Copyright 1990 Pat McGregor all rights reserved. "Averting One's Eyes -- Ethical approaches to Postmastering" Author Profile Pat McGregor Computing Systems Consultant II Network Systems Division of Information Technology Division 5115 IST Bldg. 2200 Bonisteel Blvd. Ann Arbor, MI 48109-2099 (313) 764-9430 Pat_McGregor@um.cc.umich.edu (Internet) UserW02V@umichum (BITNET) Institutional Profile: Name: The University of Michigan Location: Ann Arbor, MI Size: Students: 36,338 (Fall, 1989 enrollment) Faculty: 2,882.33 FTE Staff: 17,573.28 FTE The Information Technology Division supports over 50,000 users. We have no way to know how many academics, administrators, and library users we support, because we have no way to monitor usage at our over 2000 public workstations. In addition, all the offices on campus (staff, faculty, and graduate student) and every dorm room and family housing unit have data ports, of which approximately 60% are turned on. ITD Network Systems employs 198 people, both full and part-time. Abstract Being an electronic postmaster requires diligence, knowledge of mailing systems on many mail networks and host operating systems, and the ability to sit in front of a workstation, trying to decipher bounced mail headers, for long hours every week. It also requires that the postmasters be scrupulously ethical about the confidentiality of the mail that passes in front of them, despite the fact that sometimes in order to clear up a mail problem the text of the message comes up on the screen. This paper explores some strategies used by campus postmasters on several campuses, and discusses some relevant issues of security, ethics, and responsible behavior. TEXT When the best way to send information to a colleague was to type it up, stick it in an envelope and entrust it to a postal carrier, few people had worries that the contents of that envelope would be seen by anyone but the intended recipient. "Tampering with the mails" was a federal offense, and the FBI would come after an offender with sirens screaming. Now, when electronic messages containing secret research results, resumes, corporate business plans, and love letters are flying around the world, some users have valid concerns about the confidentiality of their messages. Are they really "confidential"? Can anything that passes over a phone line be considered secure? What happens if there is a machine problem, or an incorrect address, or any of a dozen known mail disasters? Who sees the mail? As postmasters at the University of Michigan, my colleagues and I see more than a hundred bounced messages a week. We have no technological mechanism to keep us from reading the text of these messages; only our personal ethical systems and a code of responsibility for postmasters at our site keeps us from reading the text of users' messages. The question of confidentiality, and what responsibility postmasters have to keep the contents of mail confidential, is one that arises in conversation between postmasters, and in inquiries from users, on a regular basis. I decided to poll a group of postmasters to see how they felt about the issue, what guidelines they used, and what responsibility they felt toward the users' text. Methodology Subjects: Sixty-nine people at academic, public, private, and commercial sites responded to a survey sent to 136 postmasters. I sent the survey to a list of postmasteres the University of Michigan postmasters have dealt with in the last year or two, or who were on a list of postmasters in Michigan. I recognize that this is by no means a majority of the available postmasters around the world, but I knew from dealing with most of them on and off through the past years that they were responsive to mail from other postmasters and from users. (This in itself may be anomalous, but I choose to hope not!) I hoped this meant I would get a large return of my surveys, and I am quite pleased with my 51% return. Distribution: The survey instrument was distributed and returned by electronic mail. In one or two instances respondents had questions about the survey, and these clarification conversations were also held electronically. Statistical method: We(1) analyzed the responses to the survey statistically with the goal of identifying and describing various groups and perspectives among the postmasters who responded. The survey combined closed-ended and open-ended questions; the former were coded for data entry directly from the survey. I grouped the open-ended responses to each question into a smaller number of categories; these categories were then coded as a series of dichotomous variables. This procedure facilitated later analysis by accepting any number of responses to a question from each postmaster who responded. After the data were entered, SPSSx (Statistical Package for the Social Sciences) was used to generate frequency and crosstab distributions. SPSSx also includes a multiple response procedure to facilitate tabulation of responses when each respondent could make any number of responses. From the (voluminous) output of these procedures, I could ascertain which attitudes and behaviors were congruent with a self-description of "confidential" and which were considered a central focus of confidentiality less often; these findings are presented in more detail below. Who responded to this survey? The average postmaster who responded is twenty-nine, has worked as a postmaster for two years, and supports 1500 users. He (only four of my respondents were female) works on a VMS or Unix machine that's devoted primarily to academic work, and has a bachelor's degree. Postmasters from all sorts of systems responded, including several from foreign countries: Canada, Ireland, Australia, and Japan. They ranged in age from twenty-one to fifty-three, and used eighteen different kinds of machines and operating systems. Only one respondent had been dealing with electronic mail for over ten years, while the majority had been in their jobs less than three years. Eighty percent had at least a college degree, but sixteen percent had only a high-school education and further on-the-job training. Some served as few as ten users, while the highest number of users was fifty thousand. The systems represented were overwhelmingly academic: fifty-three academic systems, four commercial, two public access systems, and four which were research or private use only. Defining confidentiality Overwhelmingly, when asked if they had a responsibility to keep users' mail confidential, the postmasters said "Yes". 