One need only recall the recent Hewlett-Packard corporate scandal to imagine the media and public relations nightmare that can occur in the wake of a poorly conceived surveillance program.

And like any technology, surveillance systems are not perfect. It is possible to increase the odds of a successful deployment. Insiders offer the following advice about optimizing a monitoring system:

Make sure surveillance tools are available. "Understand the local monitoring policy, or in the absence of a policy, make one," says Hammond.

Don't take faculty and staff by surprise, says Pibouin. The university needs to clearly define and communicate monitoring policies. It helps to market the system as a means of protecting employees and the university's reputation.

Be sure to research the system's accuracy and reliability, says Robertson. Calculate all costs, and investigate legal ramifications and requirements.

An online monitoring or surveillance policy that outlines the rights of the university is a 21st-century essential. Colleges and universities can tap into fairly new software solutions to support the policy and simplify the process of sifting through online communication if a need arises. The combination of a well-articulated policy and carefully deployed software need not impinge on academic freedom and can protect the university, staff, and students-without breaking the bank.


Advertisement