Turkey trot. #falliscoming #upnorthmi #thewoods
Turkey trot. #falliscoming #upnorthmi #thewoods
Leaves are starting to turn. #falliscoming #nature #upnorthmi #nofilter
Sunset boat party. #nofilter #upnorthmi #boating #lakelife
From the bow of the boat. #boating #lakelife #upnorthmi
How we do weekends. #boating #camping #sunset #nomich #lakelife
I’m calling ‘em “Southwest Stuffed Shells.” #cooking #experimentation The pasta could have cooked a minute longer, but the stuffing is very flavourful.
Testing a new recipe. #cooking
(Screengrab from Reddit user darkf)
For reasons laid out below, I find NIU’s changes to its Information Technology policy governing acceptable use of university computer systems and networks “laughably unconstitutional” (Northern Illinois U. Blocks Access to ‘Unethical’ Websites, The Fire, August 20, 2014).
I was alerted to the alarming changes to my alma mater’s IT policy by a Jezebel article (Northern Illinois University Bans Social Media, Happiness for Students), which linked the initial BetaBeat commentary and led back to the Reddit post that brought this policy into the light of the internet.
I wrote a letter of my concerns and emailed it to pertinent university administrators and student advocates. That letter, the response I received from Brett Coryell, Vice President and Chief Information Officer (head of the Division of Information Technology), and my response to his email are below. If you are so inclined to share your concerns with the NIU community, I have included the email addresses of recipients (all of which are publicly available via the NIU Directory).
- Northern Star Editorial Board (email@example.com; Editor-in-Chief Kelly Bauer, firstname.lastname@example.org; City Editor Jenni Haish, email@example.com; Day Editor Anthony Szudarksi, firstname.lastname@example.org; Scene Editor Kevin Bartlett email@example.com; Perspective Editor Danny Cozzi, firstname.lastname@example.org; Advisor Shelley Hendricks, email@example.com)
- NIU Student Association President Joe Frascello (firstname.lastname@example.org)
- NIU Student Association Vice President Raquel Chavez (email@example.com)
- NIU Student Trustee Paul Julion (firstname.lastname@example.org)
- NIU Vice President and Chief Information Officer Brett Coryell (email@example.com)
- NIU Division of Information Technology (firstname.lastname@example.org)
- NIU President Doug Baker (email@example.com)
It came to my attention today that NIU’s Division of Information Technology has changed its Acceptable Use policy. As a proud alumna, this would not normally raise my hackles or even be on my radar, but I cringe at drop in prestige suffered by my beloved alma mater having been called out on the main page of a sensational “news” website. Mostly though, I began to seethe over the substance of those changes that demonstrates sloppy drafting at best, or an illegal over-reach of authority at worst.
The policy as written lists advertising, sales, political speech, and social media interaction (under certain circumstances) as “unacceptable uses.” It also prohibits “excessive” use, “’broadcasting’ inappropriate” messages, “intimidat[ion],” accessing “obscene” materials, and “misrepresenting” one’s identity, but fails to define any of these terms. Instead, such determinations are left up to the unfettered discretion of “NIU’s evaluation.”
A broad interpretation of the policy as written grants the university the power to prohibit students from selling their textbooks, participating in elections, hosting a podcast, posting anonymously in forums, or writing a strongly-worded letter to a thin-skinned university administrator, and could be used to stop employees from exchanging information via listserv or mass email about employment and labor laws (e.g., minimum wage, overtime, family leave, union organizing).
University spokesperson Paul Palian tries to explain away some of the troubling bullet points as merely “ethics provisions” applicable only to university employees, which is not entirely inaccurate, though it misses the essence of such provisions being confusingly vague. But on that note, the State Officials and Employees Ethics Act is applicable to NIU employees because public university employees are, by extension, employees of the state, who generally subject to uphold and protect rights guaranteed by the U.S. Constitution.
Most of the activities noted above would likely be protected by the First Amendment. To prevent us from having to ask why any user should trust the Division of Information Technology to narrowly interpret this policy during “routine monitoring,” vague and overbroad restrictions on free speech and unchecked enforcement powers are categorically deemed unlawful by the U.S. Supreme Court. Moreover, such restraint on the free flow of information, ideas, and communication is something you would expect of third-world dictator, not of an honorable American institution of groundbreaking research and higher education.
I fully support the need to protect university assets and network security, but this is not really a security issue. Lest there be any confusion, the filters are not the problem; the policy language that governs the application of those filters is. If “NIU is wholly committed to allowing free and open access to information” as NIU Vice President and Chief Information Officer Brett Coryell said, or to its educational mission and public service, the Acceptable Use policy must be rewritten to reflect those commitments.
Brooke R. Robinson
B.A. Political Science, ‘03
Brett Coryell’s response, NIU VP and Chief Information Officer (no edits made):
Thank you for including me in your letter to the editor. This gives me a
chance to correct some of the misunderstanding that has arisen from
inaccurate information put forward by the original poster, a student going
by the name Œdarkf.¹
You and I are on common ground when we say the acceptable use policy needs
to be rewritten because it does not adequately distinguish between
employee restrictions and student use.
