Sept. 23, 2013
The National Security Agency scandals involving Edward Snowden over the last several months have prompted much skepticism about security and privacy within the United States.
On campus, some students may wonder about the level of privacy surrounding the university’s access to email accounts and Z drives.
The IT department is currently transitioning student accounts from Office 365 to Office 2013. This will include new security features that will block malicious emails and other potential threats, officials say.
But what about the process in place to protect the privacy of the accounts from those on campus? School officials contend that in general, students’ emails remain private.
“We don’t actively investigate any [accounts]. We don’t read peoples emails on a whim,” said Greg Williams, IT security principal. “We don’t read anybody’s email. Period.”
The Administrative Policy for Electronic Mail, located on the IT website, states the campus email system “should in no way be regarded as a secure medium for the communication of sensitive or confidential information.”
It goes on to explain “the University can assure neither the privacy of an individual user’s use of the University’s electronic mail resources nor the confidentiality of particular messages…”
Instead of personally inspecting email accounts, the IT department has an automated system that scans messages for signs of viruses or phishing scams, which targets people via email with users requesting sensitive information to steal identities.
According to the IT help desk, phishing is “the act of attempting to acquire information such as usernames, passwords, and credit card details…by masquerading as a trustworthy entity in an electronic communication.”
“I can see where the students are concerned and that [they think] IT is sitting back here and monitoring their email,” said Kirk Moore, director of computer services, “but unless there’s an investigation going on, we are not monitoring email at all.”
“The only time we actually do investigate is if there’s something malicious happening,” Williams said.
An example of malicious activity would be if a student has responded to a phishing attempt.
“We go in a try to clean up that infection so that more people aren’t compromised,” he said. However, the automated system takes care of most of the work, therefore preventing IT from actively looking through all the emails.
The computer eliminates most of the guesswork so that the problem may be solved more quickly. In the event of such an issue, the student would be sent an email notifying them of the virus or phishing scam.
The department has also looked into student accounts for more serious reasons, though Williams did not disclose specific information. “It was only with the approval of either the vice chancellor or legal. Those are really the only two people who can approve that,” he said.
“It does happen from time to time,” Moore said. He explained IT would be notified of an active investigation and that the student’s email is being reviewed. “We don’t do it. We have to turn it over to somebody else.”
Depending on the investigation, the student may or may not be notified. It is, however, stipulated within the email policies (that students agree to when they get their account) that the messages are not actively looked through but that during the course of investigation, the tech department may examine specific data.
There have also been instances of students having their email privileges revoked. “It doesn’t happen very often,” Williams said, “but we have guidelines all listed on our website explaining what you can use your account for.”
Students are not permitted to use their account to make money, send documents that violate copyright laws, harass or intimidate others, to “spoof” (sending an email as if from someone else)and other prohibited activities.
“You have to sign our computing responsibility form at the beginning,” Moore said, “and if you do violate what it explains, then you can have your email revoked.”
“We also shut down people’s accounts in the case of somebody [getting] attacked,” Williams said. “They may have accidentally responded to something, or someone guessed their password. That would be the best scenario that we can give … to say we’re shutting down their account.”
Williams assured the process is an effort to protect the students and the college community, not to make people “jump through hoops.”
According to an IT email sent to students last week, upgrading all student mailboxes, which began Sept. 20, may take “several days,” though each account will be unavailable for about 10-15 minutes. Most will be unaffected, but those using Thunderbird or a Blackberry may need to update their settings.