Educause Security Discussion mailing list archives

Re: Email Forwarding


From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Thu, 17 Feb 2011 18:56:52 -0500

Hi Joe,

I appreciate your views and the time you took to put them together.  I happen to agree with several of them, but it is 
still very interesting fuel for discussion.  Thank you for your points however.  There are a few elements I hadn't 
thought of in that way or hadn't worded in that way at any rate.  This will definitely help inform my overall response.

Warm Regards,
 
Quinn R Shamblin
-----------------------------------------------------------------------------
Executive Director of Information Security, Boston University
GCFA, CISSP, PMP  -  O 617-358-6310  M 617-999-7523



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver
Sent: Thursday, February 17, 2011 12:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email Forwarding

Hi Quinn,

Let me begin by saying that the following comments are just my personal opinion, and are not meant to reflect the 
opinions or practice of any institution, nor are they meant as legal advice (you've got legal counsel for that sort of 
thing). I just wanted to raise some issues you may want to think about or factor into the policies you're currently 
considering. 

#1.       Records Retention - Emails are University business records and 
#ought to be treated as such. 

Some emails may be, some may not be (at least if you allow incidental personal use or have employees who are also 
students (and you don't give them a separate institutional account for strictly student-related purposes)).

Using a single email account for all purposes can be even trickier when an employee may be a student first, and then 
becomes an employee after some years -- at that point they may have substantial personal email already in their account 
as of the time when their status changes.
Would you argue that the status of those earlier messages retroactively reverts from being private/protected student 
communications to being institutional records as of the moment of their employment?

#When an employee forwards email from his or her bu.edu account to a personal account, the University loses control
#of those records and must rely on the employee to provide records.

I would argue that once a message passes to the control of the employee, the University effectively loses practical 
control over those records. You're concerned about the employee *forwarding* those messages, but even if you 
technically block forwarding, the employee will usually still have the ability to print their message traffic, save 
their messages to a regular file on their desktop or laptop (which can then be moved to another system), the ability to 
delete their messages, etc.

Most critically, even if you outlaw .forward forwarding files (or the equivalent for other operating systems), as long 
as you allow POP3 or IMAP access, the user can do "email consolidation" from many popular third party providers 
(provided the user is willing to trust that third party provider with their email password, which most users are all 
too willing to do).

I think allowing simple forwarding is by far the lesser of two evils (relative to things like POP email consolidation).

#If the employee leaves the University, passes away, or loses access to his or her own personal account, these records
#will most likely be lost to the University.

I think that if you really need assured institutional access to all historical employee email traffic, you'd need an 
appliance that could automatically archive all that traffic *before* the user has any ability to "manage" their 
content, wouldn't you? (after all, what might be "critical records" to the University some day might just look like 
unwanted "spam" to be dumped when viewed from the point of view of the employee, right?)

#2.       eDiscovery - The University is frequently asked to or needs to
#collect emails for litigation. If an employee is forwarding, evidence to support the University's claims or defenses
#may be lost.

Again, it seems like the issue isn't the user's ability to forward traffic as much as it is an institutional 
responsibility to collect and maintain an immutable copy of the relevant employee message traffic for institutional 
purposes, isn't it? (*IF* the institution wants to do that sort of thing -- it's not clear to me that most institutions 
need to do so if they aren't already doing so)

Moreover, I think it may be important to recognize that email is not the only communication medium that the employee's 
using: they're likely also doing university business on their desk phone (and potentially on their cell phone, too) -- 
is that message traffic also being captured? 

What about their voice mail? Does it get archived? Or is it subject to user deletion or automatic aging? 

How about any texts the employee may exchange? 

Employee instant messaging traffic? 

I think that a *lot* of communications will potentially not be captured for eDiscovery purposes at virtually all sites!

#3.       Contractual Obligations - The University is party to many
#agreements that require the University to keep a third party's information confidential. When an employee forwards
#email, that confidence is undermined and the University may be in breach of the agreement.

Should confidential information be getting sent via unencrypted email in the first place?

If confidentiality is the issue, I think the push should be for ubiquitous use of PGP/GPG or other strong encryption, 
or to forbid the transmission of confidential information via unencrypted email in the first place.

#4.       FERPA - Forwarding (non-directory) personally identifiable
#information ("PII") from student education records to an account administered by a third party email provider could
#be a violation

This seems like a specific case of the confidential information issue we already talked about in 3., above.

#5.       State Privacy Laws - If email contains "personal information"
#(name + driver's license number, social security number or financial account number) and the University is the owner
#of, or charged with maintaining or storing, the personal information, then unauthorized access to, acquisition of, or
#use of the email will violate state law in most states.

This seems like a specific case of the confidential information issue we already talked about in 3., above.

#6.       HIPAA - Protected health information (as that term is defined 
#under HIPAA) should never be sent via regular email. However, if it is, 

I'd stop at "should never be sent via regular email." (yet another example of the general "no confidential email via 
email" issue from #3 above) The rest of the hypothetical is simply an admission that a policy failure is being 
tolerated. 

#7.       Confusion - An @xxxxxxxx.edu address is a reasonably reliable
#indication to a recipient that the sender is a member of the given University community.

But email addresses often really don't convey adequate information about user roles, responsibilities and attributes... 
Is the user of a dot edu email address a senior administrator? A part time hourly employee? A volunteer? A current 
student? A former student/alumnus?

Of course, we all know that it is trivial to forge an email message so it appears to come from anyone, anywhere. 
Training users to rely on putative message body From: content is a recipe for disaster given the ease with which email 
can be forged (even a non-technical user can go in and trivially change their identity information in a POP or IMAP 
client, and send email as Santa Claus or George Washington, right?)

#When an email comes from a Gmail or Yahoo account, it may be confusing to the recipient or lead the recipient to
#mistrust the source of the email.

I think the bigger issue with email from a generic Gmail, Yahoo or Hotmail account is that at least some sites may 
negatively spam filter all free email account traffic, or at least subject it to much stricter scrutiny than email from 
less broadly available/less widely abused domains. 

All this aside, however, I think you're conflating two effectively orthogonal issues when you talk about email that's 
being sent with a third party email address at the same time you talk about email that's being forwarded. The issues 
are really pretty disjoint.

I don't think you'll have much success attempting to (technically) prevent university employees from sending mail from 
a third party account with a third party email address. You may be able to forbid that by policy, but policing that 
will likely be hard, and would likely create a substantial amount of ill will among users.

Anyhow, just some thoughts you may want to consider.

Regards,

Joe