94% of those who responded considered this a prime responsibility. (The other six percent, who were all on public or commercial systems, indicated that their users were not supposed to be using the mails for private or confidential mail, and therefore the postmasters felt no responsibility to keep the mails confidential.) Some postmasters felt this was a professional responsibility. Said one, "Unprofessionalism is the only reason for not respecting user privacy." Others cited the Electronic Communications Privacy Act of 1986, which requires that system owners keep confidential, under penalty of law, the mail messages of users on that system. Some felt that responsibility for confidentiality went beyond the message text, and extended to traffic analysis as well. To quote one postmaster: Often traffic analysis is as revealing as actual message contents. One example of this from my own experience came from an affair between a faculty member and a secretary (both are married, not to each other). I was perusing the mail logs and noticed a lot of traffic between these two, and I thought it was a little unusual since these two would not normally have any job-related reasons for such extensive communication. About six months later the affair became common knowledge, and at that point I realized I was probably the first person to know about their affair. I have a medical background, and keeping such matters confidential is second nature to me. Other postmasters without such a background would do well to examine the medical profession for some lessons on how to handle confidential material that strays into their path. To look or not to look -- that is the question When I began this survey, I was working on the assumption that most postmasters work as my colleagues and I do: that the text (2) of the message was not to be read under any circumstances, and that should we happen to see the text, we forget it immediately and do not use any information we might gain from the text of the message. I quickly discovered that we are in the minority. Most of the postmasters who said mail was confidential also said there were legitimate reasons to look at the text of messages (48 out of 69, or 78%). By far the most common reason cited was to help re-direct the message. 53% of the respondents said that they would read the users' message for clues to help send the message back to the original sender or on to the intended recipient.(3) Another common reason was to scan the messages for improper or inappropriate use of the mails -- 29% look for harassing messages, illegal transactions, attempts to break into the system, etc. (Interestingly enough, most of the postmasters who said that they regularly scan the mails say that they use something like an editor scan to do this, rather than reading the contents of all the mail messages themselves. Ten respondents, however, stated categorically that scanning the mail for any reason was improper.) Postmasters in this study leave some of the responsibility on the users, too. "Accidents happen", commented ten in their responses. One respondent put it succinctly: Electronic mail is not a secure medium. It's the senders' responsibility to ensure the privacy of their messages. If they're not sure of the address they're sending to, they shouldn't put anything confidential in the text. Anything they don't want seen, and read, should be encrypted.(4) When reading through the postmasters' comments, it was clear that most of them strongly believe that they act in a manner consistent with their ethical systems, and that they have given a lot of thought to confidentiality in mail systems. Confidentiality, it seems, consists in not looking unless you have to, and if you have to, treating what you see with respect. Or, as one of our foreign postmasters said, "... a postmaster is in the same position as a doctor -- peeking at personal e-mail is rather akin to viewing inside somebody's underpants -- there MAY be sound reasons for examining the contents but going out of one's way to do so is a bit kinky :-)"(5) Moral Dilemmas Sometimes what a postmaster sees creates ethical problems. If a postmaster sees a message in which personal or secret information is revealed, a postmaster may keep the information confidential but be troubled by it. Some find themselves in possession of information which indicates that an illegal transaction or inappropriate use of the system is going on. Most (65%) of the postmasters said that if they found information indicating a system abuse, they would immediately act on it. Their highest responsibility is to protect the system, and they take that responsibility very seriously. Personal information, like the affair that was mentioned above, is a different matter. Some of the postmasters indicated in their commentary that they tried to forget such information. Some created technological barriers for themselves to prevent the viewing of such information. Most hoped that they never had to make a decision about dealing with personal information that came into their possession.