Educause Security Discussion mailing list archives

Re: Email Forwarding


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 17 Feb 2011 09:28:13 -0800

Hi Quinn,

Let me begin by saying that the following comments are just my personal 
opinion, and are not meant to reflect the opinions or practice of any 
institution, nor are they meant as legal advice (you've got legal counsel 
for that sort of thing). I just wanted to raise some issues you may want 
to think about or factor into the policies you're currently considering. 

#1.       Records Retention - Emails are University business records and 
#ought to be treated as such. 

Some emails may be, some may not be (at least if you allow incidental 
personal use or have employees who are also students (and you don't give 
them a separate institutional account for strictly student-related
purposes)).

Using a single email account for all purposes can be even trickier when 
an employee may be a student first, and then becomes an employee after 
some years -- at that point they may have substantial personal email 
already in their account as of the time when their status changes.
Would you argue that the status of those earlier messages retroactively 
reverts from being private/protected student communications to being 
institutional records as of the moment of their employment?

#When an employee forwards email from his 
#or her bu.edu account to a personal account, the University loses 
#control of those records and must rely on the employee to provide 
#records. 

I would argue that once a message passes to the control of the employee, the
University effectively loses practical control over those records. You're 
concerned about the employee *forwarding* those messages, but even if you
technically block forwarding, the employee will usually still have the 
ability to print their message traffic, save their messages to a regular 
file on their desktop or laptop (which can then be moved to another system),
the ability to delete their messages, etc.

Most critically, even if you outlaw .forward forwarding files (or the 
equivalent for other operating systems), as long as you allow POP3 or IMAP 
access, the user can do "email consolidation" from many popular third party 
providers (provided the user is willing to trust that third party provider 
with their email password, which most users are all too willing to do).

I think allowing simple forwarding is by far the lesser of two evils 
(relative to things like POP email consolidation).

#If the employee leaves the University, passes away, or loses 
#access to his or her own personal account, these records will most 
#likely be lost to the University.

I think that if you really need assured institutional access to all historical
employee email traffic, you'd need an appliance that could automatically 
archive all that traffic *before* the user has any ability to "manage" their 
content, wouldn't you? (after all, what might be "critical records" to the 
University some day might just look like unwanted "spam" to be dumped when
viewed from the point of view of the employee, right?)

#2.       eDiscovery - The University is frequently asked to or needs to 
#collect emails for litigation. If an employee is forwarding, evidence 
#to support the University's claims or defenses may be lost.

Again, it seems like the issue isn't the user's ability to forward traffic
as much as it is an institutional responsibility to collect and maintain an
immutable copy of the relevant employee message traffic for institutional 
purposes, isn't it? (*IF* the institution wants to do that sort of thing --
it's not clear to me that most institutions need to do so if they aren't
already doing so)

Moreover, I think it may be important to recognize that email is not the 
only communication medium that the employee's using: they're likely also 
doing university business on their desk phone (and potentially on their 
cell phone, too) -- is that message traffic also being captured? 

What about their voice mail? Does it get archived? Or is it subject to
user deletion or automatic aging? 

How about any texts the employee may exchange? 

Employee instant messaging traffic? 

I think that a *lot* of communications will potentially not be captured for
eDiscovery purposes at virtually all sites!

#3.       Contractual Obligations - The University is party to many 
#agreements that require the University to keep a third party's information 
#confidential. When an employee forwards email, that confidence is 
#undermined and the University may be in breach of the agreement.

Should confidential information be getting sent via unencrypted email
in the first place?

If confidentiality is the issue, I think the push should be for ubiquitous
use of PGP/GPG or other strong encryption, or to forbid the transmission
of confidential information via unencrypted email in the first place.

#4.       FERPA - Forwarding (non-directory) personally identifiable 
#information ("PII") from student education records to an account 
#administered by a third party email provider could be a violation 

This seems like a specific case of the confidential information issue we
already talked about in 3., above.

#5.       State Privacy Laws - If email contains "personal information" 
#(name + driver's license number, social security number or financial 
#account number) and the University is the owner of, or charged with 
#maintaining or storing, the personal information, then unauthorized 
#access to, acquisition of, or use of the email will violate state 
#law in most states.  

This seems like a specific case of the confidential information issue we
already talked about in 3., above.

#6.       HIPAA - Protected health information (as that term is defined 
#under HIPAA) should never be sent via regular email. However, if it is, 

I'd stop at "should never be sent via regular email." (yet another example
of the general "no confidential email via email" issue from #3 above)
The rest of the hypothetical is simply an admission that a policy failure 
is being tolerated. 

#7.       Confusion - An @xxxxxxxx.edu address is a reasonably reliable 
#indication to a recipient that the sender is a member of the given 
#University community. 

But email addresses often really don't convey adequate information about 
user roles, responsibilities and attributes... Is the user of a dot edu 
email address a senior administrator? A part time hourly employee? A 
volunteer? A current student? A former student/alumnus?

Of course, we all know that it is trivial to forge an email message
so it appears to come from anyone, anywhere. Training users to rely on
putative message body From: content is a recipe for disaster given the ease
with which email can be forged (even a non-technical user can go in and
trivially change their identity information in a POP or IMAP client, 
and send email as Santa Claus or George Washington, right?)

#When an email comes from a Gmail or Yahoo account, 
#it may be confusing to the recipient or lead the recipient to mistrust 
#the source of the email.

I think the bigger issue with email from a generic Gmail, Yahoo or Hotmail
account is that at least some sites may negatively spam filter all free
email account traffic, or at least subject it to much stricter scrutiny 
than email from less broadly available/less widely abused domains. 

All this aside, however, I think you're conflating two effectively
orthogonal issues when you talk about email that's being sent with a 
third party email address at the same time you talk about email that's 
being forwarded. The issues are really pretty disjoint.

I don't think you'll have much success attempting to (technically) prevent 
university employees from sending mail from a third party account with a 
third party email address. You may be able to forbid that by policy, but 
policing that will likely be hard, and would likely create a substantial 
amount of ill will among users.

Anyhow, just some thoughts you may want to consider.

Regards,

Joe
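Added example (not part of Joe's message or any institution's tooling): the ".forward forwarding files" he mentions can be inventoried rather than outlawed. This POSIX sh script walks a home-directory root, parses each .forward file and reports destinations outside the institution's domain; the three sample users, the domain example.edu and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: audit .forward files under a home-directory root and
# report entries that send mail outside the institution's domain.
# Usage: audit_forwards HOME_ROOT DOMAIN   (prints "user<TAB>KIND<TAB>entry")

audit_forwards() {
    home_root=$1
    domain=$2
    for f in "$home_root"/*/.forward; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        # Entries are comma- or newline-separated; drop comments, quotes and
        # surrounding whitespace so each destination is one clean line.
        tr ',' '\n' < "$f" |
        sed 's/#.*//; s/"//g; s/^[[:space:]]*//; s/[[:space:]]*$//' |
        while IFS= read -r entry; do
            [ -n "$entry" ] || continue
            case $entry in
                \\*) continue ;;                       # \user: keep a local copy
                \|*) printf '%s\tPIPE\t%s\n' "$user" "$entry"; continue ;;
                /*)  continue ;;                       # delivery to a local file
                *@*) ;;                                # address with a domain part
                *)   continue ;;                       # bare local username
            esac
            addr_domain=${entry##*@}
            case $addr_domain in
                "$domain"|*."$domain") ;;              # stays inside the institution
                *) printf '%s\tEXTERNAL\t%s\n' "$user" "$entry" ;;
            esac
        done
    done
}

# Number of off-site destinations found (prints 0 when none; safe under set -e).
count_external() {
    audit_forwards "$1" "$2" | grep -c EXTERNAL || true
}

# Constructed sample home directories (domains are placeholders, not real hosts).
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/alice" "$SAMPLE_ROOT/bob" "$SAMPLE_ROOT/carol"
printf 'alice.example@gmail.invalid\n' > "$SAMPLE_ROOT/alice/.forward"
printf '\\bob, bob@dept.example.edu\n' > "$SAMPLE_ROOT/bob/.forward"
printf '"|/usr/bin/procmail" # filter\ncarol@example.org\n' > "$SAMPLE_ROOT/carol/.forward"

audit_forwards "$SAMPLE_ROOT" example.edu
```

Pipe entries are reported separately because a command in a .forward file can relay mail anywhere regardless of the address check; the POP/IMAP "consolidation" route Joe describes leaves no .forward file at all and needs a different control.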