Q&A on electronic communications policies

Last year, Harvard President Drew Faust asked David Barron ’89, J.D. ’94, Harvard Law School’s Honorable S. William Green Professor of Public Law, to lead a 14-member task force that would make forward-looking recommendations regarding Harvard’s policies and protocols on the privacy of, and access to, electronic communications. Barron, who was acting assistant attorney general for the Office of Legal Counsel in the U.S. Department of Justice from 2009 to 2010, discussed the task force’s report and proposed policy, which were released this week, with the Gazette.

GAZETTE: Can you describe your working process with the committee?

BARRON: The idea was to have representatives from all the Schools at the University, both faculty and administrators, people within the University’s administration who would be both responsible for operating under any policy and who would also have knowledge and experience with these types of issues.

In the spring we focused on coming up with some basic ideas of an approach to the problem, which involved getting briefed by the legal counsel, by the information technology units, and by the University’s human resources vice president to understand the lay of the land, the legal structures, the technological capacities, and the existing policies here and at peer universities.

Michael Keating [the attorney charged with an independent inquiry into the handling of prior email searches] addressed the committee about the findings in his report. We also had contacts with the undergraduate leadership. They were terrific in coordinating with the student body to get a sense of undergraduate attitudes about this, and they provided us extremely helpful background information on that. We met with graduate student council representatives to get input from the graduate students. I, along with Leah Rosovsky [vice president for strategy and programs], went, with a few exceptions, to either an executive committee or the full faculty meeting of every School at the University, including the Faculty of Arts and Sciences.

We held open forums, both on the Longwood campus and here in Cambridge. We had an online open discussion board where we solicited feedback, and we had emails from and meetings with various members of the community. I am sure that either through open meetings or small, engaged contacts, we met with hundreds of members of the Harvard community over the year.

The members of the task force put in a great deal of work. There must have been more than a dozen meetings over the course of 10 months, and the work involved reviewing several drafts of the recommendations, participating in lengthy debates and discussions, and a significant amount of reading to be prepared for those conversations. I think people in the University community should be encouraged by the willingness of those faculty members and administrators to put in that kind of effort.

GAZETTE: Were there any missing pieces or glaring holes in the existing policy?

BARRON: No one thought there was an adequate policy; that was the reason the president established the task force in the first place. I think rather than starting with the existing policy and asking, “What are the holes in it?” we really started by asking, “What would make sense as a policy?” As it happens, there are many aspects of the new policy that build on or reaffirm aspects of the policy that was either formally established or was informally practiced. But there were also features that weren’t as clear, so those recommendations identify additional safeguards.

GAZETTE: Can you take me through the key recommendations?

BARRON: First, we recommended that there be one University policy. It’s a very complex organization, if you start to break it up into its component parts, and the systems aren’t organized to be self-contained to any one unit. The University is now, and the aim of the University’s future is to make it a much more porous place across Schools, across components. And as those boundaries become more permeable, the idea that you can have a self-contained policy that won’t be bumping up against another policy seems unlikely.

In addition, we thought it was important not to make the status of the user determinative of the policy. Applying basic principles regarding when access would be justified across all the actors in the University makes it a much more legible policy, rather than having a separate policy for tenured faculty that is distinct from other types of academic appointments, that is distinct from students in certain roles, that is distinct from staff. It didn’t seem a very productive way to go about it. Obviously those roles may be relevant in particular judgments and the policy is sensitive to that. But the basic idea is that we are one community, and the rules regarding access should be designed with an eye toward the University’s legitimate interests, as opposed to more formal ideas about the status of a user. Those are two big, cross-cutting ideas.

The need for there to be a legitimate purpose for seeking access is fundamental to the policy. The difficulty then, of course, is identifying contingencies that may arise in which in the particular moment, looking at all the facts, it may seem like there is a legitimate institutional interest in obtaining access. The policy’s aim is to articulate those circumstances that historical experience and our consultations with the community suggests to us are legitimate reasons for access, and to use those as anchors for testing judgments that might arise in more challenging cases.

The second stage of the process, once a legitimate reason for access has been identified, is the question of how a decision to allow access gets authorized. The basic idea there is that it needs to be a high-level and accountable actor, and it should be an actor that’s connected to the user.

So the deans of the relevant faculties are identified as the persons who are enabled to authorize access, with the exception of special cases identified in the policy, such as instances in which the user himself has consented to the access, or circumstances in which the need for business continuity or the operations of the University continue. In another example, if a staff-level person is unable to be at work or has left the University, but they have critical administrative files that need to be looked at, administrative actors are given the authority in those circumstances. Internal investigations or concerns about misconduct are different types of investigations. In those instances, there are different grounds for getting access, and a different type of actor should be responsible for authorizing that.

