UC Berkeley bConnected Transparency Report

Privacy is fundamental to the University of California, Berkeley. It underpins academic and intellectual freedoms, which are key to the University mission. The UC Electronic Communications Policy (ECP) establishes policy on allowable use and privacy of electronic communications, and also clarifies limits on privacy protections.

Like any other large organization, UC Berkeley sometimes receives requests for account information or access to the content of an account from internal and external entities such as University or external counsel, Audit, Investigations, Human Resources, department management, law enforcement, and federal officials. What do we do when this happens?

The University does not examine or disclose electronic communications records without the holder's consent, except under the limited circumstances defined in the UC Electronic Communications Policy.

CATEGORIES OF REQUESTS

The requests we receive for access to student, faculty, and staff email accounts fall into several categories:

  • Consensual: Some access requests have the person's consent. Most consensual access is for legal defense involving active employees.
  • Non-consensual: UCB sometimes gets requests from government, law enforcement, or an internal source asking for access regardless of the record holders knowledge or consent. When required by law or UC policy to comply with such a request, we will do so.
  • ECP Not Applicable: In this category, when an account holder has separated from the University, or the account does not belong to an individual (such as an automated response inbox for a University business function), consent is not required by the ECP. In these cases, the campus still seeks to maintain the privacy of the community by making relevant persons aware of the need to access a resource and by reviewing only the minimum amount of information necessary to perform a specific action, when feasible.
  • System Administrator Access Requests: There are certain instances when system administrators can access an account. Examples include when a user is actively compromised by phishing and the account must be disabled and then re-enabled by the administrator to restore secure service, or when a supervisor requests a vacation message set from a user's account (staff or faculty). If there is a problem with file ownership or permissions, IT Policy allows for administrators to log into an account to change ownership of a file or document. In all these cases, system administrators remain bound by the principle of least perusal -- fixing a technical issue does not open up the content of electronic communication to inspection beyond the minimum necessary to resolve the technical problem at hand. In some cases, system administrators are authorized to access a user's account to delete a message accidentally sent to the wrong person, the reasoning being that the bulk of ownership of a message belongs to the sender, and this type of request is typically initiated by the author of the accidentally transmitted communication.

NON-CONSENSUAL ACCESS PROCESS

The Policy states that the University permits the examination or disclosure of electronic communications records without the consent of the holder of such records only when:

  • Required by and consistent with law;
  • there is substantiated reason to believe that violations of law or of specific University policies have taken place;
  • there are compelling circumstances; or
  • under time-dependent, critical operational circumstances.

Requests for Non-Consensual Access require completion of the following approval form: Campus Approval of Non-Consensual Access to Electronic Communication Records (PDF).

The form must be signed by the organizational head of a department or unit. Once the Privacy Office receives the form, we confirm that it meets the standards of the ECP. This means that the reason for access meets one of criteria listed above and access will be "limited to the least perusal of contents and the least action necessary to resolve the situation," also known as "least privileges." Non-consensual access requests must be approved by the Campus Privacy Officer, the AVC-CIO, and sometimes Campus Counsel or Academic Senate Chair. After approvals are obtained, the form is sent to the email administrator for bMail, who manages the requests.

Our Commitment to You

We believe that you should know as much as possible about the requests we receive. That is why we've committed to sharing this Transparency Report and updating it at least every six months.

The data in this document covers formal requests for non-consensual access, as well as requests from those who asked about access, but did not submit a formal request.

Scope of this Report

The scope of this Transparency Report is for all bConnected requests except National Security Letter, or via a subpoena with a gag order. The report is similarly silent on requests that may be being fulfilled outside of the University process, such as vendors being served with National Security Letters or subpoenas subject to gag orders. The University will have no knowledge of requests for information from law enforcement that are delivered directly to vendors, including Google under those terms. We recommend you read Google's Transparency Report for more information on how Google handles these requests.

Information provided in this transparency report does not reflect security monitoring conducted by UC Berkeley's Information Security and Policy team or by the UC Office of the President under the Coordinated Monitoring and Threat Response Initiative.  For more information, see the FAQ: Is my email accessed for security monitoring?

Also see the ECP Transparency Report, which includes requests for access to computing devices and other electronic communications not included in the bConnected report.

