Gallery: How universities spy on student (and staff) email

Universities can spy on their students and staff, just as organisations can spy on their employees, by using features built into their in-house or cloud-hosted email products. Want to see how?
Written by Zack Whittaker, Contributor

A question for Generation Y. Your email inbox is yours, for only you to see. Nobody without your username or password can see the intimate details of your online life. Fact or fiction?

It is good news that the US Government must now obtain a search warrant from a court to access and seize emails stored by service providers. However, it does not protect individual users against their own organisations searching through their inboxes, as ZDNet Networking guru Steven J. Vaughan-Nichols concurs.

Organisations and universities actively monitor their email accounts for violations of terms of service and their own policies, to ensure that employees, students and other users are using their accounts fairly.

It may not be a massive surprise that your university, organisation or employer can spy on your emails, but this is yet another urban theory that people just take for granted. It's one of many, like "the government can tap into phone calls" and "mobile phones may give you cancer"; those sorts of things.

Microsoft's Live@edu service, the most popular outsourced email service to schools, colleges and universities, runs Exchange Online, a cloud-based version of Exchange Server. This gallery will explain how administrators can see your email.

Recently, the ability to back up Exchange servers has caused a further rift between Microsoft and Google. Two weeks ago, Google announced its new Message Continuity Service, which would back up Exchange 2003 and 2007 for a fee, with Microsoft arguing that this already exists as a built-in feature of its popular email server.

The gallery will show you exactly how Exchange, just as one example, allows email administrators to access your inbox. This is where the 'vulnerability' lies. Email administrators will naturally be vetted to ensure they can be trusted, but if a request for a look comes from higher up in the management or corporate food chain, what are they to say?

Discussing this with my colleagues, the legal aspects are interesting. Again, a disparity between UK/EU law and US law shows a difference in principle. The vast majority of my colleagues agree that it is important for email users to restrict their activity to the appropriateness of that account, and not to consolidate multiple accounts into one as I have done before. If you have a work email address, use it strictly for work alone.

In some cases, it might be wise to use your academic email account for prospective employers, though it is not necessarily a good idea to email from your work account.

If you have a university email account, even though cloud-based services provide huge amounts of storage, it is best not to link it to Facebook, Twitter or other social networks, and to use it only for university correspondence.

On the other hand, if you really want to be secure, host your own email server with an attached domain and storage at home, take into account the bandwidth and reliability costs, and remember that you will still be under the scrutiny of your host nation's laws.

Are your inboxes secure? What steps will you take to keep the potential of prying eyes away?