GAZETTE: Will these high-level actors need any kind of formal approval before granting such access?

BARRON: The reality is that in many of these circumstances the time sensitivity is such that we thought a requirement of consultation with a particular oversight committee wouldn’t be workable or practical. This was a judgment call made after meeting and talking it through with various people throughout the University. So it wasn’t just the task force on its own making this decision; this was actually a choice or a question that we put to people at faculty meetings and in smaller sessions.

We do recommend in the policy that there be an oversight committee with faculty representation that’s responsible on a periodic basis for reviewing these decisions.

Our hope is that if you know that your decision is going to have to be put in writing and will be looked at by a group that includes members of the faculty, that knowledge should cause you to reflect. It may cause you to consult. In fact, I think these decisions are often made in consultation with others, which is of course a good practice, but we don’t try to micromanage those details.

GAZETTE: Does the policy address the need to notify a person their information or account will be accessed?

BARRON: We make clear in the policy that timely notification is strongly presumed except in certain circumstances that are laid out in the policy. The idea there is that out of respect for members of the community it’s important to notify them, but also it has a disciplining effect on the decision-maker who is going to grant the access. It’s a prompt to get them to think hard about how important the access is and about alternatives to getting access without consent that might obviate the need for getting access, yet it still enables the University to accomplish its mission or meet its responsibilities.

We also address how access should be conducted. The policy lays out some guidelines and instructs the information technology units in the University to codify protocols and procedures to help ensure that when access occurs, it’s really done in the most minimally intrusive way.

GAZETTE: What were the principles that helped to guide this process?

BARRON: From the beginning, there was a sense that we really needed to understand the empirical realities of the situation. What is it that the University actually can get access to without you knowing about it? And why is it set up in a way in which that can happen? I think, delving into that, we all got a sense that the system is already structured with an eye toward the risks, that lots of sensitive and personal information may be traveling through the system, and that the operators and managers of the system are aware of that and are thinking about how to be respectful of that fact.

At the same time, the reason the system is so useful to the people who rely on it — all of us, students, faculty, staff — is in part because the network is monitored and observable and protected. So that basic understanding was a critical threshold. That being the situation, we looked at what principles should guide a policy that would manage and regulate and govern decisions to obtain that access.

We relied on three guiding principles. The first is the importance of candor. We just thought there was no way this policy can ensure or induce the kind of trust that’s necessary if it’s not honest about what it’s doing.
The second principle was the importance of the policy inducing trust. If you are honest about how the systems operate and what the capacity for access is, there is a possibility that people get alarmed. So an important feature of the policy is at the same time it’s explaining this to people, it’s making sure there are legitimate safeguards in place.

The last principle was the need for safeguards that would foster trust in an academic community. After all, we are a special kind of community as an academic institution, with a special mission in which the spirit of free inquiry is fundamental. The clearest cases in which that principle manifests itself in the policy are in the provisions regarding notice, the provisions regarding the limited set of people and the particular types of people who are enabled to grant access, and the presence of faculty on the oversight committee.

GAZETTE: How did the lessons learned from the controversy over a decision by University officials to access certain electronic information through the University’s information systems help inform your recommendations?

BARRON: The aim of the task force was to set forth a durable policy for the future. But our work was precipitated by a particular controversy of which the task force was keenly aware, which is why we met with Michael Keating and why we read his report with great interest. The lessons about the need for documentation, about the value of after-the-fact review, and I think also about the problems that can arise if the policy instructs those who are charged with implementing it to focus on the status of the user, were all, I think, taken very seriously by the committee, and the policy is responsive to those issues.

I think the task force believes that this policy, if adopted, provides a degree of clarity and proposes a range of safeguards that were not clearly in place when those decisions had to be made in the past. And so the idea is, with that kind of policy in place, that same judgment would not need to be made, because an understanding of all those protocols would lead the University to figure out a way to find out about the potential disclosure without having to access the information in a way that would cause controversy.

Or, alternatively, if the University were faced in the future with a situation of what it believed was an imminent disclosure of very sensitive or confidential student information and saw no alternative, any judgment that would be made to permit access in that circumstance would have to be made as follows. It would have to be in writing. It would have to be authorized through a more clearly identified authorizing chain. It would have to be made with an eye toward timely notification of the person whose account would be accessed (whether or not a tenured faculty member). It would have to be conducted pursuant to protocols that the information technology units had put together in advance. And it would be made with the knowledge that it would be reviewed after the fact by this oversight committee, on which faculty would serve. The key, then, is to be honest about the difficulty of identifying every future contingency, given the different facts that may be involved, but also to be clear in ensuring that decisions about access are grounded in a legitimate institutional purpose, and that they are made pursuant to a policy that is known and clear and that is more capable of ensuring that judgments, once made, occur in a manner that is understood and trusted.

