Yale students’ email accounts are subject to search without consent or notification by the University, as outlined in a publicly available but little-publicized document.

Under the University’s Information Technology Acceptable Use Policy, the University maintains the right to access not only employee accounts, but students’ accounts as well. While 55 of 73 students interviewed were unsurprised that the University can monitor their correspondences, few were clear on the specifics under which Yale can search their accounts.

Only three students of 73 interviewed were aware of the specifics of Yale’s policy, with one adding that he learned about the University’s regulations through a class.

“I feel like the University should make clear under what circumstances they consider searching emails,” Sherry Du ’17 said. “The school should do more to publicize this.”

Most students said they were not taken aback by the policy because the email account is provided by Yale.

Graduate students who came to Yale after working in the corporate world expressed especially little surprise over the policy. Ashlee Tran SOM ’14 said employees at large corporations assume their emails are monitored.

“It doesn’t shock me at all that they can do that,” Acer Xu ’17 said. “It’s Yale email, it’s an internal server.”

According to its Acceptable Use Policy, several circumstances warrant access to students’ emails: “preserv[ing] the integrity of the IT systems,” complying with “federal, state, or local law or administrative rules,” carrying out “essential business functions of the University,” “preserv[ing] public health and safety” and producing evidence when “there are reasonable grounds to believe that a violation of law or a significant breach of University policy may have taken place.”

Administrators did not define what actions constitute a significant breach of University policy, though ITS Director of Strategic Communications Susan West described these circumstances as “specific and unusual.”

For the University to access a student account, two administrators must give their approval: University Provost Benjamin Polak as well as the dean of Yale College or the appropriate graduate or professional school, though deans are allowed to delegate this task.

However, in situations where “emergency access is necessary to preserve the integrity of facilities or to preserve public health and safety,” systems administrators may access an account without approval.

No explicit mention is made in the Undergraduate Regulations of the University’s right to access student accounts, though the Appropriate Use Policy is accessible through a link on page 128 of the 131-page document.

In 580 pages of similar regulations for graduate students, there is no mention of or link to the University’s information technology privacy policies.

Yale College Dean Mary Miller, who is responsible for approval requests for access to the accounts of any undergraduates, declined to comment on the number of instances in which she has approved non-consensual access to an account. Miller also declined to say whether she has ever denied a request for monitoring. Miller said she did not know who ultimately reviewed the contents of any accounts accessed.

University Vice President for Human Resources and Administration Michael Peel said that the University rarely accesses emails without consent, adding that during five years in his position it has been done only six times for staff.

According to University Vice President and General Counsel Dorothy Robinson, the Acceptable Use Policy was first adopted in 2000 by a committee led by Yale Information Technology Services and the Office of the Provost.

“The policy was reviewed by Yale faculty members, and privacy was one of the most important issues discussed,” Robinson said in an email to the News.

The University’s ability to monitor internet activity is not limited to email. The University’s firewall logs the websites visited by users of the Yale network, Robinson said, though she added that these logs are overwritten daily, meaning the University does not store the web browsing histories of its network users for longer than a day. Robinson added she is unaware of any instances in which the University has viewed those logs without consent.

While most students interviewed said they thought accessing students’ accounts was within the rights of the University, they added that Yale should exercise discretion in choosing whether or not to look at an email account.

“[I] would hope that it would only be used in extreme cases, things like breaking University regulations or state and federal law,” Drew Morrison ’14 said.

But others were adamant in their opposition to the policy, in part because the policy has been poorly publicized.

“It’s an infringement. If I was aware of it somehow, when I signed up for the Yale email, then it would be different,” John Lee ’14 said. “They should have made it clearer.”

Lee added that he sees no circumstances under which Yale should be able to access students’ accounts without consent. Calling the policy “antithetical to the University,” Brett Tolman GRD ’15 said it represents an overreach on Yale’s part into students’ personal lives.

Like many others, Lee and Tolman suggested that the policy is not publicized well enough for students to take notice.

“Universities always have this fine print where they give themselves permission to do things under extreme circumstances,” Iva Popa ’14 said of the monitoring abilities. “I think it’s a slippery slope to allow the University that much freedom.”

Yale defines its IT systems as the servers, personal computing devices, applications, printers, networks, online and offline storage media, software and data files that are owned, managed or maintained by the University.

 

Greg Cameron, Nicole Ng and Larry Milstein contributed reporting.

  • theantiyale

    Rebel by getting
    the entire campus to switch to Gmail. Then only the government can read your
    stuff.—or troll your contacts.

    It is intolerable
    and outrageous that Yale has wheedled this access.

    After the Kent State shootings I remained a counselor
    in residence halls there. The rumor was that the FBI had tapped all our phone
    calls. I was coordinating a nationwide student petition for a federal grand
    jury investigation of the shootings. After the person on the other end of a phone call hung up, I stayed on the line and then ended every call by saying, “Fuck you J. Edgar Hoover” just for whoever might be listening.

    See my FBI file at http://edgarseyes.blogspot.com/

    I guess this passive acceptance of surveillance means Yale won’t be making Edward Snowden an Honorary Visiting
    Professor at your Singapore
    campus as I suggested a few days ago.

    Where have all the flowers gone?

