News

Garber Announces Advisory Committee for Harvard Law School Dean Search

News

First Harvard Prize Book in Kosovo Established by Harvard Alumni

News

Ryan Murdock ’25 Remembered as Dedicated Advocate and Caring Friend

News

Harvard Faculty Appeal Temporary Suspensions From Widener Library

News

Man Who Managed Clients for High-End Cambridge Brothel Network Pleads Guilty

E-mail Switch Draws Security Concerns

1Uncaptioned photo
1Uncaptioned photo
By Naveen N. Srivatsa, Contributing Writer

When Faculty of Arts and Sciences Information Technology held a focus group last spring to discuss a potential new e-mail system, Trevor J. Bakker ’10 had his share of complaints to voice.

The current junior says he was so concerned about the limited quota on the existing Faculty of Arts and Sciences Webmail client that when FAS IT announced the creation of a new e-mail service with the domain name @college.harvard.edu in November, he signed up the next day.

Since then, Bakker says he has had no problems with the 10-gigabyte mailbox size. And despite one or two minor problems, he calls the @college service “superior” to his old service.

But it wasn’t until after he received a message from a technician with a non-Harvard domain name that Bakker realized an outside company was now storing e-mail from Harvard’s new service.

While he doesn’t believe that Harvard is selling or distributing his information, he says he had no idea that an outside vendor was involved when he signed up for the @college service.

Bakker isn’t alone. The decision to outsource undergraduates’ e-mail—made partly due to cost constraints—was unknown to many students using the service, and the revelation has raised privacy concerns among some, despite assurances from administrators that their correspondence will remain safe.

THE SEARCH

Mail2World is a Los Angeles-based e-mail services company that provides e-mail accounts and capabilities to individuals and institutions. According to Mail2World spokeswoman Carol A. Mason, the company has about 300 corporate and institutional clients that use its servers and services to provide e-mail to their employees and affiliates. Among those clients are other colleges and universities, such as the University of Illinois, Rensselaer Polytechnic Institute, and the University of California, Davis.

It is Mail2World’s technologies and servers in Orange County, Calif. that FAS IT has chosen for the @college service, according to Noah S. Selsby ’94-’95, senior client technology advisor for FAS IT.

The search for an e-mail vendor began last summer, according to Selsby. He says that the decision—a departure from the in-house storage used for FAS Webmail—was made for reasons that ranged from the financial to the technological.

“Certainly the economy wasn’t in the state that it was then,” says Selsby, “but there were definitely questions of cost savings. There were definitely questions about ease of management. There are things about outsourcing that make it easier to support in a certain way.”

Furthermore, were FAS IT to create a new e-mail client from scratch, Selsby says it would amount to “reinventing the wheel.”

“There are people who are dedicated to creating these products,” he says. “Creating one in-house takes a lot of staff time. It’s much, much simpler, and in any case, it’s better to take a product that’s been tested quite thoroughly than it is to do something from the ground-up.”

‘SERIOUS CONCERN ABOUT PRIVACY’

Joshua A. Kroll ’09, a former president of the Harvard Computer Society, says he is none too pleased about the outsourcing of student e-mail to Mail2World.

“With any outside vendor, there’s a serious concern about privacy and data ownership,” he says, “which is to say that from a legal perspective and from a Harvard policy perspective, it’s necessary for Harvard to maintain ownership and full control over data even when it’s handled by an external organization.”

Kroll, who says he has plans to pursue a Ph.D. in computer science at Princeton next year studying the intersection of security and technology policy, says that any contract between FAS IT and Mail2World would have to ensure that Mail2World does not turn over student data in the case of a legal investigation or a subpoena. But even then, he cautions that there is a risk that Mail2World may not honor the contract.

David J. Malan ’99, a lecturer widely known on campus for teaching Computer Science 50: “Introduction to Computer Science I,” says he thinks outsourcing e-mail is not a concern. But he adds that students may not know that e-mail sent via the Harvard domain leaves Cambridge.

“Outsourcing of e-mail has at least one important implication that students might have to be cognizant of, and that is if they have the expectation that e-mail sent from their college.harvard.edu address to other users within harvard.edu will remain private,” he says.

Malan says students need to understand that using an outside vendor means that every message, regardless of sender or destination, will leave Harvard but thinks that educating students about this would be an easy task.

