
Google allows G Suite administrators to monitor and audit user emails - kylek
https://www.goldyarora.com/how-you-can-access-your-users-email-without-knowing-their-password-in-google-apps/
======
def8cefe
If you are 'god'-level admin on any enterprise mail server I've ever used you
can read users email or even manipulate it in transit. This is intentional,
all business correspondence is property of the organisation.

~~~
Kwantuum
Also likely illegal in most of the world.

~~~
reaperducer
_Also likely illegal in most of the world._

Where "likely" means "I'm not a lawyer so I'm just guessing here" and "most"
means "I read on HN that Europe likes privacy."

~~~
Carpetsmoker
In the Netherlands there was a court case which ruled that an employer cannot
just read an employees work email, as even work-related emails are considered
private information.

There are some exceptions of course: if you notify the employee _and_ have a
justified reason you can check _some_ emails. So it's not outright forbidden.
It matters a lot on the case and _what_ you did, exactly.

I'm not aware of the situation in other countries.

(In Dutch: [https://www.cnvvakmensen.nl/nextnow/blog/2016/march/mag-
de-b...](https://www.cnvvakmensen.nl/nextnow/blog/2016/march/mag-de-baas-jouw-
e-mail-lezen) and [https://www.sprengersadvocaten.nl/publicaties/wanneer-mag-
ee...](https://www.sprengersadvocaten.nl/publicaties/wanneer-mag-een-
werkgever-zich-toegang-verschaffen-tot-de-mailbox-van-een-medewerker/))

~~~
Skunkleton
I like this personally. I can have a private conversation with a coworker in
the break room, why not by email? If I wanted to include my boss I would have
CC'd her.

This is not the current state of the law in the US however.

~~~
saagarjha
Can an employer set up a microphone in the break area without letting you
know?

~~~
mentat
Depends on the state. I believe there are several in which the answer is
"yes".

[https://www.justia.com/50-state-surveys/recording-phone-
call...](https://www.justia.com/50-state-surveys/recording-phone-calls-and-
conversations/)

Also, depends on to what extent that room can be considered public. (IANAL
TINLA)

------
plexicle
Admin here. Of course you can. You should always assume you can.

Even if I couldn't read the email (which I can, but fortunately have never
actually had the need to or done so), I can always reset a password and gain
full and instant access.

You should always assume your employer can see your enterprise correspondence.
G Suite or not.

~~~
scrollaway
AFAIK the legality of it is not consistent.

I had an employer who insisted that after I leave, every email I receive to my
corporate address be forwarded to him. I remember asking a lawyer how legal
this is and not receiving a conclusive answer. (Still interested in an answer
for CA+NY if someone knows)

~~~
dekhn
Just so I understand what you're complaining about: 1) you worked for a
company 2) the company provided you with an email address via their corporate
email system 3) you left the company 4) the company wants to read email sent
to your work email address in their corporate email system

Yes, it is totally legal for them to do that, there is no question, and it
wouldn't make sense for it to be any other way.

~~~
e12e
Consider this: your former employer receive a closed envelope addressed to
you, c/o workplace, from a medical clinic. Would you assume the employer could
open and read this mail?

I'm sure jurisdictions vary, but in Norway, excepting any written concent,
your employer may not read mail addressed to you by name.

Personally addressed work email likely (but not certainly) fall in a similar
category.

~~~
mikepurvis
I get the analogy, but I'm really not sure it applies in practice.

Like, who would use their work mailing address with a medical clinic? The only
physical mail I've ever had sent to my workplace is maybe the occasional
December parcel that I need to conceal from its ultimate recipient. We're long
past the days where anyone's work email address is their only (or even
primary) email address.

~~~
Symbiote
Someone working somewhere "temporarily" (however long that may be) and living
in company-provided accommodation, or where that is more secure than private
accommodation.

\- A politician with a state-provided residence in the capital city.

\- A soldier living in a barracks

\- A teacher living at a boarding school during the term, or someone very
senior at a university with an on-campus house/apartment. Or a PhD student.

\- A vicar or priest living at the vicarage

\- A diplomat or embassy staff posted abroad

~~~
mikepurvis
Those are good examples, though in most of them it's still clearly a
residence, not a workplace. So I would expect there to be protocols in place
for securely forwarding items which are personal in nature— particularly since
this is not a tech problem, it's something people in these kinds of roles
would have been dealing with decades ago.

Certainly for myself many years ago as a university student, I acknowledged
that my lodgings were temporary and had anything of any importance at all sent
to my parents' address.

