Loading ...
Sorry, an error occurred while loading the content.
 

Re: [WWWEDU] online privacy and school monitoring

Expand Messages
  • Nancy Willard
    ... I am basically not talking about compliance with CIPA. As long as you have a policy that says you are monitoring, you are in compliance with CIPA. I
    Message 1 of 5 , Jul 31 3:51 PM
      Art Wolinsky wrote:

      > At 12:13 PM 7/31/2002 -0700, you wrote:
      > >What and how do you tell your students and staff about their privacy
      > >expectations when using the Internet on the district system?
      >
      > There are two sections of our AUP that say all that needs to be said:
      > 1) The Southern Regional High School District provides computer equipment,
      > computer services, and Internet access to its students and staff for
      > educational purposes only.
      >
      > 2) Southern Regional has established procedures to comply with the
      > Children’s Internet Protection Act (CIPA), which mandates that:
      > · All computers incorporate technology to protect students from obscene
      > material, child pornography, and other harmful material,
      > ·Student online activity is monitored, and
      > · The district establishes an online safety policy.
      >
      > As long as they pay attention to #1 and are aware of #2, little else needs
      > to be done. The law says it is up to the district to determine just about
      > every step and that the key to compliance is "good faith effort".

      <snip>
      I am basically not talking about compliance with CIPA. As long as you have a
      policy that says you are monitoring, you are in compliance with CIPA. I am
      actually trying to get a better sense of where the boundaries between
      appropriate monitoring and the protection of personal privacy in this area
      are. Are students and staff to expect no privacy whatsoever when they use the
      Internet at school and can any staff person track any individual user or have
      access to any user's e-mail files at any time, for whatever reason, without
      any necessity to justify such access to information?

      Is staff use monitored? Basically, I do agree with the fact that you have
      given notice regarding the fact that monitoring is occurring. But are students
      and staff aware of what circumstances might warrant an analysis of their
      individual online activities or access to their e-mail files? Are such
      standards expressed anywhere?

      > Additionally, when we train students and staff we stress that email is NOT
      > private. We tell them not to put anything in e-mail that they don't want to
      > read in the NY Times on Monday. We also stress that we monitor for safety
      > purposes, but e-mail that passes through servers outside our district can
      > be read by people who administer those computers and if they are
      > monitoring, it isn't likely to be because they want to protect them.

      So if you have an administrator who is having a disagreement with several
      teachers it would be perfectly OK under your policy for this administrator to
      review the contents of the e-mail files of these teachers?

      > >How is student and staff usage monitored (by this I mean, after the
      > >fact, not supervision)?
      >
      > Inspection of log files.

      Do you mean log files or blocked URL reports or both?

      > >Who is authorized to conduct individual searches of Internet usage
      > >records of students and staff?
      >
      > Technical staff under the direction of administration.

      Under what circumstances? The whim of administrators? Or if there is
      reasonable suspicion that the search will reveal activity in violation of
      school policy or the law? (The latter is the standard that I think should be
      in place for any individual search.)

      > >What records are required if an individual search of Internet usage of
      > >students or staff occurs?
      >
      > Isn't that like saying, what evidence is gathered and required if there is
      > a crime? It depends on the nature of the crime. In some cases, such as
      > access to inappropriate material, a single log section may be all that is
      > necessary. In other cases such as credit card fraud or threats to the
      > President, obviously outside agencies and records will be accessed.

      I am not talking about evidence of violations of policy or laws. I am taking
      about documentation related to the search. So let's make this personal. If
      your administrator were to authorize a search of your personal e-mail files,
      under what circumstances do you think this would be appropriate and what
      documentation, if any, do you think ought to be created and filed somewhere to
      verify the circumstances underwhich your e-mail files were accessed, for what
      purpose, what was found, and what the consequences were? Now, the same
      question for students.

      > >Are there provisions in the collective bargaining agreements with staff
      > >that address individual searches of their Internet files?
      >
      > I would think the due process clause in most agreements would cover that.

      What do others think? Are there provisions in most cbas that would address
      access to staff internet usage files, including e-mail files?

