The Patriot Act and Higher Education
Wednesday, February 27, at 1 p.m. U.S. Eastern timeHow should colleges respond to the USA Patriot Act? Will the new law force colleges to compromise their principles?
In the wake of September 11, Congress passed and President Bush signed the USA Patriot Act, designed to give law-enforcement officials a variety of new tools to track down terrorists and to prevent terrorist attacks. The law is only now beginning to be studied by college officials, and some of them -- especially librarians -- are worried that the law may force changes in the culture of academe. They fear that provisions in the law could lead to colleges disclosing information from students' files without their permission, reporting on the library books checked out by some scholars, and collecting data on who on campus is sending e-mail to whom.
» Colleges Fear Anti-Terrorism Law Could Turn Them Into Big Brother (3/1/2002)
Tracy Mitrano is co-director of the Computer Policy and Law Program and policy adviser in the Office of Information Technologies at Cornell University, one of the few institutions that have adopted specific procedures on how to comply with the Patriot Act. Ms. Mitrano has taught American history, religious history, social history, and constitutional law at Cornell and at Syracuse University. She has a Ph.D. in American and women's history from the State University of New York at Binghamton, and a law degree from Cornell. Ms. Mitrano will respond to questions and comments about how colleges should deal with the Patriot Act on Wednesday, February 27, at 1 p.m. U.S. Eastern time. Advance questions are encouraged and may be posted now.
Andrea Foster (Moderator):
Hi. This is Andrea Foster. I write for The Chronicle of Higher Education.
Today the topic we will be discussing is the USA Patriot Act, the new anti-terrorism law that has many colleges concerned that the government will be intruding on the privacy of faculty, staff, and students.
Our guest today is Tracy Mitrano, co-director of the Computer Policy and Law Program and policy adviser in the Office of Information Technologies at Cornell University. Tracy has lectured extensively on how this law is expected to affect college networks, and she is here to answer questions from our audience.
Welcome, Tracy.
Tracy Mitrano:
The Patriot Act joins other historical governmental emergency actions such as the Alien and Sedition Acts of the 1790's, the suspension of habeas corpus during the Civil War, the Abrams decision muting free speech during WWI and the Palmer Raids immediately following it, Roosevelt's New Deal legislation and then the internment of Japanese peoples during WWII, the McCarthy hearings that followed and the FBI intimidation of civil rights and anti-Vietnam war protesters in the 1950's and 1960s. How we, as citizens, and historians after us, will come to consider this legislation depends on the success or failure of our military and foreign policy efforts, the future of terrorist attacks on American soil and the degree to which this legislation is found to conform to, conflict with, or alter altogether contemporary constitutional standards.
Question from Amy Metcalfe, University of Arizona:
Do you anticipate differing reactions to the Patriot Act from various administrative units (e.g. libraries, computer centers, international student affairs offices, registrar's offices, etc.)?
Tracy Mitrano:
It's possible that there will be differing reactions for a couple of reasons. The Patriotic Act affects those administrative offices differently, and of course one must always take into account individual reactions and responses. But having said that, I do not believe that there are a priori set differences that need be the case, and would suggest that could communication and cooperation among different administrative offices can go a long way in harmonizing a college's or universities's response.
Question from John Young, Southern CT State University:
Under what circumstances are Information Technology professionals required to comply or assist with a request from University officials or law enforcement personnel that involves investigating personal data on University computers? Has this changed since the Patriot Act?
Tracy Mitrano:
There are no pro-active measures that IT systems must make in their design or architecture, or in data retention policies, pursuant to the Patriot Act. Prior to the Patriot Act, law enforcement with proper authorization could acquire any variety of information transmitted or stored on IT systems. The Patriot Act does not change that pattern. What the Patriot Act is alleged by observers to do is to lower the standard by which law enforcement acquire supeonas for pen registers and trap-and-trace devices. Please note that the Patriot Act explicitly excludes "content" for pen register and trap-and-trace devices, although the law is not clear on what constitutes "content," for example, subject lines in email communications, or URLs in web-based uses. Critics of the Patriot Act have observed that judicial oversight traditional to 4th Amendment juris prudence is significantly minimized or possibly even negated in these circumstances. Consequently, it is not so much a difference for colleges and universities as it is in the facility with which law enforcement can acquire authorization that they then can bring to bear upon colleges and universities to produce information residing on IT systems.
