Last week, the Internet got wind of Northern Illinois University's (NIU's) Acceptable Use Policy for "information technology resources," which lists prohibited uses of NIU's network and hardware. As I explained the other night on The Torch (the blog of the Foundation for Individual Rights in Education, or FIRE, where I work), the policy became news after a NIU student posted a bizarre warning notice he reportedly received while trying to use NIU's network to access the Wikipedia page for the Westboro Baptist Church (WBC). The warning tagged the page as "Illegal or Unethical" and informed the student that the page had been "recorded for review." Most chillingly, the notice stated that unless the student was attempting to visit the page for "legitimate business purposes," it was "highly probable that the access would violate the Northern Illinois Acceptable Use Policy."
Unsurprisingly, media outlets including the New York Observer's Betabeat, Jezebel and Reason slammed NIU -- a public university bound by the First Amendment -- for restricting access to a broad range of constitutionally protected expression as an "unacceptable use" of the Internet.
NIU should have simply admitted that it had erred by using an Internet filter seemingly designed for corporate use on public university students in a misguided attempt to enforce a broad, subjective policy. But instead, hours after the story broke, NIU issued a limited denial, arguing that it doesn't prohibit students from visiting social media sites, Wikipedia or political websites, as students had claimed. NIU's statement, however, at best glosses over the enormous problems with NIU"s actual policy, which (for now) is still live on the university's website. (FIRE has a copy, in case it vanishes.)
First, NIU's denial opens by explaining that the policy is necessary to thwart hackers and prevent users from accessing sites that "pose an active security risk." But surely the need for information security does not justify broad content-based restrictions on websites that students and other network users visit. Why would a student accessing Wikipedia receive a warning about "Illegal or Unethical" content if NIU is just trying to address sites that "pose an active security risk?" Does the WBC page on Wikipedia host malware of some kind?
Second, NIU's statement claims that students are allowed to access social media sites:
"I want to assure students that -- contrary to some Internet reports -- they will have access to social media websites such as Facebook, Twitter, Instagram, Pinterest and others," said NIU Vice President and Chief Information Officer Brett Coryell. "NIU is wholly committed to allowing free and open access to information and only considers blocking network traffic that constitutes a well known threat as determined by the broader IT security community."
According to Betabeat, though, students reported being unable to access social media. Were they lying? Or is NIU scrambling to figure out what its new firewall system -- which it admits is "still in its early phases of tuning" -- does and doesn't allow students to access? One would hope that a university would default to allowing access until sites are determined to be harmful -- not vice versa.
And despite NIU's assurances to students, the following "unacceptable uses" are explicitly enumerated in NIU's policy:
Use of personal social media sites, following specific direction to cease or not utilize university equipment or time to an extent or during time periods that would interfere with professional responsibilities, including, but not limited to, Facebook, Twitter, Flickr, Pinterest, LinkedIn, Foursquare, etc., unless associated with professional responsibilities.
So it is unacceptable to use social media "following specific direction to cease or not utilize university equipment or time to an extent or during time periods that would interfere with professional responsibilities." But this makes no sense as applied to students -- they don't have "professional responsibilities." If this section of the policy was meant only to be for employees and not students, it should say so. But it doesn't -- the policy says it is applicable to "faculty, staff, emeritus personnel and students in good standing." And students, not employees, are the ones reporting that they can't access social media.
NIU's flawed policy goes further than attempting to regulate access to social media. It also covers a wide range of protected political speech:
Using the resources for political activities, including organizing or participating in any political meeting, rally, demonstration, soliciting contributions or votes, distributing material, surveying or polling for information connected to a political campaign, completing political surveys or polling information and any other activities prohibited under the ethics act and/or other state/federal laws.
Under this policy, student members of, say, the NIU College Democrats can't send out emails to their membership announcing their next meeting. That's ridiculous.
NIU's statement then attempts to explain away the warning notice the student received when he tried to visit the WBC Wikipedia page:
Portions of NIU's longstanding acceptable use policy are shown when users encounter a blocked site. However, it is important to note that some aspects of the policy are addressing employees, such as the ethical issue of excessive use of state-owned equipment for browsing personal web sites.
Characterizing that ominous notice received by students attempting to visit such "Illegal or Unethical" websites as Wikipedia as simply "portions of NIU's longstanding acceptable use policy" is an impressive exercise in damage-control spin, but it certainly doesn't fix the problem. The bottom line is that a firewall maintained by NIU, a public university, is telling students that clearly protected content, like a Wikipedia page, is probably "Illegal or Unethical" and students risk punishment by going there. That's a problem. And that kind of bizarrely threatening and heavy-handed warning will likely achieve the same result as simply blocking the website, at least for students who value their academic careers.
The text of the policy emphatically does not support the claim that the policy addresses employees and not students. It states that "all individuals, including, but not limited to, employees, students, customers, volunteers and third parties, unconditionally accept the terms of this policy." (Emphasis added.) The policy does not indicate that certain provisions apply only to employees. If parts of the policy concern only employees, they should be clearly labeled as such. They aren't. If NIU wants to regulate staff use of the Internet, it should write a separate staff policy -- making sure that it applies only to non-academic staff, of course, since professors also shouldn't have to receive warnings when trying to visit Wikipedia!One other issue: As this controversy hit Twitter the other night, NIU's Twitter account wrote, "The restrictions are on NIU computers, not personal computers, etc used by students":
@TheAxisOfEgo @sarahemclaugh The restrictions are on NIU computers, not personal computers, etc used by students. http://t.co/fThJ1AJ7Dl
-- NIU (@NIUlive) August 21, 2014
That also doesn't appear to be the case. The policy begins:
Northern Illinois University information technology resources, including the electronic communications network (NIUnet) on the NIU campus and off-campus education and research centers, computers attached to this network, and any associated computational resource or service are for the use of persons affiliated with Northern Illinois University, including faculty, staff, emeritus personnel, and students in good standing. [Emphasis added.]
The policy itself says that it applies to "computers attached to this network" (which would include students on campus Ethernet or Wi-Fi) and to the network itself. Perhaps NIU's current IT staff intends to apply it only to NIU-owned computers, but that doesn't appear to be what students are experiencing, and it's not what the policy says.
FIRE often warns that as long as poorly-written written policies exist, the possibility that they will be enforced exists -- and here, we're seeing what happens when they are. If NIU truly does not intend to apply the policy to students, then it should take it down from the university website and stop threatening to punish students when they try to access Wikipedia or any other websites containing clearly protected content.
Nobody should be reassured by NIU's mealy-mouthed responses. NIU must revise its policy and ditch its firewall to make sure that neither the policy nor the firewall is being used to censor certain viewpoints or to deter students from accessing constitutionally protected expression online.