News

Arbritrator Rules Lakehead University Can Switch Email System to Gmail

A Canadian labour arbitrator has ruled that Lakehead University can outsource its email system from an internal system to Google's Gmail (coverage from the Chronicle of Higher Education; note that I served as an expert witness in the case).  The Lakehead University Faculty Association (LUFA) argued that Lakehead violated the privacy rights and academic freedom of its members in making the switch to Gmail.  LUFA maintained that the switch raised concerns about the prospect of surveillance by U.S. authorities under laws such as the USA Patriot Act.  The arbitrator dismissed the claim, arguing that the collective agreement did not create an obligation to provide an email system nor guarantee absolute privacy.  The arbitrator concludes:

While I am sympathetic to their plight and the fact that big brother could be watching over their e-mail communications, it simply brings to the fore the caution advanced by Mr. Pawlowski when he commented upon e-mail systems generally before the Senate. One should consider e-mail communications as confidential as are postcards.

19 Comments

  1. Darryl Moore says:

    Which is why email services and programs should provide encryption by default. I’m disappointed the arbitrator did not require this. Allowing Lakehead to use Gmail, but at the same time require them (or Google) to provide easy encryption, would have been a reasonable comprise.

    I am always astonished at the number of businesses that are married to blackberries because “they are so secure”, but at the same time treat email as though it were just as secure, when it is not.

  2. Not Impressed
    “One should consider e-mail communications as confidential as are postcards.”

    So in other words, no expectation or right to privacy.

    I think this is flawed.

    There is a reasonable expectation to not have your private correspondence put into some US database

    There is a reasonable expectation that the sender who wraps this up in packets wants its contents that’s intended for the destination not to opened and snooped by 3rd parties.

    There is reasonable expectation that the destination does not want the mail service to open the packet envelope to read the contents.

    This is so flawed.

    I think the privacy commissioner ruled something similar to this (don’t recall) with Canada.com

    Its wrong.

    If there is a US postal service opening envelopes and reading mail, then its a concern.

    May a well rule that DPI is cool. Lets open everyone’s packets (envelopes) and read the contents.

    This is not a postcard analogy. He is so wrong.

  3. I Agree
    “One should consider e-mail communications as confidential as are postcards.”

    I can’t agree more. People need to understand that email is not the same as postal mail, but rather more like sending postcards. When you send a letter you “secure” the letter in an envelope. When you send an email, unless you are using encryption, then you are sending it as a postcard, and there is no expectation of privacy when you send postcards. The people at large need to understand the technology that they are using. I educate my kids all the time on the fact that with email, there is no expectation of privacy, and that anything they send to another person, can and probably will be, read by other people without their consent.

    While you might not agree with the fact that email is flawed from a security point of view, you need to understand how it is flawed so that you can better protect yourself and educate others.

  4. Emails go into databases all the time
    “There is a reasonable expectation to not have your private correspondence put into some US database ”

    Except email’s privacy depends on a tacit agreement that system and network administrators do not look. There is nothing stopping (save technical limitations, time, and ethics) backbone providers from logging everything that looks like email, and it’s even easier for the people at either end to do the same thing. Do you know what route your email takes when it transits from here to there? Do you know the backup policies of the people at either end of every email you send? Do you know what sort of monitoring your ISP may be doing, regardless of legality?

    If you truly want to keep your email private, you’d best be encrypting it with something strong, and then it doesn’t really matter where it’s stored.

    You may argue that you should not *have* to worry about all the points I mentioned, and you’re right – you shouldn’t have to worry about the mail carrier or anybody else reading your postcard either. But you wouldn’t send anything you truly wanted kept secret on a postcard, would you?

  5. Darryl Moore says:

    OTOH, say what has a point. What is the legality of authorities looking at postcards you send through the mail? If they are not allowed to look at postcards without a court order then the analogy becomes flawed, as the US government IS ALLOWED to look at your email without a warrant.

    This would therefore make email even less private then postcards.

  6. Darryl Laonge says:

    What are you talking about “big brother could be watching”
    Listen to any academic talk giving by CSIS or CSE, they actively monitor foreign traffic, and gmail is foreign traffic. Sure they don’t keep everyone’s emails but they can sniff a header or two and build up their association network.

    Don’t pretend big brother isn’t watching, they are and they admit it.

  7. I, for one, welcome our new Google overlords. Seriously, would Google Apps for our university email allow the system to retain more than six months worth of back-ups? Our current email server set-up deletes everything over six months old and it drives me nuts!

  8. Secure? Not!
    The new US anti-terrorism laws allow the US government to access to any and all information stored in, or passing though, the US.
    There are no warrants’ needed. No reasons have to be given.

    Now, consider that virtually ALL internet traffic to/from your computer travel’s though (a device in) the US, and in a case like email, is probably being stored on a computer located in the US.

    If ‘they’ want to read your email, they will.

  9. email more similar to phones?
    I think email is closer to phone calls than post cards.. There is no security on phone calls either, but they are generally considered private by the users, as are emails. Anyone could theoretically plug into your phone line, or record your conversations at operator hubs. Anyone could theoretically pluck your emails off the wire.