Question from Abel Adekola, U. of Wisconsin, Stout:
What are the signs to look for in realizing a legitimate inquiry that supports The Patriot Act without being drawn into responding to every governmental agency questions about our International students?
Tracy Mitrano:
Individual administrations should pro-actively consider what kinds of law enforcement requests that are not compelled by subpoenas, warrant, or other authorizations,in anticipation of non-required requests that may come from various government agencies. It was not uncommon before the Patriot Act, and it may be now increasingly common after 9/11 and the Patriot Act, for law enforcement agencies to request that colleges investigate matters on behalf of the agency. The question of whether or how to respond to such requests are then policy questions to be answered by the appropriate administrative members of a particular college or university. I would recommend that all requests for information about international students especially, be directed to college or university counsel to be sure that the request meets all legal requirements.
Question from Andrea Foster and Scott Carlson:
Are there parts of the Patriot Act that you view as particularly antithetical to the traditions of academe?
Tracy Mitrano:
Patriot Act provisions that provide for the acquisition of business records under the Foreign Intelligence Surveilance Act, and that furthermore require colleges and universities not to disclose those requests, may strike many people in academe, who prize free speech and expression, as antithetical to the mission of colleges and universities. The Patriot Act states that the request not obviate the First Amendment -- but without free inquiry, how can that very question be properly tested? The Patriot Act amendments of the Electronic Communications Privacy Act to allow for federal investigation of computer trespass without authorization, but only at the request of the owner or operator of an IT system, not withstanding restrictions to the specific investigation built into this amendment, may cause observers of 4th Amendment juris prudence to pause: on the one hand whether a potentially innocent defendant of computer trespass enjoys full constitutional protection , or on the other hand, whether a potentially guilty defendant may enjoy the exclusionary release of a finding that the section of the Patriot Act is unconstitutional. The Patriot Act adds a new exception to the already existing exceptions under the Family Education Records Privacy Act. The new exception is narrowly tailored to an investigation of terrorism, and is designed to assist the health and safety of anyone who may be affected by a potential terrorist attack. Some observers have objected to this new exception, claiming that the already existing health and safety exception suffices. I disagree with that position, because the purpose of the already existing health and safety exception was intended for the individual students. The new exception is designed to protect the health and safety of everybody else. Moreover, this new exception has the benefit of being narrowly tailored to an investigation of terrorism.
Question from S. Frishman, Oakland University:
Do you recommend that the Family Education Rights and Privacy Act (FERPA) be part of or referred to in an institution of higher ed's Patriot Act policy? Do you think that FERPA prevents records from being disclosed under the Patriot Act? Thank you.
Tracy Mitrano:
Please see the last paragraph to the above answer. The Patriot Act amends FERPA. The new exception is narrowly tailored to an investiagion of terrorism, and I recommend that attorneys and registrar administrators study the provisions in the Patriot Act concerning the requirements for a proper request under this new exception. As such, I do not think that the Patriot Act offends FERPA, because it explicitly amends it.
Question from Russell Dennis, Bucknell University:
What information do you think higher education administrators should give current students and faculty about the USA Patriot Act, concerning which most students and faculty have very little or no knowledge?
Tracy Mitrano:
I am less versed in the sections of the Patriot Act concerning foreign nationals, but understand through secondary sources, that there is much to be concerned about in the Patriot Act for them. With respect to students at large, and the administrators who represent their interests, it may be significant to note that the former confidentiality that had protected statistical information that colleges and universities sent to the National Center for Education Statistics routinely is now obviated by the Patriot Act. In short, that stastistcal information is no longer confidential. The Immigration and Naturalization Service has given notice to colleges and universities that it intends to fully implement existing law with respect to reporting on foreign students. It is ironic that a number of years ago the INS asked colleges and universities to stop sending that information to them, because the INS could not manage the volume. Now the INS has turned around and requested that colleges immediately begin supplying them with that information, without providing colleges and universities with the resources that would now be necessary in order to track foreign students. The American Council on Education website is a good resource on this particular question.