(6) Another dilemma for postmasters comes when they have permission to read the contents of users' mailboxes by virtue of their position. Fifty-three of our postmasters (77%) have privileged access. (It was in asking this question that we discovered how many hats most postmasters wear. Twenty-nine of them mentioned that they are also system administrators, and have unlimited access to any system file by virtue of that position. The others have unlimited access merely to accomplish their postmaster responsibilities.) However, in comparing the folks who believed there were good reasons to look in users' mailboxes against those who had access, only eight postmasters (less than half of those who believe in regularly scanning mail) believed this access should be regularly used. Technical fixes Technical fixes were also not common for general prevention against seeing text. Less than one-quarter of the respondents considered themselves to have a technological barrier to seeing the users' text. Only 25% of those who had a technical fix had a hard fix (that is, one which they had to exert special privileges or change code in order to see the message text): 19% used a filter which kept the text out of reach, and 6% encrypted the message text, leaving only the headers in the clear. The others who considered themselves to have a technological fix were split half and half on a honor system where they only looked at bounced messages which couldn't get back to the sender or on to the recipient(7), or only read spool or file headers. "I close my eyes" By far the largest number of postmasters did not feel they had a technological barrier to seeing mail. Of those folks (80% of the total respondents), the three most common methods mentioned(8) as ways they avoided looking at text were to look away (45%), adjust the windowing on their screens to exclude the text (or attention out before the text scrolled by) (17%), or to ask the user's permission if it was impossible to fix the problem without reading the text (9%). (Interestingly enough, of those folks who said they wanted the user's permission before they went poking around in a mailbox, only two would use that permission even if they had it.) It was in asking about methods postmasters used to keep themselves from seeing users' text that the strongest statements about confidentiality and ethical behavior came out. As one of postmaster said, when asked the method he used: Self-restraint. The same thing that keeps me from performing most other unethical acts. Given my level of technical expertise, I do not regard "security systems" as any sort of deterrent. It's worth noting here that a large percentage (68%) of the respondents mentioned that they were simply too swamped with work to bother reading other people's mail, even if they were inclined to do so. Harassment, obscenity, and other inappropriate mail Unfortunately, as the telephone companies have discovered, some people want to use this marvelous new medium as a playground, or as a method of inflicting pain on another person. Electronic mail is a perfect opportunity to send harassing, obscene, or otherwise inappropriate messages to another person. While postmasters generally have given a lot of thought to their philosophies concerning what to do about user text, they are less certain about incidences of inappropriate mail. Seventeen of our postmasters (25% of the total) believe that there has never been such an incident at their site. (I confess, I'm inclined to believe that they simply don't know about it. In our experience, users will wait a long time without reporting harassment or obscene mail unless it's widely known that they have a resource for this situation. When we began advertising that there was a special office for handling these problems, reporting went up.) Some of them don't handle cases of inappropriate mail (29%). Of those who don't handle it themselves, four pass cases along to campus security or the local police, and twenty-two let some other administrator handle it. A clear division of philosophy showed in deciding what to do about abusive or inappropriate mail when it happened. When asked whether they would wait for complaints or pursue a situation if they stumbled across one, 59% said they would wait for complaints, 23% said they would pursue it, and 10% said they would have to make a case-by-case determination. By and large, the largest group were those who would wait for complaints. "One person's harassment is another's amusement" was a frequently expressed sentiment (41%). However, there were some cases where postmasters felt obliged to step in, as in this comment: Material of a libelous nature, for example, is permissible in a private communication... Certain material is not permissible .... Child pornography is a good example of this. The Supreme Court just ruled that private possession of such material is illegal (as opposed to distributing it, which has been illegal for quite some time). Although I have never encountered such material, if I happened to find some in the course of my duties as postmaster I would have to contact the person responsible and ask them to remove it from the system. Failure to do so would make me (and the institution I work for) liable in any subsequent prosecution of the people involved. Other reasons for pursuing a problem that dropped into one's lap were system abuses (such as chain letters, attempts to break into the system or propagate virii or worms) or mail that came from another system. Off-site mail would, generally, be referred back to a postmaster at the originating site. "Mail is mail" Mailing lists(9) and newsgroups constitute a large part of the traffic on the network. Except for the case of usenet news, which is read with a special program, mailing lists are indistinguishable from most other mail messages. Because of mailing lists' public nature, I wondered how postmasters at other site regarded mailing list messages in terms of confidentiality. When asked if they considered mailing list mail in the same class as "regular" electronic mail, 42% said no. Of those folks who gave reasons for this answer, sixteen said that mailing list messages were intended for public distribution and thus not intended to