Stanford University News Service



CONTACT: Stanford University News Service (650) 723-2558

Privacy problems may lie in wait for e-mail users

STANFORD -- Dennis Michael was suspicious.

Someone at Networking and Communications Systems had pointed out to him that an electronic mail account had been logged onto the UNIX computer for an abnormally long time.

He looked at what was being run and discovered it was "Crack," a well-known password guessing program used to break into electronic mail accounts owned by others.

"I then looked to see where the account was being logged on from," Michael says. "It was Berkeley."

Michael next typed "who is" into his computer to bring up a directory that lists information about the owners of Stanford electronic mail accounts. He called the student owner on the telephone and discovered what he suspected: Someone in Berkeley had broken into the student's account and had been reading the student's mail, as well as using the account to run other programs.

"The student had an easy password to guess," Michael said.

This is one recent example of the security problems that face campus computer system operators and the users of electronic mail. Michael manages one of the largest on-campus systems: 11,000 student and 1,500 staff electronic mail accounts for Networking and Communication Services. These are accounts known by the addresses Leland, Popserver and Jessica.

People who break into personal mail accounts not only can read your mail, they can copy it and even send messages to others as if they were you, Michael warned. Consumers should be aware that electronic mail is not foolproof, he and other operators said.

New guidelines for the protection of electronic mail were distributed recently to approximately 500 computer systems operators and 500 department heads and deans by Robert L. Street, vice president of libraries and information resources.

The guidelines are recommendations to electronic mail system operators and the users of systems that range from small, intraoffice local-area-network mail systems to larger mainframe systems owned and operated by university departments and centers. The larger systems usually are linked through the Stanford University Network (SUNET) to other Stanford mail systems and the outside world.

The guidelines outline responsibilities of electronic mail system operators to make their users aware of:

  • Special situations in which system operators enter users' password-protected mail files.
  • The system's data backup policies, which indicate to users how long copies of mail messages may still be available for retrieval after the recipient of the mail has deleted his or her electronic copy.
  • The legal obligation of systems managers to turn over electronic mail messages to law enforcement agencies or others who obtain court orders.

The guidelines also outline responsibilities of campus electronic mail users. Users should:

  • Regard electronic mail as no more secure than other types of mail and take reasonable steps to ensure that "confidential" mail cannot be read, retained or made available to anyone except the designated parties involved.
  • "Pay special attention to the electronic mail distribution of highly 'sensitive' matters, such as personnel information, salary information, financial aids data, student grades and other personal records, donor information and other data relating to individuals." In this case, it is not just the privacy of the mail user but of all persons whose confidential records are used that must be protected.

In general, the guidelines suggest, "A good test is to ask yourself if you would put the message into an interoffice memorandum; if you would not (because of concerns over privacy or confidentiality), then you should not send it via electronic mail."

Who has access?

Operators of computer systems have access to password- protected mail accounts on their system but generally consider it unethical to read mail, several on campus say. A more likely security threat comes from unauthorized users - or hackers - who guess account passwords or break into accounts in some other way.

To help prevent break-ins such as the one Michael discovered last month on a student account, he and three other programmers at Networking and Communication Systems routinely run password guessing programs on the accounts they manage.

"When we find a weak password, which is two or three times a week, I freeze the account so the account owner has to call me to find out why," he said.

His general advice is never to use a password that is in a dictionary because of dictionary-based password guessing programs.

"I suggest they use two short, unrelated words with numbers or punctuation between them."

Court ordered access is also a possibility in lawsuits or criminal investigations.

One system operator mentioned that some computer operators may be careless about locking up the tapes or discs on which they store back-ups of data files.

Some private companies have taken the position that managers have the right to access employees' electronic mail accounts without permission, and some universities have policies that allow them to read student or employee mail accounts in hopes of finding out who is misusing the computer system, said Bill Bauriedel, security officer for the Data Center, which manages the Forsythe computer system.

The Stanford guidelines are silent on this issue, leaving it up to the individual system operators to let their users know what the rules are.

The Data Center's Forsythe computer is home to more than 4,000 electronic mail accounts, mostly for staff and faculty whose departments authorize them to have an account.

Bauriedel said Data Center personnel are not authorized to read the electronic mail of others without their permission, and he has yet to face the situation where a department manager requests access to one of his or her employee's accounts.

