After nearly a decade of use, Ryerson’s email service is showing its age. But as business and technology editor Matthew Braga discovered, privacy issues — and the U.S. Patriot Act — could make the switch to a newer system more difficult than it seems
Crash-prone and riddled with bugs, Lakehead University’s aging email system was in need of repair. An in-house revamp would cost at least $1-million dollars and take months to complete.
But Google made the school an offer they couldn’t refuse — for free.
Since 2006, Lakehead has used a Gmail-based service to handle all of its messaging needs. The system works similarly to the company’s consumer mail product, but with extra functionality for students and faculty. And best of all, it doesn’t crash.
But those features came at a cost; compared to Lakehead’s ancient webmail service, Gmail simply wasn’t as secure. And for some concerned faculty members, that was worse than all the school’s previous problems combined.
Their worries stemmed from the American Patriot Act, introduced in the aftermath of the September 11, 2001 attacks to grant the U.S. government access to personal or confidential information in the interest of national security. Canadians, of course are not governed by U.S. law, but American-based email services like Gmail most certainly are.
“If the U.S. government feels there’s a security concern they can read the data of a Canadian user,” explains Dimitri Androutsos, chair of Ryerson’s Advisory Committee on Academic Computing.
And that was exactly what Lakehead staff feared.
Next year, Ryerson’s own email system will turn 10 years old. By online standards that is practically a life time. And while rampant crashes are not yet an issue, it’s clear the service is beginning to show its age.
With limited storage space, barebones functionality, and a frustrating, dated interface, the school’s service pales in comparison to what companies like Google or Microsoft can offer. Yet, when it comes time to replace our aging webmail system — a possibility the school has now begun to investigate — change won’t come easy. And for that, you can blame the United States.
The problem is that personally identifiable information — including academic standing, marks and contact information — must be kept sensitive and confidential, as dictated by Ontario’s Freedom of Information and Protection of Privacy Act and the Personal Health Information and Protection Act.
“But if the data stored on their systems is encrypted, then the Patriot Act is somewhat mitigated,” explained Brian Lesser, acting director of Ryerson’s Computing and Communications Service. “If they can’t decrypt it, then it remains fairly private.”
But while this is possible with an in-house service, where mail servers are stored and operated from within Canada, Google and Microsoft’s systems are unencrypted, and predominately U.S.-based.
In Lakehead’s case, faculty were instructed not to transfer student marks or confidential information via Google’s Gmail service in order to satisfy Canada’s privacy laws — a small tradeoff in return for a free service.
But in 2008, frustrated staff filed a grievance against the university claiming it violated their right to privacy and academic freedom. The claim, however, was eventually dismissed.
“While I am sympathetic to their plight and the fact that big brother could be watching over their e-mail communications,” noted arbitrator Joseph D. Carrier in the ruling, “one should consider e-mail communications as confidential as are postcards.”
The simple fact is that services from Google and Microsoft are far more mature and comprehensive than what most universities can afford to offer in-house.
For example, under Ryerson’s current email system, students are allotted just 500MB worth of email storage — a paltry number compared to the gigabytes of space offered by other services.
But there’s more to it than that; email has grown into something much larger than the name alone implies.
“It’s more than just transport. There’s spam filtering and virus protection. There’s dealing with phishing attacks,” Lesser explained.
“There’s a lot more involved with managing a mail system than just managing the mail, and I think that’s been an increasing problem for us to find the resources to do that.”
Such vast resources are what make companies like Microsoft so attractive. Anil Verma, product manager for the software giant’s Live@edu service in Canada, notes that his team’s goal is to alleviate much of the work a school’s IT staff must do to keep their mail servers operational. Most importantly, Ryerson retains full control.
“We don’t own the data. The school owns the data. It’s simply hosted as a service from us,” Verma explained.
Convenient, perhaps. But in an interview with The Globe and Mail, Tom Puk, former president of Lakehead’s faculty association, disagreed.
“By getting this [for] free from Google, they gave away our rights.”
As far as the Patriot Act is concerned, Androutsos points to an interesting trend. A considerable number of students are already using external services like Gmail for school purposes, regardless of potential privacy concerns.
As reported by the Eyeopener last year, the ability to forward Ryerson email to an external Google or Hotmail account is just one of many ways to sidestep the limitations of Ryerson’s in-house service.
In fact, a recent survey of over 400 University of Toronto students by the school’s Information and Technology services department found that close to one quarter forwarded their school email to an external service.
By doing so, they willfully expose themselves to U.S. law.
But as both the University of Alberta and University of Toronto launch their own inquiries into the privacy and security concerns surrounding Microsoft and Google’s services, it remains unclear what real effect, if any, the U.S. Patriot Act would have upon school data.
One question in particular on the University of Alberta’s website asks whether the use of services like Gmail will increase the probability of being added to a no-fly list.
But according to the University of Toronto’s own threat assessment report, published in September, it’s difficult to gauge whether “hosting student email outside of Canada exposes that data to greater risk from governmental inquiry than at present.”
As Ryerson explores the possibility of revamping its own email system, these are questions that will need to be answered. The University of Toronto has suggested a similar solution to that of Lakehead, where student marks and information would be posted only to a secure, Blackboard-style service.
It is too early to tell whether Ryerson would follow a similar routine.
“There’s a reciprocal agreement with the Canadian government where, in theory, you could have a request from the U.S. government for private information,” Lesser explained.
“But while the Patriot Act is reality, what is the real risk?”
Illustration: Matthew Braga