Consumer Email and Government: A Dangerous Mixture

by Jeff Gould, SafeGov.org
Monday, April 02, 2012

As followers of SafeGov.org well know, government agencies in the U.S. are increasingly looking at "government community cloud" offerings from vendors like Google and Microsoft as a replacement for on-premises email systems. These multi-tenant but government-only services combine the cost advantages of the cloud with a degree of isolation between government and non-government users. They are not without controversy – witness the debate over Google's radical new privacy policy, which the search engine giant hastily agreed would not apply to government users. But issues with specific vendor offerings aside, most observers will agree that, if properly configured to protect government users from data mining and the "socialization of information" enabled by ad-driven consumer services, government cloud offerings are a good thing.

At the same time, however, a surprising new phenomenon is occurring in parallel that presents a real danger to the safety and security of government information in the cloud. The phenomenon is that of individual government employees – often of high rank – adopting the pure consumer versions of cloud email services to serve as their work email addresses. Unlike the government cloud services referred to above, pure consumer services such as Gmail, Hotmail and Yahoo Mail are provided to users free of charge, but users must in exchange grant the provider the right to systematically data mine their messages and to present "relevant" ads in their email in-boxes. It is important to understand that the ad-based consumer services do not even pretend to offer the privacy and security protections of the government cloud offerings.

This phenomenon occurs in the U.S. – witness last year's hacking of the Gmail accounts of several White House officials by suspected Chinese intelligence agents. But the phenomenon appears to be even more widespread in developing countries. For example, a glance at government web sites in India reveals that senior officials at several prominent agencies list their official email addresses as Gmail, Hotmail or Yahoo Mail. It’s hard to imagine that the Chinese hackers who targeted the White House will fail to notice that officials of their great Asian rival have exposed themselves to the same kind of attack.

Last year’s White House email hacks should serve as a warning of the real risks entailed by the creeping consumerization of enterprise IT. Although the architectural influence of consumer technology on the enterprise is a good thing (highly scalable, extremely resource-efficient multi-tenant clouds), there must be a clear demarcation between dedicated infrastructure used by government and public infrastructure open to all comers. Likewise, government cloud services must be contractually guaranteed to be free of all data mining or implicit exploitation for advertising purposes. Government officials around the world would be well advised to avoid the lure of free consumer email.
