Harvard University officials scrambled Monday to contain the fallout from a damaging report in The Boston Globe over the weekend disclosing how administrators secretly accessed email accounts belonging to 16 resident deans at the university.
In a statement Monday, Harvard Deans Michael Smith and Evelynn Hammonds acknowledged that the search described in the Globe report had happened. However, they maintained the search was done in an extremely limited and thoughtful manner to identify an individual who shared a confidential email with an unauthorized person.
[ ROUNDUP: 13 of the biggest security myths busted ]
Though the specific email was inconsequential, the fact that it was forwarded word-for-word to someone else was concerning, the deans said in their statement. The disclosure prompted concerns that other information, especially sensitive student information, was also at risk of similar disclosure.
"The search did not involve a review of email content; it was limited to a search of the subject line of the email that had been inappropriately forwarded," Smith and Hammonds noted. "To be clear: No one's emails were opened and the contents of no one's emails were searched by human or machine."
The statement appears to be an attempt by Harvard to put a lid on what's quickly turned out to be a major embarrassment for the prestigious university.
The Globe on Saturday reported that Harvard administrators had secretly accessed the email accounts of 16 resident deans at the university last fall. The university was looking for the source of a leak to the news media about a cheating scandal at the university, the Globe reported.
Resident deans serve on Harvard's Administrative Board, the university's disciplinary body, and are responsible for working with students to discuss such issues as academic requirements and personal concerns, according to a university description. Resident deans, who are basically non-tenure track teachers, work with students in preparing academic petitions and in responding to disciplinary actions.
None of the resident deans whose emails were searched were informed about the access prior to the search and only one was told about it after the search was completed. The individual who was notified about the search was a resident dean who had forwarded a confidential email pertaining to the cheating scandal, to a student. The contents of that email -- basically advice on how to counsel students accused of cheating -- later found its way to the Harvard Crimson student newspaper, and from there to the Globe.
According to the Globe, each of the deans had two Harvard email accounts, one for administrative duties and another for personal use. Only the administrative email account was accessed in each case, the newspaper noted.
The story prompted an immediate response from faculty members and the news media. In a blog post, Harry Lewis, a former dean of Harvard College and a professor of computer science at the university, questioned whether administrators decided to access the emails because they thought that the privacy policies protecting faculty members from such snooping, did not apply to resident deans.
According to Lewis, Harvard's faculty email privacy policies prohibit administrators from accessing faculty emails without notice except under a narrow set of circumstances. The university's policies for staff emails are less robust from a privacy perspective.
"Whichever policy is applicable, this way of handling the situation seems to me -- well, dishonorable," Lewis said in his blog, in response to the Globe story. "Why not tell people you are reading their email? Other than avoiding, perhaps, the embarrassment of acknowledging that you are doing something to which the targets would reasonably object if they knew it," he wrote.
Michael Mitzenmacher, a Harvard professor of computer science, disagreed that the incident represents a moral failing on the part of the university. However, the university should have informed resident deans of the search all the same, he said in a blog post on Monday.
Even though the search was targeted and only involved a search for subject lines and not email content, the fact remains that a search was conducted, Mitzenmacher said.
"I don't think this care offers an excuse for not following the policy of informing the Resident Deans of the search. I would still say a search on their email had been performed and, from my understanding of the policy, they should have been notified. This is something the faculty and administration can and should discuss further," Mitzenmacher said.
The New York Times quoted Harvard law professor Charles Ogletree as expressing shock and dismay over the incident. "I hope that it means the faculty will now have something to say about the fact that these things like this can happen."
In Monday's statement, Smith and Hammonds acknowledged the university had bungled in not informing the resident deans of the search. But they maintained that they remained silent to protect the privacy of the dean who had forwarded the email. The fact that no human had looked at the emails was another reason for remaining silent.
"We understand that others may see the situation differently, and we apologize if any Resident Deans feel our communication at the conclusion of the investigation was insufficient," the university noted.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.
Read more about privacy in Computerworld's Privacy Topic Center.
This story, "Harvard scrambles to explain why it secretly searched deans' emails" was originally published by Computerworld.