Kroll says he believes that not having the e-mail server at Harvard runs the risk of a different type of misconception—the belief that FAS IT is simply unable to manage student e-mail. He says this is false, and that judging from his interactions with members of FAS IT, the technicians wanted to keep e-mail in-house.

“A lot of these people don’t want to see the mail outsourced. They want to do it themselves because they feel like they could build something that is better, but they don’t have the funding to do it,” says Kroll. “And it’s not even that the fault is at the top. I think people like [Associate Dean for IT and FAS IT Chief Information Officer] Larry Levine would say that they would prefer not to outsource the mail, but the realities of the budget being what they are, it is the most efficient way to provide services that students are actually likely to use.”

In an e-mail, Levine wrote that the decision to outsource e-mail was not based on cost. Rather, the choice of an outside provider was made in order to “provide the best solution” to students..

NO ONE KNEW

Like Bakker, Ana I. Mendy ’09 and Yijing Zhang ’11 use the @college service. None of them knew when they signed up that their e-mail was going to be outsourced.

But Mendy says she isn’t concerned about the outsourcing because of the way she handles e-mail.

“There are certain things that are private, but I wouldn’t use e-mail for that,” she says. “So I don’t really care.”

Bakker says he doesn’t have concerns about outsourcing either, but only because he trusts Harvard.

Zhang, on the other hand, said that FAS IT should be able to handle and manage their own e-mail client and servers. If they didn’t have a contract, she says that she would be disconcerted about the privacy of her messages.

“In terms of my privacy, there are obviously very confidential things that could go through my college account, whether it is my school or my personal e-mail,” she says.

A ‘ROCK SOLID’ PROVIDER

Selsby calls concerns about privacy “legitimate” but says that measures taken by the Office of General Counsel (OGC) ensure that student privacy is maintained.

“There is a very strong contract which OGC and Mail2World spent months drafting, and it addresses specifically issues of security, issues of ownership of data, issues of FERPA, issues of DMCA notices,” he says, referring to the Family Education Rights and Privacy Act and the Digital Millennium Copyright Act. “We want to make sure that the experience of the student is the same in terms of the protection they received under our systems in-house. From a legal perspective, we feel that’s rock solid.”

The measures that have been taken, according to Selsby, acknowledge that data stored on Mail2World’s servers are Harvard property and prevent Mail2World from mining data, passing it on to other parties, or turning it over to authorities.

In response to a follow-up e-mail about whether students who signed up for the @college service knew about Mail2World’s role in managing their e-mail, Selsby wrote that FAS IT has featured Mail2World in literature about @college. He cited a press release issued by FAS IT that called @college “a product of Mail2World” and noted that Mail2World already provides services to the Law School and the Divinity School. Besides these two references and an expression of confidence from Levine, the press release said nothing else about the e-mail vendor.

Harry R. Lewis ’68, a computer science professor and former dean of the College, says he has confidence in the negotiations that took place and the contract that came out of it.

“My sense from knowing what I know and reading the press releases is that the people who negotiated this contract with Mail2World have done an extremely careful job,” Lewis says. “That’s why they went to this company, because they had a track record and they were apparently able to accommodate some of the expectations and demands. I don’t want to unnecessarily alarm people.”

Lewis says the fact that Harvard is Mail2World’s client carries greater weight when it comes to maintaining privacy and reliability since a failure to accommodate a prestigious university could discourage other colleges to outsource e-mail services to Mail2World.

Mason, the company’s spokeswoman, says that Mail2World has never had a privacy breach. Data such as a user’s name, password, and e-mail messages are given the distinction of “personal private information,” which is protected by a password that, according to Mason, is only known to two people within the company.

Mason also says that the servers are protected by multiple layers of redundancy, a backup generator, and a backup server located at their headquarters in Los Angeles. Mail2World is in the middle of constructing a new server in Dallas, but this server will be used to serve new clients, particularly those from Latin America.

When asked what she would say to a student who was bothered by the potential privacy risk of e-mail outsourced to Mail2World, Mason says that there is very little to fear.

“Well, I would say, ‘Don’t use webmail then,’” she says. “But I could also say that with millions and millions of people using the system from mobile devices or desktops or internet cafes all over the world and the eight years we’ve been in business and millions of happy customers that continue to use that service, I would say that’s a pretty good risk.”

Want to keep up with breaking news? Subscribe to our email newsletter.

Tags