How IT Departments Can Protect Networks While Allowing the Free Exchange of Ideas

While most university IT managers tell us that their security policies are rarely accused of impinging on academic freedom, there may be cases in which IT will need to take part in deciding whether or not to block a particular website.

Drake University CIO Paul Morris found himself thrust into such a controversy when a student gossip site made anonymous posts suggesting that specific students and professors were involved in lewd acts.
“We had to balance freedom of expression versus the harm done to the victims,” explains Morris, who says that the university decided not to block the site, reasoning that people could always go outside the university network to access it.

Vince Kellen, the University of Kentucky's CIO, says his rule of thumb in such situations is to determine if the site is internal or external to the school. Kellen says if the site is external to the school, the decision is clear: The college should not block the site.

“I always try to err on the side of supporting the free exchange of ideas,” says Kellen. “On the other hand, if the site is internal and hosted by the university, then the college is serving as a publisher and could be sued for libel,” he explains.

While these situations are rare, a more typical problem for a college IT department is deciding how to handle illegal downloading. Illegal file sharing is forbidden at most colleges, but every college must decide how to communicate the policy to students and which enforcement tools they will implement.

Paul Keser, information security officer at Stanford University, says that while the university does not use content filters, it sends out automated messages to students who have registered high levels of peer-to-peer file-sharing activity.

Keser says the e-mail message serves two purposes: First, it's a warning that the university observed what could potentially be a copyright violation and a reminder that the next message could be a complaint from the Recording Industry Association of America. Second, the traffic advisory alerts the student of a misconfiguration of their machine that may allow illegal file sharing that they are unaware of.

“We want to protect the students from being sued by the RIAA without violating their privacy or censoring their Internet connection,” says Keser.

Be Aware

Beth Ann Bergsmark, director of academic and information technology services at Georgetown University, says balancing academic freedom with security requires awareness, education, communication and stakeholder involvement.

“Many faculty and researchers especially are not aware of the increased complexity of running modern computer networks,” Bergsmark explains. “In the past, a researcher would hire an assistant who would also set up a server,” she says.

But today, with most networks under constant threat from malware and malicious code, Bergsmark says it takes a security professional to manage the network. “Our goal is to provide a systems administrator who can oversee the network so the researchers can focus on the actual research.”

Instead of coming across as draconian, the IT staff at Georgetown educated researchers about the potential security threats and set itself up as a service bureau enabling researchers to spend less time managing computers and more time on the task at hand.

IT departments must be proactive. Set clear policies on freedom-of-speech issues and illegal downloading, and then make it clear to the university community that IT does not seek to block content unnecessarily. Rather, stress that IT believes in the free flow of information, expects people to respect the law and will take the necessary steps to protect the network from malicious code.