------
otachack
As a sidenote: If you have an Android phone and your work uses Gsuite, you may
want to double check privileges you're giving your company by being signed
into your Android phone.

Your employer may be able to wipe your phone, track it, etc. Instead, I
installed a different browser dedicated to logging into work email.

~~~
Someone1234
If your employer enrolled "your" phone in MDN/Device Management, then they can
do whatever (inc. remote wipes). But more than likely it is their phone if
they did that. Simply logging into GSuite doesn't allow that.

Individual apps can wipe their own data, but apps don't have the arbitrary
ability to wipe the entire phone. Even Google's apps.

To quote the docs:

> [0] Before you can wipe a user’s mobile device, you need to turn on mobile
> management. For details, see Set up mobile device management[1].

PS - I'm responding because this myth that simply retrieving GSuie/Office 365
email allows device wipes just won't die. That isn't how any of this works.
Enterprise device management requires special device enrollment, simply
signing into a random email app isn't it.

[0]
[https://support.google.com/a/answer/7542661?hl=en](https://support.google.com/a/answer/7542661?hl=en)

[1]
[https://support.google.com/a/answer/7396025?visit_id=6372178...](https://support.google.com/a/answer/7396025?visit_id=637217898165462811-3603968334&rd=1)

~~~
csours
My employer requires MDM before allowing email client access. They don't
require it for webmail access.

~~~
reallydontask
My employer is the same, which is awesome because it means when I turn off my
laptop that is the end of the day for me :)

------
S_A_P
I think that people dont realize that they shouldnt use work email for
personal correspondence. Its even less private than a free email service like
Gmail. In the late 90s/early 2000s I was an admin at a fortune 500 company and
people would move to different geographic BUs often. When that happened, we
had to migrate their email accounts. The practice at the time was to robocopy
their home drive and export/import their exchange mailbox. We would then reset
their password and validate things were in order. I would never outright read
someones mail, but you would be surprised what was at the top of someones
inbox in their work email.

Additionally, when robocopying their profile data you would see their internet
history(each visited/cached site, cookies, etc). I couldnt believe the number
of VP/C level employees that would have vast quantities of porn and shady
history on their work machine. no judgement here, but if worker bees had the
same content they would be fired without question.

Do what you want on your own time or computer, but dont expect a work PC to be
private or not monitored.

------
LatteLazy
I came here to comment that "of course" it was both perfectly possible and in
at least some companies/roles/industries likely routine for them to do so.

I am very surprised by the number of people claiming it is illegal or not
possible.

You should always assume your email (and the contents of your hard\network
drive, your browser based activity, and everything you do, down to the key
strokes) is being recorded and may well be being actively monitored by your
employer (or anyone else with privileges on the systems you use). Similarly,
anything you delete is unlikely to be actually deleted.

Your friendly local IT guy might be stealing your bank details or checking for
people trying to unionize or just spying for a competing department. It's not
"Nice", but no one owes you nice.

Please act and plan accordingly.

------
exabrial
Why is this even a question? You're on a company asset, using company
services, doing company business, handling company IP. You should have no
expectation of privacy.

~~~
mahart
Also legal action can require the admin to have access to obtain this stuff.
Also thanks to FOIA, there are government orgs that are required to comply
with public requests for copies of emails.

------
rntksi
G Suite has implemented recently an option that lets you email sensitive
content with a timer. The user receives the email and no content is in the
email, instead a link is shown, and the content will be deleted after some
kind of triggers (e.g. after X minutes, or after having been read once)

Now I would be interested in whether Google Vault retains those. Because it's
a conundrum either way.

If google vault does retain it, you have sensitive content that people think
are private but is not.

If google vault does not retain it, then accountability, auditing, liability,
etc... goes out the window and google vault isn't a vault anymore.

Anyone on G Suite Business can check and confirm?

~~~
froindt
>G Suite has implemented recently an option that lets you email sensitive
content with a timer. The user receives the email and no content is in the
email, instead a link is shown, and the content will be deleted after some
kind of triggers (e.g. after X minutes, or after having been read once)

I knew that capability existed, and it sounds like a great avenue for
phishing. People who routinely receive highly sensitive messages like that are
going to be more apt to open a link than my mom, who is aware of phishing and
whose spidey senses would be tingling.

~~~
jedieaston
The Office 365 one (at least, for a long time) looked just about like a
phishing message because it was an email from Microsoft asking you to click on
a link. Especially if Outlook blocked the images (as it does by default).

