Loading ...
Sorry, an error occurred while loading the content.
 

Re: [WWWEDU] online privacy and school monitoring

Expand Messages
  • Art Wolinsky
    ... There are two sections of our AUP that say all that needs to be said: 1) The Southern Regional High School District provides computer equipment, computer
    Message 1 of 5 , Jul 31, 2002
      At 12:13 PM 7/31/2002 -0700, you wrote:
      >What and how do you tell your students and staff about their privacy
      >expectations when using the Internet on the district system?

      There are two sections of our AUP that say all that needs to be said:
      1) The Southern Regional High School District provides computer equipment,
      computer services, and Internet access to its students and staff for
      educational purposes only.

      2) Southern Regional has established procedures to comply with the
      Children’s Internet Protection Act (CIPA), which mandates that:
      · All computers incorporate technology to protect students from obscene
      material, child pornography, and other harmful material,
      ·Student online activity is monitored, and
      · The district establishes an online safety policy.

      As long as they pay attention to #1 and are aware of #2, little else needs
      to be done. The law says it is up to the district to determine just about
      every step and that the key to compliance is "good faith effort". Since
      much of this is site based, there is on lock step procedure for
      everything. Using my radar analogy. Speed checked by radar is all a
      motorist need know. The police need not elaborate on where, when, and how
      that monitoring will take place.

      In schools, constant monitoring is impossible, or in my opinion
      advisable. Hence the most effective monitoring my not be an established
      schedule. It should be periodic, but not regular and my be increased or
      decreased depending on activity.

      Additionally, when we train students and staff we stress that email is NOT
      private. We tell them not to put anything in e-mail that they don't want to
      read in the NY Times on Monday. We also stress that we monitor for safety
      purposes, but e-mail that passes through servers outside our district can
      be read by people who administer those computers and if they are
      monitoring, it isn't likely to be because they want to protect them.

      >How is student and staff usage monitored (by this I mean, after the
      >fact, not supervision)?

      Inspection of log files.

      >Who is authorized to conduct individual searches of Internet usage
      >records of students and staff?

      Technical staff under the direction of administration.

      >What records are required if an individual search of Internet usage of
      >students or staff occurs?

      Isn't that like saying, what evidence is gathered and required if there is
      a crime? It depends on the nature of the crime. In some cases, such as
      access to inappropriate material, a single log section may be all that is
      necessary. In other cases such as credit card fraud or threats to the
      President, obviously outside agencies and records will be accessed.

      >Are there provisions in the collective bargaining agreements with staff
      >that address individual searches of their Internet files?

      I would think the due process clause in most agreements would cover that.

      >Do you provide parents with access to their child's Internet usage
      >records, if they request such access? Do you tell them they have a right
      >to such access?

      No, because in our system, that is a virtual impossibility. Individual
      transactions are not routinely tied to student accounts. A violation
      carries with it a time stamp, computer IP, and other information that will
      allow an investigation to uncover the person who made the violation, by
      comparing that information against multiple logs. Tying a single log entry
      to a student or teacher account can take an hour or more. A SINGLE
      violation is the trigger that allows for the identification of the
      student. The radar analogy comes into play again. Let's say that police
      are using radar and video. Speeding triggers the identification of the
      speeder. That same speeder may have gone through the radar trap a hundred
      times that day at a legal speed, but if you asked the police to provide the
      information about what the speeder did properly, they only way they could
      do it would be to review the tape and look at every single car that went by
      that day. On a give day there may be a a few thousand cars going through
      radar. On a give day, there may be a few MILLION log entries.

      >

      ******************************************************************
      Art Wolinsky
      OII Technology Director Big6 Associate
      http://oii.org http://www.big6.com
      awolinsky@... Web-and-Flow Team
      (609) 597-9481 ext
      337 http://www.web-and-flow.com

      ******************************************************************
      I am perfectly capable of learning from my mistakes.
      I will surely learn a great deal today.
      ******************************************************************
    • Nancy Willard
      ... I am basically not talking about compliance with CIPA. As long as you have a policy that says you are monitoring, you are in compliance with CIPA. I
      Message 2 of 5 , Jul 31, 2002
        Art Wolinsky wrote:

