December 14, 2017, 11:13:33 AM

Author Topic: Email Access  (Read 1190 times)
grunt82abn
Seasoned Member

Posts: 206

« on: November 29, 2017, 01:38:10 AM »

Can anyone point me in the right direction, and give me the regulation that states it is allowed for Commanders to hack/break-in/access your Wing or Group email? Or where they are allowed to print and/or store your email messages on their personal computer to be able to track who you are speaking to and what is said?

Hypothetical example: Let's say I email the NHQ legal office and ask if it is allowed for a member to be in CAP with a felony. My email account gets hacked by the commander, who then prints off the email, shows it to me, and tries to use it to say I broke chain of command, and that by emailing NHQ, I am harassing this fine Senior Member by bringing up his past. Then states he is allowed to hack my email by USAF and CAP regulation.

BTW, I am asking for my sister's boyfriend's cousin's friend who lives somewhere out east or possibly out west. Thanks! 
Logged
Sean Riley, TSGT
US Army 1987 to 1994, WIARNG 1994 to 2008
DoD Firefighter Paramedic 2000 to Present
Mordecai
Salty & Seasoned Contributor

Posts: 1,092
Unit: SI

« Reply #1 on: November 29, 2017, 03:13:47 AM »

CAPR 120-1

4. Monitoring and Privacy.
4.1. CAP reserves the right to monitor and/or log all CAP Internet Operations with or without notice, including CAP.gov email and all website communications, and therefore, members will have no reasonable expectation of privacy in the use of these resources.

12.1. Proper Use of CAP Email Systems.
12.1.1. CAP reserves the right to review, audit, intercept, access and disclose all CAP.gov messages created, received or sent over the system for any purpose. The content of electronic mail properly obtained for legitimate business purposes may be disclosed within Civil Air Patrol without your permission. Users shall not assume electronic communications are totally private and confidential; you should transmit highly sensitive information in other ways, whenever possible using approaches such as encryption, fax machine to fax machine communications (not including electronic facsimile services), or manual means.

12.1.3. CAP Email Systems shall not be used for:
12.1.3.7. Access to another user's email account without A) the knowledge or permission of that user - which should only occur in extreme circumstances, B) the approval of General Counsel in the case of an investigation, or C) when such access constitutes a function of the member's normal job responsibilities.
« Last Edit: November 29, 2017, 03:17:56 AM by Mordecai » Logged
Luis R. Ramos
Salty & Seasoned Contributor

Posts: 2,533

« Reply #2 on: November 29, 2017, 09:23:40 AM »

Something like this should have been handled via a telephone call, not via email.

By the way, I have sometimes called NHQ direct, and my Group commander called me with the comment "You violated the chain of command, something like this should have been called to my attention, since Region was notified who notified Wing, and they called me." Several times!

So in the end, if there is something that affects CAP and you contact NHQ without notifying your commander, probably he will get to know about it and he will be upset.
« Last Edit: November 29, 2017, 09:33:34 AM by Luis R. Ramos » Logged

Squadron Administrative Officer
Squadron Communication Officer
Squadron Emergency Services Officer
TheSkyHornet
Salty & Seasoned Contributor

Posts: 932

« Reply #3 on: November 29, 2017, 10:38:59 AM »

I would say that it's inappropriate for a unit Commander to access a unit member's official Wing-/Group-provided email account without that user's permission. It is not in the Commander's duties to use that individual's email address nor access it for reasons of inquiry.

If you contacted NHQ and they reply back and BCC your Commander, or forward the email to him/her, then it's within his privilege to discuss at that point. But aside from that, no, a Commander should not be "tapping" into anyone's user account.

When "CAP reserves the right," I take that as NHQ or officially delegated persons through memorandum, letter, or regulation.

We have Wing emails. I would expect that Wing HQ or higher may have access to go through my emails. Other than that, I would expect nobody within my unit to have access unless they are assigned to Wing IT duties.

