Electronic Communication: Some Reflections
The role that email has played in the current kerfuffle in the OCA has prompted me to reflect on a number of aspects of how we (as Church) handle digital information, whether electronic mail, documents, parishioner data, or chats. I’ll confine my thoughts to email for now, with the possibility of an expanded version of this later on.
The first question that comes up with regard to email is: Is it secure? Most individuals are not really aware of how email systems work. The diagram below shows, in simplified (and ugly) form, how a message is handled from sending to delivery. Working from left to right, the user composes a message and clicks “Send,” which causes the mail client to give the message to the mail server (a Mail Transfer Agent in technical terms), which in turn queues it up to be sent. The sender’s mail server contacts the recipient’s mail server and transmits the message. The recipient’s mail server places it in a store (a “mailbox”) until the recipient uses a mail client to retrieve or delete the message. If the recipient chooses to forward or reply to the message, he becomes the sender and the process starts anew. If you really want to see all the details of how email systems are put together, this article has a good explanation of all the pieces.
The email infrastructure on the web is old, dating to the early 1980s, when computer networks were rare, email was a novelty, and computer security minimal. What security infrastructure there is in modern email systems is generally in the form of “add-ons” to the mail clients, including encryption and virus/spam checking. Thus, a sender can encrypt the message (but not the recipient and other “envelope” details), hand it off to the server, and let it travel to the recipient’s email server as a sealed box until decrypted by the recipient, with a password or other form of authentication. In reality, the majority of email is unencrypted, and most users don’t know how to use the encryption features in their mail readers, if present. Further, existing Internet protocols (IPv4 for those of you with propeller beanies) have no built-in encryption. Thus, the entire system is built on sending email “in the clear.” On the majority of systems, anyone with access to the network connections can easily read your email as it goes by. The only thing preventing others from reading your email from the mail store on the receiving server is the strength of the password mechanism.
In other words: it’s not terribly secure in most environments. The newest Internet protocols (IPv6, again for you nerdniks) will make encryption standard for all transmissions (securing the wires, effectively), but, despite lots of pressure from a declining pool of available network addresses, IPv6 is still a ways away from full deployment. Even then, people don’t like entering passwords or using biometric cards or similar devices regularly, so the system remains vulnerable to unauthorized or unexpected access simply by using a computer that is still “logged in” or has a saved password that automates the process of logging in (i.e., without ever prompting the user, who might not be the actual owner of the email store).
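Each mail server in the path just described prepends a Received: header as it relays the message, and the “with” clause of that header records whether the hop used plain SMTP or TLS-protected ESMTPS/ESMTPSA. The following is an added example (not from the original post) that reconstructs the hop-by-hop path of a message and flags the links it crossed in the clear; the message, hostnames and addresses are constructed for illustration.

```python
"""Reconstruct an email's relay path from its Received: headers.

Each MTA prepends a Received: header, so reading them bottom-up gives the
path from the sender's server to the recipient's mailbox. Per RFC 3848 the
'with' protocol is ESMTPS/ESMTPSA when the hop was protected by TLS; plain
SMTP/ESMTP means the message crossed that link unencrypted. Only headers
added by servers you trust are reliable; earlier hops can forge them.
"""
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (hostnames/addresses are made up for the example).
SAMPLE = """\
Received: from mx.somechurch.example (mx.somechurch.example [203.0.113.10])
\tby mailstore.somechurch.example with ESMTPS id abc123;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from smtp.freemail.example (smtp.freemail.example [198.51.100.7])
\tby mx.somechurch.example with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.25] (laptop.example)
\tby smtp.freemail.example with ESMTPSA id ghi789;
\tMon, 1 Jan 2024 10:00:01 +0000
From: frjohn@somechurch.example
To: treasurer@somechurch.example
Subject: Budget draft

Body omitted.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)

def parse_hops(raw):
    """Return hops as (from_host, by_host, protocol, tls) in delivery order."""
    msg = message_from_string(raw, policy=default)
    hops = []
    # Each relay prepends its header, so the last Received: is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # malformed or non-standard Received: line
        src, dst, proto = m.groups()
        proto = proto.rstrip(";").upper()
        hops.append((src, dst, proto, proto in ("ESMTPS", "ESMTPSA")))
    return hops

def cleartext_hops(raw):
    """Hops on which the message crossed the wire unencrypted."""
    return [(s, d) for s, d, _, tls in parse_hops(raw) if not tls]

if __name__ == "__main__":
    for src, dst, proto, tls in parse_hops(SAMPLE):
        print(f"{src:30} -> {dst:30} {proto:8} {'TLS' if tls else 'CLEAR'}")
```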
The second question that comes up is: Who owns it? Well, this is thornier. In general, companies employ a simple axiom: corporate business stays on corporate systems. Thus, corporate employees may not store corporate (or customer) data on personally owned systems. Corporate employees use corporate email addresses to transact corporate business (@bigcompany.com), never using a jimbob@yahoo.cxm even if it’s more convenient. Most corporate IT policies also indicate that employees have no expectation of privacy with regard to electronic communication (e.g., email, or instant messaging, if offered) conducted with company systems. Using company systems for personal business is usually discouraged, if not prohibited outright. Additionally, the Sarbanes-Oxley legislation, which is applicable to publicly held corporations, mandates an extensive retention period for electronic communications.
Violation of these policies in a large company can lead to governmental fines or other penalties and can even lead to termination of employment for individuals.
Company ownership of these communications facilitates the handing-off of critical activities in the event that an employee is incapacitated, dies, or leaves the company unexpectedly. Previous discussions are then easily transferred from the old person to the new by system administrators. Company operations are allowed to continue with fewer disruptions.
So, in a secular environment, the company owns the email, the chats, the calendars, and so on, because those things are all related to transacting company business, even if aspects of it are confidential or proprietary. These communications are seen as the property of the company because they represent work undertaken on the company’s behalf as a result of the employer-employee relationship.
Note that the notion of emails being “on” a computer is an obsolete one, particularly with the increasing use of webmail (i.e., reading email using a web browser) from services like Gmail, Yahoo Mail, Hotmail, and even the Microsoft Exchange/Outlook web interface and smart phones such as the iPhone or BlackBerry. In these cases, the mail is never really “on” the computer used to read the message, in that the computer is only displaying the message without storing it on the device. The message is kept in the mail store. For this reason, many companies will permit a company-provided web interface to be used to read company email, as perhaps the only weak exception to the “company data stays on company systems” rule, since nothing is actually “resident” on the local system.
But in the Church, we have been operating with a different standard. It is by far the norm that every clergyman and church worker has a private email address used to conduct Church-related business. (This is still true when a church-specific email address such as frjohn@somechurch.com simply forwards to a Gmail account, as the mail store is not owned by or contractually provided to the church.) Thus the messages related to the operations of the diocese or parish are diffuse – stored and transmitted on a mix of systems determined, in most cases, by the convenience of the person choosing the email address. Church communications are rarely stored on Church-owned systems, and, as often as not, are entrusted to “free” providers elsewhere.
This is problematic at a couple of levels. First, no one generally knows who has actual custody of the communication. Who is responsible for Gmail, or Yahoo Mail, etc.? Are they honest? Have they been background-checked? Is the mail encrypted within the message store? (If not, system intruders can steal it. Many readers have been contacted by companies who have recently seen their email lists compromised in just this fashion. Those lists provide half the information needed to steal from the mail store.) These questions are why companies either host email internally with trusted employees running things or use other companies that provide security protections within the contractual terms of service.
Secondly, the confidentiality of the data is by no means guaranteed. (Encryption would help, but, as mentioned already, few messages are encrypted.) Gmail, in fact, is rather explicit that your email messages will be scanned for keywords that can then be used to present advertising to you. Innocuous? Maybe. But what if someone gets the idea to look for other things, or specific names and email addresses, and to perform specific actions (like forwarding it to another website’s owner) on that basis? How would you ever know?
Third, there is no clear idea of “ownership” of the communications. This is made abundantly clear in the current mess. If a diocesan chancellor or treasurer conducts diocesan business via a Gmail account, is that his personal communication, or does it belong to the diocese? If it’s sensitive information (perhaps relating to pastoral matters), what steps have we taken to safeguard that sensitivity and who is responsible for protecting it? Again: who owns that communication: the parish, the account holder, or the original sender? If a diocesan officer uses a private account to conduct both personal and diocesan business, how does one differentiate church communications from private ones without reading the messages? (As noted previously, use of company systems for personal business is generally discouraged, if not prohibited entirely by larger companies in the secular world.)
Fourth, how are transitions to be handled, especially if they are unexpected? Electronic communications, particularly email, provide a lot of documentation about current planning and policy. If the person responsible for these activities leaves or dies, how is his successor to continue the work without them? For transitions that result in any animosity (such as the forced removal of an officer), how is it possible to secure this critical information against malicious destruction or theft intended to thwart future work? Within the OCA, remember that Kondratick removed boxes of documents from the OCA Chancery following his suspension as chancellor. In a more email-centric culture, mailboxes are just as vital.
Fifth, there is no expectation of recovery in the event of loss. If a free system such as Gmail is used, there are usually no guarantees at all regarding recoverability of emails in the event the mail store is compromised or destroyed. (See paragraphs 14 and 15 in the Google Terms of Service.) The maintenance of the confidentiality of passwords is the sole responsibility of the account owner (Section 6.1 of the preceding link: “You agree and understand that you are responsible for maintaining the confidentiality of passwords associated with any account you use to access the Services.”) Gmail offers no provision to recover communications deleted during an unauthorized access. The other free providers, including Yahoo Mail, Hotmail, AOL, etc., have similar if not identical provisions.
Sixth, there is no assurance that deleted communications are deleted permanently and from all archives. There is no way for a user to know whether digital copies of emails are retained anywhere else. This has significant ramifications for anyone who has conducted extremely sensitive or regrettable exchanges using an email account from a free provider.
None of these questions and concerns has an easy answer, but they do, I think, point to the need for increased use of parish- or diocese-owned systems for handling Church-related communication, if only to provide necessary guarantees of privacy of email conversations and a clear record of “ownership” of them.
More on this soon. Your comments are encouraged.