interview with
Dr. Clair W. Goldsmith

Rob Kolstad interviewed Dr. Clair W. Goldsmith via email over the last three months. Goldsmith has held many positions in the academic and medical computing communities in the last couple of decades. Clair was also president of DECUS for several years.

Rob You are a high-level guy at the University of Texas, Austin, computing center, right? Please tell us a bit about your position.

Clair I have a typically academic title: Deputy Director, Academic Computing and Instructional Technology Services at the University of Texas, Austin. UT Austin has separate computing centers for academic and administrative computing. The differences are more apparent than real. For example, we are working to combine our Help Desk functions ­ academic computing has a much larger effort for this than administrative computing. We also use the same communications network infrastructure. I often deal with the infractions that occur on the administrative computer system as well.

Rob And UT serves a large user community? Lots of hardware?

Clair There are lots of measures of that. There are 75,000+ users who publish their email address in our X.500 directory. Probably the most interesting statistic is that there are over 34,000 computers on the campus network. Or we get about 13,000,000 hits per month to our Web site, which is 250,000+ pages on 300 servers.

Rob What sorts of interesting issues do you confront?

Clair All of the complaints about the use of technology can be sent to me via <[email protected]>. Although issues involve spam, commercial use, forged email, and harassment, the most difficult and interesting cases have to do with freedom of speech, academic freedom, copyright, and occasionally privacy.

Rob So you have to deal with all the random acts that students might commit when they can use the net to communicate via email, Web, or other standard techniques?

Clair Yes, and also faculty staff and their dependents (if the resources are being shared ­ which is always inappropriate and illegal under Texas law). In one case, a particularly colorful stream of profanity was sent to someone outside the university, who complained. When the staff member got a letter with the complaint attached, he called me to apologize. He seemed very surprised that his 14-year-old son knew those words.

I also had a case where the son of a staff member advertised video gaming equipment for sale, cashed the check, and refused to deliver the equipment, saying that he was only 16 and could not be held responsible. As it turns out, his parents can. The father got the email about this on the first day of a month-long family vacation in Hawaii.

Most recently, we have had problems with students setting up sites that distribute the intellectual property of others: games, recorded music, animation, and software. Most cases are handled by putting the student on disciplinary probation. However, in two cases we have suspended students: one for selling access to pirated software and one for repeated distribution of recorded music.

I also have had the police get a search warrant for a dorm room because a student had constructed a trojan horse to obtain the logon identifiers and passwords that he published in an alt. newsgroup.

Rob What happens when a student, faculty member, or staff member puts up a "hate" page (anti-Semitic, homophobic, etc.)?

Clair I usually get a phone call or email complaint, to which I reply that we will review the information supplied and determine if any rules or laws have been broken. However, the examples you gave do not break any rule or law. In fact, because we are state assisted, we must not abridge the First Amendment right of free speech and therefore cannot prohibit such. Private institutions might have different rules ­ but as a state institution we must follow the laws carefully.

Rob What about dirty pictures? What about really dirty pictures?

Clair Then the Web page has really dirty pictures on it. Seriously, the First Amendment requirement is very strong. And there is no definition of "really dirty pictures." As long as it's pornography, it is protected speech. There is a definition, of sorts, of obscene: offends local sensibilities. Thus, although I have seen some things that make me nauseous, there has never been anything that we have taken down because of content.

Rob What happens when a student sends out 100,000 spam emails promoting some random product or thought?

Clair Well, if it's a product, they get a mail message reminding them they cannot use state property for commercial purposes and there is a prohibition against spamming. If it is only a thought, then they just get the spamming reminder.

Rob That's it? No special "appropriate usage guidelines" or anything? Doesn't that cost you a lot of resources?

Clair We have what we call "responsible use guidelines." They can be found in "Looking for Trouble?" at <http://www.utexas.edu/cc/policies/trouble.html>. However, we do define a portion of the resources for each use ­ that would simply be unmanageable. However, we do have a rule against spam, and when it is broken, we do contact the individual. Most are surprised that we noticed and then are subsequently embarrassed. We do not often have repeat offenders; and when we do, it is likely to indicate a more serious problem for which stronger remedies are available. In any case, I do not have to worry about discipline for students, faculty, or staff. I only produce the evidence chain.