        > At 12:13 PM 7/31/2002 -0700, you wrote:
        > >What and how do you tell your students and staff about their privacy
        > >expectations when using the Internet on the district system?
        >
        > There are two sections of our AUP that say all that needs to be said:
        > 1) The Southern Regional High School District provides computer equipment,
        > computer services, and Internet access to its students and staff for
        > educational purposes only.
        >
        > 2) Southern Regional has established procedures to comply with the
        > Children’s Internet Protection Act (CIPA), which mandates that:
        > · All computers incorporate technology to protect students from obscene
        > material, child pornography, and other harmful material,
        > ·Student online activity is monitored, and
        > · The district establishes an online safety policy.
        >
        > As long as they pay attention to #1 and are aware of #2, little else needs
        > to be done. The law says it is up to the district to determine just about
        > every step and that the key to compliance is "good faith effort".

        <snip>
        I am basically not talking about compliance with CIPA. As long as you have a
        policy that says you are monitoring, you are in compliance with CIPA. I am
        actually trying to get a better sense of where the boundaries between
        appropriate monitoring and the protection of personal privacy in this area
        are. Are students and staff to expect no privacy whatsoever when they use the
        Internet at school and can any staff person track any individual user or have
        access to any user's e-mail files at any time, for whatever reason, without
        any necessity to justify such access to information?

        Is staff use monitored? Basically, I do agree with the fact that you have
        given notice regarding the fact that monitoring is occurring. But are students
        and staff aware of what circumstances might warrant an analysis of their
        individual online activities or access to their e-mail files? Are such
        standards expressed anywhere?

        > Additionally, when we train students and staff we stress that email is NOT
        > private. We tell them not to put anything in e-mail that they don't want to
        > read in the NY Times on Monday. We also stress that we monitor for safety
        > purposes, but e-mail that passes through servers outside our district can
        > be read by people who administer those computers and if they are
        > monitoring, it isn't likely to be because they want to protect them.

        So if you have an administrator who is having a disagreement with several
        teachers it would be perfectly OK under your policy for this administrator to
        review the contents of the e-mail files of these teachers?

        > >How is student and staff usage monitored (by this I mean, after the
        > >fact, not supervision)?
        >
        > Inspection of log files.

        Do you mean log files or blocked URL reports or both?

        > >Who is authorized to conduct individual searches of Internet usage
        > >records of students and staff?
        >
        > Technical staff under the direction of administration.

        Under what circumstances? The whim of administrators? Or if there is
        reasonable suspicion that the search will reveal activity in violation of
        school policy or the law? (The latter is the standard that I think should be
        in place for any individual search.)

        > >What records are required if an individual search of Internet usage of
        > >students or staff occurs?
        >
        > Isn't that like saying, what evidence is gathered and required if there is
        > a crime? It depends on the nature of the crime. In some cases, such as
        > access to inappropriate material, a single log section may be all that is
        > necessary. In other cases such as credit card fraud or threats to the
        > President, obviously outside agencies and records will be accessed.

        I am not talking about evidence of violations of policy or laws. I am taking
        about documentation related to the search. So let's make this personal. If
        your administrator were to authorize a search of your personal e-mail files,
        under what circumstances do you think this would be appropriate and what
        documentation, if any, do you think ought to be created and filed somewhere to
        verify the circumstances underwhich your e-mail files were accessed, for what
        purpose, what was found, and what the consequences were? Now, the same
        question for students.

        > >Are there provisions in the collective bargaining agreements with staff
        > >that address individual searches of their Internet files?
        >
        > I would think the due process clause in most agreements would cover that.

        What do others think? Are there provisions in most cbas that would address
        access to staff internet usage files, including e-mail files?

        > >Do you provide parents with access to their child's Internet usage
        > >records, if they request such access? Do you tell them they have a right
        > >to such access?
        >
        > No, because in our system, that is a virtual impossibility. Individual
        > transactions are not routinely tied to student accounts. A violation
        > carries with it a time stamp, computer IP, and other information that will
        > allow an investigation to uncover the person who made the violation, by
        > comparing that information against multiple logs. Tying a single log entry
        > to a student or teacher account can take an hour or more. A SINGLE
        > violation is the trigger that allows for the identification of the
        > student. <snip>

        I am assuming by violation you mean a report of blocked access by the
        filtering software. Given the amount of time it takes to identify a potential
        violator, I am assuming that you have very little intentional misuse. If you
        were having to identify lots of violators I suspect that you would have
        changed the system to one that requires individual log-ins.