    I would think the two could be handled similarly legally.

  10. Jason Walton says:

    Email and phones
    @crade: From an end-user perspective, email might look more like a phone than a postcard. From a technical standpoint, emails are more like postcards. You might like to think of them as private, but they really aren’t.

    The big problem with email is that an email may pass through dozens of different carriers and ISPs before reaching its final destination, and any of those carriers may read the contents of the email.

    Fortunately, much like the postal system, there’s an easy way to protect yourself. If you have something secret you want to send by post, you put it in an envelope. If you have something secret you want to send by email, you encrypt it.

  11. Email and phones again
    “The big problem with email is that an email may pass through dozens of different carriers and ISPs before reaching its final destination, and any of those carriers may read the contents of the email. ”

    VOIP phones are becoming more and more common and, of course are routed the way emails are, although personally I don’t think the way the circuit switching phones work is any more secure.

    “You might like to think of them as private, but they really aren’t”
    Well I think intent plays a part in determining what is private. Just because someone can listen in on my private conversations doesn’t mean they aren’t private. It just means they aren’t secure.

  12. Mr. Hicup says:

    so umm I have a thought (yeah it hurt)
    So umm, intercepting and storing private communications on some homeland security system (along with millions of phone calls) is ok.

    ISOhunt has to go to court to store some links on their servers.

    Pirates Bay need to pay millions and go to jail.

    k. I got it now.

    What do I need to do to sue the states? put the copyright symbol in my Email?

    Anyone want to be my lawyer and sue them for storing and intercepting my copyright Emails (or anyone want to invest in my future lawsuit at a 30% return?)? ;P

    My captcha word was: cornball 🙁

    🙂

  13. Read EFF’s Surveillance Self-Defense
    Read the EFF’s Surveillance Self-Defense website at https://ssd.eff.org/

    In particular, “Information Stored by Third Parties” https://ssd.eff.org/3rdparties

    This https://ssd.eff.org/tech/email should explain you why e-mail is not just postcards, but postcards that can be ALTERED on transit without anyone realizing it.

  14. I find the comparison to postcards… strange. In a postcard the information is visible by principle of the format, it is incidental that someone might view the information on it. With e-mails, even unencrypted, someone has to have intent and act to intercept the e-mails (an automated system still has to be setup), it’s not incidental. Effectively, if you continue the analogy, it would be like someone setting up interception of post mail, but using methods to render the interference invisible. To give another example, in the days of switchboards I’ve been told it was possible for the operator to listen into calls that they were processing if setup correctly. Would anyone at that point have simply shrugged off the privacy of the phone call?

    To say it simply, the security of a system, does not directly relate to the expected privacy of a system. Yes, you should encrypt your e-mails if you are especially concerned or dealing with sensitive information. No, not encrypting your e-mails does not mean you have given up your rights.

    I find the arbitrators decision very short sighted.

  15. Encryption
    Folks, the weakness of encrypting email is that it require the ability of the recipient to decrypt it. This works fine for the contact(s) that you always send mail to, or an enterprise where a public key can be used.

    However, for day to day business with clients and quite often infrequent (or unknown) contacts, this does not work.

    This, in a nutshell, is why PGP and other encryption scheme are not default and why it would not work.

  16. Maynard G. Krebs says:

    Echelon, Industrial Espionage, and all things ‘spooky’
    Canada & the US share ‘signals intelligence’ and phone/e-mail ‘taps’ via Echelon. The US loudly complains when they accuse the French of industrial espionage by reading e-mail, but the US does it too. Woe to the Lakehead professor whose research is ‘scooped’ by the US.

    I don’t see the rationale for intra-campus e-mail to be routed to the USA, to be read by the NSA, and create profiles on 17-year old freshmen which can be used some day to deny them boarding on flights between Toronto & Vancouver, or Toronto-Jamaica or Mexico, just because the flight passes over US territory for a short time.

  17. please profile me
    @Maynard G. Krebs

    And that would be a best case scenario.

    Lets not forget the Canadian guy who was sent to some Arab state and tortured due to errors between Canada and the US.

    May as well just start fingerprinting Canadian law students again. What’s the diff?

  18. Emails are equivalent to postcards because our legislators, north and south of the border have decided that’s the way it is going to be. If you don’t like what is happening, contact your “representative” and tell him that you expect privacy above all else, or you will work tirelessly to make sure they are never elected again.

  19. William Ashley says:

    Awstruck, google also forced on students
    It appears I’ll be filing a claim against lakehead over its gmail policy but I am a student. They effectively force students to agree to a third party google contract after the university email agreement is presented guaranteeing FIPPA protections. I think that the use by google falls well out of line with FIPPA. It appears another stance on this issue will appear again. None the less they should have let me known and presented the google contract at before applying or atleast before accepting the offer of admission or registration. It feels like a hidden third party contract, and I’m not an employee or member of LUFA with an agreement, I have individual contract for services from the University that don’t even mention any google contract it is just slipped in. Then they say that you have to use gmail or else you are in violation of university policy, which is indicated no where in the policy. I am so struck that this is being used as a basis to prevent me from beginning my program in September.