      > >Do you provide parents with access to their child's Internet usage
      > >records, if they request such access? Do you tell them they have a right
      > >to such access?
      >
      > No, because in our system, that is a virtual impossibility. Individual
      > transactions are not routinely tied to student accounts. A violation
      > carries with it a time stamp, computer IP, and other information that will
      > allow an investigation to uncover the person who made the violation, by
      > comparing that information against multiple logs. Tying a single log entry
      > to a student or teacher account can take an hour or more. A SINGLE
      > violation is the trigger that allows for the identification of the
      > student. <snip>

      I am assuming by violation you mean a report of blocked access by the
      filtering software. Given the amount of time it takes to identify a potential
      violator, I am assuming that you have very little intentional misuse. If you
      were having to identify lots of violators I suspect that you would have
      changed the system to one that requires individual log-ins.

      Does anyone have any sense of how many schools in the US have individual
      log-ins and how many basically have to use the process outlined by Art? I
      believe that in the district my kids go to elementary students do not have
      individual log-ins, but secondary students do.

      Thanks Art. Anyone else with thoughts on this?

      Nancy

      BTW, at NECC a person in the audience challenged me by saying that I was a
      university person, not in public schools, so I really did not understand.
      Thanks to John Elfrank-Dana who told the lady that I regularly consult with
      folks in the field and I do understand (hopefully a correct statement). And
      thanks to the folks on WWWEDU who are willing to help me to better understand.



      Nancy Willard, M.S., J.D.

      Center for Advanced Technology in Education
      University of Oregon, College of Education
      E-mail: nwillard@...
      URL: http://netizen.uoregon.edu

      Responsible Netizen Institute
      URL:http://responsiblenetizen.org
    • Art Wolinsky
      ... There is nothing specific, anymore that there is anything specific about what is done to monitor for different types of inappropriate such as drug use,
      Message 2 of 5 , Aug 3, 2002
        At 03:51 PM 7/31/2002 -0700, you wrote:
        >But are students
        >and staff aware of what circumstances might warrant an analysis of their
        >individual online activities or access to their e-mail files? Are such
        >standards expressed anywhere?

        There is nothing specific, anymore that there is anything specific about
        what is done to monitor for different types of inappropriate such as drug
        use, smoking in the lav, fights, etc. I was always under the impression
        that the more things you list specifically about what you do or don't do,
        the more you leave yourself open to liability if an issue arises that you
        don't list. I think the implied standard is that something was done that a
        reasonable person would take to mean that a violation might have taken
        place. It would seem to me that in any investigation, one of the first
        questions asked would be what prompted the investigation.

        > >We also stress that we monitor for safety
        > > purposes, but e-mail that passes through servers outside our district can
        > > be read by people who administer those computers and if they are
        > > monitoring, it isn't likely to be because they want to protect them.
        >
        >So if you have an administrator who is having a disagreement with several
        >teachers it would be perfectly OK under your policy for this administrator to
        >review the contents of the e-mail files of these teachers?

        Absolutely not. That does not equate with monitoring for student
        safety. However, the issue of administration monitoring the email of
        teachers during contract negotiation has come up in several school
        districts that I am aware of. In one case a negotiator asked a union rep,
        "Do you think the Superintendent would read our mail to find out what we
        are planning?" He answered with a grin and said, "No way, but if I were
        him, I would make sure someone was."

        What we do say, especially to students is that during the course of an
        investigation, something you did wrong that is unrelated to the
        investigation could easily surface. The example I use is this. Suppose on
        Oct. 1, Johnny sends a pornographic picture to a dozen people. Eventually
        it makes the rounds to 100 different people. Eventually it offends someone
        and the picture is called to the attention of a teacher and an
        investigation is started. In our case this investigation is relatively
        simple because every message carries with it a complete history of who read
        it, who sent it, and other things. It doesn't matter whether Johnny and 98
        other people deleted their copy. As long as one person in the system
        retains that message, the history grows. In this case there are varying
        degrees of violations. Technically, anyone who received the picture,
        trashed it, and didn't report it is in violation of the AUP, but they would
        probably only get a warning. The more serious violations would be the
        original sender, anyone who forwarded it, or any teacher who received it
        and didn't report it.

        > > Inspection of log files.
        >
        >Do you mean log files or blocked URL reports or both?

        In our system they are one and the same. Every transaction carries with is
        a code number that indicates how the transaction was handled. A code of
        216 indicates the transaction was "Blocked due to rating check."

        > > >Who is authorized to conduct individual searches of Internet usage
        > > >records of students and staff?
        > >
        > > Technical staff under the direction of administration.
        >
        >Under what circumstances? The whim of administrators? Or if there is
        >reasonable suspicion that the search will reveal activity in violation of
        >school policy or the law? (The latter is the standard that I think should be
        >in place for any individual search.)