All the "remain professional and avoid inappropriate conduct" aside, because that's not what I'm getting from the OP---If your Commander directly accessed your email, I suggest you take it up with him/her and plan to get a higher echelon involved if not resolved at the unit level. It shouldn't happen.
Logged
kwe1009
Salty & Seasoned Contributor

Posts: 758

« Reply #4 on: November 29, 2017, 10:55:35 AM »

So to answer the OP:

CAPR 120-1

12.1.3. CAP Email Systems shall not be used for:
12.1.3.7. Access to another user's email account without A) the knowledge or permission of that user - which should only occur in extreme circumstances, B) the approval of General Counsel in the case of an investigation, or C) when such access constitutes a function of the member's normal job responsibilities.

So a unit commander can only access another member's email if:
  • The member has prior knowledge or it is an extreme circumstance (emphasis mine)
  • he/she has the approval of General Counsel
  • access is a function of the member's normal job responsibilities (like a single email shared by people with the same duties)

Any other access to a member's email is a violation of not only this regulation but CAP's Core Values.

To address the specific example in the OP, I do not see any issue with the unit's personnel/admin officer contacting NHQ to see if a person with a felony can join CAP.  It is a job function and doesn't need to go through the chain of command necessarily.  As a commander, I want my personnel officer to get me the correct answer, not go through me to get it or even copy me on everything.  If I have to be part of every inquiry, I might as well do it myself.  In this example maybe the CC should have been copied on the email to NHQ but I don't see it as being a requirement. 

I would have preferred that my personnel/admin officer contact the next person up (Group or Wing Legal/Personnel) with this question instead of going straight to NHQ.  Group and Wing staffs are there for a reason and too often they are skipped for various reasons (takes too long, they are clueless, etc.) but that just creates more work for those at the next higher level. 
Logged
dwb
Salty & Seasoned Contributor

Posts: 1,319

« Reply #5 on: November 29, 2017, 11:13:31 AM »

Language is important here. If you're using a *cap.gov email address, you don't own that email. It's not your personal email.

"Hacking" your email is illegal, even if CAP does it. That said, using the tools available to email administrators to read the contents of email mailboxes is not hacking.

Email messages are stored in the sender and recipient mailboxes, and you don't control how your recipients use that email. It's a common practice for direct-to-NHQ correspondence to get sent back down the chain of command to deal with at a more appropriate echelon.

Lastly, you don't need to contact NHQ legal to get an answer to that inquiry. You just need to read the membership regulation CAPR 39-2. Specifically, para 3.2.1.4. Felony convictions may be the basis for rejection of membership. Note that "may" is not the same as "shall".
Logged
abdsp51
Salty & Seasoned Contributor

Posts: 2,326
Unit: Classified

« Reply #6 on: November 29, 2017, 11:18:05 AM »

Another example of airing dirty laundry and sticking noses in where they don't belong.
Logged
Luis R. Ramos
Salty & Seasoned Contributor

Posts: 2,533

« Reply #7 on: November 29, 2017, 11:39:16 AM »

Maybe I am wrong, but I took it the OP wanted a "second opinion" after being told what the regulations said by the unit staff.

Logged

Squadron Administrative Officer
Squadron Communication Officer
Squadron Emergency Services Officer
Live2Learn
Seasoned Member

Posts: 475

« Reply #8 on: November 29, 2017, 12:05:28 PM »

Maybe I am wrong, but I took it the OP wanted a "second opinion" after being told what the regulations said by the unit staff.