Data Center personnel did gain access to an employee's Forsythe account last year, with the employee's permission. The account was being illegally used by a Dutch-based hacker to steal university computing capacity. Stanford also obtained a court order so Bauriedel and others on campus could trace activity on the account off campus.

Off-campus mail service providers could not voluntarily give Stanford permission to monitor the off-campus movement of the mail, he said, because the federal Electronic Communications Privacy Act of 1986 does not give public electronic mail providers legal access to the mail on their systems.

Both public systems and private systems, however, have to comply with legally obtained court orders. To his knowledge, the Data Center has never received a court order demanding access to Forsythe mail, Bauriedel said.

"I have never had to read anyone's mail in 12 years of managing UNIX systems, Michael said, adding that he can imagine reading someone's mail without their permission only in two situations: if he is under a court order to do so or in the event of the mail owner's death. So far, he said, he has not faced either situation. He does, however, follow information about the movement of mail on the system he manages in an effort to catch illegal snoopers.

How long does mail exist?

Most campus systems have some means of backing up data stored in their system in order to prevent a major data loss during a system failure. These back-up tapes or discs normally save copies of electronic mail as well as all other data in computer storage. To exampt electronic mail would add to operational costs of most systems, managers say.

Backup practices vary on campus, according to four system operators queried for this story. Bauriedel said that Forsythe keeps backup data for up to six months currently, but that does not mean all electronic mail a user received and deleted over the past six months has been saved.

All mail that existed in someone's mail account for at least 24 hours would be retrievable for a year on the Leland, Jessica and Popserver systems managed by Michael, he said. Year-old backups are trashed and the tapes reused.

The small, intraoffice "Quickmail" used by Campus Report staff is not backed up at all, according to the system operator of the Stanford News Service intraoffice mail system. In contrast, the Computer Science Department keeps backups indefinitely of all the data on its large Unix system, an operator of that system said.

Backup practices were generally created to protect users from important data losses due to system failures, and system operators say that devastating data losses are the flip side risk of security risks.

A student who has spent an entire quarter writing a computer program which she has inadvertently deleted is very happy to find that Leland has saved a copy, Michael said.

"It generally takes several hours to retrieve something from our backup system, so we only do it if it would take more time than that for the user to recreate it," he said.

In contrast, Forsythe saves information for a shorter period but is able to make retrievals faster. The Data Center charges $25 for a retrieval of mail that someone has inadvertently deleted, Bauriedel said, and the request can be made online.

Unfortunately, he added, users of Forsythe's Wylbur service may have very little mail backed up because Wylbur mail accounts are backed up weekly, and these backups catch what existed in files at the time of the backup. Forsythe's Electronic Mail System (EMS) users can retrieve all activity for 12 days because every change or addition to a file is backed up incrementally for that period. From 13 days to six months, he said, EMS backups are piecemeal as with Wylbur.

Users create security problems for themselves through careless or misinformed use of mail systems, system operators say. For instance, people frequently download or save their electronic mail messages to hard discs that are not password protected, said Dwayne Virnau, computer cluster coordinator for the School of Engineering.

Users of the Engineering School's 40 cluster work stations are encouraged to save everything they do on them to their own floppy disks, Virnau said, but the publicly accessible hard discs have to be cleaned each week of material left behind by users. This includes electronic mail, he said.

"For the most part, no one's interested in reading it, but people should be aware that downloading mail changes its access status."

Teaching assistants, he noted, are among the employees who frequently share offices and terminals and should be conscious of the lack of confidentiality on their work machines.

Another mail management problem reported by some mail users is the interconnections or lack thereof between electronic mail systems.

Forsythe's simple Wylbur and more complex EMS accounts, for example, are interconnected for users who have both services. If a user in Wylbur types EMS or RM, he or she leaves Wylbur and transfers the mail to be read into the EMS system. Deleting the mail later from Wylbur does not delete the copy transferred into EMS, Bauriedel said.

Conversely, a dean with accounts on several systems reported that she thought the accounts transferred mail into each other when, in fact, she had not made the necessary link.

To her surprise, the dean logged onto the alternate account one day and found seven months worth of unread mail.



This is an archived release.

This release is not available in any other form. Images mentioned in this release are not available online.
Stanford News Service has an extensive library of images, some of which may be available to you online. Direct your request by EMail to

© Stanford University. All Rights Reserved. Stanford, CA 94305. (650) 723-2300.