Unintended Consequences

To millions of workers, e-mail is as important as the air they breathe. To IT managers, it's just another word for problem.

by / October 4, 2004
E-mail is the most revolutionary form of communication since the telephone's invention, but its dark side is well known to system administrators and IT managers.

That dark side is the number of complications e-mail can bring to an enterprise, requiring a CIO to strike the right balance between e-mail's usefulness and the trouble it can cause. Whether it's a security or archiving issue, e-mail creates headaches for the unprepared.

When the MyDoom worm tore through servers and PCs in early 2004, one CIO fought back with an interesting tactic.

Tom McQuillan, director of Information Technology for Grand Rapids, Mich., cut off city employees' access to Web-based personal e-mail accounts because of the danger of people bringing in viruses, worms or Trojan horses through the back door.

Oceanside, Calif., CIO Michael Sherwood had a different dilemma -- complying with public-records requests in a cost-effective way. E-mail, including citizen inquiries, complaints, contracts and interoffice communications, is part of public record, and the city's old way of archiving e-mails hampered efforts to finding specific e-mail documents upon request.

No More Web Mail
Now that e-mail is an important means of communication, many people have two, three, even four Web-based e-mail accounts, such as Hotmail or Yahoo, which can cause problems when a fast-spreading worm hits networks.

Grand Rapids' McQuillan said blocking city employees from using city PCs to access personal, Web-based e-mail accounts was the logical response when he was told how many MyDoom-infected e-mails were knocking on various city servers' doors in late January and early February.

"Our system picked up 15,289 occurrences of that virus in one week," McQuillan said. "We were getting, on average, more than 100 infected e-mails every 10 minutes. The good news was, it wasn't getting through. The bad news was, we wanted to make darn sure it wasn't going to find a way around our three layers of security.

"Knowing that we seemed to be on somebody's radar screen, we thought that was an appropriate move," he said. "City leadership supported that move, and we shut it down in basically one day."

McQuillan and Information Technology Manager Pete Sneathen said they weren't actively monitoring employee e-mail accounts, but noticed a spike in Web traffic to particular sites.

"We were looking at reports for general Internet access, and we saw quite a bit of traffic, from a percentage perspective, that was going to sites such as Hotmail and Yahoo -- a lot of traffic going to the Web e-mail portion of those sites specifically.

"Based on the traffic we were seeing and the type of new viruses out at the time, it was decided to shut down personal e-mail at that time," Sneathen said.

By using a Web browser to access an e-mail account and download attachments, employees could circumvent message scanning both at the e-mail gateway and within the city's e-mail solution itself, Sneathen said.

McQuillan said the ban on accessing private e-mail accounts hasn't been an issue for employees, adding that such precautions will likely be the norm in the near future for enterprises of all types. Despite private e-mail accounts' threat to network security, telling people they can't check personal e-mail isn't a popular policy in some organizations. Employees have a persistent freewheeling attitude toward the Internet, creating a situation in which many believe it's not culturally acceptable to ban access to private e-mail accounts.

"In the e-mail and networked world, we're still on the beginning edges of some of this," he said. "In another five to 10 years, that culture will have to change. That lackadaisical attitude by someone interacting with computer technology will have to evolve. It continues to evolve as new people come out of school with more education and more experience."

Turning Over Public Records
In Oceanside, archived e-mails in the city system could not be searched for content, which made compliance with public records requests difficult. City CIO Sherwood said a new e-mail vault system from KVS gave the city a better handle on the way it responds to public records requests.

"Before, we'd have to pull tape and do all this cumbersome overhead work, and it wasn't even precise as far as making sure all e-mails were captured when we had a public records request," he said. "If you would have asked for all e-mails regarding 'project X,' I had no way of finding all e-mails that had project X in them. It was impossible.

"The e-mail system was not designed to be a searchable archive," he said. "It was designed to be a communications platform."

That design flaw is magnified by e-mail's evolution over the years. Now that e-mail has gradually replaced the time-honored practice of communicating via memos, governments have been forced to spend more time and resources figuring out how to archive e-mail messages, how long to keep e-mail messages and educate employees on certain situations, such as employee relations -- where using e-mail to articulate a point of view may not be a good idea.

The public also is relying more on electronic communications. Oceanside has seen a steady increase in public records requests that specify e-mail records, Sherwood said, partly because people expect government to furnish e-mails and partly because people in Oceanside know they can get copies of e-mail pertaining to issues that interest them.

"Since people have become aware of it, public records requests are increasing," he said. "They know we have the capability. If I had to make an educated guess, I'd say I've seen an increase of 10 to 20 percent in public records requests for e-mail over the last three years. Before that, public records requests for e-mail were basically zero."

Governments have resisted providing e-mail to constituents or advocacy groups in the recent past, the usual reason being that they simply can't provide it. It's technologically not possible, some governments say.

Sherwood said this issue will only attract more attention, and his city bought the e-mail vault solution for one reason -- to respond to public records requests for e-mail. He said the city spent an inordinate amount of time, especially during election years, trying to produce e-mail in response to public records requests.

"It's a hot issue," he said. "I think you'll see in this election year, and in proceeding election years, that it's going to get hotter, especially in city and county government. I think you're going to start seeing either newspapers or private citizens ask for this information or related public records. They're going to want it, and you can't keep coming up with the excuse that it's not possible."
Shane Peterson Associate Editor