Educause Security Discussion mailing list archives
Re: Email Forwarding
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 17 Feb 2011 09:28:13 -0800
Hi Quinn, Let me begin by saying that the following comments are just my personal opinion, and are not meant to reflect the opinions or practice of any institution, nor are they meant as legal advice (you've got legal counsel for that sort of thing). I just wanted to raise some issues you may want to think about or factor into the policies you're currently considering. #1. Records Retention - Emails are University business records and #ought to be treated as such. Some emails may be, some may not be (at least if you allow incidental personal use or have employees who are also students (and you don't give them a seperate institutional account for strictly student-related purposes)). Using a single email account for all purposes can be even trickier when an employee may be a student first, and then becomes an employee after some years -- at that point they may have substantial personal email already in their account as of the time when their status changes. Would you argue that the status of those earlier messages retroactively reverts from being private/protected student communications to being institutional records as of the moment of their employment? #When an employee forwards email from his #or her bu.edu account to a personal account, the University loses #control of those record and must rely on the employee to provide #records. I would argue that once a message passes to the control of the employee, the University effectively loses practical control over those records. You're concerned about the employee *forwarding* those messages, but even if you technically block forwarding, the employee will usually still have the ability to print their messasges traffic, save their messages to a regular file on their desktop or laptop (which can then be moved to another system), the ability to delete their messages, etc. Most critically, even if you outlaw .forward forwarding files (or the equivalent for other operating systems), as long as you allow POP3 or IMAP access, the user can do "email consolidation" from many popular third party providers (provided the user is willing to trust that third party provider with their email password, which most users are all too willing to do). I think allowing simple forwarding is by far the lesser of two evils (relative to things like POP email consolidation). #If the employee leaves the University, passes away, or loses #access to his or her own personal account, these records will most #likely be lost to the University. I think that if you really need assured institutional access to all historical employee email traffic, you'd need an appliance that could automatically archive all that traffic *before* the user has any ability to "manage" their content, wouldn't you? (after all, what might be "critical records" to the University some day might just look like unwanted "spam" to be dumped when viewed from the point of view of the employee, right?) #2. eDiscovery - The University is frequently asked to or needs to #collect emails for litigation. If an employee is forwarding, evidence #to support the University's claims or defenses may be lost. Again, it seems like the issue isn't the user's ability to forward traffic as much as it is an institutional responsibility to collect and maintain an immutable copy of the relevant employee message traffic for institutional purposes, isn't it? (*IF* the institution wants to do that sort of thing -- it's not clear to me that most institutions need to do so if they aren't already doing so) Moreover, I think it may be important to recognize that email is not the only communication medium that the employee's using: they're likely also doing university business on their desk phone (and potentially on their cell phone, too) -- is that message traffic also being captured? What about their voice mail? Does it get archived? Or is it subject to user deletion or automatic aging? How about any texts the employee may exchange? Employee instant messaging traffic? I think that a *lot* of communications will potentially not be captured for eDiscovery purposes at virtually all sites! #3. Contractual Obligations - The University is party to many #agreements that require the University to keep a third party's information #confidential. When an employee forwards email, that confidence is #undermined and the University may be in breach of the agreement. Should confidential information be getting sent via unencrypted email in the first place? If confidentiality is the issue, I think the push should be for ubiquitous use of PGP/GPG or other strong encryption, or to forbid the transmission of confidential information via unencrypted email in the first place. #4. FERPA - Forwarding (non-directory) personally identifiable #information ("PII") from student education records to an account #administered by a third party email provider could be a violation This seems like a specific case of the confidential information issue we already talked about in 3., above. #5. State Privacy Laws - If email contains "personal information" #(name + driver's license number, social security number or financial #account number) and the University is the owner of, or charged with #maintaining or storing, the personal information, then unauthorized #access to, acquisition of, or use of the email will violate state #law in most states. This seems like a specific case of the confidential information issue we already talked about in 3., above. #6. HIPAA - Protected health information (as that term is defined #under HIPAA) should never be sent via regular email. However, if it is, I'd stop at "should never be sent via regular email." (yet another example of the general "no confidential email via email" issue from #3 above) The rest of the hypothetical is simply an admission that a policy failure is being tolerated. #7. Confusion - An @xxxxxxxx.edu address is a reasonably reliable #indication to a recipient that the sender is a member of the given #University community. But email addresses often really don't convey adequate information about user roles, responsibilities and attributes... Is the user of a dot edu email address a senior administrator? A part time hourly employee? A volunteer? A current student? A former student/alumnus? Of course, we all know that it is trivial to forge an email message so it appears to come from anyone, anywhere. Training users to rely on putative message body From: content is a recipe for disaster given the ease with which email can be forged (even a non-technical user can go in and trivially change their identity information in a POP or IMAP client, and send email as Santa Claus or George Washington, right?) #When an email comes from a Gmail or Yahoo account, #it may be confusing to the recipient or lead the recipient to mistrust #the source of the email. I think the bigger issue with email from a generic Gmail, Yahoo or Hotmail account is that at least some sites may negatively spam filter all free email account traffic, or at least subject it to much stricter scrutiny than email from less broadly available/less widely abused domains. All this aside, however, I think you're conflating two effectively orthogonal issues when you talk about email that's being sent with a third party email address at the same time you talk about email that's being forwarded. The issues are really pretty disjoint. I don't think you'll have much success attempting to (technically) prevent university employees from sending mail from a third party account with a third party email address. You may be able to forbid that by policy, but policing that will likely be hard, and would likely create a substantial amount of ill will among users. Anyhow, just some thoughts you may want to consider. Regards, Joe
Current thread:
- Email Forwarding Shamblin, Quinn (Feb 17)
- Re: Email Forwarding Mclaughlin, Kevin (mclaugkl) (Feb 17)
- Re: Email Forwarding Shamblin, Quinn (Feb 17)
- Re: Email Forwarding Theresa Rowe (Feb 23)
- <Possible follow-ups>
- Re: Email Forwarding Joe St Sauver (Feb 17)
- Re: Email Forwarding Shamblin, Quinn (Feb 17)
- Re: Email Forwarding Geoffrey Steven Nathan (Feb 18)
- Re: Email Forwarding Joe St Sauver (Feb 18)
- Re: Email Forwarding Joel Rosenblatt (Feb 18)
- Re: Email Forwarding Geoffrey Steven Nathan (Feb 19)
- Re: Email Forwarding Volz, Donald D (Feb 19)
- Re: Email Forwarding David Grisham (Feb 19)
- Re: Email Forwarding Joel Rosenblatt (Feb 19)
- Re: Email Forwarding Mclaughlin, Kevin (mclaugkl) (Feb 19)
- Re: Email Forwarding Joel Rosenblatt (Feb 19)
- Re: Email Forwarding Mclaughlin, Kevin (mclaugkl) (Feb 17)