Ryerson’s chief information officer wants students and staff at the university to be cautious about sending confidential information using their school emails.
Brian Lesser said students and faculty should be mindful of the contents of their emails in light of the reality that government organizations could be monitoring online communications.
Lesser made these remarks at an event held for Cyber Security Awareness Month on Oct. 6. During the talk, he addressed some of the points from a recent report in The Ryersonian about a U of T study on cloud security. The study, released in September, suggests that when organizations such as universities outsource their email service to U.S.-based organizations like Google and Microsoft, these communications are subject to U.S.-jurisdiction surveillance procedures.
Andrew Clement, professor emeritus in the Faculty of Information at U of T, and one of the study’s authors, said that in light of the access U.S. agencies have to online communications, Canadian organizations that use Gmail should be concerned about being watched.
In his Ryerson talk on IT security, Lesser said that there are many myths surrounding security, surveillance and the perceived lack of spying by Canadian government agencies.
“There is this kind of emerging myth that says your data is safe in Canada,” Lesser said. “We know that everyone is spying, and everyone is exchanging all this information constantly.”
Lesser pointed out that Canada has various intelligence agencies that track communications, just like their U.S. counterparts do. Furthermore, with the recent passing of the Anti-Terrorism Act (commonly known as Bill C-51), Canadian intelligence agencies have even more freedom to share information on Canadian citizens gleaned from their online communications.
Lesser referenced a live-streamed talk with Edward Snowden from earlier this year hosted by Canadian Journalists for Free Expression, where Snowden called the Anti-Terrorism Act “an emulation of the American Patriot Act.”
Another idea in the U of T study that Lesser took issue with, although he never mentioned the study specifically, was the assumption that there is an expectation of privacy and security when using email as a form of communication.
Lesser equated email to an electronic postcard. He said that when you are sending an email, there’s no digital version of an envelope to prevent an email’s contents from being read while it’s being sent.
“There is no guarantee of any encryption, and even if there was, you have no way of knowing what happened to it in transit,” Lesser said. “There is no feedback, no paper envelope that says, ‘Guess what, this wasn’t tampered with.’”
Another cause for concern that Lesser wanted people to be cognizant of is that email contains metadata that logs your address, the address of the person you are sending to, and the date and time of your correspondence. Lesser made the case that all of this can be tracked, whether you are using email for university or for other purposes.
“Email is not a really secure, wonderful way to send confidential information,” Lesser said. He suggested that people working on confidential documents use other methods of communication, such as storing data on the cloud.