
Faculty Question Changes to Policy on Computer Security and Privacy

Revisions aim to adapt 13-year-old policy to new computing environment

A proposal to revise Duke's 13-year-old policy on computer security and privacy, presented at Thursday's Academic Council meeting, was met with questions from two faculty members concerned that the policy didn't provide enough protections in a legal dispute.

Discussions will continue on the policy, and it will return to the council at its May meeting.

Revisions to the policy, which is designed "to promote the ethical, legal and secure use of computing and electronic communications for all members of the university community," are needed to take into account changing legal and regulatory requirements since 1997, according to Duke officials. The new policy had the support of President Richard H. Brodhead, Provost Peter Lange and faculty committees including the Information Technology Advisory Committee (ITAC).

Paul Horner, the university's chief information security officer, told council members that the policy also needs to adapt to the changing computing environment where access to the Internet is ubiquitous and a range of materials from data to e-mail is stored on Duke servers.

The bulk of the revisions to the 1997 policy are in two additional paragraphs encouraging appropriate use of computer passwords and outlining a Duke community member's responsibility if their electronic records must be preserved by a third party because of legal investigations or even a threatened lawsuit.

Horner said both provisions underscore that in the changing computer environment, people can't rely solely on university practices to guarantee the safety or privacy of electronic content.

"These areas were gaps in the current policy," Horner said. "One message we have is the importance of a strong password. The password is the entry way into the Duke system, and it's the entry way into a lot of personal information about us."

It was the second revision, though, that caused the greatest discussion.

Professors Richard Hain and Roxanne Springer questioned whether documents collected because of an investigation would be secure. Horner replied that all material would be kept as secure as it currently is on Duke servers, but Hain pressed for the policy to state that the material would be encrypted, giving it a higher security status.

"What assurance do we have that this material is well kept?" Hain asked. "Is it encrypted to keep it from prying eyes?"

Springer also questioned who was making the decisions to collect electronic information and who decided what was in Duke's interest when legal matters required such collection.

In the end, Academic Council Chair Craig Henriquez said the discussion would return to the council in May. He said the policy reinforced the need for people to think about what material they want to keep on Duke servers, where it can become subject to legal matters involving Duke.

"Some of these are legal issues outside of Duke IT," Henriquez said. "In a legal case, they are compelled to make [material on Duke servers] available. We have a choice we can use these or not or delete things or to store them on our own personal computers. This policy tells us that we need to be vigilant of the things we put on Duke servers."