When the Ashley Madison data breach occurred in 2015, it made headline news around the world. Not just infosec headlines or tech headlines, but the headlines of major consumer media of the kind my mum and dad would read. What was deemed especially newsworthy was the presence of email addresses in the breach which really shouldn't have been there; let me list off some headlines to illustrate the point:
- Ashley Madison Hack: 10,000 Gov’t Officials’ Email Addresses on Leaked Ashley Madison List
- RCMP, military email addresses in Canadian Ashley Madison data
- Senior CE Industry Executives Exposed In Ashley Maddison Saga As New Data Dumped Online
Government, police, military, and corporate accounts. Now, keep in mind that Ashley Madison's mission statement back then was the same as it still is today: "Life is short. Have an affair." So, it's pretty clear what the goal of using the service is. Should work email addresses be used on a site of this nature? Does your place of work have a right to know? The ability to know? And for that matter, can we pose the same questions for less salacious online services?
Let's start with a poll:
At your place of work, does your employer have the right to access the contents of your corporate email account if necessary?— Troy Hunt (@troyhunt) July 19, 2021
The result of the poll is crystal clear, but what's much less clear are the answers to the other questions above. Just read through the responses to that poll and you'll get a sense of just how nuanced the issue really is. Part of the problem lies in the fact that I've used a global platform to ask a question of people all over the world, and the answers can differ significantly based on jurisdiction. But there's also a lot of consistency. For example, here's a piece on whether it's legal to access an employee's email account in Australia:
The short answer is yes. As an employee’s email account is the employer’s property, they have the right to access an employee’s email account.
Or perhaps a more US-centric view:
Emails sent or received through a company email account are generally not considered private. Employers are free to monitor these communications, as long as there's a valid business purpose for doing so.
Let's head over to Europe and see a Norwegian view:
An employer is entitled to access employees' emails or other private files when there is reason to believe that information in the individual's work email account is necessary for operational purposes.
There are, of course, many nuances to the discussion. What corporate policies does the employee agree to, what's the basis of the access to the employee's account, what controls exist to limit inappropriate access and so on and so forth.
But what's not nuanced and not up for debate is whether the employer has the ability to inspect the email accounts on their domains. Not only do they control the access rights to the mailbox, they also control DNS and the MX records, and therefore they control the routing of email for the domain. If the mail is accessed on a corporate device, then they also control the endpoint, and there's a good chance they also have the ability to inspect the contents of both outbound and inbound emails via security appliances. That's not to say there are deliberate spying regimes designed to invade the privacy of workers; rather, it's a recognition that many threats enter the organisation via email. Likewise, plenty of data that should never leave the organisation exits via email. There are valid and reasonable grounds for email inspection, and there should be no doubt whatsoever that employers have the ability to do it.
This discussion originally came about after someone questioned whether Have I Been Pwned's (HIBP) free domain search feature should return email addresses exposed in breaches flagged as "sensitive". This is a concept I introduced in 2015 specifically to deal with the Ashley Madison breach and have used many times since to keep sensitive breaches out of public view. As of today, anyone who can demonstrate control of a domain can retrieve every alias on it and every breach that alias was exposed in, sensitive or not. Here's why:
Firstly, for all the reasons mentioned above. The employer already has full control of the domain and therefore full control of all the email addresses on it. They have the ability to inspect email, and therefore the ability to see inbound messages from the likes of Ashley Madison.
Secondly, there are very good business reasons why employers want visibility to the exposure of corporate accounts in data breaches. In the case of Ashley Madison, there was a huge amount of blackmail:
Amazing that 3 years on we're still seeing Ashley Madison blackmail scams. This one is especially nasty having tailored the email with other personal attributes not in the original breach such as their job title and place of work. Someone sent this to me just today: pic.twitter.com/1ukVDcMKZT— Troy Hunt (@troyhunt) July 17, 2018
I had a lot of discussions with companies trying to work out how to handle this incident as it relates to employees using their work addresses. I recall one in particular where a company was in talks to be acquired and one of their executives had an account. They were worried it could pose a material impact to the sale due to reputation damage. I heard another company say that Ashley Madison falls within their acceptable use policy as it's a "relationship site" (ok, that's a very specific type of relationship but it's not up to me to cast judgement on that). Another company was only interested in the email addresses of executives where the aforementioned reputation damage was riskier. And yet another company didn't want to know about it at all as it was too much of a hot potato.
Thirdly and finally, it's up to organisations to self-govern. They already have the technical ability to read everyone's email but if that's inconsistent with local laws or corporate policies then the only thing stopping them from doing it is the same thing stopping them from running domain searches on HIBP: self-governance.
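To make the self-governance point concrete, here is an added example (my illustration, not HIBP's own code) of how an organisation might triage what the domain search hands back. It assumes the shape of two HIBP v3 API responses: the breached-domain endpoint returning a JSON object of alias to breach names, and the breach catalogue returning records carrying an `IsSensitive` flag; the domain, aliases and breach list below are constructed for illustration and nothing here touches the network. The three policies mirror the company reactions described above: take everything, drop sensitive breaches entirely, or only act on sensitive breaches for a watchlist of aliases such as executives.

```python
"""Triage a Have I Been Pwned domain-search result against the breach catalogue.

Assumption: HIBP's breached-domain endpoint returns {alias: [breach names]}
and the breach catalogue returns records with Name, BreachDate and IsSensitive.
All data below is constructed for illustration; no API calls are made.
"""
from dataclasses import dataclass

# Constructed subset of breach catalogue records (field names as assumed above).
BREACHES = [
    {"Name": "AshleyMadison", "BreachDate": "2015-07-15", "IsSensitive": True},
    {"Name": "LinkedIn", "BreachDate": "2012-05-05", "IsSensitive": False},
    {"Name": "Adobe", "BreachDate": "2013-10-04", "IsSensitive": False},
]

# Constructed domain-search output for a hypothetical corporate domain.
DOMAIN_SEARCH = {
    "alice": ["LinkedIn", "AshleyMadison"],
    "bob": ["Adobe"],
    "ceo": ["AshleyMadison"],
}


@dataclass(frozen=True)
class Exposure:
    alias: str
    breach: str
    sensitive: bool
    breach_date: str


def join_exposures(search, catalogue):
    """Expand alias -> breach names into one Exposure per (alias, breach) pair."""
    by_name = {b["Name"]: b for b in catalogue}
    exposures = []
    for alias, names in sorted(search.items()):
        for name in names:
            record = by_name.get(name)
            if record is None:
                # A breach name missing from the catalogue is a data problem;
                # surface it rather than silently dropping the exposure.
                raise KeyError(f"unknown breach {name!r} for alias {alias!r}")
            exposures.append(
                Exposure(alias, name, bool(record["IsSensitive"]), record["BreachDate"])
            )
    return exposures


def apply_policy(exposures, policy, *, watch_aliases=frozenset()):
    """Return the subset of exposures the organisation has decided to act on.

    policy values (hypothetical names for the stances described in the post):
      "all"           - everything HIBP returns to a verified domain owner
      "non_sensitive" - ignore sensitive breaches entirely
      "watchlist"     - non-sensitive breaches for everyone, sensitive ones only
                        for aliases on the watchlist (e.g. executives)
    """
    if policy == "all":
        return list(exposures)
    if policy == "non_sensitive":
        return [e for e in exposures if not e.sensitive]
    if policy == "watchlist":
        return [e for e in exposures if not e.sensitive or e.alias in watch_aliases]
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    found = join_exposures(DOMAIN_SEARCH, BREACHES)
    for e in apply_policy(found, "watchlist", watch_aliases={"ceo"}):
        flag = "SENSITIVE" if e.sensitive else "public"
        print(f"{e.alias:<6} {e.breach:<14} {e.breach_date} {flag}")
```

The point of the `policy` switch is that the data arriving from the service is identical in every case; what differs is the organisation's own decision about which of it to look at, which is the self-governance described above.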
The challenge with running a platform used globally is that it spans every conceivable geographic location, regulatory regime, and legal construct. The way a topic such as this is viewed in Germany is fundamentally different to the way it's viewed in China, and that's not to say that one or the other is wrong or right, rather that they both have access to the same global service. And again, it's up to them to decide how to use the tools at their disposal, whether it be the ability to directly control their employees' mailboxes or to identify their presence in data breaches.
To be honest, what surprised me most in the discussion following that poll was that some people had an expectation of conducting personal activities on work accounts without the oversight of their employer. Especially in an era where we're walking around with supercomputers in our pockets and on our wrists, and free personal accounts from the likes of Gmail are ubiquitous, there's very rarely a need to conduct personal affairs under a work identity. This is especially true when it's common for workplaces to have acceptable use policies that permit personal use of corporate systems to some extent, for example popping open personal mail in a browser or your online banking on the work PC over your lunch break. (Sidenote: there's a whole other discussion about active interception of encrypted communications, such as TLS inspection on the corporate network, that may also give an employer access to this.)
Finally, if you're in any doubt about who owns your work email address, ask this one simple question: can you take it with you when you leave your job? There's your answer 🙂