Main Menu

Email Access

Started by grunt82abn, November 29, 2017, 05:38:10 AM

0 Members and 1 Guest are viewing this topic.

stillamarine

Quote from: Geber on November 29, 2017, 07:17:46 PM
Quote from: kwe1009 on November 29, 2017, 02:55:35 PM
.
.
.

CAPR 120-1

12.1.3. CAP Email Systems shall not be used for:
12.1.3.7. Access to another user's email account without A) the knowledge or permission of that user - which should only occur in extreme circumstances, B) the approval of General Counsel in the case of an investigation, or C) when such access constitutes a function of the member's normal job responsibilities.

So a unit commander can only access another member's email if:

  • The member has prior knowledge or it is an extreme circumstance (emphasis mine)
  • he/she has the approval of General Counsel
  • access is a function of the member's normal job responsibilities (like a single email shared by people with the same duties)
.
.
.

I would interpret the regulation language to mean, if one is accessing by authority of 12.1.3.7.A that BOTH of two circumstances should apply:

First, " the knowledge or permission of that user" AND second, "extreme circumstances".

A scenario that, in my opinion, would satisfy this: during a "no play" mission, a certain CAP member is the liaison with local authorities and is expecting important mission-related email to her CAP Gmail account. The member unexpectedly must leave the command post, and gives her email userid and password to a trusted member who relieves her as the liaison. (Circumstances make it impossible to inform the local agency of the email address of the relief liaison.)

How do you interpret AND when it clearly states OR?
Tim Gardiner, 1st LT, CAP

USMC AD 1996-2001
USMCR    2001-2005  Admiral, Great State of Nebraska Navy  MS, MO, UDF
tim.gardiner@gmail.com

foo

Quote from: etodd on November 29, 2017, 08:55:11 PM
Quote from: grunt82abn on November 29, 2017, 05:38:10 AM

... tries to use it to say I broke chain of command, ...

Not being military, I've never fully understood when the chain applies and when it doesn't in CAP.  Maybe I've missed the outline of it in one of the docs somewhere.

Being a business owner who deals with other business owners and execs, I've always been one to start at the top (or as close to it as possible) for both speed and efficiency. Start at the bottom and you have too many folks who can shelve it because they don't understand it like the CEO does, or who will delay it because they have too many irons in the fire, or just don't want to be bothered with an issue that might be negative. And this can happen at every step up the chain. Delaying something that could have been handled in a quick phone call or email the same day, into a weeks or even months long nightmare.  Its a huge problem in the Public Administration sector, where 9-5'ers have little incentive to move quickly.

I don't know from experience, but I have a notion chain of command works better in the military than it does in CAP.

Eclipse

You can't have 100 people all walking into the CC's office and asking questions that
have already been answered 30 times downstream.

That's not how it works in the private sector either, that's why you have managers, teams,
supervisors, etc., for span of control and management of information flow.

A rank and file member does not go to the Wing CC and ask if they can have o-rides.

The door may always be open, but it'll get swung closed quickly for stuff like that.

The chain always applies, and all issues should be handled at the lowest level possible,
or moved up the chain, by the appropriate people.  When a member disagrees with a CC
on a matter that is within that CC's authority, that's where the discussion is supposed to end,
not start with people running to Dad.

The trouble starts when the general lack of military and business experience across the board has
upstream CC's contradicting their downstream CC's, or making arbitrary decisions without consulting
the very people they have put in place to run things the other 364 days.


"That Others May Zoom"

grunt82abn

Quote from: Luis R. Ramos on November 29, 2017, 05:43:49 PM
Another point is that we are hearing this from the OP side. He presented this as the squadron commander hacking into his email.

Maybe he misunderstood his commander coming back at him after said commander received the message from NHQ through the chain of command. However the OP not knowing that NHQ could / would send his info down, just assumed the said commander hacked his account.
It was hypothetical, no misunderstanding, just threw out a scenario based upon something I was asked about and didn't have an answer to


Sent from my iPhone using Tapatalk
Sean Riley, TSGT
US Army 1987 to 1994, WIARNG 1994 to 2008
DoD Firefighter Paramedic 2000 to Present

Geber

Quote from: stillamarine on November 29, 2017, 08:57:28 PM

How do you interpret AND when it clearly states OR?

