Harvard scrambles to explain why it secretly searched deans' emails

Search was done out of concerns for sensitive information leaks

Harvard University officials scrambled Monday to contain the fallout from a damaging report in The Boston Globe over the weekend disclosing how administrators secretly accessed email accounts belonging to 16 resident deans at the university.

In a statement Monday, Harvard Deans Michael Smith and Evelynn Hammonds acknowledged that the search described in the Globe report had happened. However, they maintained the search was done in an extremely limited and thoughtful manner to identify an individual who shared a confidential email with an unauthorized person.

Though the specific email was inconsequential, the fact that it was forwarded word-for-word to someone else was concerning, the deans said in their statement. The disclosure prompted concerns that other information, especially sensitive student information, was also at risk of similar disclosure.

"The search did not involve a review of email content; it was limited to a search of the subject line of the email that had been inappropriately forwarded," Smith and Hammonds noted. "To be clear: No one's emails were opened and the contents of no one's emails were searched by human or machine."

The statement appears to be an attempt by Harvard to put a lid on what's quickly turned out to be a major embarrassment for the prestigious university.

The Globe on Saturday reported that Harvard administrators had secretly accessed the email accounts of 16 resident deans at the university last fall. The university was looking for the source of a leak to the news media about a cheating scandal at the university, the Globe reported.

Resident deans serve on Harvard's Administrative Board, the university's disciplinary body, and are responsible for working with students to discuss such issues as academic requirements and personal concerns, according to a university description. Resident deans, who are basically non-tenure track teachers, work with students in preparing academic petitions and in responding to disciplinary actions.

None of the resident deans whose emails were searched were informed about the access prior to the search and only one was told about it after the search was completed. The individual who was notified about the search was a resident dean who had forwarded a confidential email pertaining to the cheating scandal to a student. The contents of that email -- basically advice on how to counsel students accused of cheating -- later found their way to the Harvard Crimson student newspaper, and from there to the Globe.

According to the Globe, each of the deans had two Harvard email accounts, one for administrative duties and another for personal use. Only the administrative email account was accessed in each case, the newspaper noted.

The story prompted an immediate response from faculty members and the news media. In a blog post, Harry Lewis, a former dean of Harvard College and a professor of computer science at the university, questioned whether administrators decided to access the emails because they thought that the privacy policies protecting faculty members from such snooping did not apply to resident deans.

According to Lewis, Harvard's faculty email privacy policies prohibit administrators from accessing faculty emails without notice except under a narrow set of circumstances. The university's policies for staff emails are less robust from a privacy perspective.

"Whichever policy is applicable, this way of handling the situation seems to me -- well, dishonorable," Lewis said in his blog, in response to the Globe story. "Why not tell people you are reading their email? Other than avoiding, perhaps, the embarrassment of acknowledging that you are doing something to which the targets would reasonably object if they knew it," he wrote.

Michael Mitzenmacher, a Harvard professor of computer science, disagreed that the incident represents a moral failing on the part of the university. However, the university should have informed resident deans of the search all the same, he said in a blog post on Monday.

Even though the search was targeted and only involved a search for subject lines and not email content, the fact remains that a search was conducted, Mitzenmacher said.

"I don't think this care offers an excuse for not following the policy of informing the Resident Deans of the search. I would still say a search on their email had been performed and, from my understanding of the policy, they should have been notified. This is something the faculty and administration can and should discuss further," Mitzenmacher said.

The New York Times quoted Harvard law professor Charles Ogletree as expressing shock and dismay over the incident. "I hope that it means the faculty will now have something to say about the fact that these things like this can happen."

In Monday's statement, Smith and Hammonds acknowledged the university had bungled in not informing the resident deans of the search. But they maintained that they remained silent to protect the privacy of the dean who had forwarded the email. The fact that no human had looked at the emails was another reason for remaining silent.

"We understand that others may see the situation differently, and we apologize if any Resident Deans feel our communication at the conclusion of the investigation was insufficient," the university noted.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
