Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Gmail for students and IMAP

From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Wed, 29 Jul 2009 22:02:55 -0400
Yes, we do .. the only exceptions are for LE, Subpoenas and if asked to look for technical reasons (the student thinks 
something is broken)

Policy Text

The following lists the acceptable use and security measures that one must exercise when using Columbia University's 
email.

1. Messages sent and received via Columbia's email system should be kept as private as possible by senders and 
recipients, as well as by Columbia University
Information Technology (CUIT). The University and its email system administrators will not read email unless necessary 
in the course of their duties (e.g.,
including investigation, inappropriate contents or as directed by Office of the General Counsel, and will release email 
as required by an executed subpoena
valid in the State of New York).

...

<http://www.columbia.edu/cu/administration/policylibrary/policies/cuit/00bb9c6718c92f6e011933c4b6b30008.html?base=category>


Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, July 30, 2009 1:38 AM +0000 "James M. Dutcher - Assoc of IS/IT & CIO" <james.dutcher () sunyorange edu> 
wrote:


On a related note...especially for schools who host their email internally...does your school have as part of its 
policies, to ensure that all email
correspondence is kept private? Not subject to inspection?

(I think that I'm stirring the pot now...my apologies, but am curious to know what other security folk think of this in 
terms of their student, faculty and
employee expectations as well as how you all address this with them)


James M. Dutcher - Assoc.VP IS/IT & CIO - SUNY Orange

-----Original Message-----
From: "James M. Dutcher - Assoc of IS/IT & CIO" <james.dutcher () sunyorange edu>

Date: Thu, 30 Jul 2009 01:27:43
To: The EDUCAUSE Security Constituent Group Listserv<SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Gmail for students and IMAP


Ummmm...I believe I mentioned that....you cut off my email after the "(but" in your reply

Regardless if email is internally or externally hosted, it is always subject to inspection (both with/without 
permission).

I know of a good many higher ed orgs where they host email internally AND the primary email sys admin habitually 
inspects their co-workers and managers
emails.....and why do they do this....because they can....

Jim
James M. Dutcher - Assoc.VP IS/IT & CIO - SUNY Orange

-----Original Message-----
From:         John Kristoff <jtk () DEPAUL EDU>

Date:         Wed, 29 Jul 2009 20:19:32
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Gmail for students and IMAP


On Wed, Jul 29, 2009 at 10:13:40AM -0400, James M. Dutcher - Assoc. VP IS/IT & CIO wrote:

Our Gmail setup is as such there is no advertising, hence no snooping (but


There is most certianly snooping going on, you should bank on that.
This isn't the first R&E IT response that insinuates that because
Google doesn't resell addresses, share with third parties and apply
targetted advertising everything must be A-OK.  Maybe, maybe not.

Google uses all that email.  They may not use it for direct advertising,
but they use it.  Search for:

  Google reserves the right, but shall have no obligation, to

You'll find a few policies including one for Google Mail that applies
to the student email outsourced to Google in my experience.  Pay
particular attention to where it says:

  "pre-screen, flag, filter, refuse, modify or move"

You'll also find this:

  "Google maintains and processes your Gmail account and its contents
  to provide the Gmail service to you and to improve our services"

Its automated and perhaps even innocuous taken one user at a time, but
consider why Google and these other providers provide this service for
free.  Why would they do that?  There are all sorts of ways to build
a business around this flow of meta data and the email content that does
not result in direct marketing and advertising.

Should you worry?  I don't know.  You might be worried that someone
at Google can potentially look at all this stuff.  You might be
worried that Google could get owned.  You might be worried that policies
and/or ownership could change without warning.  You might just be
paranoid.

Should you use them anyway?  Maybe, but I would recommend you give
people an opt-out.  I'd be curious if its written into your agreement
that you can't do that.  Can people say whether or not this is in their
agreements?   I've been told by two institutions you can't opt out of
theirs so I'm curious if thats them being lazy, annoyed with me or if
its part of the agreement.

Finally you should realize that they are getting a much better deal
than you are in the long run.  They absolutely *love* that you're
letting them do this for free.

John




Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Previous By Date Next
Previous By Thread Next

Current thread: