Catherine Kvam also contributed to this article.
Last semester, Vanderbilt’s Psychological & Counseling Center (PCC) sent out a mass email to various students who had visited the center, only to have it disappear shortly after.
While emails to listservs and wide groups of students are routine, a major issue arose when the names of the email’s recipients were not kept anonymous. Every student who had received the email could see the other addresses the message was sent to, possibly violating procedures of privacy including HIPAA protections.
The email vanished, both from students’ inboxes and from their email histories, as it was retroactively deleted, an act of justified interference to protect confidentiality. On the heels of a presidential campaign season plagued by issues concerning emails and cybersecurity, some students were aware of the incident, while others had no knowledge that Vanderbilt monitored email accounts at all.
“(It was) necessary but definitely unusual to actually erase an email from existence,” said first-year student John who gave his thoughts to VPR on condition of anonymity. While John commented that he didn’t receive the email himself, he stated that he was aware of the situation when it happened. “I feel that’s a pretty big mistake, and I’m surprised it hasn’t been talked about more.”
Section III of Vanderbilt’s guidelines regarding electronic communications and information technology resources outlines the University’s policy on Vanderbilt’s rights to access electronic communications. The policy states employees “should not have any expectation to privacy,” as Vanderbilt is permitted by state and federal law to monitor activity made “in the conduct of its business.” Vanderbilt uses the policy to implement investigations and assess online conduct in possible violation of the law.
Students are subject to the Acceptable Use Policy, which specifies that online activity must be in accordance with state and federal law, Vanderbilt’s Institutional Policies, and the Student Honor and Conduct Codes. Part III A of the policy details how investigations are “governed by professional IT forensic protocols,” while automated systems are used to detect “viruses, malicious software, or privileged information.”
The University’s policy is in accordance with those of numerous colleges around the nation, as Yale Daily News reported student emails at Yale were “subject to search without consent or notification from the University.”
“Since I really have nothing to hide in my emails, I feel it’s okay that they do monitor for my safety and the safety of other students,” said Lowry Mays, a first year student. “If they monitor emails for 10 years and get nothing but on the 11th find one threat that could save as little as one life through it, I would consider that a success.”
“I’m not surprised (since) the email is created through the school system,” said Allison Trager. “People can use other emails if they want to be [more private].”
In regards to monitoring of emails and internet activity, the Vanderbilt University Police Department told VPR that they do “not conduct ongoing monitoring of Vanderbilt email accounts or Internet activity” but added that due to the prevalence of Internet use, Internet activity has been used to “establish certain details during a law enforcement investigation.”
VPR reached out to Vanderbilt Information Technology and the Office of General Counsel, but neither office responded to our request for comment.