        The latter, and then only after reporting the initial suspicion and being
        directed to move forward with an investigation.

        >I am not talking about evidence of violations of policy or laws. I am taking
        >about documentation related to the search. So let's make this personal. If
        >your administrator were to authorize a search of your personal e-mail files,
        >under what circumstances do you think this would be appropriate and what
        >documentation, if any, do you think ought to be created and filed somewhere to
        >verify the circumstances underwhich your e-mail files were accessed, for what
        >purpose, what was found, and what the consequences were? Now, the same
        >question for students.

        I think we are getting into legal territory in which I don't have the
        expertise to answer, but I'm getting better by watching The Wire of HBO.
        <grin>

        The best I could say is that as soon as you "inspected" email, which is
        considerably different from electronic monitoring you are setting the stage
        for a serious legal battle, whether it is a teacher or a student.

        I believe most districts tread VERY lightly when it comes to email and hold
        MUCH higher standards to moving into an investigation than they would for a
        web access violation.

        Art


        ******************************************************************
        Art Wolinsky
        OII Technology Director Big6 Associate
        http://oii.org http://www.big6.com
        awolinsky@... Web-and-Flow Team
        (609) 597-9481 ext
        337 http://www.web-and-flow.com

        ******************************************************************
        I am perfectly capable of learning from my mistakes.
        I will surely learn a great deal today.
        ******************************************************************
      • Nancy Willard
        Art, if you ever get tired as a teacher, I think you would do well in law school. You have basically outlined what I consider to be the appropriate legal
        Message 3 of 5 , Aug 4, 2002
          Art, if you ever get tired as a teacher, I think you would do well in law school.
          You have basically outlined what I consider to be the appropriate legal analysis
          of this situation. Your interpretation -- we make individual investigation when
          there is a suspicion of wrongdoing -- is, in fact, the basic general legal
          standard. This is the same standard that provides the basis for the locker and
          desk searches.

          I do disagree with you regarding the need for a specific guideline and standard
          practices. The problem that I see is that many districts simply say "no Internet
          privacy." This allows for many different intrepretations of what may or may not be
          appropriate by different folks within the district and the potential for those
          folks to get the district into trouble if they inappropriate invade the privacy of
          students or staff. So my reason for more specific standards and processes is to
          seek to prevent problems, not cause them.

          Interestingly, like you, I also think that there are higher privacy interests with
          respect to e-mail than web searches. I have been trying to figure out why I think
          this. I am thinking that we all know that our activities searching the web are
          pretty much being tracked by lots of folks, so this may be relevant. And when
          students use the Internet in school there are generally lots of graphics, so
          information on where they are going is pretty much in plain view (another legal
          concept related to search and seizure). It may be that we all just feel that our
          personal communications deserve more privacy than someone watching where we are
          going on the Internet -- but I am not totally sure why. Other thoughts on this
          would be welcome to me.

          Here is the privacy standard I am advocating. It is a translation of the
          locker/desk search standard into Internet lingo and realities.

          "Users have a limited expectation of privacy in the contents of their personal
          files or record of web research activities on the district's Internet system.
          Routine maintenance and monitoring, utilizing both technical monitoring systems
          and staff monitoring, may lead to discovery that a user has violated district
          policy or the law. An individual search will be conducted if there is reasonable
          suspicion that a user has violated district policy or the law. In certain
          circumstances, a building administrator has the right to eliminate any expectation
          of privacy by providing notice to the students. Students' parents have the right
          to request to see the contents of their children's e-mail files. Staff should be
          aware that their communications are subject to public records disclosure laws."

          Nancy

          Nancy Willard, M.S., J.D.

          Center for Advanced Technology in Education
          University of Oregon, College of Education
          E-mail: nwillard@...
          URL: http://netizen.uoregon.edu

          Responsible Netizen Institute
          URL:http://responsiblenetizen.org



          Art Wolinsky wrote:

