On April 9, the Advisory Committee on Academic Computing (ACAC) voted six-to-one to recommend that Ryerson’s RMail service be closed in favour of using Ryerson’s Gmail service. The following is the final text of the recommendation. In addition to the letter of recommendation a more informal alternative proposal was requested from the dissenting voter. It is also reproduced below. Both the letter of recommendation and alternative suggestion were provided to the provost and vice-president academic and to the vice-president, administration and operations on April 10, 2019.
Letter of Recommendation to close the RMail service
April 9, 2019
The Advisory Committee on Academic Computing (ACAC) initiated a consultation process beginning November 13, 2018 regarding the possibility of shutting down the RMail system in favour of using Ryerson’s instance of Gmail. The consultation included:
- one mass mailing to the entire Ryerson community followed by two mass mails to all RMail users;
- use of the https://email.blog.ryerson.ca/ site to post the emails and to solicit feedback;
- a set of surveys (http://email.blog.ryerson.ca/2019/04/06/is-it-time-to-shutdown-rmail-survey-results/);
- a town hall on March 12, 2019 and March 21, 2019 attended by a total of 11 people;
- a compilation of anonymized email responses.
The primary impetus for the consultation was concern regarding the security of the RMail system. Despite significant efforts by CCS, the system has not kept pace with the increasing sophistication and persistence of attackers. Gmail has demonstrated much better security in part because of Google’s security investments and in part because the size of the Gmail system provides Google with unparalleled threat intelligence.
During the consultation there were several concerns and objections raised to shifting from RMail to Ryerson Gmail accounts. These were:
- reluctance to change systems because the change would be disruptive – especially regarding learning and adapting to a different system;
- objection to using Google because people don’t trust Google to protect their privacy (because Google has a commercial interest in selling ads based on people’s behaviour or because people believe U.S. law enforcement and intelligence agencies have direct access to Google’s systems);
- reluctance to change systems because RMail works better for some people;
- Gmail is not accessible in some countries such as China where it is blocked.
Gmail’s web interface is significantly different from RMail’s web interface and does require time to adapt. In some cases it may appear that Google is not able to do some things that RMail does. However, in every case we’ve investigated the same tasks were possible but had to be done differently. People who use email software on their computers instead of the Web interface would be less affected by the change but still must reconfigure their systems to work with Gmail. These differences mean that online information, training and consulting will all have to be available to RMail users before a change is made. The change cannot be made quickly without sufficient lead time.
Objections to Google
Based on the emails received, the surveys, and the town halls there are a small number of people who very strongly object to using Google’s services. They do not believe that Google’s enterprise service offerings and Ryerson’s agreement with Google mean Google will protect their privacy and data. For some of them, Google’s consumer services are an example of surveillance capitalism and Google’s enterprise services are unlikely to be any different.
When Google Apps for Education was first adopted by Ryerson a full privacy impact assessment was completed. The assessment included the Patriot Act in the U.S. and is available online:
Email and Collaboration Tools Privacy Impact Assessment
Recent email.blog.ryerson.ca posts discuss what has changed since then. Essentially Google has improved its resilience to nation-state spying, improved its overall security posture, and discontinued scanning related to showing ads in all its email services. (Ryerson does not use Google’s consumer Gmail system and ads have never been available in Ryerson accounts.) While people strongly object to using Google the committee has not found a factual basis for these objections. On the contrary, Google’s Enterprise services are independently audited for privacy and security:
As almost all work-related correspondence is now in Gmail there is no advantage to offering another system to people for regular Ryerson work purposes. When people have special needs for end-to-end encryption, anonymity or other features to communicate securely with people outside Ryerson, there are specialized and freely available email services available to them. A frequently cited example in our consultation was Protonmail.
Access from China and other countries
CCS has found that some Ryerson systems – such as our Central Authentication Service – are not always available from all networks in all countries. Therefore there is no 100% solution to this problem. However, for China and some other countries CCS can inexpensively setup a series of proxy systems that provide access to Ryerson’s locally and remotely hosted services internationally. Unlike Ryerson’s current solution to this problem, the proxy services do not require installation of software on user’s computers and introduce less latency.
The committee recommends the following:
- No new RMail accounts be created after this proposal is formally approved and announced on the consultation site.
- RMail users be given until July 31, 2019 to delete any email they do not want copied to Google.
- Beginning on August 1, all RMail accounts will be gradually moved to Google so that all accounts are moved before August 15, 2019.
- CCS provide updated training, online information, and consultation services to assist with the transition from RMail to Ryerson Gmail accounts.
Chief Information Officer
Chair of the Advisory Committee on Academic Computing
If Ryerson is willing to give faculty members any choice of what email platform they use, and thus the ability to opt out of Gmail, one potential solution might be keeping just an edge email system and small mailbox server on‐premise.
As we understand them, the primary arguments against having a choice for email systems primarily revolve around the University’s inability to effectively secure the alternate system and the cost of maintaining and supporting a second system. Given these considerations, a possible option that might accomplish the goal of minimizing the monetary investment and security risks associated with having a secondary system on premises could be a small hybrid Exchange and Office 365 deployment. To many at Ryerson, there are no valid arguments for everyone not going to the Gmail system, however, we have not heard from a silent majority of the faculty members that are still on RMail. There have been countless complaints about the move to compel everyone into a one‐size‐ fits‐all solution including, but not limited to:
- workflow changes between the two systems – email interactions are still some of the primary functions that faculty members use when communicating with colleagues and other collaborators
- storing their email in a Canadian jurisdiction
- accessing their emails in countries where Google is explicitly banned giving users the freedom to choose where they store sometimes‐privileged information
In addition to the concerns affecting faculty directly, there are at least two institutional concerns:
- having all of your investment and resources in one Cloud provider
- limiting the opportunity for the University to explore other Cloud options in the future
One of the primary issues with the current solution is a lack of any hybrid cloud/on‐prem option and the inability to choose the data centre within which your data will reside ‐ it is effectively an all‐or‐ nothing situation (if we eliminate RMail completely without allowing for other options). By maintaining a passthrough edge server in Toronto, we can eliminate email storage (using RMail), on‐ premise phishing attack/spam filter services and have the edge simply act as a forwarder to each respective Cloud‐hosted email system. Mail flow would be directed to the appropriate provider depending on where the user’s mailbox is located (as is done now by Ryerson’s edge servers). To meet the security requirements set out by the University, we would insist that the email goes through the Cloud spam filtration system (Gmail or Office365) to reduce the risk of viruses, phishing attacks, and spam. This would provide faculty members with an alternative rather than requiring everyone to use a Gmail account when there is some strong opposition. An on‐premises Microsoft Exchange server could be deployed and connected to the Cloud on a CCS‐managed virtual server. To minimize the cost, the Cloud instance would be the default mailbox location unless explicitly objected to by faculty members. Those concerned with having their email stored and hosted in remote data centres / off‐site could have their email housed on the local exchange server. The on‐ prem server would have no uptime guarantees or built‐in redundancy and would merely exist to meet the needs of certain academics to have their email stored on‐premises.
If ultimately, the decision is made to not host email anywhere on‐premises at least the users will have some recourse over what commercial organization they choose to store their data with.