So, what are the "best" alternative avenues available to the OP to find an answer to the question?  I'd have to wonder why the individual chose to call whatever happened "hacking", why going to social media (captalk is quasi-soc med... even though participants are on occasion 'un'-sociable) would be expected to result in the OP's mind a "good" opinion, and why the OP chose to not remain in the CoC and ask Group, etc.  Or, since the OP evidently feels wronged, why discussing the issue with Wing IG, a Chaplain, or asking oblique questions of friends in another venue were evidently discarded as options?   FWIW, asking this type of question here about a specific and current concern does not give (me, anyhow) confidence in the OP's judgment.
« Last Edit: November 29, 2017, 12:08:35 PM by Live2Learn » Logged
foo
Forum Regular

Posts: 146

« Reply #9 on: November 29, 2017, 12:09:45 PM »

I assume this involves a CAP-owned e-mail account, otherwise you wouldn't need to ask.

When I'm using my employer's resources, I operate under the assumption that all of my electronic interactions (i.e., e-mail, IM, web browsing, even telephone conversations) are subject to monitoring by my boss on behalf of the company's interests. Whether that's a good use of her time or a good idea in general are other questions.

Having said that, I don't think the regulations cited here make it clear a unit CC has the right to access a subordinate's e-mail account, unless a case can be made that doing so is "a function of the [CC's] normal job responsibilities." I rather doubt that.

Logged
MSG Mac
Salty & Seasoned Contributor

Posts: 1,795
Unit: MER-MD-071

« Reply #10 on: November 29, 2017, 12:35:08 PM »

I think this might be a case of NHQ including the Chain of Command in the response, so they are informed about the issue. The example cited is whether a prospective member with a felony conviction can become a member. Since this requires a recommendation from the Wing Commander, it would be referred back to him. For that matter it should have gone to his LO in the first place along with documentation for a waiver of the membership standards. 
Logged
Michael P. McEleney
Lt Col CAP
MSG USA (Retired)
Luis R. Ramos
Salty & Seasoned Contributor

Posts: 2,533

« Reply #11 on: November 29, 2017, 01:43:49 PM »

Another point is that we are hearing this from the OP side. He presented this as the squadron commander hacking into his email.

Maybe he misunderstood his commander coming back at him after said commander received the message from NHQ through the chain of command. However the OP not knowing that NHQ could / would send his info down, just assumed the said commander hacked his account.
« Last Edit: November 29, 2017, 01:48:02 PM by Luis R. Ramos » Logged

Squadron Administrative Officer
Squadron Communication Officer
Squadron Emergency Services Officer
Luis R. Ramos
Salty & Seasoned Contributor

Posts: 2,533

« Reply #12 on: November 29, 2017, 01:55:12 PM »

Quote
Having said that, I don't think the regulations cited here make it clear a unit CC has the right to access a subordinate's e-mail account, unless a case can be made that doing so is "a function of the [CC's] normal job responsibilities." I rather doubt that.


But NHQ could have sent his unit CC a response down. This issue should have been handled at the unit first if it was not, and if the OP did not like the answer, then go up the chain. It appears the OP thought it was best to ignore the COC altogether, or did not like the answer he was given. So, NHQ involved the commander instead of the commander hacking the OP's email.
Logged

Squadron Administrative Officer
Squadron Communication Officer
Squadron Emergency Services Officer
grunt82abn
Seasoned Member

Posts: 206

« Reply #13 on: November 29, 2017, 02:18:40 PM »

I appreciate the info! Truly insightful and I will pass it along in hopes it will help my buddy's situation. Nice to have a resource to fall back on and get answers!!!


Logged
Sean Riley, TSGT
US Army 1987 to 1994, WIARNG 1994 to 2008
DoD Firefighter Paramedic 2000 to Present
Eclipse
Too Much Free Time Award
***
Posts: 28,069

« Reply #14 on: November 29, 2017, 02:21:33 PM »

We can only address the high level / general issue since
we have no way of knowing the particulars, and for those of us who
do user support, the things people think are "hacking" are both hilarious and troubling.

(For example, if you leave your email logged in, or are silly enough to use Outlook and
have your messages cached locally, on a shared PC, that's not "hacking" that's "reading".)

