A document clearly outlining UB's stance on the confidentiality, privacy and security of electronic mail and containing policy recommendations toward that end currently is being drafted, Peter Rittner, assistant to Chief Information Officer Voledmar Innus, told members of the Faculty Senate Executive Committee at the group's Oct. 25 meeting.

Rittner, along with Harvey Axlerod, university computer discipline officer; Inspector Daniel Jay of University Police, and Steven Sturman, instructional design specialist, have been working on "an email privacy position paper" in which the group "details the university's stance with regard to email privacy and also offers some background information about pertinent laws and policies, both at the federal and state levels." The group is drafting the document for the 17-member Confidentiality and Privacy Work Group, part of the Security, Confidentiality and Privacy Subgroup of the Information Technology Coordination Committee.

"We thought the document would be just a representation of the facts, but we've uncovered a number of areas that we consider fuzzy," Rittner said.

He explained that UB's policy in the making-a culmination of federal and state eavesdropping and wiretapping laws, and a SUNY computer-use policy-essentially will guarantee that one's email is private.

"It cannot be looked at by anybody at the university, except under certain circumstances," he said, noting that those circumstances would be necessitated by subpoenas and search warrants directed against email.

"If those subpoenas and search warrants include email, then there is a procedure for looking at the...affected email and filtering out those pieces of email that satisfy the subpoena or search warrant," Rittner explained.

He assured FSEC members that only the targeted pieces of mail could be used as evidence, and that "nothing else...seen in the process...is used for any purpose whatsoever."

Responding to inquiries from senators about monitoring email, Rittner said that the sheer volume of email the university processes-a half-million pieces per day-virtually precludes the university from keeping tabs on the central email servers.

Rittner called the very thought of monitoring so much mail "ridiculous" and said that despite its technical feasibility, the operation "would be enormously expensive."

As a matter of policy, Rittner also said UB will not install-if asked to do so-the FBI's Carnivore program, which allows the agency to intercept and collect electronic communication directed by court order.

"We have taken a public position...that we will refuse to install it," Rittner said of the program, noting that the FBI has approached other Internet service providers about "installing Carnivore preemptively."

Rittner also expressed concern over the lack of clearly defined procedures for obtaining email under "exigent circumstances."

If a faculty member, for example, was engaged in important business at the university and was "involved in an accident and in a coma and unavailable, and that email needs to be gotten soon," no search warrant is needed, he said, but the university still must develop a protocol for such situations.

He also rebuked department heads or managers who, on occasion, have solicited the services of IT professionals to tap into the system to monitor abuse of email and Web privileges. "I don't know of a single [IT] professional...who has any desire to fulfill any such request," he said, noting that the university is looking to adopt a policy to protect those IT professionals from potential consequences-Rittner cited possible denial of raises and promotions as two examples-of declining such a request.

He said such monitoring would prove fruitless in substantiating a claim of Web abuse-as the information most likely would have been gathered illegally-and suggested managers examine "other criteria" for gauging work performance.

Some FSEC members expressed concern that the university's email is backed up on a central system before it is discarded entirely. Rittner responded that there are competing forces that warrant such backup.

"If a faculty member inadvertently deletes an email that he desperately needs, and it's not available, then we haven't met that person's need," he said.

Ram Sridhar, associate professor of computer science and engineering, suggested the university consider "automatic monitoring of certain kinds of activities.that could be dangerous or could be for-profit or could be terrorist activities"-such as viruses, for example-but "done within the legal bounds."

Rittner said the university does comply with legal standards for issues of this nature, and suggested that UB be more proactive where viruses are concerned. He clarified that in keeping an eye out for viruses, UB looks for a set of characteristics or markers-like fingerprints-not at content directly. He called a policy of monitoring-which he described to the committee as "an intervention where you actually intercept email, (and) look at it"-counterproductive.

"I think it would have a tremendously negative impact on everybody's sense of security and morale," he said.

The university, he said, also is determining whether email is included under the Freedom of Information Act.

The draft policy on privacy, expected to be finished by mid-November, must go through a review-and-revision process before it can be adopted by the IT Steering Committee, Rittner said.

In other business, Lorna Peterson, associate professor of library and information studies and chair of the senate's Computer Services Committee, presented her panel's baseline report, which found that "all full-time faculty should minimally have what students have"-the hardware, software and support available to students through the iConnect@UB initiative.

E. Bruce Pitman, vice provost for educational technology, said that although he has allocated $200,000 for faculty computer upgrades, there still are a number of "vintage" machines that can't handle, for example, the Microsoft software recently made available to faculty, staff and students.

"Two-hundred (thousand dollars) is not going to answer the problem that's out there," he said. "It's a small attempt at starting the process."