A student’s email account was accessed by computer services at the request of an unidentified university employee this past spring in order to trace a message sent regarding Senior Streak. The student was not informed of the access, and it does not appear that the access was part of an enforcement of university policy.A source familiar with the event has confirmed that the email access occurred in the following manner. A student, probably using a third-party email account like Yahoo webmail, sent an email to Lawrence students to coordinate last year’s Senior Streak. The email address did not directly identify the sender, and an unidentified university employee asked computer services to trace the email in order to discover the identity of the sender.
The tracing process is rather simple: each university computer has a unique address that distinguishes it from all other computers on the network. When a student logs onto a computer, their username, time of logon, and the computer’s unique network address are recorded by computer services automatically. Then, if one can identify the computer address from which an email was sent, computer services will simply look to see who was logged on to that computer at that time and determine who sent the email.
In order to trace the email, computer services located and accessed a separate student’s email account in which the message was saved, and then determined the address from which it was sent. The username was easily determined from logon data, and the name of the student was submitted to Nancy Truesdell at the dean of students office.
Both Truesdell and user services manager Dana Rose-Schmalz said that the agreement between the university and those who use its network allows computer services to access the personal data of anyone on the network, but only to enforce state, federal, and international law, or if university policies are violated.
Rose-Schmalz stated that she was not asked to access the email account, but that the unidentified university employee instead went directly to the network administrators and asked them to trace the email.
Truesdell also denied asking computer services to trace the email, as the student who sent the email came forward to her before the trace was completed. Of the four sources contacted for this report – Truesdell, Rose-Schmalz, and two anonymous sources familiar with the event – none knew who’d asked the email account to be tapped, or if the tap was an enforcement of university policy.
Truesdell said that there is no specific policy stating who has the authority to ask personal data to be accessed by computer services or when such requests were appropriate. Truesdell also stressed that there must be “criminal activity or a violation of the rules” in order to justify access to personal data on the network, but it is unclear that the unidentified university employee responsible for this particular access had such justification.
The university did not – and currently does not – have a policy banning Senior Streak or the coordination of such an event, and none of the sources contacted for this story indicated that the email had in some other way violated university policy or state, federal, or international law.
At the time of publication, the university employee who requested the email tap, and his or her position at the university, remain unknown.