He is referring partly to recent actions by the Recording Industry Association of America, which has subpoenaed universities for the names of students allegedly engaging in music piracy. Techs must comb through saved logs for personal information to fulfill the subpoenas’ demands. Some schools, including MIT, have refused to hand over the information by arguing that it is protected under the Family Educational Rights and Privacy Act. FERPA is designed to stop students’ personal data from being handed over to third parties, and no one has yet challenged the use of FERPA in these copyright cases.

But there is a little-discussed section of the USA-PATRIOT Act that renders FERPA completely useless when federal officials subpoena personal student information for terrorism-related investigations. Not only do these federal subpoenas bypass FERPA, but the people served are not permitted to discuss them with anybody.

“You can’t challenge [these subpoenas] because you can’t tell anyone you’ve received them,” says Lauren Gelman, an attorney with the Center for Internet and Society at Stanford. “At a university, one administrator can’t even tell another administrator about these subpoenas, so there is no way to know how many have gone out.” While university administrators want to comply with federal laws, many are wary of handing over private data in such a secretive manner.

And if the experiences of MIT computer network director Jeff Schiller are any indication, USA-PATRIOT Act subpoenas are being used on a regular basis to gather information about student online activity. “Things have definitely changed around here since 9/11,” Schiller says. “Nobody has come around with a blanket subpoena looking for e-mails sent by Muslims [on campus]. But we’d never seen subpoenas for information related to national security before, and now we do.” He couldn’t reveal how many of these subpoenas he’s received, but he did confirm that there has been a marked escalation in the electronic investigation of people at MIT “on terrorist grounds.”

The only way to defend student privacy against USA-PATRIOT subpoenas, says University of Michigan public policy professor Virginia Rezmierski, is for university IT departments to stop saving their logs. You can’t subpoena information that doesn’t exist. Rezmierski is the lead author of a 2001 National Science Foundation study of network monitoring and logging practices on college campuses.

“I don’t think this study made people very happy when it came out,” she says. “A lot of our findings were very disturbing.” She describes interviewing a college systems administrator for the study who told her that he had singled out one student and periodically logged everything he did on his computer “because [the student] was really competent with network operations and he seemed a suspicious type.”

She and her co-researchers also discovered that many schools routinely kept records of everything people did on campus networks. Worse, they saved this information without stripping personal identifiers out of it. “People don’t realize there are different levels of monitoring and logging,” Rezmierski says. “You can save logs in order to analyze them for technical and security purposes without saving personal information.” When schools must save logs, she emphasizes, it’s crucial that they remove any markers that connect their data to particular individuals.

She adds that if colleges don’t have policies regulating who has access to such logs, students are left vulnerable to censure by politically motivated administrators who deem certain students or student groups “suspicious” enough to monitor.

Perhaps most disturbing to critics and privacy advocates is the fact that schools are responding to subpoenas from the music recording industry with as much alacrity — and as many privacy-invading techniques — as they are to subpoenas related to national security. In their efforts to ferret out pirates, administrators are violating their own campus privacy policies, treating students who use P2P software the same way they would treat potential terrorists.

Earlier this year, administrators at Penn State decided to hunt down and punish students on the campus network who were using Direct Connect, a program that can be used to trade music files. Although Penn State promises students that their computer use won’t be monitored, administrators tracked down over 200 students using Direct Connect in April and shut down their campus network accounts. Contrary to its expressed policy, the school was retaining logs of network activity that could be traced to individual students.

Penn State’s vice provost of information technology, Russell Vaught, refused to say how the students had been identified, explaining only that his office had “acted within the law.” But undergraduate Mike O’Connor, director of technology affairs for Penn State’s undergraduate student government, showed me an e-mail he’d received from Vaught that acknowledged university techs had watched the online activities of students to find out which ones were using Direct Connect. Vaught’s office may not have broken the law, but O’Connor says that he and other students believe that “Penn State violated its own policy in using these methods.”

For a few months last year, the University of Wyoming used a program called AudibleMagic to look at the content of every piece of data traveling over the campus network suspected of containing copyrighted material. Administrators could gain access to any student’s private data if they suspected he or she might be pirating music. Lambasted in the press, administrators stopped using the program in May. Robert Aylward, the vice president of information technology at the university, says that it no longer uses AudibleMagic and has switched to a program called Packeteer, which tracks data flow on the network but doesn’t look at the content of that data.

However, an AudibleMagic rep says that other universities are adopting its technology.

There are countless products and services like AudibleMagic on the market, all enabling network administrators to place students under surveillance in the name of copyright protection, network monitoring and national security. On college campuses today, the question isn’t whether your computer activity is being watched; it’s who might use your private information against you.