Saskatchewan Premier Brad Wall took some heat this week from the Opposition about doing government business from a private account.
Although Wall at first said he would continue to use a private account, a spokesperson later said he would stick to a government account and server when it comes to government matters.
David Gerhard is a professor of computer science at the University of Regina.
He spoke to CBC News and broke down what all the fuss is about over private accounts — and what the risks are.
Q: What is a private account and a private server when you're a government worker?
Gerhard: The government provides email for you, just like any company would provide an email address and email access. A private server is when the person who's getting those emails has decided to do that themselves, so they'll hire somebody to set up a server or they'll set up a server themselves. They might use that to access their government email, or they might have another email address that they would forward their government email to or from.
Q: What happens when the premier leaves office?
Gerhard: This is actually the big problem with using private email accounts and private servers. The email address that's issued by the government is more connected to the office of the premier than the person of Brad Wall, and so when somebody else becomes premier, they see all of those emails, they become that person and they start to use that email account. If somebody's using their own private email accounts and their own private servers, that information doesn't necessarily translate to the new premier.
Q: What if Brad Wall says he will transfer over all the emails when he leaves?
Gerhard: If he does then that's great, but again the problem is accountability and auditing. We don't know for sure if every email that he transfers is every email he's ever received on that private server. We don't know for sure the way that that private server is set up unless he gives us direct access to the entire server and lets us go through all the security and every network access that that server has ever had.
Q: Is it easier to hide emails on a private account when there's, for example, a freedom of information request?
Gerhard: Absolutely. Because the server is private, we don't know the way that it's been set up, we don't know what emails go through there, so it would be possible to hide information. Now, nobody's saying that that's what happened, but that's the problem … it's at least possible and that means it's a problem.
Q: Why would someone use a private account or private server when they have a professional email account already?
Gerhard: Often, professional accounts are secured to the location that they're meant to be used from, so from government accounts and corporate accounts often you can only access those on campus, so to speak, in your office or at the place that you're meant to be using them. And if you work from home, say, or work on the road, it might be more difficult to get access to those kind of connections. That's one reason to do that.
Another reason to do that is to try and get access … maybe in an appropriate way.
Q: Is it easy to take your laptop from work home and connect to a server?
Gerhard: These days, corporate and government clients will often set up what's called a virtual private network. That establishes a secure connection from a laptop that's owned by the organization back to the servers that are also owned by the organization. So it's possible to work from home using a VPN, but sometimes people decide to do other things instead.
Q: When you're a government worker and you use a private account or private server, there are certain measures you have to take to secure your account, right?
Gerhard: You're expected to use encryption and appropriate authentication. Encryption means that the information is sort of jumbled up when it's sent across the network and that means somebody spying in on it can't read it. Authentication means a way to prove you are who you say you are, so a password, but that's usually not good enough these days. We use two-factor authentication, which means a password and something else like access to a physical device or a biometric, like a fingerprint.
Q: If we compare private accounts or private servers to government accounts and servers, which is more secure?
Gerhard: These technologies are not necessarily limited to one organization or another, so it's possible to set up a private server that has all the same security authentication parameters as a government-issued server. The problem is accountability. We don't know what the server was like [that] Mr. Wall was using. We know what the government servers are like because they're accountable. We have records, we see who set them up, and we can tell whether they are appropriately secured. But the private system that people use, we don't know if they're secured properly or not and that's the real problem.
Clarification: Due to incorrect information provided to CBC by David Gerhard, a previous version of this story said a new premier has access to the previous premier's emails. In fact, a new premier does not have access to emails from their predecessor, according to the government. (May 15, 2017 4:35 PM CT)