Gallery: How universities spy on student (and staff) email

Gallery: How universities spy on student (and staff) email

Summary: Universities can spy on their students and staff, just as organisations can spy on their employees, by using in-built features into their in-house or cloud hosted email products. Want to see how?

SHARE:
TOPICS: Collaboration
6

A question to the Generation Y. Your email inbox is yours, for only you to see. Nobody without your username or password can see the intimate details of your online life. Fact or fiction?

It is good news that the US Government must now obtain a court-obtained search warrant to access and sieze emails stored by service providers. However, it does not protect individual users against their own organisations searching through their inboxes, as ZDNet Networking guru Steven J. Vaughan-Nichols concurs.

Organisations and universities actively monitor their email accounts for violations of terms of service and their own policies to ensure that employees and students and so on are using their accounts fairly.

It may not be a massive surprise - the fact that your university, organisation or employer can spy on your emails, but this is yet another urban theory that people just take for granted. It's one of many, like "the government can tap into phone calls" and "mobile phones may give you cancer"; those sorts of things.

Gallery Microsoft's Live@edu service, the most popular outsourced email service to schools, colleges and universities runs Exchange Online, a cloud based version of Exchange Server. This gallery will explain how administrators can see your email.

Recently, the ability to backup Exchange servers has caused a further rift between Microsoft and Google. Two weeks ago, Google announced its new Message Continuity Service which would backup Exchange 2003 and 2007 for a fee, with Microsoft arguing that this already exists as a built-in feature to its popular email server.

The gallery will show you exactly how Exchange, just as one example, can do this to allow email administrators to access your inbox. This is where the 'vulnerability' lies. Email administrators will naturally be vetted to ensure they can be trusted, but if the request from higher up in the management or corporate foodchain asks for a look, what are they to say?

Discussing this with my colleagues, the legal aspects are interesting. Again, a disparity between UK/EU law and US law shows a difference in principle. The vast majority of my colleagues agree that it is important for email users to restrict their activity to the appropriateness of that account, and not to consolidate multiple accounts into one as I have done before. If you have a work email address, use it strictly for work alone.

In some cases, it might be wise to use your academic email account for prospective employers, though not necessarily a good idea to email from your work account.

If you have a university email account, even though cloud based provide huge amounts of storage, not to link in Facebook, Twitter or other social networks, and to use it only for university correspondence.

On the other hand, if you really want to be secure, host your own email server with an attached domain and storage at home, take into account the bandwidth and reliability costs, and still be under the scrutiny of your host nations' laws.

Are your inboxes secure? What steps will you take to keep the potential of prying eyes away?

Topic: Collaboration

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • If you want to be really secure...

    Create a couple of dozen free email accounts from an IP address not your own. Use meaningless combinations of numbers and letters as the account names.<br> <br>Get your Gnu GPG privacy guard (<a href="http://www.gnupg.org/" target="_blank" rel="nofollow">http://www.gnupg.org/</a>) and you and your friends encrypt everything you email to one another, and never send plaintext.<br><br>Meanwhile, keep work and school emails 100% business.
    HollywoodDog
    • RE: Gallery: How universities spy on student (and staff) email

      @HollywoodDog I agree. It's important to keep everything separate, no matter how annoying it might be. As one of my colleagues said, "Don't put anything in Gmail/Hotmail [etc.] that you wouldn't want subpoena'd." Good advice.
      zwhittaker
  • RE: Gallery: How universities spy on student (and staff) email

    As I noted in the other post you reference, the United States Constitution only projects people from GOVERNMENT abuses. No individual or company not part of or representing the government can be found guilty of violating the Constitution.
    Some examples:
    Censorship by private companies or individuals is completely legal, if not ethical.
    A person breaking into my house and going through my belongings, even though they can be charged with multiple crimes, is not violating the 4th Amendment.
    aep528
    • And it makes sense

      if I'm running a business, and paying for your use of company email, I'd sure as heck want to know if your using it to spam people or to earn money on the side while working for me.

      I'd also want to be sure you're not using the email or my business for something that may result in a lawsuit, dragging in my business with it.
      John Zern
  • RE: Gallery: How universities spy on student (and staff) email

    You must avoid the Cloud to be secure - you need to run your own secure mail server, such as this one: <a href="http://" target="_blank" rel="nofollow">http://</a> www.mailtraq.com <br>In any case you should be using a mail server that supports two simple concepts - Temporary addresses and Concealed addresses, something like this:<br><a href="http://info.mailtraq.com/address-control" target="_blank" rel="nofollow">http://info.mailtraq.com/address-control</a><br>and then all these problems go away.<br><br>Using the right tool for the job makes life so much more simple. Enjoy.
    oldtimer1955
  • Well, Yeah, I've never ..

    I've never used a University or Employer provided asset where I DIDN'T expect the use of that asset to be scrutinized.

    It's their servers or their machines, they have cause to see how their being used. And in the case of an employer, you're on their dime.
    rmhesche