        Does anyone have any sense of how many schools in the US have individual
        log-ins and how many basically have to use the process outlined by Art? I
        believe that in the district my kids go to elementary students do not have
        individual log-ins, but secondary students do.

        Thanks Art. Anyone else with thoughts on this?

        Nancy

        BTW, at NECC a person in the audience challenged me by saying that I was a
        university person, not in public schools, so I really did not understand.
        Thanks to John Elfrank-Dana who told the lady that I regularly consult with
        folks in the field and I do understand (hopefully a correct statement). And
        thanks to the folks on WWWEDU who are willing to help me to better understand.



        Nancy Willard, M.S., J.D.

        Center for Advanced Technology in Education
        University of Oregon, College of Education
        E-mail: nwillard@...
        URL: http://netizen.uoregon.edu

        Responsible Netizen Institute
        URL:http://responsiblenetizen.org
      • Art Wolinsky
        ... There is nothing specific, anymore that there is anything specific about what is done to monitor for different types of inappropriate such as drug use,
        Message 3 of 5 , Aug 3, 2002
          At 03:51 PM 7/31/2002 -0700, you wrote:
          >But are students
          >and staff aware of what circumstances might warrant an analysis of their
          >individual online activities or access to their e-mail files? Are such
          >standards expressed anywhere?

          There is nothing specific, anymore that there is anything specific about
          what is done to monitor for different types of inappropriate such as drug
          use, smoking in the lav, fights, etc. I was always under the impression
          that the more things you list specifically about what you do or don't do,
          the more you leave yourself open to liability if an issue arises that you
          don't list. I think the implied standard is that something was done that a
          reasonable person would take to mean that a violation might have taken
          place. It would seem to me that in any investigation, one of the first
          questions asked would be what prompted the investigation.

          > >We also stress that we monitor for safety
          > > purposes, but e-mail that passes through servers outside our district can
          > > be read by people who administer those computers and if they are
          > > monitoring, it isn't likely to be because they want to protect them.
          >
          >So if you have an administrator who is having a disagreement with several
          >teachers it would be perfectly OK under your policy for this administrator to
          >review the contents of the e-mail files of these teachers?

          Absolutely not. That does not equate with monitoring for student
          safety. However, the issue of administration monitoring the email of
          teachers during contract negotiation has come up in several school
          districts that I am aware of. In one case a negotiator asked a union rep,
          "Do you think the Superintendent would read our mail to find out what we
          are planning?" He answered with a grin and said, "No way, but if I were
          him, I would make sure someone was."

          What we do say, especially to students is that during the course of an
          investigation, something you did wrong that is unrelated to the
          investigation could easily surface. The example I use is this. Suppose on
          Oct. 1, Johnny sends a pornographic picture to a dozen people. Eventually
          it makes the rounds to 100 different people. Eventually it offends someone
          and the picture is called to the attention of a teacher and an
          investigation is started. In our case this investigation is relatively
          simple because every message carries with it a complete history of who read
          it, who sent it, and other things. It doesn't matter whether Johnny and 98
          other people deleted their copy. As long as one person in the system
          retains that message, the history grows. In this case there are varying
          degrees of violations. Technically, anyone who received the picture,
          trashed it, and didn't report it is in violation of the AUP, but they would
          probably only get a warning. The more serious violations would be the
          original sender, anyone who forwarded it, or any teacher who received it
          and didn't report it.

          > > Inspection of log files.
          >
          >Do you mean log files or blocked URL reports or both?

          In our system they are one and the same. Every transaction carries with is
          a code number that indicates how the transaction was handled. A code of
          216 indicates the transaction was "Blocked due to rating check."

          > > >Who is authorized to conduct individual searches of Internet usage
          > > >records of students and staff?
          > >
          > > Technical staff under the direction of administration.
          >
          >Under what circumstances? The whim of administrators? Or if there is
          >reasonable suspicion that the search will reveal activity in violation of
          >school policy or the law? (The latter is the standard that I think should be
          >in place for any individual search.)

          The latter, and then only after reporting the initial suspicion and being
          directed to move forward with an investigation.