Assuming this is a CAP-owned domain, then there is no assumption of privacy, at the corporate level,
meaning someone with the authority and the need could request that they be granted access to an individual
member's email.

I would expect that to be a Wing CC or Wing IT person, and access the messages through a means which
potentially reveals that access to the member, (i.e. password reset) not some random Unit CC, or
anyone else for that matter, just digging through messages "because".
(This can get muddier if the domain is handled at a lower echelon, which is why, even though I
am responsible for a large Group-level GSuite implementation that has been running in excess of
10 years, I think everyone should be on @wing.cap.gov, and get that email on joining.)

I can think of any number of scenarios in which legitimate CAP business is conducted via CAP
email accounts, but which a local Unit CC would have no right or authority to access, not
the least of which could be complaints or other personnel actions taken at a higher echelon,
outside activity, or similar.  Members are cross-posted all over the place, and an Enc CC,
for example, dealing with a personnel issue, parental complaint, or simple logistics, would be
none of the concern of his Unit CC, since in that case he reports direct to Wing.  Same
goes for an ADY Wing ESO, or IG Augmentee, etc., etc.

At a minimum, this is a clear breach of trust and highly unethical, not to mention
possibly illegal (lots of variables).

Sounds like a whole bunch of direct conversations need to be had, starting with this Unit CC.
Logged

"The man who does more than he is paid for will soon be paid for more than he does." - Napoleon Hill.
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

grunt82abn
Seasoned Member

Posts: 206

« Reply #15 on: November 29, 2017, 02:21:59 PM »

I would say that it's inappropriate for a unit Commander to access a unit member's official Wing-/Group-provided email account without that user's permission. It is not in the Commander's duties to use that individual's email address nor access it for reasons of inquiry.

If you contacted NHQ and they reply back and BCC your Commander, or forward the email to him/her, then it's within his privilege to discuss at that point. But aside from that, no, a Commander should not be "tapping" into anyone's user account.

When "CAP reserves the right," I take that as NHQ or officially delegated persons through memorandum, letter, or regulation.

We have Wing emails. I would expect that Wing HQ or higher may have access to go through my emails. Other than that, I would expect nobody within my unit to have access unless they are assigned to Wing IT duties.

All the "remain professional and avoid inappropriate conduct" aside, because that's not what I'm getting from the OP---If your Commander directly accessed your email, I suggest you take it up with him/her and plan to get a higher echelon involved if not resolved at the unit level. It shouldn't happen.
Apparently it happened to a friend of mine in another wing, we were talking over thanksgiving and he mentioned something and asked what I thought about it.


Logged
Sean Riley, TSGT
US Army 1987 to 1994, WIARNG 1994 to 2008
DoD Firefighter Paramedic 2000 to Present
grunt82abn
Seasoned Member

Posts: 206

« Reply #16 on: November 29, 2017, 02:25:00 PM »

We can only address the high level / general issue since
we have no way of knowing the particulars, and for those of us who
do user support, the things people think are "hacking" are both hilarious and troubling.

(For example, if you leave your email logged in, or are silly enough to use Outlook and
have your messages cached locally, on a shared PC, that's not "hacking" that's "reading".)

Assuming this is a CAP-owned domain, then there is no assumption of privacy, at the corporate level,
meaning someone with the authority and the need could request that they be granted access to an individual
member's email.

I would expect that to be a Wing CC or Wing IT person, and access the messages through a means which
potentially reveals that access to the member, (i.e. password reset) not some random Unit CC, or
anyone else for that matter, just digging through messages "because".
(This can get muddier if the domain is handled at a lower echelon, which is why, even though I
am responsible for a large Group-level GSuite implementation that has been running in excess of
10 years, I think everyone should be on @wing.cap.gov, and get that email on joining.)

I can think of any number of scenarios in which legitimate CAP business is conducted via CAP
email accounts, but which a local Unit CC would have no right or authority to access, not
the least of which could be complaints or other personnel actions taken at a higher echelon,
outside activity, or similar.  Members are cross-posted all over the place, and an Enc CC,
for example, dealing with a personnel issue, parental complaint, or simple logistics, would be
none of the concern of his Unit CC, since in that case he reports direct to Wing.  Same
goes for an ADY Wing ESO, or IG Augmentee, etc., etc.

At a minimum, this is a clear breach of trust and highly unethical, not to mention
possibly illegal (lots of variables).

Sounds like a whole bunch of direct conversations need to be had, starting with this Unit CC.
Thank you!!!


Logged
Sean Riley, TSGT
US Army 1987 to 1994, WIARNG 1994 to 2008
DoD Firefighter Paramedic 2000 to Present
Geber
Recruit

Posts: 12
Unit: NER-VT-009

« Reply #17 on: November 29, 2017, 03:17:46 PM »

.
.
.

CAPR 120-1

12.1.3. CAP Email Systems shall not be used for:
12.1.3.7. Access to another user's email account without A) the knowledge or permission of that user - which should only occur in extreme circumstances, B) the approval of General Counsel in the case of an investigation, or C) when such access constitutes a function of the member's normal job responsibilities.

So a unit commander can only access another member's email if:
  • The member has prior knowledge or it is an extreme circumstance (emphasis mine)
  • he/she has the approval of General Counsel
  • access is a function of the member's normal job responsibilities (like a single email shared by people with the same duties)
.
.
.

I would interpret the regulation language to mean, if one is accessing by authority of 12.1.3.7.A that BOTH of two circumstances should apply:

First, " the knowledge or permission of that user" AND second, "extreme circumstances".

A scenario that, in my opinion, would satisfy this: during a "no play" mission, a certain CAP member is the liaison with local authorities and is expecting important mission-related email to her CAP Gmail account. The member unexpectedly must leave the command post, and gives her email userid and password to a trusted member who relieves her as the liaison. (Circumstances make it impossible to inform the local agency of the email address of the relief liaison.)
Logged
etodd
Salty & Seasoned Contributor

Posts: 865

« Reply #18 on: November 29, 2017, 04:55:11 PM »


... tries to use it to say I broke chain of command, ...

Not being military, I've never fully understood when the chain applies and when it doesn't in CAP.  Maybe I've missed the outline of it in one of the docs somewhere.

Being a business owner who deals with other business owners and execs, I've always been one to start at the top (or as close to it as possible) for both speed and efficiency. Start at the bottom and you have too many folks who can shelve it because they don't understand it like the CEO does, or who will delay it because they have too many irons in the fire, or just don't want to be bothered with an issue that might be negative. And this can happen at every step up the chain. Delaying something that could have been handled in a quick phone call or email the same day, into a weeks or even months long nightmare.  It's a huge problem in the Public Administration sector, where 9-5'ers have little incentive to move quickly.
Logged
MS - MO - AP - MP
foo
Forum Regular

Posts: 146

« Reply #19 on: November 29, 2017, 04:57:05 PM »

Quote
Having said that, I don't think the regulations cited here make it clear a unit CC has the right to access a subordinate's e-mail account, unless a case can be made that doing so is "a function of the [CC's] normal job responsibilities." I rather doubt that.


But NHQ could have sent his unit CC a response down. This issue should have been handled at the unit first if it was not, and if the OP did not like the answer, then go up the chain. It appears the OP thought it was best to ignore the COC altogether, or did not like the answer he was given. So, NHQ involved the commander instead of the commander hacking the OP's email.

That could be, but it isn't what the OP described:

Then states he is allowed to hack my email by USAF and CAP regulation.
Logged
stillamarine
400,000th Post Author
Salty & Seasoned Contributor

Posts: 812
Unit: SER-AL-134

« Reply #20 on: November 29, 2017, 04:57:28 PM »

.
.
.