The passage in question is A) the knowledge or permission of that user - which should only occur in extreme circumstances, B) the approval of General Counsel in the case of an investigation, or C) when such access constitutes a function of the member's normal job responsibilities.

First, I break it into three parts:

A) the knowledge or permission of that user - which should only occur in extreme circumstances

B) the approval of General Counsel in the case of an investigation, or

C) when such access constitutes a function of the member's normal job responsibilities.

Since there is an "or" between parts B and C, access is allowed if any one of A, B, or C are satisfied. As I mentioned in my post, I'm only looking at part A.

Part A has an "or" between "knowledge" and "permission". So it's enough that the member that the email account is assigned to has either knowledge of the access, or has given permission for the access. Either way, the access under part a should only occur in extreme circumstances.

One could argue that everyone with an email account issued by some level of CAP knows it could be accessed under some circumstances, so the rule is always satisfied, but I don't think the regulation would be written the way it is if that were the case.

Overall, I don't feel the regulation is carefully enough written to stand up to detailed parsing.

Paul Creed III

Quote from: TheSkyHornet on November 29, 2017, 02:38:59 PM
I would say that it's inappropriate for a unit Commander to access a unit member's official Wing-/Group-provided email account without that user's permission. It is not in the Commander's duties to use that individual's email address nor access it for reasons of inquiry.

If you contacted NHQ and they reply back and BCC your Commander, or forward the email to him/her, then it's within his privilege to discuss at that point. But aside from that, no, a Commander should not be "tapping" into anyone's user account.

When "CAP reserves the right," I take that as NHQ or officially delegated persons through memorandum, letter, or regulation.

We have Wing emails. I would expect that Wing HQ or higher may have access to go through my emails. Other than that, I would expect nobody within my unit to have access unless they are assigned to Wing IT duties.

All the "remain professional and avoid inappropriate conduct" aside, because that's not what I'm getting from the OP---If your Commander directly accessed your email, I suggest you take it up with him/her and plan to get a higher echelon involved if not resolved at the unit level. It shouldn't happen.

Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.
Lt Col Paul Creed III, CAP
Group 3 Ohio Wing sUAS Program Manager

stillamarine

I'm trying to figure out how the CC hacked the account. Heck I'm a cop and I can't hack my wife's phone passcode.
Tim Gardiner, 1st LT, CAP

USMC AD 1996-2001
USMCR    2001-2005  Admiral, Great State of Nebraska Navy  MS, MO, UDF
tim.gardiner@gmail.com

dwb

Quote from: stillamarine on November 30, 2017, 01:57:09 PM
I'm trying to figure out how the CC hacked the account. Heck I'm a cop and I can't hack my wife's phone passcode.

I suspect the hacking explanation is inaccurate, which is why I said earlier that language matters. Someone is effectively being accused of a serious crime here, and I'm guessing the facts are much more banal.

kwe1009

Quote from: Paul Creed III on November 30, 2017, 01:27:32 PM
Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.

That is a great point.  I have recently seen where a squadron commander was dictating that member's email password be their CAPID and the month they joined CAP (123456May).  This basically gave him everyone's password so he had the ability to access everyone's account without "hacking."  I informed him that was not the proper way to do it and that he tell everyone to change their password immediately to something that is not easily guessed.  He was not really happy about it but when I asked why did everyone have to have their password the way he directed, his response was something like, "what if the person leaves CAP and they have important emails?"  I told him that if that ever happened, he could reset the password and access the account as long as it was done in compliance with CAPR 120-1.

Eclipse

Quote from: kwe1009 on November 30, 2017, 03:26:47 PM
Quote from: Paul Creed III on November 30, 2017, 01:27:32 PM
Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.

