Back to top

CAUT Bulletin Archives
1996-2016

December 1997

Email Security & Privacy

Email is like a postcard!" With this statement, Daniel Shap, a lawyer with the law firm of Goodman & Carr in Toronto, alerted conference delegates about the prevalent lack of privacy of electronic mail messages.

What is an acceptable degree of privacy? Determining an appropriate level of privacy of information means achieving a careful balance between the free flow of information and the right to personal control of information. Since the commodity information is fast becoming the currency of the day, society is finding it increasingly difficult to strike this balance.

What sorts of private information are recorded electronically at the university and outside the institution? Depending on the degree of sophistication of the information infrastructure within the university, a faculty member might, for example, use a desktop computer to access a bibliographic index at the library, download material from the library, incorporate some of that information into a document, and then forward that document via email to a colleague.

If the email message is unencrypted, the university electronic mail system can record a number of pieces of information about the message. This includes the body of the message itself. It also includes incidental information, such as the origin, destination, size and urgency of the message. If the message is sent to someone outside the institution, there will be a record of the electronic route taken, or "hops" from one intersection on the electronic highway to another.

After the message arrives at its destination, there will be a record made of the identity of the message, its size, time received and time a reply was sent. At any point along its journey, an unencrypted message can be easily intercepted by a third party -- the local university "postmaster," every Internet service provider (ISP) in the chain of delivery, and any other third party that can intercept the message.

The data generated by the transmission of the email message can be processed into information about staff communications. In some cases, this transmission record can be more revealing then the actual text of a message.

Assuming that the local postmaster refrains from reading email (and one assumes this is well-established practice), he or she can still generate reports for the administration about frequency of an employee's or department's usage; the identity of the people with whom employees correspond; Internet sites employees contact; the average size of transmissions; whether messages contain attachments (and the full path to attached files); and an estimate of the amount of time employees spend using the system.

What motivates a university administration, or any other employer, to keep such records and monitor email? According to Daniel Shap, a simple answer might be "because they can." Software that logs email and monitors Internet browsing is inexpensive, costing only a few hundred dollars. More reasonable factors include the concern that employees' activities could lead to loss or damage to the institution. This risk includes worries about defamatory remarks made by individuals, possibly leading to libel suits. Fear of losing valuable "trade secrets" will become more of a concern as university-business linkages and privatization efforts are strengthened. Fear of losing employees to outside competition is another issue that has arisen in certain disciplines in the university sector.

The desire to ensure a high level of "productivity" suggests that electronic monitoring can be coupled with performance measurements. Finally, the records contained in archived email correspondence can be used to substantiate or "discover" information to be used in dismissal or discipline cases.

Outside the university, there are many instances where personal information is collected and manipulated electronically. Examples include Revenue Canada records of personal finances; government records about Canada Pension Plan entitlements and disbursements; financial records maintained by banks (ie. debit cards and credit cards); computerized records kept by businesses such as telephone companies, retailers and so on. Of course, inside the institution itself, the employer will keep records on employment, remuneration, benefits, and the like.

With all this electronic data whizzing at high speed from one place to another, it is increasingly difficult for individuals to maintain control over information about themselves. Concern over the loss of privacy was recognized by the Organization for Economic Co-operation and Development (OECD) in 1969, and by the Canadian government and the United Nations in the 1970s. In Canada, a 1993 survey indicated that 90 per cent of Canadians are concerned about personal privacy issues and 50 per cent are extremely concerned.

What rights do academic staff have to control the monitoring of their email and access to personal information? In the public sector, at the federal level, the Federal Privacy Act affords protection of information held in public hands. Any trafficking of information constitutes a breach of trust. There have been some instances of information peddling, where data is sold indirectly rather than directly.

At the provincial level, provincial privacy acts do not tend to include universities. The exception is the Province of British Columbia. Privacy legislation in the Province of Alberta will apply to universities by the year 1999, but does not do so yet.

Other tools govern privacy issues in the private sector, but may be somewhat restricted in their efficacy. Edicts from the OECD might have some persuasive authority. The Canadian Charter of Rights and Freedoms does not appear to guarantee privacy of information. The Criminal Code of Canada, however, does provide that unlawful interception of information is a criminal offence where there is a reasonable expectation of privacy. Other legislation that pertain include the federal Bank Act, Insurance Companies Act, provincial consumer reporting acts, private investigators acts, and other privacy legislation.

How can the concerns of the university administration be addressed while still complying with the rights of academic and other staff to control information about themselves? Basic principles have been put forward by the Ontario Information and Privacy Commissioner. These principles include:

  • privacy of email should be respected and protected
  • organizations should create explicit policies on the use of email which address the privacy of users
  • organizations should make the policy known to users and inform users of their rights and obligations in regard to the confidentiality of messages on the computer system
  • users should receive proper training in regard to email and the security and privacy issues surrounding its use
  • email systems should not be used for the purposes of collecting, using and disclosing personal information, without adequate safeguards to privacy
  • providers of email systems should explore technical means to protect privacy and organizations should develop appropriate security procedures to protect email messages (such as encryption of messages and fire-walls).


Some universities have already established regulations governing the use of computer facilities, although these policies do not necessarily pertain to the privacy rights of the user.

CAUT's policy statement on confidentiality can be found at http://www. caut.ca.