Re: Gmail for students and IMAP

[Joel Rosenblatt <joel () COLUMBIA EDU>]

I constantly remind people not to put anything in an email that they wouldn't be willing to put on a postcard - that's 
what encryption is for.

At least we make the effort to keep it private, and we really do follow this policy - no one accesses email without GC 
approval.

Take it for what it's worth.

Joel

--On Thursday, July 30, 2009 8:36 AM -0400 "McClenon, Braden" <mcclenbw () ONEONTA EDU> wrote:

> "should be kept as private as possible" and "will not read email unless
> necessary in the course of their duties" don't give me much reassurance
> of privacy.  Seems like that wording gives a lot of latitude...
>
>
> Brady McClenon
> Senior Server Administrator
> SUNY Oneonta
> 607-436-3203
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
> > Sent: Wednesday, July 29, 2009 10:03 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Gmail for students and IMAP
> >
> > Yes, we do .. the only exceptions are for LE, Subpoenas and if asked
> to
> > look for technical reasons (the student thinks something is broken)
> >
> > Policy Text
> >
> > The following lists the acceptable use and security measures that one
> > must exercise when using Columbia University's email.
> >
> > 1. Messages sent and received via Columbia's email system should be
> > kept as private as possible by senders and recipients, as well as by
> > Columbia University
> > Information Technology (CUIT). The University and its email system
> > administrators will not read email unless necessary in the course of
> > their duties (e.g.,
> > including investigation, inappropriate contents or as directed by
> > Office of the General Counsel, and will release email as required by
> an
> > executed subpoena
> > valid in the State of New York).
> >
> > ...
> <http://www.columbia.edu/cu/administration/policylibrary/policies/cuit/
> > 00bb9c6718c92f6e011933c4b6b30008.html?base=category>
> >
> >
> > Joel Rosenblatt, Manager Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > http://www.columbia.edu/~joel
> >
> >
> > --On Thursday, July 30, 2009 1:38 AM +0000 "James M. Dutcher - Assoc
> of
> > IS/IT & CIO" <james.dutcher () sunyorange edu> wrote:
> >
> > > On a related note...especially for schools who host their email
> > internally...does your school have as part of its policies, to ensure
> > that all email
> > > correspondence is kept private? Not subject to inspection?
> > >
> > > (I think that I'm stirring the pot now...my apologies, but am
> curious
> > to know what other security folk think of this in terms of their
> > student, faculty and
> > > employee expectations as well as how you all address this with them)
> > >
> > >
> > > James M. Dutcher - Assoc.VP IS/IT & CIO - SUNY Orange
> > >
> > > -----Original Message-----
> > > From: "James M. Dutcher - Assoc of IS/IT & CIO"
> > <james.dutcher () sunyorange edu>
> > >
> > > Date: Thu, 30 Jul 2009 01:27:43
> > > To: The EDUCAUSE Security Constituent Group
> > Listserv<SECURITY () LISTSERV EDUCAUSE EDU>
> > > Subject: Re: [SECURITY] Gmail for students and IMAP
> > >
> > >
> > > Ummmm...I believe I mentioned that....you cut off my email after the
> > "(but" in your reply
> > >
> > > Regardless if email is internally or externally hosted, it is always
> > subject to inspection (both with/without permission).
> > >
> > > I know of a good many higher ed orgs where they host email
> internally
> > AND the primary email sys admin habitually inspects their co-workers
> > and managers
> > > emails.....and why do they do this....because they can....
> > >
> > > Jim
> > > James M. Dutcher - Assoc.VP IS/IT & CIO - SUNY Orange
> > >
> > > -----Original Message-----
> > > From:         John Kristoff <jtk () DEPAUL EDU>
> > >
> > > Date:         Wed, 29 Jul 2009 20:19:32
> > > To: <SECURITY () LISTSERV EDUCAUSE EDU>
> > > Subject: Re: [SECURITY] Gmail for students and IMAP
> > >
> > >
> > > On Wed, Jul 29, 2009 at 10:13:40AM -0400, James M. Dutcher - Assoc.
> > VP IS/IT & CIO wrote:
> > >> Our Gmail setup is as such there is no advertising, hence no
> > snooping (but
> > >
> > > There is most certianly snooping going on, you should bank on that.
> > > This isn't the first R&E IT response that insinuates that because
> > > Google doesn't resell addresses, share with third parties and apply
> > > targetted advertising everything must be A-OK.  Maybe, maybe not.
> > >
> > > Google uses all that email.  They may not use it for direct
> > advertising,
> > > but they use it.  Search for:
> > >
> > >   Google reserves the right, but shall have no obligation, to
> > >
> > > You'll find a few policies including one for Google Mail that
> applies
> > > to the student email outsourced to Google in my experience.  Pay
> > > particular attention to where it says:
> > >
> > >   "pre-screen, flag, filter, refuse, modify or move"
> > >
> > > You'll also find this:
> > >
> > >   "Google maintains and processes your Gmail account and its
> contents
> > >   to provide the Gmail service to you and to improve our services"
> > >
> > > Its automated and perhaps even innocuous taken one user at a time,
> > but
> > > consider why Google and these other providers provide this service
> > for
> > > free.  Why would they do that?  There are all sorts of ways to build
> > > a business around this flow of meta data and the email content that
> > does
> > > not result in direct marketing and advertising.
> > >
> > > Should you worry?  I don't know.  You might be worried that someone
> > > at Google can potentially look at all this stuff.  You might be
> > > worried that Google could get owned.  You might be worried that
> > policies
> > > and/or ownership could change without warning.  You might just be
> > > paranoid.
> > >
> > > Should you use them anyway?  Maybe, but I would recommend you give
> > > people an opt-out.  I'd be curious if its written into your
> agreement
> > > that you can't do that.  Can people say whether or not this is in
> > their
> > > agreements?   I've been told by two institutions you can't opt out
> of
> > > theirs so I'm curious if thats them being lazy, annoyed with me or
> if
> > > its part of the agreement.
> > >
> > > Finally you should realize that they are getting a much better deal
> > > than you are in the long run.  They absolutely *love* that you're
> > > letting them do this for free.
> > >
> > > John
> >
> >
> >
> > Joel Rosenblatt, Manager Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > http://www.columbia.edu/~joel



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel