/>
X

How universities spy on student (and staff) email

Exploring how email administrators can spy on the inboxes of their organisation's employees or university's staff and students.
zack-whittaker-hs2016-rtsquare-1.jpg
By Zack Whittaker, Contributor on
490913.png
1 of 9 Zack Whittaker/ZDNET

In this screenshot, I am logged in as the Administrator and am sending an email to Test.Account.1 which is a user in this hypothetical university. You can see that I am emailing a notice about a hurricane warning as there is bad weather on the way. After I wrote this, I hit send. Immediately it will be in the inbox of Test.Account.1.

---
Colour key for viewers:Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

490914.png
2 of 9 Zack Whittaker/ZDNET

Now I am logged in as Test.Account.1 and have received the email from the Administrator. Note that this was sent late in the evening, and that it remains along with the other email in the Inbox of my account.

---
Colour key for viewers: Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

490915.png
3 of 9 Zack Whittaker/ZDNET

Logging back in as the Administrator, I go to the Options area as I normally would to access email settings. But as the administrator I also have other management settings such as those of the entire email organisation - this hypothetical university. 

---
Colour key for viewers: Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

490916.png
4 of 9 Zack Whittaker/ZDNET

The Administrator can control users, groups and certain other features which manage the mailboxes of its users. In this scenario, the administrator goes to Reporting then Mailbox Searches, a feature which is built into Exchange Online and other versions of Exchange Server. This allows the administrator to search for certain text in any mailboxes across the organisation, or to wildcard search across any number of users' folders.

---
Colour key for viewers: Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

490917.png
5 of 9 Zack Whittaker/ZDNET

The New Mailbox Search dialog has a series of options. The administrator can legitimately recover mailboxes for users' who have lost their data, or they can search all the mailboxes across the organisation. This could have an important function if there is an epidemic of swearing at a K12 institution, for example, or bullying and suchlike. In a university setting where academic freedom is a right as well as a privilege, perhaps not.

The Search name is the name of the folder in a separate 'discovery' account where the mailbox search is stored, and in Exchange, the separate account where the results are stored is in the standard Discovery Search Mailbox

---
Colour key for viewers: Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

490918.png
6 of 9 Zack Whittaker/ZDNET

The administrator can be informed when the search is complete by an email to the administrator's email address, as in large organisations, a search could take overnight, even though the process is done in the cloud. Either way, a status is displayed informing the administrator of how long things may take, the size of the search and whether any errors are occurring.

---
Colour key for viewers: Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

490919.png
7 of 9 Zack Whittaker/ZDNET

Once the search is done and the email comes through (or not, you can access it through the status page still), you can open up the results directly from your own inbox. In this scenario, only 29 mailboxes were searched, the total number of 'students' in this hypothetical university.

---
Colour key for viewers: Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

490920.png
8 of 9 Zack Whittaker/ZDNET

By clicking on the Results string, a new window will open to display the Discovery Search Mailbox. Within this, you have the standard inbox which should be empty as it is a new and unused account, strictly for searches only. 

However, you will see the search folder labelled allEmailBoxesAcrossOrganisation which was created earlier; a search which spanned across all 29 mailboxes in the university. This displays everyone's username or full forename and surname, and the time and date of when the search was carried out. These sub-folders include each individual mailbox and user created folders that the user has made.

In this screenshot, the names are concealed.

---
Colour key for viewers: Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

492590.png
9 of 9 Zack Whittaker/ZDNET

Here you can see the inbox of Test.Account.1 which has been accessed, along with the emails of that user including Bing news alerts, Twitter messages and school notices - including the one sent just before the search had been carried out. 

This is how administrator's can read your emails - in Live@edu, at least. The same applies to Google Apps and other cloud hosted and most in-house products for email communications.

---
Colour key for viewers: Red border is the administrator's email view. Green border is the student user's email view. Blue border is the administrator's console.
---

For more background on this screenshot gallery, head over to the iGeneration blog which explains all.

Related Galleries

Hyundai Ioniq 5 and Kia EV6: Electric vehicle extravaganza
img-8825

Related Galleries

Hyundai Ioniq 5 and Kia EV6: Electric vehicle extravaganza

26 Photos
A weekend with Google's Chrome OS Flex
img-9792-2

Related Galleries

A weekend with Google's Chrome OS Flex

22 Photos
Cybersecurity flaws, customer experiences, smartphone losses, and more: ZDNet's research roundup
shutterstock-1024665187.jpg

Related Galleries

Cybersecurity flaws, customer experiences, smartphone losses, and more: ZDNet's research roundup

8 Photos
Inside a fake $20 '16TB external M.2 SSD'
Full of promises!

Related Galleries

Inside a fake $20 '16TB external M.2 SSD'

8 Photos
Hybrid working, touchscreen MacBook hopes, cybersecurity concerns, and more: ZDNet's tech research roundup
Asian woman working at a desk in front of a computer and calculator

Related Galleries

Hybrid working, touchscreen MacBook hopes, cybersecurity concerns, and more: ZDNet's tech research roundup

8 Photos
Developer trends, zero-day risks, 5G speeds, and more: Tech research roundup
Person seated at a booth in a cafe looks at their phone and laptop.

Related Galleries

Developer trends, zero-day risks, 5G speeds, and more: Tech research roundup

10 Photos
Drive Electric Day: A dizzying array of EVs in sunny Florida
ca3b4019-26c5-4ce0-a844-5aac39e2c34b.jpg

Related Galleries

Drive Electric Day: A dizzying array of EVs in sunny Florida

16 Photos