During spring 2008, Physics Prof. Blaine Norum received an e-mail from a student about an in-class cheating incident during the final exam period for his Physics 142E class. The student overheard a group of his peers discussing an incident in which someone used a smart phone to access the web solutions to a midterm posted on Collab during the final exam, which included questions identical to ones on the midterm.

In an e-mail exchange with the informant, Norum inquired whether he knew the suspect. The student said he did not.

This left Norum with little proof that the incident even occurred. Hence, he turned to the University’s Information Technology and Communication department for an Internet paper trail of the events.

Eventually, the University Counsel­ — the University’s team of legal advisors — approved Norum’s request for information, and ITC provided him with the name of one student who accessed the solutions page during the exam. This student also was correctly identified by the anonymous tipster in a photo line-up of other randomly-selected students in the class.

But Norum opted not to bring charges against him.

And although Norum said he “knew exactly who had done it,” without a time stamp on the turned-in finals or willing testimony from the anonymous tipster, he did not believe he had enough evidence to take the case to the Honor Committee. The student could argue, for example, that he accessed the page after he turned in the exam.

In addition to issues with honor code compliance, the incident spotlights the University’s information technology capabilities, which can track student activity online. It also brings into question the ethics of the situation: Was the University authorized, via ITC, to grant Norum’s request to identify the cheating student?

Students often forget about the Student Handbook for Responsible Computing distributed by ITC. According to the handbook, “the University owns the University network — all the wires, wireless hubs, cables, and routers that connect the central computers, computer labs, microcomputer sites, and perhaps your personal computer to each other and, beyond the Grounds, to the Internet.”

Rules of engagement
When asked about student privacy within the University’s Internet policy, Susan Davis, assistant vice president for student affairs, said all requests for student IT data must comply with particular specifications before her office will grant them.

“If you’re looking for [evidence of] cheating in an in-class exam, we would want the date, we would want the time, we would want to know and hear directly from the professor, ‘Why do you believe the basis for this request?’ ‘Why did you find the anonymous student that [is] reporting credible?’” she said.

Requests can be made for log information, such as when the individual accessed an account and content information, including items both produced and received.

“If the request is for content information, then those privacy interests are even more in play — we’re required by policy to get General Counsel approval,” Davis said.

Additionally, Davis said there are times when the office will grant access to much less than what the request initially wanted.

“What I’m looking at while we’re reviewing it to be approved here is, ‘Have you asked for the least amount of information that you truly need?’” she said. If that first request is granted, then additional requests for information can be made.

Even so, third-year College student Ben Wilkes finds this bit-by-bit approach to accessing student information unsettling.

“I feel like that’s a slippery slope,” he said. “Where do you draw the line? What’s a small detail and what’s invading privacy?”

Nevertheless, Davis insists that the Office of Student Affairs and ITC submit narrowly tailored requests to minimize intrusions.

“We try hard not to make it feel or seem like an invasion of privacy. What we’re really after is credible, factual, objective information — evidence. And I have to believe that most students get that or would understand it if they found themselves in a particular situation,” she said, explaining that if a student were falsely accused, he “would want information to come forward so they could credibly prove” their innocence.

False leads, however, could result in the unwarranted search of a student’s information. It is up to the Office of the Vice President for Student Affairs to determine whether leads are credible, Davis said.

Honor, UJC and ITC
During the course of an approved University Judiciary Committee or honor investigation, Davis said her office will sometimes disclose additional information not requested initially that her office thinks might become relevant to the case. She believes that such digital records could provide the purest evidence both for convicting those guilty of honor and disciplinary cases and proving suspected persons innocent.

“If [IT information] were presented in trial and there was substantial evidence that a violation of the Standards of Conduct had occurred, then we would likely take that into consideration,” UJC Chair Will Bane said.

He also noted that if student juries think IT requests are an unwarranted invasion of student privacy, then they may factor that into their decision.

“The UJC is a student-run organization, and judges who are determining guilt and sanction are going to be peers of these other students,” Bane said. “So I’ll tell you that they certainly will be sharing any concerns that the student body is sharing at the time.”

Honor Committee Chair Charles Harris said he believes that in the age of advanced technology, requests for student information to support charges for honor offenses is fighting fire with fire.
“When we operate under those systems, we kind of do it under the assumption that U.Va. can access some of what we do and that they’ll allow the [honor system] to use it since it’s there,” Harris said.

He suggested that false accusations leading to fruitless searches of student Internet information could be prevented by the same processes the Committee uses to punish those who make malicious honor accusations. But Harris added that ethical questions are out of the domain of the Honor Committee.

“The privacy questions [and] all the questions that stem from ‘Is this fair?’, ‘Is this right?’ are questions that the University gets to answer,” he said. “If the University allows for these tools to be employed, by the Honor Committee and the investigative [and reporters], I think that’s fine.”

Harris added that students should operate under the assumption that information exchanged via University servers could be accessed by the University.

If there is not already suspicion that a student committed a violation, though, Davis noted that requests for information would not be granted.

“I’m not going to approve a request on behalf of this office if we’re starting from ground zero and there’s no threshold inquiry or basis to believe this is relevant,” she said.

Security and precautions
Although the University can access stored student information, few people within ITC have permission to access those databases at any given time, said Shirley Payne, assistant vice president for information security, policy and records.

“If you have a direct need to have access to that data — a legitimate business need — then you can have access,” Payne said. “But if you don’t, you don’t. So for example, I don’t have access to the Student Information System — I don’t need it and I wouldn’t ask for it — but if I did, there’s a whole approval process that I would have to go through to get that access.”

Payne also noted that this approval process is carefully documented at every step.

Additionally, IT professionals are reminded of the Standards of Conduct tied to their inquiries each time they are granted access to such information.

“They have to abide by the policy by the University that deals with things like not using another person’s password to get at their information,” Payne said. “That’s a clear violation of our employee Standards of Conduct.”

Davis and Payne repeatedly emphasized that an investigation will always precede a request for student information.

“We’re not just going to open up somebody’s e-mail and begin digging in review,” Davis said. “That’s a phishing expedition and we just don’t [do that].”

Widespread phishing is not only inconsistent with their policy, Davis said; it also is logistically impractical.

“We don’t have unlimited time to conduct record review for unlimited periods of time,” she said.

Finding a “balance”
Third-year College student Matt Jibilian said he felt IT record-checking was an “aggressive” measure in the Norum case but still expressed faith in the University’s safe handling of sensitive student information.

“The ability to see or access any website that you’ve visited while on the University server? It’s just like everything, you give and take,” he said.

Third-year College student Eman Niazi was “very surprised” to learn that ITC was involved with cases like Norum’s.

“The only way I thought ITC was used was for security,” he said. “I don’t think it’s concerning since I don’t think people at ITC normally go through student files. Obviously they can’t functionally do that, but still, I’m shocked.”

Graduate Nursing School student Kate McCrady supports electronic searches to uphold the tradition of honor at the University.

“I think it’s important that that is upheld … even in context of an electronic [search],” she said.

In terms of transparency, Payne believes these computing policies are widely available to students to see.

“I think we do our best to get that information across,” she said. “The Responsible Computing Handbook is out there. And a lot of this information is put, not just on the IT web pages, but also appears in the Student Record and different places.”

Still, Bane believes the line denoting the breach of privacy should be more clearly defined.

“The University is going to have to find a sort of balance between ensuring to protect student privacy and also ensuring that these violations are not necessarily occurring, and I don’t know necessarily know where that middle balance is,” Bane said. “But I’m sure that as these cases, if they’re filed, continue, as the University administration deals with these new levels of technology, that they will eventually strike some kind of balance in between there.”