Google Apps for Education- Email Privacy - Can Admins read users mailboxes ?

Hi All .
We are currently running google Apps for Education .
Our executive director is in possession of the Admin credentials .
As members of the board of trustees we have been getting anecdotal evidence and a growing suspicion that our email correspondence among ourselves may have been intercepted and read by the ED. As you can understand this is of some concern .
I would like to know if this is possible .
Can someone with administrative credentials in Google Apps for Education acquire read access to a users mailbox without that users knowledge or consent ?
If so how ?
What would be the best way to verify technically that this is in fact happening ?

Thank you for your help.
Andre PAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Shalom CarmelCTOCommented:
The trivial answer is no.
In a normal environment it is not possible.

However, there are 2 ways he can use to enable this:

1. Using Google Vault. Google Vault records all email correspondence for regulatory purposes, and the domain admin has access to it by default. This is a paid feature, and not a cheap one.

2. Using filters. At account setup time, the administrator can add 2 custom filters to create auto-forwarders for incoming and outgoing mail.  This obviously has the best chance to work where people access their email with outlook rather than directly, as anyone going to their gmail account settings is very likely to discover it.
0
Daniel McAllisterPresident, IT4SOHO, LLCCommented:
There is also another way this can happen, but it involves physical access to where the other mail users access their systems.

So let's say I'm an admin of my domain, education.edu, and I use Google to host my mail. But my campus administration is also on a Microsoft AD domain, for which I am also an admin.

Google will not allow me to read user emails through my "admin" account, so unless I know the users google password, I cannot access their mail DIRECTLY...

However, because I am also an AD domain admin, I may be able to access a computer on my domain where those emails were accessed from, and I may be able to access those messages (essentially cached) there.

OR, if for whatever reason I have the password to one of those accounts, I could login to that AD account, which probably has the Gmail password cached, and access the mail that way.

In general, people FORGET all of the numerous places that COPIES of their data live on. When you delete an email on your phone, it may APPEAR deleted on your Gmail page, on your computer, and on your phone -- but there are copies in all of those places, and they're generally only MARKED for deletion, not actually deleted.

From a purely IT perspective, it's a cost/benefit analysis
 - it costs too little to store 5 copies of everything to ensure that users don't lose data

I hope this helps

Dan
IT4SOHO
0
Andre PAuthor Commented:
0
Daniel McAllisterPresident, IT4SOHO, LLCCommented:
Yes, this is basically what shalomc said in his initial response.
However, that filter (for content compliance) is an add-on (to my understanding) that has to be paid for...

If there is another admin for your gmail account - one that you trust - have him log into the google apps and look to see if filtering (or redirection) is being applied.

If there is not another admin, you need to address this with your IT department heads! :)

Dan
IT4SOHO
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Shalom CarmelCTOCommented:
I just thought of another way, via dual delivery mode.
You can setup Google apps to automatically route ALL email for an organization to another mail server.
This is usually used during transition to/from google, but can be used for other means..
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Servers

From novice to tech pro — start learning today.