Monday, November 5, 2018

University email accounts lack security and privacy

We should not forget that university emails are disposable, non-permanent and, most importantly, non-private. They should be treated with a lot of caution and distrust.

  • I have had university emails from:
    • Lebanese American University (Permanent Email)
    • American University of Beirut (Temporarily for 1 year)
    • Haigazian University (Permanent Email)
    • University of Southampton
    • University of Oxford

I often see my classmates, university researchers and instructors use their university emails to share private information, such as emails with friends and uploaded photos. Some of them use it as their primary email to sign up for PayPal and social media apps (Facebook, Twitter, etc.).

This is often associated with two issues: breach of university password credentials and employee misuse.

Most universities use the same email password to authenticate to a wide range of university services, such as university Internet services, Moodle/Blackboard access, Banner access and countless other services.

Just like any other software system in the world, those systems are not immune to breaches, and in fact they may receive less scrutiny. There are hundreds of innovative ways an attacker can expose and obtain your university password.

You need to assume that this is entirely possible and make sure your email contains only trivial material that you don't give a fuck about.

What makes the situation worse is that university email services of Office 365 do not offer any multi-factor authentication feature. This has been the case for me for all the 5 different university emails I've used in the future. This was discussed during my admission interview with Oxford University and it seems to be a current security problem.

As for the employee misuse problem, you would be surprised how easy it would be for University IT Staff to secretly gain access to your email and read every single email you've sent and received.

I have even spoken to IT officers/employees from the universities listed above, and many of them illustrated how easy the process of accessing an email is.

University emails should only be used for information that isn't sensitive and has insignificant value. Examples include class assignments, communication with a supervisor or an instructor, and communication with university staff.

Similarly, any storage provided by University services such as OneDrive should only be used to store trivial academic material as well.

Personal email accounts (such as Gmail) should be used for any personal emails or files you have.