          >I am not talking about evidence of violations of policy or laws. I am taking
          >about documentation related to the search. So let's make this personal. If
          >your administrator were to authorize a search of your personal e-mail files,
          >under what circumstances do you think this would be appropriate and what
          >documentation, if any, do you think ought to be created and filed somewhere to
          >verify the circumstances underwhich your e-mail files were accessed, for what
          >purpose, what was found, and what the consequences were? Now, the same
          >question for students.

          I think we are getting into legal territory in which I don't have the
          expertise to answer, but I'm getting better by watching The Wire of HBO.
          <grin>

          The best I could say is that as soon as you "inspected" email, which is
          considerably different from electronic monitoring you are setting the stage
          for a serious legal battle, whether it is a teacher or a student.

          I believe most districts tread VERY lightly when it comes to email and hold
          MUCH higher standards to moving into an investigation than they would for a
          web access violation.

          Art


          ******************************************************************
          Art Wolinsky
          OII Technology Director Big6 Associate
          http://oii.org http://www.big6.com
          awolinsky@... Web-and-Flow Team
          (609) 597-9481 ext
          337 http://www.web-and-flow.com

          ******************************************************************
          I am perfectly capable of learning from my mistakes.
          I will surely learn a great deal today.
          ******************************************************************
        • Nancy Willard
          Art, if you ever get tired as a teacher, I think you would do well in law school. You have basically outlined what I consider to be the appropriate legal
          Message 4 of 5 , Aug 4, 2002
            Art, if you ever get tired as a teacher, I think you would do well in law school.
            You have basically outlined what I consider to be the appropriate legal analysis
            of this situation. Your interpretation -- we make individual investigation when
            there is a suspicion of wrongdoing -- is, in fact, the basic general legal
            standard. This is the same standard that provides the basis for the locker and
            desk searches.

            I do disagree with you regarding the need for a specific guideline and standard
            practices. The problem that I see is that many districts simply say "no Internet
            privacy." This allows for many different intrepretations of what may or may not be
            appropriate by different folks within the district and the potential for those
            folks to get the district into trouble if they inappropriate invade the privacy of
            students or staff. So my reason for more specific standards and processes is to
            seek to prevent problems, not cause them.

            Interestingly, like you, I also think that there are higher privacy interests with
            respect to e-mail than web searches. I have been trying to figure out why I think
            this. I am thinking that we all know that our activities searching the web are
            pretty much being tracked by lots of folks, so this may be relevant. And when
            students use the Internet in school there are generally lots of graphics, so
            information on where they are going is pretty much in plain view (another legal
            concept related to search and seizure). It may be that we all just feel that our
            personal communications deserve more privacy than someone watching where we are
            going on the Internet -- but I am not totally sure why. Other thoughts on this
            would be welcome to me.

            Here is the privacy standard I am advocating. It is a translation of the
            locker/desk search standard into Internet lingo and realities.

            "Users have a limited expectation of privacy in the contents of their personal
            files or record of web research activities on the district's Internet system.
            Routine maintenance and monitoring, utilizing both technical monitoring systems
            and staff monitoring, may lead to discovery that a user has violated district
            policy or the law. An individual search will be conducted if there is reasonable
            suspicion that a user has violated district policy or the law. In certain
            circumstances, a building administrator has the right to eliminate any expectation
            of privacy by providing notice to the students. Students' parents have the right
            to request to see the contents of their children's e-mail files. Staff should be
            aware that their communications are subject to public records disclosure laws."

            Nancy

            Nancy Willard, M.S., J.D.

            Center for Advanced Technology in Education
            University of Oregon, College of Education
            E-mail: nwillard@...
            URL: http://netizen.uoregon.edu

            Responsible Netizen Institute
            URL:http://responsiblenetizen.org



            Art Wolinsky wrote:

            > At 03:51 PM 7/31/2002 -0700, you wrote:
            > >But are students
            > >and staff aware of what circumstances might warrant an analysis of their
            > >individual online activities or access to their e-mail files? Are such
            > >standards expressed anywhere?
            >
            > There is nothing specific, anymore that there is anything specific about
            > what is done to monitor for different types of inappropriate such as drug
            > use, smoking in the lav, fights, etc. I was always under the impression
            > that the more things you list specifically about what you do or don't do,
            > the more you leave yourself open to liability if an issue arises that you
            > don't list. I think the implied standard is that something was done that a
            > reasonable person would take to mean that a violation might have taken
            > place. It would seem to me that in any investigation, one of the first
            > questions asked would be what prompted the investigation.
            >
            > > >We also stress that we monitor for safety
            > > > purposes, but e-mail that passes through servers outside our district can
            > > > be read by people who administer those computers and if they are
            > > > monitoring, it isn't likely to be because they want to protect them.
            > >
            > >So if you have an administrator who is having a disagreement with several
            > >teachers it would be perfectly OK under your policy for this administrator to
            > >review the contents of the e-mail files of these teachers?
            >
            > Absolutely not. That does not equate with monitoring for student
            > safety. However, the issue of administration monitoring the email of
            > teachers during contract negotiation has come up in several school
            > districts that I am aware of. In one case a negotiator asked a union rep,
            > "Do you think the Superintendent would read our mail to find out what we
            > are planning?" He answered with a grin and said, "No way, but if I were
            > him, I would make sure someone was."
            >
            > What we do say, especially to students is that during the course of an
            > investigation, something you did wrong that is unrelated to the
            > investigation could easily surface. The example I use is this. Suppose on
            > Oct. 1, Johnny sends a pornographic picture to a dozen people. Eventually
            > it makes the rounds to 100 different people. Eventually it offends someone
            > and the picture is called to the attention of a teacher and an
            > investigation is started. In our case this investigation is relatively
            > simple because every message carries with it a complete history of who read
            > it, who sent it, and other things. It doesn't matter whether Johnny and 98
            > other people deleted their copy. As long as one person in the system
            > retains that message, the history grows. In this case there are varying
            > degrees of violations. Technically, anyone who received the picture,
            > trashed it, and didn't report it is in violation of the AUP, but they would
            > probably only get a warning. The more serious violations would be the
            > original sender, anyone who forwarded it, or any teacher who received it
            > and didn't report it.
            >
            > > > Inspection of log files.
            > >
            > >Do you mean log files or blocked URL reports or both?
            >
            > In our system they are one and the same. Every transaction carries with is
            > a code number that indicates how the transaction was handled. A code of
            > 216 indicates the transaction was "Blocked due to rating check."
            >
            > > > >Who is authorized to conduct individual searches of Internet usage
            > > > >records of students and staff?
            > > >
            > > > Technical staff under the direction of administration.
            > >
            > >Under what circumstances? The whim of administrators? Or if there is
            > >reasonable suspicion that the search will reveal activity in violation of
            > >school policy or the law? (The latter is the standard that I think should be
            > >in place for any individual search.)
            >
            > The latter, and then only after reporting the initial suspicion and being
            > directed to move forward with an investigation.
            >
            > >I am not talking about evidence of violations of policy or laws. I am taking
            > >about documentation related to the search. So let's make this personal. If
            > >your administrator were to authorize a search of your personal e-mail files,
            > >under what circumstances do you think this would be appropriate and what
            > >documentation, if any, do you think ought to be created and filed somewhere to
            > >verify the circumstances underwhich your e-mail files were accessed, for what
            > >purpose, what was found, and what the consequences were? Now, the same
            > >question for students.
            >
            > I think we are getting into legal territory in which I don't have the
            > expertise to answer, but I'm getting better by watching The Wire of HBO.
            > <grin>
            >
            > The best I could say is that as soon as you "inspected" email, which is
            > considerably different from electronic monitoring you are setting the stage
            > for a serious legal battle, whether it is a teacher or a student.
            >
            > I believe most districts tread VERY lightly when it comes to email and hold
            > MUCH higher standards to moving into an investigation than they would for a
            > web access violation.
            >
            > Art
            >
            > ******************************************************************
            > Art Wolinsky
            > OII Technology Director Big6 Associate
            > http://oii.org http://www.big6.com
            > awolinsky@... Web-and-Flow Team
            > (609) 597-9481 ext
            > 337 http://www.web-and-flow.com
            >
            > ******************************************************************
            > I am perfectly capable of learning from my mistakes.
            > I will surely learn a great deal today.
            > ******************************************************************
            >
            >
            > WWWEDU, The Web and Education Mailing List
            >
            > To unsubscribe from this group, send an email to:
            > wwwedu-unsubscribe@yahoogroups.com
            >
            > To access the archive, please visit the list homepage:
            > http://edwebproject.org/wwwedu.html
            >
            >
            > Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
          Your message has been successfully submitted and would be delivered to recipients shortly.