That is a great point.  I have recently seen where a squadron commander was dictating that member's email password be their CAPID and the month they joined CAP (123456May).  This basically gave him everyone's password so he had the ability to access everyone's account without "hacking."  I informed him that was not the proper way to do it and that he tell everyone to change their password immediately to something that is not easily guessed.  He was not really happy about it but when I asked why did everyone have to have their password the way he directed, his response was something like, "what if the person leaves CAP and they have important emails?"  I told him that if that ever happened, he could reset the password and access the account as long as it was done in compliance with CAPR 120-1.

+1 - in fact everyone should be using 2-factor authentication, specifically to reduce or eliminate this issue.
Password might be "12345" but without the second factor, no joy.

"That Others May Zoom"

Holding Pattern

I prefer "Best 2 out of 3" factor authentication.

Spaceman3750

Quote from: Paul Creed III on November 30, 2017, 01:27:32 PM
Quote from: TheSkyHornet on November 29, 2017, 02:38:59 PM
I would say that it's inappropriate for a unit Commander to access a unit member's official Wing-/Group-provided email account without that user's permission. It is not in the Commander's duties to use that individual's email address nor access it for reasons of inquiry.

If you contacted NHQ and they reply back and BCC your Commander, or forward the email to him/her, then it's within his privilege to discuss at that point. But aside from that, no, a Commander should not be "tapping" into anyone's user account.

When "CAP reserves the right," I take that as NHQ or officially delegated persons through memorandum, letter, or regulation.

We have Wing emails. I would expect that Wing HQ or higher may have access to go through my emails. Other than that, I would expect nobody within my unit to have access unless they are assigned to Wing IT duties.

All the "remain professional and avoid inappropriate conduct" aside, because that's not what I'm getting from the OP---If your Commander directly accessed your email, I suggest you take it up with him/her and plan to get a higher echelon involved if not resolved at the unit level. It shouldn't happen.

Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.

That may be true for Gmail, but with Office 365 there are multiple ways to gain access to mailboxes or messages without changing the password.

Eclipse

Quote from: Spaceman3750 on November 30, 2017, 09:18:28 PM
That may be true for Gmail, but with Office 365 there are multiple ways to gain access to mailboxes or messages without changing the password.

Which is why Congress recently mandated it only be used for the kids under age 8, and Alzheimer's patients.

"That Others May Zoom"

abdsp51

I treat my CAP email like my work email.  The powers to be are able to snoop through it and consent to monitoring is given or implied.  Therefore I don't say things I shouldn't say.  There are plenty of companies who go through employees emails and it is fully legal.

TheSkyHornet

Quote from: Paul Creed III on November 30, 2017, 01:27:32 PM
Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.

Did not know that.

Quote from: kwe1009 on November 30, 2017, 03:26:47 PM
That is a great point.  I have recently seen where a squadron commander was dictating that member's email password be their CAPID and the month they joined CAP (123456May).  This basically gave him everyone's password so he had the ability to access everyone's account without "hacking."  I informed him that was not the proper way to do it and that he tell everyone to change their password immediately to something that is not easily guessed.  He was not really happy about it but when I asked why did everyone have to have their password the way he directed, his response was something like, "what if the person leaves CAP and they have important emails?"  I told him that if that ever happened, he could reset the password and access the account as long as it was done in compliance with CAPR 120-1.

Yeah, a member's email password is not the Commander's concern.

But I can see where someone might think it would be a good idea to keep a roster of email logins just in case someone did forget their password (it's not, but I can see how they would think that). There are options for addressing a lost/forgotten password.

With our emails, our Personnel/IT Officer will send an email to a new member and explain the login process, including username and password because it's standardized. The same with IT support from Wing. But I'm very picky on communicating that information. Okay, so an email is not a big deal in the grand scheme of things, but still, it's a good practice to maintain OPSEC with even the small stuff because it keeps you practiced for the big deal items. We had an email go out to a new member, several people were copied in, with that individual's login information. I just sent a courteous reminder that it's not recommended to copy in people with SSI/access information for stuff like that. Not a big deal. It happened. Over with.

A relationship of respecting people's information, though, can maintain that level of trust between people, which impacts morale, retention, and overall mission effectiveness.

Even if someone has the ability, including permission, it doesn't mean they should.