    • Guest

      And give up the @yale.edu address? Fat chance.

      • theantiyale

        That IS a point, isn’t it.

    • yalengineer

      Alternatively, you can use your gmail to forward your yale email and then use an alias to send emails using your @yale.edu address. This way you can maintain privacy while taking advantage of the Yale system.

      n00bs.

      • theantiyale

        You’ve lost me.

        • 13

          You can give gmail permission to send mail under the alias anti.yale@yale.edu, if you have access to that email address.

          Of course, what the “engineer” has missed is that anyone replying to anti.yale@yale.edu is (usually) sending your original message back through the Yale servers anyway, and if not, their own correspondence could presumably be used as evidence against you anyway (I’m not a lawyer, so don’t fault me if I’m wrong on that one).

      • 13

        Assuming this gives you any privacy except in the case of one-way correspondence is more foolish than using the Yale system with the knowledge that there is the possibility of being snooped on.

        Knowing you’re safe is far more dangerous than assuming you’re not.

  • Chicken

    was this not already obvious…?

  • ldffly

    Ok Yale owns it. Clear enough and fair enough. Still, if I were a student these days, I would not use their system unless absolutely necessary.

    • 13

      Or just don’t allude to anything illegal on it… which you wouldn’t do anyway cause of the old NSA, right?… Right?

      They’re not going to ping you for chatting to a friend about how you skipped Intro Micro to get stoned. They might ping you for mentioning that you cheated on an exam, but they’d have to have good reason to have looked in the first place… and wouldn’t you prefer those people get caught anyway?

      • C. H.

        It’s an accident of technology that “Yale owns” this new medium of communication. And faculty and staff are required to use it. A couple of decades ago faculty, staff, and students communicated by letter, over the phone, and face to face, and none of these things could be mined for info without the consent of those involved (or without a warrant). Why should there be a different expectation about privacy now?

        • 13

          That’s like saying it’s an “accident” that trees grow upward. We could have all brought our own servers and hosted our own email accounts, but this wouldn’t allow for us to (as easily or safely) have our @yale.edu accounts.

          Do you really assume that Yale’s central phone system — which has been no doubt owned by Yale in the same way their servers are now — could not have been set up to be tapped quite easily? (Of course with the requisite signed university regulations stipulating so in the small print.)

      • ldffly

        “. . . . … and wouldn’t you prefer those people get caught anyway?” You’re not implying that if you don’t have anything to hide you won’t have anything about which to worry, are you? Members of the administration would never violate the protocols governing access to a student or faculty account, would they?

        I would prefer that faculty and students who are doing research into areas that might affect the university’s reputation or its income or the work of other influential faculty be able to do so without the potential of the administration snooping into their electronic communications. It’s not beyond the will of the human character for this sort of thing to happen.

        • 13

          “faculty and students who are doing research into areas that might affect the university’s reputation or its income or the work of other influential faculty”

          What does this even mean? Like, they’re being funded by the university to do research that the university might not like? I have more faith in Yale than to stop something like that (I realize that this will be regarded as naïve by some).

          Don’t conflate this with what people are up in arms at the NSA for; Yale is not systematically reading every email for keywords like “bomb” or “cheat-sheet,” they are doing the same thing that the NSA (et al.) should have the ability to do, which is: In certain circumstances, gain access to the emails to gather evidence towards a case, given they have “reasonable grounds to believe that a violation of law or a significant breach of University policy may have taken place”.

          This is (very roughly) the equivalent to the police issuing a warrant to seize a computer.

          • ldffly

            The meaning of the sentence is clear enough for this argument. The university does not fund most research unless you consider paying a salary to be research funding.
            Are any faculty members currently looking into Yale-NUS? Might their research/studies affect the university’s reputation as defined by the administration? Might someone within the administration see a “need” to violate protocols and check on these people?

            Yes, your faith is naive. Tensions between faculty and administration are legion, and always have been. Tensions among faculty can become cutthroat. Some might not be beyond violating private communications. If any readers of this discussion can remember faculty or administrators from the pre digital era revealing confidential communications (and I can), then faith in Yale should look quaint at best.

  • guest1420

    The administration has accessed staff accounts without consent SIX TIMES in the last five years? For what???

    Also the idea that “breaking university regulations or state or federal law” is an “extreme case” is weird. Drinking under the age of 21 is a violation of all those things but is not an extreme case.

  • theantiyale

    “It’s an accident of technology that ‘Yale owns’ ”

    It is an “accident” of the booboisie that our culture (and the world) has put all its eggs in one digital basket. H.L. Mencken warned us about the booboisie. I am resigned to being the victim of ignorance in the name of democracy. It’s the price you pay—and it may be an apocalyptic price.

    However, stupidity at YALE is not an “accident”. It may be many things but “accident” is not one of them. You do have a Law School full of professors on the premises y’know.

    I wonder if the text messages sent by the Yale Daily News editorial board to colleagues around that fancy board room table are monitored as they deliberate the contents of the next edition?

    The very IDEA of such a possibility has a “chilling effect:” on freedom of expression:
    Wouldn’t want to offend the powers that may pave my way to being the next Henry Luce or Wm. F. Buckley, — now, would I ?