------
manigandham
Yes. This is standard functionality of every corporate email system for
auditing, liability, security, and many other reasons.

------
nefitty
Semi-relevant, and a discussion I've had in the past in regards to Slack DM's.
My company was a guest in our client's Slack workspace so this was an internal
anxiety. Short answer, admins have the ability to view private messages after
jumping a couple of hoops:

Slack Plus/Corporate: "This type of export includes content from public and
private channels and direct messages."

[https://slack.com/help/articles/201658943-Export-your-
worksp...](https://slack.com/help/articles/201658943-Export-your-workspace-
data)

~~~
markstos
As a Slack admin, I changed the default retention period from "forever" to "1
year". Old Slack messages are more likely be a liability as a benefit, for the
company as well as individuals.

If you want to store something important for the long term, Slack is not the
place to do that.

------
mslate
Of course they can, why would anyone assume otherwise?

~~~
michaelt
I am aware it's common, and perhaps unavoidable so long as administrators can
reset users' passwords, but it's always struck me as strange.

In many organisations the guy who operates the mail server does not have the
same seniority as the CEO, and neither would they be read into every
commercially sensitive project, every HR, disciplinary, or employee medical
discussion.

So it seems odd to me that IT administrators, who are often such sticklers for
security and opponents of the idea of trustingly granting overly-broad
permissions, would even _want_ the ability to do an end-run around information
isolation.

~~~
LatteLazy
>So it seems odd to me that IT administrators, who are often such sticklers
for security and opponents of the idea of trustingly granting overly-broad
permissions, would even want the ability to do an end-run around information
isolation.

You're not wrong but:

* It's necessary for someone (or some group) to have these powers in order for anything to work.

* Usually everything you do as an Admin is logged just like for the users and you cannot purge those logs or not without drawing a lot of attention or making it obvious you did so. So you too will eventually be caught and punished if you abuse these powers. You have more power but not infinite power as there will be other admins watching you and if a log file suddenly disappears at the same time you make some strange stock purchases you may be asked difficult questions...

It's also worth noting that humans are surprisingly honest. Millions of
workers have access to your medical records, your bank accounts, information
useful for insider trading or state\company secrets. And it's pretty rare that
anyone steals any of it. If anything, humans are too willing to keep
company\state secrets and we'd be better off if people leaked MORE (e.g.
Sherron Watkins or Edward Snowden)...

------
mywittyname
Funny story: I was creating a script that would download attachments from an
arbitrary (enterprise) gmail account, then do some processing on it. This was
basically a hack we devised because there wasn't an API to fetch the file we
needed programmatically, but we could schedule an email to be sent with the
file as an attachment.

I decided that I didn't want to deal with maintaining a gmail oauth token, so
I went down the rabbit hole of getting my service auth set up as a gsuite
admin. It turned out to work fine, no more oauth token necessary. But then I
thought for a second, and changed the email address from the the junk one I
setup specifically for this task to mine, and it worked. So I tried my
colleagues (with their knowledge) and it worked as well. Turns out giving your
service account admin rights means giving them full access to the entire
company's accounts.

So with a sigh and a dammit, I went back to using the oauth token. I couldn't
find any way to be a "limited" gsuite admin over just some set of email
addresses; it was all-or-nothing. This seems like a strange oversight on
Google's part, but I also could have missed some documentation.

~~~
judge2020
Sounds like GSuite Delegation, which does allow you to perform API calls as
any user on the domain.

------
phn
I knew about the audit route, and I should add that at least for this method,
the fact that you accessed the e-mails is permanently saved in the audit
records.

While this means that yes, "the company" can read your e-mails, it also means
that they can't deny doing it if it actually happened. Neither can a rogue
employee do it without there being a record, assuming you have accounts
properly setup and don't share account passwords.

------
arkadiyt
Just assume your work has full access to every system you touch and act
accordingly.

------
netsharc
Off topic: Wow, the layout of that webpage makes me sad. I have a 27" Full HD
display, and holding a piece of A4 paper against the screen, each step takes
up about the area of said A4 paper.

------
twomoretime
I've always thought it was crazy that we are so eager to use free third party
centralized services for secure communications.

There has to be _some_ degree of corporate espionage occurring when every
startup and many mature corps are using everything from Gmail to teams to
slack to discord. It would be really difficult to sniff out if the offending
admin kept quiet. All you need is one person with access...and if you're a
less than ethical executive it isn't hard to find a dev to do your bidding
quietly.

