Skip to main content

WashU Expert: Work vs. private email — even at the White House

Employees can lose control over who has access to their information if it’s not sent over a secure email system

Crowley

Members of the House Oversight and Government Reform Committee plan to investigate the use of private email services at the White House, in the wake of news regarding Ivanka Trump’s email trail, and it may have some people asking, What’s the big deal?

Maybe you’ve intentionally or accidentally sent an email containing work information from your Yahoo or Gmail account. To a Washington University in St. Louis cybersecurity expert, there is a reason many companies’ workplace rules forbid employees from sending work-related emails from a private account: security risks.

And the consequences of breaking the rules intentionally or accidentally can be all the more perilous when that employee works for the federal government.

“The security risk is really a loss of control over who has access to that info,” according to Patrick Crowley, professor of computer science & engineering at the Washington University School of Engineering & Applied Science.

Crowley, who is also the founder and chief technology officer of a cybersecurity firm, said there is always a risk that an employee can lose control over who has access to their information if it’s not sent over a secure email system. When a person sends an email using Yahoo, for instance, the email is first sent to a Yahoo server before being delivered to the intended recipient.

“If that third-party service got hacked and some criminal broke into their system and started stealing attachments, or an employee abusing privileges and sifting through emails, that would be bad,” Crowley said.
“We only want to share information that’s appropriate to share,” Crowley said. “When someone is using a personal email account to share personal news or information, it is up to that person to decide what’s appropriate.”

At work, however, an employee typically agrees to adhere to the rules about who owns what information, what can be shared outside of the company and what information must remain internal. There also is usually technology in place to detect when sensitive information has been wrongfully shared.

In contrast to a personal email account, Crowley said, “when you’re using work email and sharing work information, it’s generally subject to rules beyond your own personal judgement.”

For the the extremely special and sensitive case of federal employees and officials — particularly those who have access to or work with defense or intelligence operations — “the rules, expectations and indeed the laws around classification and who can share what information are very, very real.”

Crowley may be reached for further comment at pcrowley@wustl.edu.


The School of Engineering & Applied Science at Washington University in St. Louis focuses intellectual efforts through a new convergence paradigm and builds on strengths, particularly as applied to medicine and health, energy and environment, entrepreneurship and security. With 96.5 tenured/tenure-track and 33 additional full-time faculty, 1,300 undergraduate students, 1,200 graduate students and 20,000 alumni, we are working to leverage our partnerships with academic and industry partners — across disciplines and across the world — to contribute to solving the greatest global challenges of the 21st century.


 Other News