Revising the acceptable use policy is on a long list of activities the
university needs to complete in order to catch up to standard practices in
the field of IT security. It is not, however, at the top of the list. I
expect to revisit this and many other policies over the next 12 months.
To suggest that the use of a firewall is akin to a third world
dictatorship is to fundamentally overstate the case. The firewalls
watching our Internet traffic are currently blocking attacks from external
sites at the rate of about 1000 per hour. The traffic from our own users
trying to get to sites on the Internet that are known to be malicious ‹
traffic that almost universally comes from infected machines ‹ is being
blocked at more than twice that rate. When we take out items that
represent traffic from infected computers, fewer than 1000 connection
attempts have been blocked due to illegality. That¹s 1000 out of more
than 100,000,000 Internet sessions in the last two weeks. This is
certainly not wholesale censorship.
We need these firewalls to block infections and prevent attacks that are
happening right now. I would ask that you trust the my division and the
university as a whole because this policy has been in force for years. We
need not fear overly broad interpretation and unchecked enforcement powers
for three reasons: (1) The full attention of the security team in my
division is squarely on learning to tune and operate the firewall to
prevent malicious cyberattacks and will be for the foreseeable future; (2)
there is a lengthy history of trustworthy enforcement of this policy; and
(3) similar policies and similar security infrastructure is very common
throughout higher education and indeed in for-profit enterprises
throughout the world.
I would not be able to comment on the legality of the State of Illinois¹
ethics act or whether it is an abrogation of First Amendment rights. I
can say that a quick Google search suggests to me that the law is
consistent with the ethics training I went through a few months ago as a
new employee. ILCS 430/5-15(a) states,
³State employees shall not intentionally perform prohibited political
activity during any compensated time (other than vacation, personal, or
compensatory time off). State employees shall not intentionally
misappropriate any State property or resources by engaging in any
prohibited political activity for the benefit of any campaign for elective
office or any political organization.²
To me this suggests that there are real and mandatory restrictions on the
ways that employees are allowed to use State equipment like computers and
networks. Even so, in the case of political activity, excessive use of
social media, and other elements of the policy the firewall is not being
used to block any of these state-restricted sites.
Vigilance against tyranny is the duty of the citizenry but I would
respectfully submit to you that we have no evidence for a pattern of abuse
by the university or its IT staff. Our only interest is to use technology
to inspect the wrongful attacks that are continually launched against
NIU¹s data and people or to prevent illegal activity or to prevent people
from unknowingly communicating with sites that the IT industry as a whole
has identified as malicious.
I would be more than happy to answer any other questions, to include you
in the eventual review and rewrite of the AUP, or take any suggestions you
might have for improvements in the way we try to protect the campus.
Thank you for your kind attention to this lengthy email.
My subsequent response:
Thank you for your response, Mr. Coryell. I do appreciate your attention to this issue, and I’m encouraged that we agree the policy should be rewritten.
But to further clarify the problem, I must reiterate that I do not think firewalls and content filters are the true problem. We agree that it’s important for the university to make efforts to come into compliance with best practices for network and data security. And, I fully understand the ethical restrictions placed on university employees under the SOEE — I once was also an employee of the state of Illinois subject to the same ethics training to which you refer. The firewall is not the third-world dictatorship in my metaphor; the grant of powers under the university policy as-written is.
A professor who sends out a mass-email to his POLS150 students encouraging them generally to participate in local, state, or federal elections probably would not run afoul of the SOEE, but could conceivably be in violation of the university’s policy (subject only to “NIU’s evaluation”). Similarly, a student who uses the NIU network to create and upload a podcast encouraging others to vote for a particular candidate in that election could be considered in violation of the university’s policy. The policy itself is that broad. And, to my knowledge, you are correct; there is no history of abuses by the university in enforcement of its policies, but the past is no reason to forgo present or future vigilance. Nor is it any reason to delay quashing the censorship power the university has reserved for itself.
I appreciate your invitation to be part of the solution, and I would gladly serve my alma mater in any way within my capacity. I understand you have a Computing Services Advisory Committee that includes a student representative, a staff representative, and representatives from each college. I have CC’d the known members of that committee on this email. With respect that changes to the AUP are not high on your priority list in light of the pressing security needs, my first suggestion would be that you task your committee with examining the current policy and making recommendations for revisions.
News of this policy has now proliferated across mainstream media, blogs, and social networks. Such attention rightly or wrongly calls into question NIU’s commitment to fostering critical thought and the free exchange of ideas, and it casts a cloud over all Huskies. I do urge, and will continue to urge, the university to address the concerns raised, and I again thank you for your thoughtful consideration.
All the best,
For those interested, the appointed 2014-2015 Computing Facilities Advisory Committee members and their NIU Directory email addresses are:
There are two open seats on the committee — Executive Vice President and Provost or designee, and a representative from the College of Health and Human Sciences.
Shut up and sit down, Fall! It’s not your turn! #nature #leaves
Cinnamon horchata ale. Shut. Up. It’s awesome! #beer #horchata #bluemoon #falliscoming