Question from David Netz, St. Lawrence university:
I am heading an ad hoc committee to begin a plan for developing a campus privacy policy. Any tips for integrating privacy policy development and Patriot Act response plans?
Tracy Mitrano:
Pro-active measures to coordinate response to law enforcement requests for information or legal papers should go a long way in preserving the privacy of all college and university constituents. The main connection between the Patriot Act and privacy here would be the potential inadvertent, but unfortunate, release of information for failure to know in advance how to properly process such a request.
Question from Doug West, University of Richmond:
Are "Campus Police Departments" having these same conversations? And if so, shouldn't we expect that any Gov't agency wanting information would work through them?
Tracy Mitrano:
This question raises a very hot issue related to the Patriot Act: the new provisions that allow for the sharing of information between federal and local law enforcement authorities. These new provisions are in sharp contrast to the regulations under which federal agencies operated in the wake of the church committee findings in the 1970's of FBI and local law enforcement abuses of power during the Civil Rights and anti-Vietnam War protests. The first question that administrators should ask themselves is whether their campus security units are bona fide law enforcement officials and therefore whether their principle allegiance will be to other law enforcement officials or to administrators. If the campus security are bona fide law enforcement officials, I would recommend that university attorneys and administrators treat request s from them as they would any law enforcement agency -- in order to provide the greatest degrees of proper procedure and policy, especially in the area of privacy, for the university as a whole and for all of its constituents.
Andrea Foster (Moderator):
We have so many people interested in asking Ms. Mitrano questions that we are going to try to get a few more questions in past 2 p.m.
Question from Kim Milford, University of Wisconsin-Madison:
Do you have any information (statistical or anecdotal) on how many universities have received requests for information under the Patriot Act? If so, do you know how these requests have differed from previous requests from law enforcement? Were the requests handled differently by the universities?
Tracy Mitrano:
Unfortunately, I do not have any statistical or direct information about requests at other colleges or universities, although I am very interested in that question and would welcome any listener to contact me with that kind of information. There are some requests that would be distinct under the Patriot Act, for example under the new exception FERPA, or the business records provision under FISA, but many of the other more generic requests would probably not appear all that different to ones that colleges and universities had received before the Patriot Act. The difference is in the standard that the law enforcement used to make the request for the authorization, a process that is not transparent to the college or university.
Question from Ena Haines, Teachers College, Columbia University:
Can you describe what Cornell has decided to do in the event of gov't requests for information pursuant to the USA Patriot Act, and how the procedure may differ from previous response procedure?
Tracy Mitrano:
I am aware of the protocol that our IT systems has implemented in order to funnel requests up to the security coordinator or the policy advisor, and ultimately to the vice president, on their way (without stopping at Go, or collecting $200) to university counsel. That procedure is available on our website at www.cit.cornell.edu/oit/PatriotAct/ I cannot speak for the registrar's office or the business office as to how they intend to handle those kind of requests.
Question from Chris Cramer, Duke University:
Do you believe that the Patriot Act will increase the importance of having written policies on system log rotations. For example, having a written policy on the length of time that system access logs are maintained? In your opinion, is a University likelier to have issues with the FBI if it does not have such a policy?
Tracy Mitrano:
The Patriot Act has made us all more aware and self-conscious about our policy and procedures for responding to law enforcement requests and policies and procedures regarding retention of data. On the one hand, a policy should make clear, for better or for worse, how long the IT system maintains its data. On the other hand, the specification of a certain amount of time could create the legal liability for the university to honor its own policy, particularly in the light of a law enforcement request. As a rule, I would generally go for a clear and well-implemented policy to avoid questions, suspicions, or the potential for too much cleverness by half that could lead to university liability.
Question from Paul Rothi, Clackamas Community College:
Has Cornell or other institutions you aware of made their Patriot Act policy available on a web site as a potential model?
Tracy Mitrano:
Cornell has -- that's the website I mentioned earlier.
Question from Kim Milford, University of Wisconsin - Madison:
Does the Patriot Act potentially override conflicting state privacy protection laws? Any examples of how this might work?
