Discussion

It has always been the case that information transported over networks must be considered to be at risk of being misdirected or monitored. Recently this risk has significantly increased because of the ever-increasing popularity of wireless networks, public Internet access services, such as Internet cafés and new Internet-based services such as cloud computing.

Wireless networks are particularly easy to monitor since radio waves are not confined to secure areas.

There is significant risk for monitoring even where wireless networks are not involved. The user could be accessing the Internet through an Internet café or hotel network. It is less likely that environments of this type will have professional network managers that would have the inclination and tools to check for illicit network monitoring devices on their network.

It is not possible for a service provider or web server to know what type of network a user might be using to access a service because of the underlying design of the Internet technology. In most cases it is not feasible to be sure that communication is confined to a specific environment such as a data center. Thus, the design of a service must protect its communications from monitoring by encrypting all traffic. The traffic can be transported over encrypted communication channels. Examples of this include secure web (SSL or TSL also known as https), secure shell (ssh, scp or sftp) or Virtual Private Network (VPN). Information can also be encrypted before it is sent over a network (e.g., encrypted files or other secure file transport applications) but the built-in password file password protection function in Microsoft Office is not recommended.

Email has all of these security problems plus the added risks of email being sent to the wrong person or that confidential information may be forwarded to people who do not have a legitimate reason to receive it. The auto complete feature for email addresses is one specific area that has caused many problems in the past. It is too easy for a user to accept the offered address without verifying that the right address has been offered.

Versions of email that encrypt the messages and attachments can be obtained and can be used with the approval of a school and/or university CIO when email is the only practical way to communicate confidential information.

Other communication or collaboration solutions (SMS/text-messages, or public instant-messaging solutions like AIM, yahoo messenger, Microsoft Messenger, etc.) can also present an eavesdropping risk if the communication is not encrypted or the server is not under Harvard control. Most of these services do offer optional encryption of their traffic but there is still a risk of disclosure unless the server is under Harvard's control.