The University has accessed e-mails sent and received on brown.edu accounts 11 times since July 2008, according to David Sherry, chief information security officer for Computing and Information Services. According to the University's e-mail policy, Brown accounts may be accessed "by authorized University officials for purposes related to University business."
Sherry said no one should be surprised that the University has access to e-mails. "What Brown has the ability to do, every company, every school and every place that has an IT infrastructure has the ability to do," Sherry said. "You have to support the system. You have to have people to help with troubleshooting."
But students said they did not know the University could access their e-mail accounts.
"If they're going to do this, they should let us know," said Sam Helman '12, a computer science concentrator.
Accessing e-mail
Though CIS usually accesses accounts for health and safety reasons, they may also review Brown e-mails if, for example, the Department of Public Safety were investigating someone, Sherry said.
"Most of the time, it's for a staff member who became ill very quickly, and so we have to go through his or her e-mail for business-related purposes," he said.
But Sherry said the University rarely has to access student, staff or faculty e-mails.
"Since July of 2008 — my arrival — we have had 11 instances of emergency access. All were for the continuation of urgent University business, or life and safety. Only one was a student," Sherry wrote in an e-mail to The Herald.
The University's acceptable use policy states that people using Brown e-mail accounts cannot be involved in any illegal activity, which includes "sending spam messages and if someone uses their brown.edu address to send stuff when they're running for office," Sherry said.
"It's very rare that this process is used," Sherry said. "We don't want to be looking in people's e-mails, nor do we have the time to do this."
CIS places restrictions on who can access e-mails, wrote Michael Pickett, vice president for CIS and chief information officer, in an e-mail to The Herald. "With the proper high-level authorization, e-mail accounts can be accessed," he wrote, but added that staff members must sign an annual confidentiality agreement.
Though CIS does have access to e-mails, messages are encrypted and stored on Google's servers, not Brown servers, Pickett wrote. E-mails are broken up and "stored in different data centers to increase security and ability to survive potential disasters," he wrote.
The University does not have a regular screening process or system to monitor e-mails, Sherry said.
"We don't screen for content or for wording," he said. "When DPS or the Office of Student Life approaches me with something, it's usually through a complaint."
"We would need substantiation or receive authorization from (the Office of Student Life) if there was an imminent health and safety issue," Sherry wrote in an e-mail to The Herald.
Requests to have access to an e-mail account come from the chief of Brown police at DPS, the director of health services, the vice president for campus life and student services, the provost, the vice president of CIS or the vice president of human resources for staff, Sherry said.
Exercising caution
"There is always a risk that someone could access your e-mail, regardless of what program you use," Google spokesperson Kat Eller wrote in an e-mail to The Herald.
CIS policy states that the University cannot guarantee the full security and privacy of its e-mail service, and users should "exercise extreme caution in using Brown e-mail to communicate confidential or sensitive matters."
"The security is reasonable for normally confidential University use, but we recommend that users not consider University Gmail as a good tool for private, personal matters," Pickett wrote. But Sherry said the University is careful to restrict Google's access to brown.edu accounts.
"They have access to servers but not individual accounts. They hold themselves to very high standards," he said.
Sherry said if students are concerned about having their accounts accessed, they should open a personal e-mail account.
"With private data, I never send e-mails through my brown.edu account. It would bother me," said Ryan Kaplan '12, a mathematics and computer science double concentrator. Instead, Kaplan forwards his brown.edu e-mails to his personal Gmail account.
"I mainly use it for employers," said Victor Vu '12, a philosophy and computer science double concentrator. He also said he does not do anything financial through his Brown e-mail.
The privacy policy
Sherry said that since he has been at the University, he has not received any complaints about the University's e-mail security policies.
"When we update a policy by a statement or a word, we send it out for University-wide comments. We didn't get any negative feedback from the Google update," he said. "People have to run the system that need access for troubleshooting and help."
"I believe the freshmen that are coming in are made aware of all the policies through the Office of Student Life," he said. "We hope that the message is getting out."
Both Kaplan and Vu did not know about the University's policies concerning e-mail privacy.
But Vu said the policy concerns him. "If you don't know about the policy, it's a privacy issue."
— With additional reporting by Herald staff
