Who the heck got Universities into the email business?

My current employer, UQAM, refuses to allow email forwarding. Students would rather forward their emails to their existing GMail accounts, for example. And the IT Department (the SITEL) agrees that it would have several benefits. However, they refuse to allow it for the following reasons:

  • Email forwarding may create infinite email loops. These may disrupt services and require human intervention.
  • Invalid or failing remote servers may saturate the local servers as they are unable to forward the emails.
  • Professors and management send confidential information by email. Yet, without full control of the email service, the University cannot ensure the needed confidentiality.
  • With email forwarding, it may be impossible to ensure and prove that an email was received and read. Thus, homework assignments, administrative inquiries or security advisories may never reach the students, or we may be unable to prove that they reach the students because of email forwarding.
  • As a Canadian University, email forwarding puts us at risk that the emails may transit on American servers, where the Canadian law on privacy is not applicable.
  • Email forwarding may put students at risk if remote accounts are stolen or lost.

Can you help me debunk or mitigate these arguments? I know that some of these arguments are bogus, but I am looking for solid references. (Not that I expect to change their mind.)

A larger issue: shouldn’t universities stick with research and teaching? I understand that we must have networks, cables, computers, firewalls, but do we need to provide our students with email services?

Update: Turns out that our IT people encourage students who want forwarding to GMail (say) to use the POP3 protocol. It is unclear to me how email forwarding can be a dangerous practice whereas POP3 “forwarding” can be safe.

10 thoughts on “Who the heck got Universities into the email business?”

  1. http://mail.google.com/mail/help/about_privacy.html

    Here is the Gmail Privacy policy, which clearly states it does protect your privacy.

    “Email forwarding mail create infinite email loops. These may disrupt services and require human intervention.”

    http://en.wikipedia.org/wiki/E-mail_loop
    Here are some measures server administrators can provide.

    “Email forwarding may put students at risk if remote accounts are stolen or lost.”

    I would pit Google security systems against any system in the world any day

    http://www.google.com/corporate/security.html

    “With email forwarding, it may be impossible to ensure and prove that an email was received and read. Thus, homework assignments, administrative inquiries or security advisories may never reach the students, or we may be unable to prove that they reach the students because of email forwarding.”
    “http://en.wikipedia.org/wiki/E-mail_tracking”

    Is more a personal issue and can always use receipts, but I do accept is a valid concern, I have had friends in Hawaii University that do get their emails late from time to time when receiving in Gmail.

    Professors and management send confidential information by email. Yet, without full control of the email service, the University cannot ensure the needed confidentiality.

    Do I really need to quote what happened recently with the so called climate gate, e-mails from a University were hacked, so being in the University offers no guarantee.

  2. To give an opposite view, I can largely see the point of the IT department there. This may have to do with me being responsible for the mail service in a university some time ago, but here goes:

    First, the difference between email forwarding from uni and reading from other clients using POP (say, gmail) is that once the email is fetched from the uni servers it is deemed to be read. In this case configuring gmail to check the uni email using POP is equivalent to using outlook or another mail client. Whether the student actually reads that is his/her responsibility. So it legally shifts responsibility from he university to the user. Of course this is subject to clarifications by your IT department and any other laws in effect (I am from the UK, no idea about Canadian laws).
    Second, my guess is that universities became involved in providing email services at a time when free email was not available or convenient. That being said, the institutional email address gives much more confidence than a free one. To the extent that this is needed by students to get university’s work done, this service is needed.
    That being said, some of the points mentioned seem to be non-issues for me.
    (1) Infinite email loops due to forwarding are automatically handled by many servers. The case when it is deliberately created as a DoS attack can happen regardless of the existence of such a service and should be treated separately.
    (2) “The University cannot ensure the needed confidentiality” whether they control the email service or not. They just try their best. If the University allows email access from outside through a web interface or POP then they are not providing more confidentiality than the assurances of servers like gmail for example. They may elect to white-list some outside services and blacklist others, but giving outside services is still an issue.
    (3) Similarly, you cannot ensure that an email is received and read. If it is opened by an email client, Delivery Status Notification can always be disabled. If received here means reached the mailbox, this applies whether the mailbox is in the uni server or forwarded.
    (4) Email forwarding may put students at risk is true, but is that risk more than the risk of them residing in the University’s servers? Security is usually about the weakest link, and I am not sure that in forwarding the weakest link will be gmail or other outside servers.
    (5) The issue of forwarding email across international boundaries is a very important one, so I am going to pass on this one.

  3. It’s a political issue, not a technical one. So, chance the policies (~-> (budget allocation) changes-> enemies), ask directly from the email server administrator, or set up an external (automatic) forwarding (fetching) from POP3/IMAP whatever. I don’t see a problem! šŸ™‚

  4. Without consideration of the technical issues, the plus side of having a uni email address is that it gives easy to see credentials to someone who is emailing you out of the blue and makes it easier to figure out where that person is from if you want to do a Google search on them (particularly useful when a person has a very common name).

    On the negative side, our IT people regularly block email from universities because they are a huge source of spam. Makes me wonder about the whole “security” issue there.

  5. I completely agree with Muhammad (no. 5), You should not underestimate the problem of who should have legal responsibility for such an operation. Pulling emails via POP3 is fine, because it is done “at the user’s own risk”, but why should the IT dept be accountable for a service they do not fully have control on?

    If we want to be picky, strictly speaking, Google and universities’ CS depts are competitors because they do research on the same field. Would you give all your work emails to your competitors even if they say “we are good guys?”

    On privacy: I don’t know how it is Canada/US, and I am not a lawyer, but if you were in Europe you would have problems in transfering personal data to non EU-entities because of different legislation. You’d need to refer to Safe Harbor and stuff like that.

Leave a Reply

Your email address will not be published. Required fields are marked *