When a St. Olaf student was summoned to a January Honor Council hearing for a suspected Honor Code violation, they were perplexed by the council’s accusation — that the student had accessed a class document during a November exam, information which their professor found by checking the student’s Moodle history.
The incident provides a window into the College’s vast surveillance capacity: if it so chooses, the institution can gather community members’ web traffic, access all emails and content stored in Google accounts and obtain granular data on students’ Moodle activity.
Moreover, few limits exist to curb the scope of surveillance. Anyone that uses College networks or technology “automatically consents to the monitoring of their activities in the course of systems maintenance or security related investigations,” the Information Technology (IT) computing policy states.
St. Olaf’s General Council Carl Lehmann ’91 has unilateral authority to approve the search of a community member’s digital content and data, which is sometimes requested for investigations into potential crimes or policy violations.
Alongside the legality of the request, Lehmann determines whether a student’s actions violate College computing policy – an area with ample room for interpretation. While the document describing “Appropriate Use of Campus Technologies” bars straightforward infractions – such as copyright infringement and “breaking system security” – it also prohibits aiding “unethical” behavior or posting material that is “offensive, pornographic, libelous, or intended to harass.”
The College has no obligation to alert a community member when it searches their data, unless it does so at the request of an attorney or judge, Lehmann said.
Only a handful of data search cases reach Lehmann’s desk each year, Information Security Officer Kendall George said. Lehmann did not immediately respond to a request for records on past data search requests.
At the end of the day, most restrictions on College surveillance are self-imposed. Based on Lehmann’s understanding of Minnesota state privacy laws, institutions must respect reasonable privacy expectations, like not putting cameras in locker rooms or dorm rooms. Electronic privacy is not included in these expectations, and “all information on St. Olaf servers, desktop computers or on computer storage medias, including electronic mail, is considered college property,” according to the “Privacy of Employee Electronic Files” policy statement.
“Google is forever”
Anything a community member creates or uploads using their St. Olaf Google account is fair game for the College to search, said Chief Information Officer for Libraries and IT Roberta Lembke. This is a broad range of data considering Google Drive’s capacity to save a wide variety of file types. Moreover, even if a community member leaves St. Olaf, the College retains all of their information.
“Google is forever,” Lembke said.
Regarding Google’s own access to the College’s data, the company is unable to collect or disseminate individual students’ data because of privacy-related provisions in the Family Educational Rights and Privacy Act (FERPA).
But Google can use student data in the aggregate – data based on summary statistics in place of individual observations. For example, Google can use students’ accounts to determine what products students might be interested in purchasing, Lehmann said.
Unlike with Google, St. Olaf’s partnership with Moodle states that students’ data, even in the aggregate, stays within the College. St. Olaf could share this data with Moodle or a similar third party educational service like some other colleges and universities do – as the sharing of student data for legitimate educational purposes is permissible under FERPA – but the College has not discussed doing so, Lembke said.
St. Olaf faculty are able to see if and when students open documents posted on Moodle, and can share this information with other professors or the Dean of Students Office for educational purposes, Lehmann said.
Professor of Religion DeAne Lagerquist uses Moodle in this capacity to avoid class discussions about readings most students haven’t accessed. She also might use this Moodle feature to tell if a student with low attendance and participation has been accessing class documents, Lagerquist said.
“All information on St. Olaf servers, desktop computers or on computer storage medias, including electronic mail, is considered college property,”
– Privacy of Employee Electronic Files policy statement
Associate Professor of English Rebecca Richards, on the other hand, doesn’t use Moodle to track student participation.
“I don’t believe in surveilling my students,” Richards said.
Locations, web-traffic
The College reserves the right to determine individual community members’ and visitors’ locations and web traffic when they are connected with St. Olaf’s Wi-Fi, though they do not actively track community members unless an investigation has been approved, George said. The College also reserves the right to access printing data.
Omara Esteghlal ’21 saw these tracking capabilities first-hand. After downloading a pirated copy of “The Wolf of Wall Street” in the early hours of June 19, 2019, Esteghlal awoke to an alarming email from George, who told him that the College had been notified of copyright infringement which they traced using Esteghlal’s IP address and other digital markers.
Esteghlal immediately called George, who explained that the email was simply a notice that would not go on his transcript or carry any other negative repercussions, as per the “[Peer-to-peer] File Sharing Action Plan” policy statement.
He went on to recommend that Esteghlal delete the pirated files.
For Lehmann, St. Olaf’s surveillance capacities are justified because electronic communications policies are listed on the College website.
“With regard to electronic communications and electronic data, one of the things that we do is make it clear in our policies when we reserve the right to access data so that people can know that,” Lehmann said. “We don’t get at odds with them in terms of what they can expect could be kept private and what won’t be.”