Tracy Mitrano:
I am not aware that the Patriot Act overrides any New York state privacy laws, and that would be the only set of state laws with which I am familiar. I think the main critical questions about the Patriot Act tend to be about the constitutionality of some of its provisions. It is worth noting that the Patriot Act contains a severability clause, which means that if one part of it is found by the courts to be unconstitutional, that part is severable from the Act as a whole, and does not affect the enforceability of the rest of the Act.
Question from Fred Badders, Appalachian State University:
What impact or changes will the Patriot Act have on state or other privilege laws protecting confidentiality of records in certain privileged relationships such as Counseling Centers (i.e., counselors and clients)?
Tracy Mitrano:
I am aware through secondary sources that some of the Patriot Act's sections on immigrants, including foreign students, may violate attorney-client privledge laws, but in my research of the Patriot Act, because I have focused on IT and higher education, I have not studied these provisions.
Question from Barbara Fister, Gustavus Adolphus College:
The Chronicle story mentions federal agents being allowed to "install technological tools to intercept and collect information from Internet traffic." Libraries have designed systems to prevent tracing specifics of what is being read to the individual reader after a certain period of time has elapsed. But many of us now route our transactions over Internet connections through the campus Web. Does this, in some sense, imperil the library's control over who gets access or not? Ideally, a campus should have campus-wide consensus on how to deal with these issues, but could a library resist a request only to have it satisfied by another college unit that handles such traffic? And in absence of campus-wide discussion, could an agent get library patron information from, say, the campus IT or Telecomm department without the library's knowledge or agreement?
Tracy Mitrano:
That's a terrific question, and it suggests a variety of answers. I would first recommend a strong push for libraries and IT administrators to work together in the interest of the university to come to a common understanding of policy and procedure in this area. Just this morning, for example, I met with the IT professional in university libraries at Cornell to discuss these very questions, and we look forward to working together to satisfy the very legitimate concerns that libraries have to preserve the privacy of their patrons. University liability, or even non-compliance, to authorized legal requests, should not be at the expense of these privacy concerns. I have full faith that with studied cooperation, the interests of the university and the interest of libraries can both be met.
Question from Susan Palmer, The Five Colleges of Ohio:
Could Ms. Mitrano comment on (1) how the Patriot Act has changed Family Educational Rights and Privacy Act (FERPA) and its potential effects on the confidentiality of student information and educational records (other than computer and phone) and (2) whether colleges and universities are likely to be affected by the power granted to the government by the Patriot Act to collect business records (reported to include educational, medical, financial, mental health, and travel records).
Tracy Mitrano:
Please see responses above.
Question from Sydney Greenish, on behalf of Susan F. Martielli, Johns Hopkins University:
What has the pattern been as far as instituting criminal background checks or drug testing of employees in response to the Patriot Act? Has anyone instituted these checks?
Tracy Mitrano:
I am not in a position to answer that question -- my focus is on the Patriot Act's impact on information technology in higher education. Anecdotally, I will mention that almost immediately after 9/11, but before the Patriot Act, I was approached by campus police and asked to have a poem on a student's web site removed, because it was an ode to terrorism. On first ammendement principles, I rejected that request, but it is interesting that the request was made, and an indication that somehow, someone was either directed to look at that student's web site, or that there was some form of investigation of this student and their web site.
Andrea Foster (Moderator):
Well, that's all the time we have for today. Unfortunately, we did not have enough time to answer all your questions. Tracy -- Thank you for answering our listeners' questions. And thank you, all, for your thoughtful questions.
Tracy Mitrano:
Franklin Delano Roosevelt said when he got into office in the midst of the Depression that he honestly did not know how to remedy the Depression, but he had to try something -- anything -- until the country found something that would work. The New Deal was his attempt to remedy it. To some degree we, the government and people of the United States, may be approaching terrorism in the same way by using emergency legislation to confront an emergency situation. Should we find that the Act, or parts of it, ironically undermine the very cultural values that it is designed to protect then we must revisit it in the name of the Constitution.
Copyright © 2008 by The Chronicle of Higher Education