Harvard Defends Email Search
Harvard faculty reacted angrily to Harvard’s search of Resident Deans’ emails. (Resident Deans are administrators who oversee the affairs of Harvard’s residential dorms.) Harvard conducted the search, without notice to the deans whose accounts were searched, in order to determine how confidential information regarding last year’s cheating scandal leaked to the press. Through the search, Harvard determined that the memo was forwarded by one Resident Dean to two students.
Harvard faculty criticized the search on the ground that it violated Harvard policy, which guaranteed faculty members that their Harvard email accounts would not be searched except in “extraordinary circumstances” and only then with prior notice. (See, for example, computer science professor Michael Mitzenmacher’s post, which describes Harvard’s email policy.) Harvard countered that the policy was not violated because Resident Deans were assigned two email accounts – a personal account and an account to use in connection with their responsibilities as Resident Deans, and only the Resident Dean accounts were searched. Additionally, the email searches accessed only the subject lines and not the other content of the emails.
Much of the debate over the search has focused on whether Harvard violated its own email policies and guarantees to its faculty. But the story brings up a number of what-ifs that are interesting to contemplate. If Harvard had been a public institution instead of a private university, the search might have violated the Fourth Amendment. (See City of Ontario v. Quon.) If Harvard had stored its emails on a third-party service rather than its own server, accessing the communications might have violated the Stored Communications Act. Even if Harvard’s IT department offered email accounts to the public rather than only to Harvard employees, the IT department may have been required to keep the content of the emails confidential. Another interesting aspect of the case is that Harvard defended its actions in part by saying it only accessed the subject lines of emails and not the “contents” of the emails – but the DOJ considers subject lines “content.” (See page 123 of the DOJ manual on obtaining electronic evidence in criminal investigations.)
Report on China Cyberattacks Renews Discussion on Cyberespionage Law
In other news, the security group Mandiant released a report that traced the majority of the cyberattacks originating inside China and targeted at Americans to a neighborhood in Shanghai where a unit of the People’s Liberation Army is located. The attacks originating in the neighborhood, tied circumstantially to P.L.A. Unit 61398, included intrusions on American government, infrastructure, and companies. One of the most surprising items in the report was that the P.L.A. allegedly deployed its hackers to give Chinese beverage company Huiyuan Juice Group an advantage in negotiations with Coca-Cola, by accessing Coca-Cola’s servers to steal confidential company files. According to the report, five legal services organizations were also targeted. The information renewed the discussion on creating new international law on cyberespionage.
Higher Standard for Search of Computers at Border in Ninth Circuit
The border-search exception, a doctrine allowing Border Patrol agents to conduct routine searches of closed containers at an international border or airport, was qualified by a Ninth Circuit decision last Friday requiring that agents have “reasonable suspicion” of wrongdoing before searching electronic devices. The “reasonable suspicion” standard is lower than the “probable cause” standard for a warrant, but is a higher standard than not requiring any suspicion at all. The decision was limited to “comprehensive searches,” leaving undecided the question of what constitutes a comprehensive search. But for now, travelers leaving or entering the country from a point within the Ninth Circuit can be slightly more assured of the privacy of their computer files.
Digital Rights Management Feature Makes SimCity Fans Angry
The newest version of SimCity, SimCity 2013, was released on March 5, only to be pulled from Amazon a week later. The cause? Complaints of SimCity fans, many of whom probably started their connection with the franchise before they had a home Internet connection. To prevent pirating and protect digital rights, SimCity used a common technique – requiring a persistent Internet connection during gameplay to verify that the copy was legally obtained. But the plan turned out poorly for many SimCity players, who had trouble connecting to SimCity’s servers and in some cases lost games when their connections failed. Although SimCity’s manufacturer, Electronic Arts, says it has by now addressed most of the problems, the case illustrates one of the pitfalls of technological safeguards for digital rights management. This could provide fodder for either those who argue that EA should try less hard to prevent piracy or those who believe that government should step in with harsher or more-enforced penalties to dissuade would-be pirates in the absence of hardwired safeguards.