be confidential or private. Twelve folks compared public mailing lists to junk mail or newspapers. The 56% who said "yes" indicated that they considered mailing lists like any other mail in terms of a need for confidentiality and respect for users' privacy. Sixteen felt this way because some lists have restricted access and fourteen commented on the politically or personally sensitive contents of some mailing list discussions. Eleven postmasters felt that the identities of people who subscribed to mailing lists should be kept confidential, because of the personality or interest profile that could be inferred from a complete compilation of the sorts of lists a user subscribed to. Postmasters were sensitive to this: Although ostensibly anyone can get access to the same info by joining the list, membership itself on some lists may be considered sensitive. For instance, there is a gay-oriented list which one of my faculty members subscribed to, and the messages all began bouncing to the postmaster when he incorrectly set a forwarding address. This person may or may not care who knows about his subscription, but I can see where he might consider it sensitive information. Written ethics guidelines As networking constitutes a greater part of our lives, more and more personal information is loose on the nets. Codes of postmaster behavior, once handed down from guru to guru, may now need to be more formalized. Access to personal material is more prevalent, and mail is particularly susceptible to invisible monitoring. As one postmaster said: No byte of information in any computer system is immune to the knowledgeable systems programmer. The point here is that you can tell if your letter from Grandma has been opened, but you cannot tell if your electronic mail message has. This makes snooping easier and more prevalent by default. 83% of the respondents said they didn't have a written code of ethics for postmasters. Reasons given for why there was no policy varied across the board: 23% felt they didn't need such a thing, either because they wouldn't hire someone as a postmaster/system employee who wouldn't behave ethically or because postmaster ethics were common knowledge. 6% had orientation sessions in which postmaster ethics were discussed. 4% felt written policies of any sort were A Bad Idea. However, 15% of the total respondents wished there was a written policy, to help orient and train new postmasters or to cover gray areas. One quarter of those who had written policies felt that their general systems or employee policies covered postmasters as well as users. Two postmasters (both from religious private schools) indicated that Christian ethics covered the situation, and that they relied upon the Bible as a written policy for all occasions. Several postmasters commented that since the passage of the ECPA (10) in 1986, their sites have modified their systems use policies to include specifically use and misuse of mail. Major exceptions It's worth noting that commercial systems and public access systems had substantially differing views of user privacy with respect to mail than did academic systems. Of those who responded, nearly 10% were commercial or public access. The public access hosts were extremely sensitive to their liability should illicit activities take place on their hosts. One public access "sysop" explained his approach to confidentiality this way: The mail on [this system] is specifically disclaimed from ECPA privacy in light of the fact that I operate a BBS on the machine and have no wish to have the authorities come seize the machine if some user does something illegal. Even so, I tend to preserve the confidence of information gleaned from mail that has to be seen. I have an automatic process that scans the mail daily for particular keywords and phrases that would indicate that phreaks or crackers are communicating via my system. If there is a suspicious item, a copy is pulled for closer inspection. So far, I have only has to read mail to/from one pair of users and it turned out that they had misrepresented themselves and were kicked off the system Commercial systems were equally cautious. One postmaster who works for a company which reputedly screens its employees tightly for ethical and moral fiber had this to say: Attached you will find your mail survey. Some of the questions are rather interesting. [Our company] doesn't appear to have similar problems with ethics as do some of the universities. It probably has do with the fact that employees are screened before they are hired to ensure that their ethics fall in line with the companies. Unfortunately, universities don't have such luxury. In the questionnaire, I mention that there aren't any formal policies regarding email. I believe that email would be covered under the terms of employment, which also specify acceptable ethics behavior. If somebody was foolish enough to use a corporate asset to harass somebody, or cause harm or interruption of service due to "hacking", then they probably would be terminated. Demographic Differences I asked a number of demographic questions, intended to see if we could distinguish behaviors of philosophies based on age, gender, number of years as a postmaster, systems or software used, or number of users served. No major discrepancies in behavior turned up. It's possible that our statistical "universe" was too small to differentiate such behavior trends. It's also possible that postmasters all tend to behave in an ethically consistent manner, despite the demographic differences. "Satisfaction guaranteed" Processing this survey has been a learning experience, and not just because of learning to handle statistical analysis. My expectations of postmasters have been largely met -- I had hoped to discover that the electronic information transfer medium was watched over by folks who would respect my privacy within the constraints of the technology, and I have not been disappointed. I