By SHANNON O. WELLS
At its first meeting of the 2023-34 academic year, the Senate Computing and Information Technology Committee approved a draft policy that modifies language in the University’s Access to and Use of Computing Resources policy.
Brian Hart, Pitt Information Technology special projects manager and chair of the committee that shaped the draft policy, said while the policy has existed for years, its wording has been updated from the original’s “very hard, very strong language about ownership of email and that sort of thing that has always caused some concerns. So that language has been changed.”
“The purpose of the policy revision was to bring it up to date, really,” Hart said, noting the committee worked “quite a while” on language related to privacy, access and communications-related areas the policy was missing. Some restrictions the new draft policy places on computing resources at Pitt include:
-
Engaging in commercial or third-party business for private gain, except for incidental use described in Policy RI 01, Conflict of Interest for Research.
-
Engaging in political activity.
-
Performing any activity prohibited by law or any Pitt policy, including file sharing or theft of intellectual property.
-
Threatening, harassing or intimidating other University users or others not affiliated with Pitt.
-
Abusing or misusing Pitt computing resources or PittNet in a way that causes damage or system interruptions.
-
Borrowing, lending, falsifying or “hacking” into a University Computing Account or allowing/facilitating unauthorized access to University Computing Resources by a third party.
Rather than lessening Pitt’s position of responsibility for information systems, Hart explained, the policy update clarifies that while Pitt is “not in the business of conducting surveillance on people … we may have to disclose certain information if required to by a subpoena, and things of that nature.
“It’s really an informational policy (that) says these are the reasons why the University could disclose the contents of email stored on its systems,” Hart added. “We generally don’t do that, and there are prescribed ways in which that happens, so it’s not just a willy-nilly, somebody can go on a shopping expedition through your email and send things to someone else.”
Safety, security and privacy
The policy says computing resources and PittNet users are required to follow all University computer-security standards on their personally owned devices as well as those owned by Pitt.
Users must ensure their devices are free of viruses and malicious software before accessing computing resources or connecting to PittNet, it says. Device security standards can be found at the Pitt IT website.
Departments must ensure all personal data is permanently erased from Pitt-owned devices before they are reassigned to others, or work with Pitt Surplus Property to arrange proper disposal of equipment that will no longer be used.
Regarding privacy of faculty and staff, data transferred across PittNet and stored on University computing resources is “not subject to surveillance by the University,” unless Pitt needs to for legal or other reasons including:
-
When a user has separated from the University, dies, or becomes incapacitated.
-
In response to a subpoena, court order or search warrant for an ongoing or pending criminal investigation or civil action;.
-
When necessary for maintaining or troubleshooting problems with computing resources and PittNet or in conjunction with ongoing security assessments conducted by or through IT’s Information Security Department, or with research integrity assessments and investigations stipulated in Policy R1-07, Research Integrity.
In all such cases, any data accessed will be held “in confidence” and used solely for the approved purpose, the draft clarifies.
Responding to a question about political activity via email or on PittNet, Hart referred to a policy footnote regarding the Pitt’s 501(c) (3) tax status that prohibits it from engaging in certain political activities.
“Specifically, the University is prohibited from endorsing candidates,” he said, noting a distinction between an individual saying they “like candidate X or Y” as opposed to “the University likes” certain candidates.
Hart addressed another question regarding ongoing security assessments, saying Pitt IT does periodic assessments of information security on its systems, “so it may be a situation where we have to look at a particular system in order to determine (its) security and that sort of thing,” he said, adding, “it’s not a fishing expedition,” but making sure security is in place to protect data, including “the University’s data and personal data that may be stored on University systems.”
“We’re going to do what we need to do for specific reasons, and we’re trying to lay out what the specific reasons are,” Hart explained. “Just because somebody has administrator access to a system doesn’t give them the permission to go and do whatever they want, and look at whenever they want.”
Hart responded to a committee member’s initial concern that the policy seemed vague on certain points, saying, “We can’t predict any possible occurrence or every new law or regulation that may come down the pike, so we have to be a little bit circumspect in some of the language, but it’s not with an intention of sliding through anything or being intentionally vague to the point that nobody could understand the policy.”
Committee volunteers
In other business, Senate Council President Robin Kear requested volunteers for two new committees. Kear said additional requests had come in since computing committee member Klaus Libertus, assistant professor of psychology, had volunteered earlier to serve on an Identity Theft-oriented committee.
Ken Fish, associate professor of psychiatry, agreed to serve on the Privacy Policy Charter Committee, and Ilia Murtazashvili, associate professor in the Graduate School of Public and International Affairs, volunteered for the Information Technology Security Policy Committee.
“I know that this is an additional ask on top of your (committee) service,” Kear acknowledged, “but it helps when faculty who care about these issues — and it is elected faculty that I’m looking for — volunteer to be part of these policy committees, because you’re also bringing it back through the (computing) committee, so you can speak to questions and (contribute to) the discussions.”
The Privacy Policy is intended to govern how Pitt “safeguards non-public, protected information and its records,” as well as establish a privacy-based framework to build upon, Kear said. She described the committee as an “umbrella” group to cover various privacy-related policies at Pitt.
The Information Security Subcommittee of the Information Technology Advisory Committee, chaired by Laurel Gift, assistant vice chancellor for compliance, investigation, and ethics, recommended that Pitt implement “sort of a master information security policy,” Hart explained. “There’s this sort of mishmash of security-related policies, and different groups have pointed to the need to call on information security issues.”
Creating an “overarching” master policy, he added, will streamline efforts related to information security, so that “anybody else who wants to can refer to the master policy when it’s in place,” Hart said. “That’s why there’s a need for it.”
Shannon O. Wells is a writer for the University Times. Reach him at shannonw@pitt.edu.
Have a story idea or news to share? Share it with the University Times.