Computer Security: Un-confidentiality when using external e-mail

Using the CERN e-mail service gives you some flexibility. Maybe a bit too much, as some current practices are problematic under CERN’s Computing Rules (CERN Operational Circular No. 5) since they can have severe implications for password secrecy and the confidentiality of certain documents sent by e-mail!

E-mails are like unsealed envelopes. Everyone who has physical access to that envelope can read the letter inside. In the digital world, this means that everyone with access to your mailbox can potentially read all your e-mails. This is why the CERN e-mail service is hosted within CERN and its managers are subject to strict confidentiality rules. E-mail communication within CERN is encrypted, but easily gets lost once e-mails leave the Organization. So let’s take a look at just how easily…

To take one example, configuring a forward for all e-mails sent to your @cern.ch address towards an external e-mail provider like Gmail, Yahoo, Mail.ru, GMX.de or Outlook.com, exposes all forwarded e-mails to that third party. CERN confidentiality is left to be “just” governed by the third party’s commitment to maintain confidentiality and hence is subject to any business interest they might have. No guarantees, but plenty of terms and conditions. The confidentiality of CERN’s internal information, documents and attachments exchanged by e-mail is lost. And the original sender might not even realise this! In addition, forwarding e-mails to third parties poses a risk to CERN’s privileges and immunities as an intergovernmental organisation (as also stated on the e-mail service’s configuration page). They become void when confidential information is forwarded by e-mail, leaving the Organization unprotected (see our very old Bulletin article entitled “Don’t let your mail leak“).


home.cern,Computers and Control Rooms

Secondly, giving an external e-mail provider such as Gmail full access to fetch or delete e-mails from CERN’s mail servers and write e-mails on behalf of CERN defeats password secrecy. Your CERN password is yours and only yours. It must not be shared with anyone else. However, for the aforementioned full access the third party has to store original, plain text CERN passwords, and use them directly on behalf of the CERN user, to connect to CERN’s e-mail service and let Gmail fetch data from your CERN mailbox. This is different from configuring your local (local!) mail client to fetch these e-mails as your local mail client resides on your local laptop, smartphone or tablet, and is not handed out willingly to any third party*.

Thirdly, e-mails with confidential content leaving the Organization require special care. Encryption of the confidential contents is the usual (but difficult) remedy. Better is to avoid e-mail as a communication channel for such data at all. For personal data, CERN’s Office for Data Privacy (ODP) recommends avoiding wherever possible the use of e-mail to communicate personal data. In any case, secure collaboration workspaces are the preferred mechanism (see our Bulletin article entitled “A ‘file drop’ for confidential data“).

What next? Help us to protect CERN’s data, operations, and privileges and immunities. Reconsider your working principles:

  • Avoid forwarding e-mails to a third party e-mail provider. If you are employed by CERN, the CERN e-mail service should be most appropriate for your professional needs;
  • Do not allow a third party e-mail provider to automatically fetch and process your CERN e-mails. Keep your password and access to CERN protected;
  • Refrain from sending confidential documents, in particular those containing personal data, via e-mail. Instead, use CERNbox as a secure alternative.

The CERN Computer Security Team, in collaboration with the CERN account management service, the e-mail services and the CERNbox team are always actively looking into providing you with the best ways to keep your communications secure.

_________

*Interestingly, Google has started doing exactly the same: restricting remote API access calls to its Gmail service. Until now, for instance, you could configure any third-party e-mail app to access your Gmail account in order to send, read and delete e-mails remotely. But that has ceased due to Google’s privacy concerns.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report

/Public Release. View in full here.