Is NSIT Reading Your E-mails?
by Sue Khim
Call me a cynic, but market forces say that when the going rate for student information is high, people with access to it are probably selling it. And think about it: You’re tech savvy. You have admin access privileges to the e-mail of everyone you see at the gym. It’s been a long day. You want to have a little fun, harmless snooping at someone else’s expense — find out what kinds of listhosts they’re subscribed to, what websites they’ve visited recently, and whether she hasn’t responded to your e-mail because she hasn’t checked it today or if she’s simply ignoring you …. if you had the power, wouldn’t you?
I met with Bob Bartlett, the University of Chicago’s Director of Network Based Resources at Network Services & Information Technology (NSIT), to find out. Bartlett built the U. of C.’s mail system, and according to him, potential snooping by NSIT is the least of our problems, and only the tip of the iceberg. Sun MicroSystems CEO Scott McNealy is reported to have said “Privacy is dead.” Bartlett believes this is sad, but almost true. There are a handful of people at NSIT (about 4 or 5) who, by their job description, have to be able to access the mail system to do their jobs, and are able to look at our e-mails and information.
“What’s the market value of the information?” I asked.
“Market value is probably pretty good,” Bartlett replied.
“If someone were to sell this information, could we track down the culprit?”
“No. I guarantee you that nowhere could you find out what happened.”
There is a permissions system in place at NSIT, where technicians must have permission from lawyers before accessing certain information. There is auditing in multiple places, with the exception of when the system is in “imminent danger,” in which case certain people have the right to go in to fix the problem.
“But how will the lawyers know if you are looking at information unauthorized?” I asked. “They’re not techs.”
“It’s really a personnel issue,” Bartlett replied.
In NSIT’s defense, Barlett asserts that “the people who are in charge of mail systems tend to be privacy advocates.” This includes the security technicians as well as the lawyers. For the truly privacy-conscious, what should be disconcerting is that there are about a dozen places that e-mail is routed through (regardless of where you are sending e-mail to and from) before reaching its final destination, meaning there are about a dozen points at which a group of people in a room somewhere have access to the network just the same as NSIT. Mail can very easily be sniffed as it goes through.
“So if I stole 8 billion dollars from the government, and I wanted to tell somebody about it but I didn’t want my e-mail to be read by anyone else, is there any way to do it?” I asked.
“The only way to do it is to use strong encryption on your message body,” he replied.
Bartlett says that encrypting e-mail is “always a good idea.” (The idea being that if you only encrypt sensitive information … it’s pretty obvious that you’re encrypting the important stuff.) The encryption breaks down if the person who responds to your e-mail doesn’t have encryption enabled, and the body of your e-mail is sitting in the response.
The challenge with e-mail encryption is social, not technical. For the system to work, the people who send encrypted messages to each other must all exchange something called a GPG key. It is, of course, unsafe to send this key via e-mail, but transmitting a copy via a USB key would work.
The most critical security issue, however, and one that happens all of the time, is theft. The easiest way to hack into a system is at the source. The way to safeguard against this, again, is by encrypting your hard drive.
Bartlett asserts that, anyway, the NSIT staff are busy and have more important things to do than read private e-mails. Among the technical challenges that NSIT faces, 67%-85% of the mail which comes into the University is regarded as spam. This is comparable across universities. A typical day for NSITers is spent battling hackers who have set up botnets to have zombie computers send us the latest on Cialis. On Tuesday, the University received 55,000 mail messages in 20 minutes. It is not the students’ fault for signing up with too many websites. Spam is an arms race between spammers trying to make messages stealthier and counter measures. When the mail system is slow, it likely has nothing to do with the number of people on campus simultaneously clicking “Inbox” and “Send”.
“Why does the University even give us e-mail accounts?” I asked, referencing the multitude of free e-mail accounts that are available.
“Until recently, it was desirable to try to give students accounts,” Bob replied.
Now, a good half of U of C students use Gmail but this was not the case when the mail system was built.
Bottom line? Yes, some people at NSIT can read our e-mails. And see what websites we’ve been to and whether we’ve Googled ourselves lately. If you’re interested in keeping your e-mail private from someone with the power to read your e-mails at NSIT specifically, it can’t hurt to use another e-mail provider. On the other hand, if it’s important to keep the e-mail private from everyone but the intended recipient, encrypting the exchange is the only way.
Great post, I bet a lot of work and research went into this article.
This is one heck of a site and the best posts, I will bookmark you.
This is an interesting take on this topic. I am happy you shared your thoughts and I find myself agreeing. I really appreciate your coherent writing style and the effort you have put into this article. Thank you for the solid work and good luck with your site, I look forward to future updates.
This is one technology that I would love to be able to use for myself. It’s definitely a cut above the rest and I can’t wait until my provider has it. Your insight was what I needed. Thanks
This is great. Really nice post. Very Informative and helpful post. thank you.
Is NSIT Reading Your E-mails? | Diskord
Hey very nice blog!! Man .. Beautiful .. Amazing .. I will bookmark your blog and take the feeds also
I recently came accross your blog and have been reading along. I thought I would leave my first comment. Nice weblog. I’ll keep visiting this website frequently.
Outstanding share it is actually. We have been seeking for this content.
Well, it is decent, however how about additional choices we have here? Would you mind making one more post regarding them too? Thanks!
I absolutely like your website and find nearly all of your post’s to be exactly what I’m seeking. Do you offer guest writers to write articles for you? I wouldn’t mind making a post on the subject. Once again, brilliant web site!