When Richard Steen, former acting director of Harvard Arts and Sciences Computer Services (HASCS), compared Harvard's primary computer planning and maintenance program to a sinking ship, he forgot to mention that it was also missing a compass. HASCS's lack of central direction and clear policy was never more evident than in last week's discovery and haphazard treatment of a public log file revealing the names of Harvard community members and their network addresses.
When The Crimson made present HASCS director Franklin M. Steen (no relation to Richard) aware of the existence of this file, Steen did not take any immediate action. The mere fact that the director was not aware that the log file existed is of grave concern; but the complete absence of any consistent policy defining the terms and guarantees of students' privacy, as well as the subsequently panicked manner with which the file was closed down, point to a much more fundamental shortcoming in the way Harvard manages its critical computer systems.
Steen acknowledged the ambiguity of Harvard's policies, describing the particular rules governing access to the log file simply--and too easily--as "a grey area." While users should realize that ultimately there is no such thing as network privacy, passing sensitive matters off as "grey areas" is no answer either. Many state, federal and international laws already recognize e-mail transmissions and network accounts as valid legal documents and entities. Some schools, like the Massachusetts Institute of Technology, have sensible policies which are consistently interpreted and applied. They define users' rights and responsibilities, and limit the technical capabilities available to users accordingly. There is no reason that Harvard cannot develop a similarly competent technological jurisprudence.
When the public log file was discovered, one HASCS employee said that it could have been closed down "in a matter of seconds, but that HASCS does not currently have time to be pro-active." Steen added that "it's a manpower issue." Without any central policy to guide its actions, HASCS is left to deal with problems on a "case-by-case basis." It shows itself both inefficient and ineffectual when a member of the Standing Committee on Information Technology describes the group's working guidelines as "kind of vague." Under these conditions, HASCS will be dealing with thousands of individual problems, applying no consistent standard of judgment to any of them--and in the process, drilling more holes into the already sinking ship.
When repeatedly asked why there was a delay in closing down the log file, Steen claimed offhandedly that there were simply no complaints about it, and that "there are technical issues involved." When the log file was finally closed down, Steen was unable to say "what impact [the closure] will have. It may affect something else that needs it. We'll have to wait and see." Such technical insecurity is cause for concern.
The body discussing these issues is a mere ad hoc subdivision of the Standing Committee on Information Technology. If the Administration takes these issues seriously, it should appoint a higher-priority committee to develop a flexible and evolving set of policies which clearly define network users' rights and responsibilities. It should mandate the institutional and technical vehicles by which these policies can be applied and implemented, instead of allowing perceived technical constraints to dictate hopelessly ad hoc policies.
Incoming Dean of the College Harry R. Lewis '68, McKay professor of computer science and co-chair of the Information Technology committee last semester, will be in the perfect position to appoint such a higher-level committee when he takes over next fall.
The College should send e-mail messages to all network users to make them aware of the system's capabilities and failures, and of their own responsibilities within that system. In addition, if HASCS makes users aware that harmless commands such as 'finger' allow others to note their last log-in times, users will not have unrealistic expectations for complete network anonymity. Without articulating exactly what constitutes inappropriate behavior on the network, there is no standard by which any behavior can be judged.