Is your university reading your emails?



With the ongoing fallout from Edward Snowden’s revelations about eavesdropping on electronic communications, I can’t be the only academic wondering about the extent to which emails are – or might be – monitored by organisations closer to home: universities.

When I spoke to colleagues, most said that although it was legitimate for universities to monitor internet use, it would be unacceptable to routinely read emails without good reason and, more vitally, without permission. They also doubted that universities had the resources for widespread monitoring.

Investigating further, I found that the Information Commissioner’s Office has a code of practice on monitoring employees’ emails. It says organisations must respect individuals’ privacy, but privacy concerns can be overridden depending on the nature of the contractual relationship and the potential for damage to the institution. Neither the code nor the Data Protection Act 1998 prohibit “covert” monitoring that is “proportionate and justified”.

Some universities openly assert their right to access staff emails. City University London, for example, says on its website that it is “obliged to monitor to fulfil our responsibilities with regard to UK law and the JANET [higher education computer network] code of conduct”. It also notes that the “misuse” of email can have “a detrimental effect on other users and potentially the university’s public profile”. For these reasons, it “maintains the right to access user email accounts in the pursuit of an appropriately authorised investigation”.

You might argue that in signing my contract of employment I have effectively agreed to permit the university to monitor my email, since any misuse – which is explicitly prohibited – could not be discovered without intrusion into my ostensibly private interactions.

When I send an email from a university address I am trading on its reputation. So university authorities might argue that I may be bringing them into disrepute if I write something they profoundly disagree with. The issue is then deciding who should make that call, and how. Is it done fairly and transparently, with regard to standards of academic freedom?

In City’s case, investigations are authorised by its director of computing services and, “if required”, deans or its director of human resources.

Like all public bodies, universities also have a statutory duty of care to their employees and clients. Such a duty might also justify the monitoring of domains once thought to be private, although hackles would clearly be raised if the rationale was unclear – just as they have been over the alleged bugging of European Union offices by the US’ National Security Agency, which hardly seems justified by security concerns.

In the case of students, a number of recent terror suspects have university backgrounds. Might this be seen as justification for monitoring email correspondence, including that with students’ academic supervisors? No doubt reasons could also be found for monitoring staff communications, although it is equally likely that the credibility of any justification would be open to question.

Among the many counter-arguments is the clear bearing that such snooping would have on research ethics. Giving third parties sight of research data relating to individuals who have been promised that their details are “secure” would be a serious breach of trust.

This issue is further complicated by debates about the “ownership” of research data. Some universities assert their property rights over data because researchers are their employees. They might also argue, therefore, that they have the right to interrogate the data – by means of email surveillance if necessary. Such an approach would render worthless the guarantees of data protection upon which ethics committees regularly insist, and it could have dire consequences for the ability of researchers to recruit willing subjects in future.

These may sound like extreme scenarios, and there is little evidence that emails are being systematically monitored by universities. But following Snowden’s revelations, it would be complacent to ignore the ethical implications.

Author Bio:Ron Iphofen is an independent research consultant, visiting senior research fellow at The Open University and ethics adviser to the European Commission.