------
jb775
I think it's safe to say you shouldn't expect any privacy when it comes to
your work computer.

If you look in Chrome's privacy settings, you may notice: "Your administrator
can change your browser setup remotely. Activity on this device may also be
managed outside of Chrome". Considering I've granted Google Hangouts
screen/webcam/microphone access, I'm assuming they can access my
screen/webcam/microphone whenever.

------
mountain_404
Yes, they can always can. They can reset your password and gain access to your
Gsuite email account.

The same thing happens to Slack where they can access to archive of all
messages, including private channel.

NEVER gossip anything with WORK account. Always assume they will see you.
Create a PRIVATE Facebook, PRIVATE Gmail, etc and discuss there.

~~~
yc-kraln
I don't know why, but the concept of a "Private" Facebook account is really
funny to me.

------
duxup
I assume work has access to any of my work tools, either directly, or
potentially legally or whatever.

------
jpswade
I would always treat emails like they are readable by anyone at any time
regardless of permissions.

~~~
carapace
Yeah, this. They are sent and stored in plaintext.

It's like if you write all your correspondence on postcards (no envelopes) and
then wonder if the mailman can read your mail.

------
Animats
It's probably best to assume that Google is reading your corporate email,
analyzing it automatically, and using that information for something that
benefits Google.

Is it insider trading if Google uses that to decide in what stocks to park
their excess cash?

~~~
carapace
A little more nuanced: Google as a whole is almost certainly _not_ doing this,
however a subset of bad actors _within_ Google almost certainly _are_ doing
this.

------
gigatexal
I've always assumed my work email was being read either by a person or some
automated process.

------
guyzero
This seems like various security "holes" in unix where once you're root that
you can do bad things. Or to quote Raymond Chen: "Well, yeah. It’s compromised
because you compromised it."

------
ArchReaper
* 2017

Article still needs proofreading lol

------
Medicalidiot
I've always assumed that my chancellor/boss/attending will read every single
email that I write. It changes the paradigm for how I write and I think for
the better.

------
pwarner
I think the admin always has the power to see things in all tools unless it's
true E2E encryption which I think is very rare in corporate environments, or
even non existent?

~~~
SanchoPanda
The admin is on the "end" portion of the E2E encryption.

~~~
thaumasiotes
What? If there's a company IRC server, and I'm using to encrypt messages
locally, send them through the server, and then my friend decrypts them
locally, where does the admin get access?

~~~
shadowgovt
Probably in your boss's office, around the time you're pulled into a meeting
with the admin, your boss, and HR, and your boss says "So that message you
sent over the company IRC on such-and-such day: what was in it?"

... with all necessary and legal steps taken regarding your continued
employment at that organization should you refuse to voluntarily divulge the
contents of the message or a way to decrypt it.

[https://xkcd.com/538/](https://xkcd.com/538/)

~~~
thaumasiotes
This might happen, but it would seem to _disprove_ the idea that 'The admin is
on the "end" portion of the E2E encryption', not support it.

------
_verandaguy
I wonder if this applies to ad-hoc Hangouts calls made using corporate
accounts as well (and specifically, ones which aren't explicitly set to record
by the participants).

~~~
nefitty
I couldn’t find a way that an admin could see any past Hangouts video meeting,
but they do have access to all metadata. They can also enforce a setting to
record Hangouts to Google Drive, which means those recordings would be
accessible by an admin. It is unclear if recording can be enforced, but
presumably, if so, Hangouts would give an indication that the meeting is being
recorded. There’s also a setting to have chat logs on, which would then make
them accessible by admins.

[https://support.google.com/a/answer/9186729?hl=en](https://support.google.com/a/answer/9186729?hl=en)

[https://www.goldyarora.com/blog/google-vault-
guide/](https://www.goldyarora.com/blog/google-vault-guide/)

------
thereyougo
It raises a few interesting questions. Shall we give employees more privacy
rights within the organization?

~~~
shadowgovt
On the specific axis of email privacy: seems unnecessary in this modern era,
where the practical solution to keeping your private correspondence private is
to log in from a second browser session to an email account other than the one
provided by your place of employment (ideally, running on a computer other
than the one provided by your place of employment, talking to a network other
than the one provided by your place of employment.

That's a lot of words to say "Use your smartphone email client and don't
connect to the wifi", but there you go ;) ).

------
artursapek
Not if your organization uses PGP!