We believe that attempts to control use will be ineffective in this environment. It is better to set standards of behavior and use and measure the complaints against those standards.

Rob How do you go about searching students' rooms to get evidence to help the authorities?

Clair Only on invitation. Normally, we do all investigating via the Net or through other records and logs. Actually, we would never go into a student's room. The police do that ­ and only with permission or a warrant.

Rob So, being 18, the students have the complete set of rights we might all expect as citizens, and you have to make the call each and every day as to whether they have crossed the thin line that divides "protected" activities from illegal ones?

Clair Yes, the serious issue for students is that they be protected appropriately. They sometimes think that because they are students, rules and laws don't really apply. They are dumbfounded to learn that they do. A case in point is the student who created the trojan horse. He didn't think anyone would notice his posting of accounts and passwords. This is against the rules and state law. When the police woke him and his roommate at 7:00 am, the first thing he said was, "I bet you're here about the accounts I posted." He learned this statement is admissible, even though he had not yet been Miranda-ized, because he was not then a suspect.

Often, finding the evidence is an interesting problem. I recently had a complaint by a computer science undergraduate student that his account in CS had been hacked. CS had blocked his account and although they found him believable, told him it was his problem to find the culprit. By the time he got to me, he had been to the source of one of the attacks, microbiology, and had the account number of the person who was logged on at the time of the attack. Under federal law, if the account owner is a student, I cannot release the name of that student. Therefore, I investigate the incident, identify the facts, and turn the information over to Student Judicial Services. In this case, a second breakin had occurred from a chemistry research area, where no account is necessary to use the computers. The attack occurred on a holiday, so it was clear whoever did it had a building key. The faculty member responsible for the area provided a list of students and staff with access. There was no match to the person who had attacked from the microbiology computer. After thinking about it for a day, I queried the X.500 directory on the telephone number of the microbiology suspect. A name on the Chemistry list did show up ­ his wife, it turns out.

Rob Do you get a lot of flak from people outside the university who do not understand the rules?

Clair Yes. Actually, once explained, there is not much push-back. Typically, it will be from other institutions who know better and try to see if they can get us to give up information. We do not give out information on students to police authorities without a subpoena or, in the case of clear and obvious need, such as a disaster or other life or death matter.

I once had a person at a premier Ivy League institution, who should have known better, tell me that there could be no such law that required the permission of students to release information about the student to him. After several email exchanges, where he repeatedly told me I was wrong, I sent him the appendix from our General Information catalog that contains the text of the federal law.

Rob How much time could it take to deal with all these sorts of problems?

Clair This is almost a full-time job. I also have a quarter-time law student who deals with routine cases. A trivial case, such as one the law student deals with, takes about 30 minutes to respond to the complainant and ask for the account number used. This may require additional effort, such as requesting the complete email headers from the complainant or searching a newsgroup archive for the complete headers. It takes an additional 45 minutes to complete the information necessary for either a referral or informational referral to Student Judicial Services.

Rob Do you have to deal with incoming spam and hate mail? What happens?

Clair I wrote about this in our November newsletter, see <http://www.utexas.edu/cc/newsletter/nov97/spam.html>. We do try to minimize spam by not accepting email whose domain names are not resolvable ­ upwards of 40,000 daily ­ and we exchange lists with others about known spam producers.

As for the hate email, this does come under the heading of protected speech. There may be cases where it is harassment, but that is a judgment made by the recipient and Student Judicial Services.

For Web pages maintained by terrorist groups, the only effective deterrent I have seen was creditable death threats to family members of the Web page owner. Unfortunately, this may be considered "terroristic threats" that are against state law, but it was not reported as such.

Rob What's the most rewarding part of your job?

Clair There are a couple of aspects that are truly rewarding.

First, when someone has received (death) threats and is genuinely upset, I can explain what is likely going on, what the person's options are, and that they are not totally in the control of someone else.

Second is dealing with those outside the university to explain what our rules are, how they are enforced, and why we have the rules. Most people really do appreciate the explanation and come to understand our position, even if they do not completely agree with it.

I very much enjoy this role of being a point of human contact for those who believe themselves injured. And, strange as it may sound, balancing that with ensuring that the accused has all the evidence so that whatever discipline incurred is justified.