was surprised to see that there was no appreciable difference in approaches to ethical behavior among systems: some operating systems, such as Unix (tm), have a reputation for attracting mavericks; and some mail networks, such as BITNET, have extremely tight codes for appropriate behaviors. I was pleased to see that postmasters across the board regarded privacy and confidentiality as important, and would work to protect the system and the users' privacy equally. I would have liked to have seen more women as postmasters. Here at The University of Michigan, 50% of the postmasters and a large minority of the mail programmers are women. I hope that my sample is not representative of the larger whole, and that more than 12% of postmasters are women. (It's possible that many of the people who didn't respond to the question about gender were women. I have no way to tell.) On the whole, I think our users can be generally reassured that the electronic postmasters in their lives are concerned about the integrity of the mail system, both in terms of system security and user privacy. As electronic mail becomes a more prevalent method of communications (for both convenience, economic, and ecological reasons), it's nice to know that the tradition of confidentiality that we have grown to expect from our paper mail postmasters has been carried over into the electronic world. ---------------------------------------------------------- Footnotes (1) Erna-Lynne Bogue, a doctoral candidate in Social Work at the University of Michigan, and a SPSSx consultant, did all the SPSSx programming. She also taught me how to interpret the results, helped me pinpoint places to explore further, and encouraged me to learn a great deal about statistics while doing this project. (2) "Text" in this paper is defined to be the content of the message; the information that the user is transmitting. (3) Postmasters sometimes see messages in which the headers have been so thoroughly mangled that the origins are completely mysterious. For this reason, by the way, it's a good idea to include your name and electronic mail address at the end of your message, so that your recipient will know what you think your address is in case of problems. (4) Or, as another put it, "Users put the most astonishing things in electronic mail, and assume that nobody will ever see it. It never fails to amaze me the things that people say to each other over electronic mail that they probably don't say to each other in the bedroom." (5) For those of you who may be unfamiliar with the "smiley face" in electronic communications, turn the page sideways. The ) is a mouth. (6) One anecdote is particularly telling. To quote the respondent: [The story starts with a description of a bug in a mailer that left a number of messages in the postmaster's queue. The respondent describes his usual practice of reading only the first 30 lines, since usually those 30 lines are only header material.] One of the dead items originated locally. Hence, it had comparatively few headers, and [the first 30 lines] took care of all the headers and showed me the body as well. It was from one of my co-workers, written to a friend with whom I also work professionally on the side from time to time. Although I didn't intend to read it, certain words caught my eye without really looking deliberately, and it became immediately obvious that my co-worker and this friend were having an affair. To say that this made me uncomfortable is to put the matter most mildly. My co-worker is married and the co-worker's spouse is also an acquaintance of mine. And I have a little (but not much) professional contact with the spouse as well. It was clear that the co-worker had not informed the spouse of the matter. The friend is also married and the friend's spouse was not aware, either. I have to work with my co-worker and frequently I am in a position where I can't really afford not to work with the friend. Now, whether two people want to carry on an affair with one another is mostly their own business. Whether I agree with it or not is almost entirely irrelevant, especially considering that my beliefs do not coincide with my friend's and my co-worker's anyway. But now I was in a position where a co-worker whom I trusted was violating the spouse's trust. And likewise for the friend and the friend's spouse. It became obvious to me in rather short order that it was going to be difficult to work with either of them, knowing the lack of trust being shown to their respective spouses. After some considerable internal warring against myself over what to do, I approached my co-worker, explained what I'd learned and the (innocent) circumstances by which I'd learned it, and said that I thought there were 3 things that could be done. The two of them could break off the relationship; they could tell their spouses about it and (I suppose) get the spouses' approval for them to continue; or I could resign. There wasn't really any way I could see myself continuing to work with people that I had to trust in order to get work done, while knowing this violation of trust was going on. And I don't think I really cared which way the matter went. As it happened, they broke off the relationship. Whether spouses were told about the matter, I can't say. I have since written a small tool which looks at this type of dead letter to show me JUST the headers. (7) One postmaster called these trapped messages "bounce-o-grams". (8) Not all respondents made comments, of course, which is why sometimes the numbers in these sections dealing with commentary don't always add up. (9) "Mailing lists" are defined for the purposes of this paper to be public or semi-public lists or digests, such as Info-IBMPC, INTER-L, or other such public discussions. Private mailing lists, such as those created by individual users and which are not open for the public to join, are not included. (10) Electronic Communications Privacy Act.