Requests for non-consensual access to bConnected data (G Suite for Education, Box, and CalShare) Jan-June 2017

Category of RequestStudent Record Holder*Faculty Record Holder*Staff Record Holder*Total
Total non-consensual access requests 0 3 7 10
Total non-consensual access requests granted 0 3 7 10
Access taken under ECP emergency circumstances (prior to ECP approval) 0 0 0 0
Requests granted where ECP was not applicable (1) 0 2 6 8
Requests granted under ECP 0 1 1 2
Requests granted under ECP - Required by and consistent with law (2) 0 0 0 0
Requests granted under ECP - Violation of law or policy (3) 0 1 1 2
Requests granted under ECP - Compelling circumstances (4) 0 0 0 0
Requests granted under ECP - Time dependent, critical operational circumstances (5) 0 0 0 0

*includes former student, faculty or staff record holders in each associated category.

July-Dec 2016

Category of RequestStudent Record HolderFaculty Record HolderStaff Record HolderTotal
Total non-consensual access requests 2 0 2 4
Total non-consensual access requests granted 2 0 2 4
Access taken under ECP emergency circumstances (prior to ECP approval) 0 0 0 0
Requests granted where ECP was not applicable (1) 0 0 1 1
Requests granted under ECP 2 0 1 3
Requests granted under ECP - Required by and consistent with law (2) 0 0 0 0
Requests granted under ECP - Violation of law or policy (3) 2 0 1 3
Requests granted under ECP - Compelling circumstances (4) 0 0 0 0
Requests granted under ECP - Time dependent, critical operational circumstances (5) 0 0 0 0

Jan-June 2016

Category of RequestStudent Record HolderFaculty Record HolderStaff Record HolderTotal
Total non-consensual access requests 1 2 9 12
Total non-consensual access requests granted 0 1 6 7
Access taken under ECP emergency circumstances (prior to ECP approval) 0 0 0 0
Requests granted where ECP was not applicable (1) 0 1 4 5
Requests granted under ECP 0 0 2 2
Requests granted under ECP - Required by and consistent with law (2) 0 0 0 0
Requests granted under ECP - Violation of law or policy (3) 0 0 2 2
Requests granted under ECP - Compelling circumstances (4) 0 0 0 0
Requests granted under ECP - Time dependent, critical operational circumstances (5) 0 0 0 0

July-Dec 2015

Category of RequestStudent Record HolderFaculty Record HolderStaff Record HolderTotal
Total bConnected non-consensual access requests 2 1 5 8
Total bConnected non-consensual access granted 1 1 5 7
Requests granted where ECP was not applicable 0 1 5 6
Requests granted under ECP procedures 1 0 0 1
Required by and consistent with law 1 0 0 1
Violation of law or policy (3) 0 0 0 0
Compelling circumstances (4) 0 0 0 0
Time dependent, critical operational circumstances (5) 0 0 0 0

January-June 2015

Category of RequestStudent Record HolderFaculty Record HolderStaff Record HolderTotal
Total bConnected non-consensual access requests 1 0 9 10
Total bConnected non-consensual access granted 0 0 7 7
Requests granted where ECP was not applicable 0 0 4 4
Requests granted under ECP procedures 0 0 3 3
Required by and consistent with law 0 0 0 0
Violation of law or policy (3) 0 0 3 3
Compelling circumstances (4) 0 0 0 0
Time dependent, critical operational circumstances (5) 0 0 0 0

July-December 2014

Category of RequestStudent Record HolderFaculty Record HolderStaff Record HolderTotal
Total bConnected non-consensual access requests 0 0 2 2
Total bConnected non-consensual access granted 0 0 2 2
Requests granted where ECP was not applicable 0 0 2** 2*
Requests granted under ECP procedures 0 0 0 0
Required by and consistent with law 0 0 0 0
Violation of law or policy (3) 0 0 0 0
Compelling circumstances (4) 0 0 0 0
Time dependent, critical operational circumstances (5) 0 0 0 0

*This number was corrected due to a typographical error on 9/21/15

**This number was corrected due to a typographical error on 10/28/15

(1) After separation from the University or death, the former account holder is no longer considered the "record holder" and ECP procedures are not applicable, however, the campus still seeks to limit access to only the minimum amount of information necessary.

(2) Includes access compelled by search warrants, subpoenas, subpoenas duces tecum or other court orders.

(3) When there is substantiated reason, i.e., reliable evidence indicating that violation of law or of University policies listed in Appendix C, Policies Relating to Access Without Consent, probably has occurred, as distinguished from rumor, gossip, or other unreliable evidence.)

(4) Circumstances in which failure to act might result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies listed in Appendix C, Policies Relating to Access Without Consent, or significant liability to the University or to members of the University community.

(5) Circumstances in which failure to act could seriously hamper the ability of the University to function administratively or to meet its teaching obligations, but excluding circumstances pertaining to personal or professional activities, or to faculty research or matters of shared governance.