GAZETTE: How did you balance concerns for privacy with the University’s commitment to academic freedom and academic inquiry in this set of recommendations?

BARRON: The University is dependent on academic freedom, and the policy has to be one that honors those values. That’s very much in the spirit in which President Faust created the task force. But I think it’s important not to assume that a respect for academic freedom necessarily precludes the permission of access.

One thing that struck all of the task force members is the circumstance in which access to user information occurs and has occurred in the context of research misconduct investigations. Those have not created controversy largely because the processes and structures through which those decisions are made, and the reasons why they are made, strike people as legitimate.

So the idea here was to come up with a policy outside those existing processes for other kinds of investigations that may need to be undertaken, one that is pursuant to structures and protocols I outlined a moment ago that have a similar kind of legitimacy.

GAZETTE: Could you envision this policy being reviewed on a regular basis?

BARRON: We don’t recommend a mandatory timeline for review. We think one of the functions of the oversight committee should be thinking not just about the individual decisions made under it, but also about how the policy is operating.

One of the things that we make reference to in the report is the rise of ephemeral email systems like Snapchat. If they become integrated into University systems, that will raise its own set of questions, and that’s just exemplary of the kinds of developments that the University needs to stay attentive to.  We discussed the idea of whether a chief privacy officer or the oversight committee or otherwise is the right mechanism for that.  We don’t try to be prescriptive on that institutional issue.  But the basic recommendation of the task force, and it was pretty strongly felt, is that while we are future-looking, it’s very hard to be truly future-looking when you just don’t know what the future looks like.

The idea is to have a mechanism in place for sustaining faculty engagement with the administration on the frontier issues in this realm so that the University is thinking about it and getting ahead of it, rather than finding itself in a position in which this policy didn’t really match the technological realities five years out.

GAZETTE: What are the next steps?

BARRON: The task force work isn’t quite done.  Although the report explaining our thinking is done, the task force felt it was very important that we try and operationalize our recommendations by actually drafting a recommended policy for the University.

We wanted to make sure that, before we made our final recommendations about what that policy should be, the University community has an opportunity to comment on it. The whole aim of the task force was to reach out and to explain our thinking, so that people could react to it and inform us. But we thought that the only way to really ensure that we got that responsiveness was to show them what we were thinking our thought process would cash out as.

There’s going to be a two-week comment period through the discussion board for members of the community to give us thoughts about it. We spent a long time thinking about it, and we heard from many, many voices in the University community, and on all sides of these issues, and the proposal is reflective of the task force’s thinking about that input. But we’re aware that the discussion is going to be richer when people actually see what the words are than it would be if it remains at a level of abstraction.

Our next step will be to take the comments that we receive from that period, make whatever revisions, if any, seem appropriate in light of the reasoning that we set forth in the report, and then to provide President Faust as our last deliverable the revised, if it’s revised, final proposed policy.

GAZETTE: How will this policy be implemented?

BARRON: We note in the report that it’s really important for the University to charge an official in the University with the responsibility for the oversight of the implementation and the education of people about the policy. There are a whole set of operational actions that have to occur if a policy in this form, or some version of it, were adopted. A policy like this, whatever it says, works only if it is understood and if it is followed.

GAZETTE: Do you think that having been an undergraduate, graduate student, and now a professor at Harvard gave you a unique perspective with your work with the task force?

BARRON: Having worked in government and having some understanding of the legal issues that were involved, but also an understanding of the limitations of looking at problems like this only from a legal lens, was helpful. Also helpful was being aware of the many different roles that faculty and students and staff play at the University, as well as an understanding from my 25 years of being here, on and off, that Harvard, like every great academic institution, depends fundamentally on a sense of trust and respect between the people who work, study, and learn here, and the people who are charged with running the University’s operations.

It’s a mutual trusting relationship that has to exist for the University to be operating in the way that everyone should want it to be operating. I think everyone on the task force came to it with an appreciation of that and a sense that this type of issue, if not handled with sensitivity in the policy, can fray that sense of trust. Everyone on the task force felt it was time well-spent because it was on a project that is worth trying to get right.

The task force as a whole was impressed by the basic goodwill and concern for these issues that was reflected in the administrators whom we spoke with, in the information technology personnel whom we dealt with. And the understanding of the operational and administrative needs of the University on the part of faculty and students was also striking. Although the controversy generated lots of worry about a breakdown in trust, our sense was that when you got into a real conversation about it, there was a sense from all the parties involved of a capacity to understand the interests of the other actors. That made it much easier for us to do our work, because I think there was a latent consensus on a lot of these issues. Really, we saw our task, once we identified that broadly shared understanding, as just to operationalize it.