          > At 03:51 PM 7/31/2002 -0700, you wrote:
          > >But are students
          > >and staff aware of what circumstances might warrant an analysis of their
          > >individual online activities or access to their e-mail files? Are such
          > >standards expressed anywhere?
          >
          > There is nothing specific, anymore that there is anything specific about
          > what is done to monitor for different types of inappropriate such as drug
          > use, smoking in the lav, fights, etc. I was always under the impression
          > that the more things you list specifically about what you do or don't do,
          > the more you leave yourself open to liability if an issue arises that you
          > don't list. I think the implied standard is that something was done that a
          > reasonable person would take to mean that a violation might have taken
          > place. It would seem to me that in any investigation, one of the first
          > questions asked would be what prompted the investigation.
          >
          > > >We also stress that we monitor for safety
          > > > purposes, but e-mail that passes through servers outside our district can
          > > > be read by people who administer those computers and if they are
          > > > monitoring, it isn't likely to be because they want to protect them.
          > >
          > >So if you have an administrator who is having a disagreement with several
          > >teachers it would be perfectly OK under your policy for this administrator to
          > >review the contents of the e-mail files of these teachers?
          >
          > Absolutely not. That does not equate with monitoring for student
          > safety. However, the issue of administration monitoring the email of
          > teachers during contract negotiation has come up in several school
          > districts that I am aware of. In one case a negotiator asked a union rep,
          > "Do you think the Superintendent would read our mail to find out what we
          > are planning?" He answered with a grin and said, "No way, but if I were
          > him, I would make sure someone was."
          >
          > What we do say, especially to students is that during the course of an
          > investigation, something you did wrong that is unrelated to the
          > investigation could easily surface. The example I use is this. Suppose on
          > Oct. 1, Johnny sends a pornographic picture to a dozen people. Eventually
          > it makes the rounds to 100 different people. Eventually it offends someone
          > and the picture is called to the attention of a teacher and an
          > investigation is started. In our case this investigation is relatively
          > simple because every message carries with it a complete history of who read
          > it, who sent it, and other things. It doesn't matter whether Johnny and 98
          > other people deleted their copy. As long as one person in the system
          > retains that message, the history grows. In this case there are varying
          > degrees of violations. Technically, anyone who received the picture,
          > trashed it, and didn't report it is in violation of the AUP, but they would
          > probably only get a warning. The more serious violations would be the
          > original sender, anyone who forwarded it, or any teacher who received it
          > and didn't report it.
          >
          > > > Inspection of log files.
          > >
          > >Do you mean log files or blocked URL reports or both?
          >
          > In our system they are one and the same. Every transaction carries with is
          > a code number that indicates how the transaction was handled. A code of
          > 216 indicates the transaction was "Blocked due to rating check."
          >
          > > > >Who is authorized to conduct individual searches of Internet usage
          > > > >records of students and staff?
          > > >
          > > > Technical staff under the direction of administration.
          > >
          > >Under what circumstances? The whim of administrators? Or if there is
          > >reasonable suspicion that the search will reveal activity in violation of
          > >school policy or the law? (The latter is the standard that I think should be
          > >in place for any individual search.)
          >
          > The latter, and then only after reporting the initial suspicion and being
          > directed to move forward with an investigation.
          >
          > >I am not talking about evidence of violations of policy or laws. I am taking
          > >about documentation related to the search. So let's make this personal. If
          > >your administrator were to authorize a search of your personal e-mail files,
          > >under what circumstances do you think this would be appropriate and what
          > >documentation, if any, do you think ought to be created and filed somewhere to
          > >verify the circumstances underwhich your e-mail files were accessed, for what
          > >purpose, what was found, and what the consequences were? Now, the same
          > >question for students.
          >
          > I think we are getting into legal territory in which I don't have the
          > expertise to answer, but I'm getting better by watching The Wire of HBO.
          > <grin>
          >
          > The best I could say is that as soon as you "inspected" email, which is
          > considerably different from electronic monitoring you are setting the stage
          > for a serious legal battle, whether it is a teacher or a student.
          >
          > I believe most districts tread VERY lightly when it comes to email and hold
          > MUCH higher standards to moving into an investigation than they would for a
          > web access violation.
          >
          > Art
          >
          > ******************************************************************
          > Art Wolinsky
          > OII Technology Director Big6 Associate
          > http://oii.org http://www.big6.com
          > awolinsky@... Web-and-Flow Team
          > (609) 597-9481 ext
          > 337 http://www.web-and-flow.com
          >
          > ******************************************************************
          > I am perfectly capable of learning from my mistakes.
          > I will surely learn a great deal today.
          > ******************************************************************
          >
          >
          > WWWEDU, The Web and Education Mailing List
          >
          > To unsubscribe from this group, send an email to:
          > wwwedu-unsubscribe@yahoogroups.com
          >
          > To access the archive, please visit the list homepage:
          > http://edwebproject.org/wwwedu.html
          >
          >
          > Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
        Your message has been successfully submitted and would be delivered to recipients shortly.