How Private is your Wayne State Email?

This week’s blog is ‘ripped from the headlines’ (well, last week’s headlines, anyway). Most of you must have heard about recent FOIA requests from conservative/libertarian organizations to the University of Wisconsin, and, more recently, Wayne State. The requests were for email messages sent and/or received by faculty members at this university.
The Mackinac Center explained that

we thought a FOIA investigating professors’ emails on these subjects might demonstrate whether state officials should ask questions about this use of tax dollars for public universities. In the worst-case scenario, we knew these emails might suggest that the faculty had acted illegally, because certain political uses of university resources are prohibited by Michigan law.  http://www.mackinac.org/14863

Whatever one might feel about the motivations of the Mackinac Center, you may have been surprised to learn that your email is subject to FOIA requests. But, in fact, according to Michigan law, if you work at Wayne State, you are:

A state officer, employee, agency, department, division, bureau, board, commission, council, authority, or other body in the executive branch of the state government
Freedom Of Information Act, Act 442 of 1976, Section 2(d)(i)

Your email messages are a ‘public record’:

“Public record” means a writing prepared, owned, used, in the possession of, or retained by a public body in the performance of an official function, from the time it is created. Section 2(e)

And consequently

a person has a right to inspect, copy, or receive copies of the requested public record of the public body.  Section 3(1)

Now, those of us who have been using email for a long time (I have some email records saved in files going back to the late nineteen eighties) have long said that emails are not private. In fact, there used to be a an aphorism that you shouldn’t put anything in an email you didn’t want to see on the front page of the New York Times. Or that you wouldn’t put on a postcard. The recent events simply illustrate this fact. Email is not secure, and it’s not private. If you want to communicate with someone privately, don’t use email.The technology is not secure, and, if you work for Wayne State, and use a Wayne State email account, you are not legally entitled to keep the messages private. (I should add that there are, in the FOIA law, exemptions for things that actually are private, such as personal communications, communications with your doctor and so on.)
Interestingly, in the case that started this debate, at the University of Wisconsin, the General Counsel of UW argued that political discussion with peers by faculty constituted privileged communications:

http://www.news.wisc.edu/19196
For an insightful discussion of all the issues, you can read my friend Tracy Mitrano’s blog on Inside Higher Ed:

http://www.insidehighered.com/blogs/law_policy_and_it/the_cronon_case_part_i_law_policy_and_email

and

http://www.insidehighered.com/blogs/law_policy_and_it/the_cronon_case_part_ii

Because it is quite irrelevant, I have not commented on any of the political issues touched on in this blog (for obvious reasons), but the facts are quite clear–your email belongs to the world.

11 Replies to “How Private is your Wayne State Email?”

  1. Wow, I guess I should’ve assumed our emails were always read. But, how is this not considered some type of invasion of privacy? lol at least I’m thankful that I only use my Wayne email to communicate with professors. Question: Are they also allowed to read emails from a different email provider (gmail, yahoo, etc) that are linked to your Wayne State account?

    1. I absolutely did not say that emails were routinely read by any Wayne State employee. I said they were subject to FOIA requests. Nobody at Wayne State wants to read your emails (except, we hope, those who you send them to 🙂 ). However, if Wayne State receives a legal request (and a court order, a warrant, or a FOIA request is a legal request) we must ‘hand them over’. Thanks for helping me clarify this point.
      The official university position on this topic is the Acceptable Use Policy (http://wayne.edu/policies/acceptable-use.php). Note particularly Point 4.0, which points out that there may be reasons for someone at Wayne to look at email, but only under specified circumstances. This policy is not new, incidentally–it has been in effect for 11 years and was approved by all relevant bodies, incidentally, including (I am told–I wasn’t at Wayne then) the Academic Senate and other relevant consultative units.

    2. I have always wondered about the second half of your comment Ghadir.

      Geoffrey, what about email that are immediately forwarded off and not stored on WSU servers? I for one have found this interesting while talking to others at higher ed institutions. Not a single one I have talked to allows faculty or staff to forward their mail like we do. Possibly for this very reason.

      1. Many universities permit forwarding, but about as many don’t–the EDUCAUSE listervs often have this debate.
        FOIA only requires that the university provide email that it has, so it could not supply mail forwarded away from the system. On the other hand, in the case where the university receives notice of an impending lawsuit there is a requirement for ‘preservation’, and that requirement could possibly extend beyond the university’s boundaries. Here, however, you’d have to consult with General Counsel–IANAL.

  2. For personal emails at least, if it’s something sensitive, there’s always things like public key encryption (e.g. using GnuPG, gnupg.org). Might not be the most user-friendly thing to set up for non-technical types, but once it’s set up, it’s pretty easy to use. The only thing that bothers me with it is that it’s not always the easiest to use with web-based email clients.

    But, while I don’t actually know, I’d imagine if the law says a particular email is subject to inspection, you’d just be legally compelled to provide your private key, or at the very least to decrypt your email. Still probably worth doing if you have things like SSNs and the like in your email inbox to prevent accidental leaks, though, and certainly worth consideration for personal email accounts.

  3. First, I want to +1 Mike’s plug for encrypted/signed email. I agree some work needs to be done to mainstream it, but even if not for the encryption, sender identification in the form of cryptographic signing is hugely useful and overlooked.

    Also, AFAIK, a legal requirement to provide an decrypted form of emails and/or the keypair to decrypt them is not in statute and is not part of existing case law when it comes to packets gathered in the course of an investigation (contrast this to some European countries where one must, in some cases, provide a private key to authorities!), but this is very different from FOIA-land. I’d also guess that public record law can’t be skirted this way. I’d love to hear more about this if someone knows more. Geoff, would you be able to ping anyone in Law who may know?

    1. Yeah, I have no idea legally speaking, but it seems to me that if they say “You must provide email 1234”, they mean in a readable format. That’s just entirely me thinking out loud, though.

      I’d actually really like to know about the legal implications of using GPG encryption or at least signatures for university email though. I thought about creating a keypair for work, just because I think it’s “good practice”, but just never got around to it – I never considered the legal ramifications of doing so.

  4. Is anyone else interested in attempting to respond more fully to the FOIA request by voluntarily forwarding their own personal emails on this topic to The Mackinac Institute? If such were to be done, I would have to hurry up and write some emails on these topics, because I definitely would not want to be left out of such an exercise in civil disobedience. But maybe the Institute would be interested in emails on other topics? Maybe emails on the subject of The Mackinac Institute, for example?

  5. Just as a reminder, because some have asked (offline in some cases), IANAL (net acronym meaning ‘I am not a lawyer’).
    This post does not constitute legal advice, and is my personal opinion. Remember that this whole blog is my opinion, and does not represent the views of C&IT, Alan Gilmour, Wayne State or the Mackinac Institute. Or the Volokh Conspiracy (of which I am a frequent reader) or any other source other than my own perspective as a long-time faculty IT policy wonk.

  6. This is no surprise. It’s only logical that emails could be read by third parties, should there be explicit circumstances. Even aside from government or any form of authority, if someone makes it their goal to read your emails, best believe that he/she WILL read your emails. IMHO privacy does not exist.

Leave a Reply

Your email address will not be published. Required fields are marked *