Yale students’ email accounts are subject to search without consent or notification by the University, as outlined in a publicly available but little-publicized document.
Under the University’s Information Technology Acceptable Use Policy, the University maintains the right to access not only employee accounts, but students’ accounts as well. While 55 of 73 students interviewed were unsurprised that the University can monitor their correspondences, few were clear on the specifics under which Yale can search their accounts.
Only three students of 73 interviewed were aware of the specifics of Yale’s policy, with one adding that he learned about the University’s regulations through a class.
“I feel like the University should make clear under what circumstances they consider searching emails,” Sherry Du ’17 said. “The school should do more to publicize this.”
Most students said they were not taken aback by the policy because the email account is provided by Yale.
Graduate students who came to Yale after working in the corporate world expressed especially little surprise over the policy. Ashlee Tran SOM ’14 said employees at large corporations assume their emails are monitored.
“It doesn’t shock me at all that they can do that,” Acer Xu ’17 said. “It’s Yale email, it’s an internal server.”
According to its Acceptable Use Policy, several circumstances warrant access to students’ emails: “preserv[ing] the integrity of the IT systems,” complying with “federal, state, or local law or administrative rules,” carrying out “essential business functions of the University,” “preserv[ing] public health and safety” and producing evidence when “there are reasonable grounds to believe that a violation of law or a significant breach of University policy may have taken place.”
Administrators did not define what actions constitute a significant breach of University policy, though ITS Director of Strategic Communications Susan West described these circumstances as “specific and unusual.”
For the University to access a student account, two administrators must give their approval: University Provost Benjamin Polak as well as the dean of Yale College or the appropriate graduate or professional school, though deans are allowed to delegate this task.
However, in situations where “emergency access is necessary to preserve the integrity of facilities or to preserve public health and safety,” systems administrators may access an account without approval.
No explicit mention is made in the Undergraduate Regulations of the University’s right to access student accounts, though the Appropriate Use Policy is accessible through a link on page 128 of the 131-page document.
In 580 pages of similar regulations for graduate students, there is no mention of or link to the University’s information technology privacy policies.
Yale College Dean Mary Miller, who is responsible for approval requests for access to the accounts of any undergraduates, declined to comment on the number of instances in which she has approved non-consensual access to an account. Miller also declined to say whether she has ever denied a request for monitoring. Miller said she did not know who ultimately reviewed the contents of any accounts accessed.
University Vice President for Human Resources and Administration Michael Peel said that the University rarely accesses emails without consent, adding that during five years in his position it has been done only six times for staff.
According to University Vice President and General Counsel Dorothy Robinson, the Acceptable Use Policy was first adopted in 2000 by a committee led by Yale Information Technology Services and the Office of the Provost.
“The policy was reviewed by Yale faculty members, and privacy was one of the most important issues discussed,” Robinson said in an email to the News.
The University’s ability to monitor internet activity is not limited to email. The University’s firewall logs the websites visited by users of the Yale network, Robinson said, though she added that these logs are overwritten daily, meaning the University does not store the web browsing histories of its network users for longer than a day. Robinson added she is unaware of any instances in which the University has viewed those logs without consent.
While most students interviewed said they thought accessing students’ accounts was within the rights of the University, they added that Yale should exercise discretion in choosing whether or not to look at an email account.
“[I] would hope that it would only be used in extreme cases, things like breaking University regulations or state and federal law,” Drew Morrison ’14 said.
But others were adamant in their opposition to the policy, in part because the policy has been poorly publicized.
“It’s an infringement. If I was aware of it somehow, when I signed up for the Yale email, then it would be different,” John Lee ’14 said. “They should have made it clearer.”
Lee added that he sees no circumstances under which Yale should be able to access students’ accounts without consent. Calling the policy “antithetical to the University,” Brett Tolman GRD ’15 said it represents an overreach on Yale’s part into students’ personal lives.
Like many others, Lee and Tolman suggested that the policy is not publicized well enough for students to take notice.
“Universities always have this fine print where they give themselves permission to do things under extreme circumstances,” Iva Popa ’14 said of the monitoring abilities. “I think it’s a slippery slope to allow the University that much freedom.”
Yale defines its IT systems as the servers, personal computing devices, applications, printers, networks, online and offline storage media, software and data files that are owned, managed or maintained by the University.
Greg Cameron, Nicole Ng and Larry Milstein contributed reporting.