CAPR 120-1

12.1.3. CAP Email Systems shall not be used for:
12.1.3.7. Access to another user's email account without A) the knowledge or permission of that user - which should only occur in extreme circumstances, B) the approval of General Counsel in the case of an investigation, or C) when such access constitutes a function of the member's normal job responsibilities.

So a unit commander can only access another member's email if:
  • The member has prior knowledge or it is an extreme circumstance (emphasis mine)
  • he/she has the approval of General Counsel
  • access is a function of the member's normal job responsibilities (like a single email shared by people with the same duties)
.
.
.

I would interpret the regulation language to mean, if one is accessing by authority of 12.1.3.7.A that BOTH of two circumstances should apply:

First, " the knowledge or permission of that user" AND second, "extreme circumstances".

A scenario that, in my opinion, would satisfy this: during a "no play" mission, a certain CAP member is the liaison with local authorities and is expecting important mission-related email to her CAP Gmail account. The member unexpectedly must leave the command post, and gives her email userid and password to a trusted member who relieves her as the liaison. (Circumstances make it impossible to inform the local agency of the email address of the relief liaison.)

How do you interpret AND when it clearly states OR?
Logged
Tim Gardiner, 1st LT, CAP

USMC AD 1996-2001
USMCR    2001-2005  Admiral, Great State of Nebraska Navy  MS, MO, UDF
tim.gardiner@gmail.com
foo
Forum Regular

Posts: 146

« Reply #21 on: November 29, 2017, 05:01:37 PM »


... tries to use it to say I broke chain of command, ...

Not being military, I've never fully understood when the chain applies and when it doesn't in CAP.  Maybe I've missed the outline of it in one of the docs somewhere.

Being a business owner who deals with other business owners and execs, I've always been one to start at the top (or as close to it as possible) for both speed and efficiency. Start at the bottom and you have too many folks who can shelve it because they don't understand it like the CEO does, or who will delay it because they have too many irons in the fire, or just don't want to be bothered with an issue that might be negative. And this can happen at every step up the chain. Delaying something that could have been handled in a quick phone call or email the same day, into a weeks or even months long nightmare.  It's a huge problem in the Public Administration sector, where 9-5'ers have little incentive to move quickly.

I don't know from experience, but I have a notion chain of command works better in the military than it does in CAP.
Logged
Eclipse
Too Much Free Time Award
***
Posts: 28,069

« Reply #22 on: November 29, 2017, 05:02:42 PM »

You can't have 100 people all walking into the CC's office and asking questions that
have already been answered 30 times downstream.

That's not how it works in the private sector either, that's why you have managers, teams,
supervisors, etc., for span of control and management of information flow.

A rank and file member does not go to the Wing CC and ask if they can have o-rides.

The door may always be open, but it'll get swung closed quickly for stuff like that.

The chain always applies, and all issues should be handled at the lowest level possible,
or moved up the chain, by the appropriate people.  When a member disagrees with a CC
on a matter that is within that CC's authority, that's where the discussion is supposed to end,
not start with people running to Dad.

The trouble starts when the general lack of military and business experience across the board has
upstream CC's contradicting their downstream CC's, or making arbitrary decisions without consulting
the very people they have put in place to run things the other 364 days.

Logged

"The man who does more than he is paid for will soon be paid for more than he does." - Napoleon Hill.
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

grunt82abn
Seasoned Member

Posts: 206

« Reply #23 on: November 29, 2017, 05:31:06 PM »

Another point is that we are hearing this from the OP side. He presented this as the squadron commander hacking into his email.

Maybe he misunderstood his commander coming back at him after said commander received the message from NHQ through the chain of command. However the OP not knowing that NHQ could / would send his info down, just assumed the said commander hacked his account.
It was hypothetical, no misunderstanding, just threw out a scenario based upon something I was asked about and didn't have an answer to


Logged
Sean Riley, TSGT
US Army 1987 to 1994, WIARNG 1994 to 2008
DoD Firefighter Paramedic 2000 to Present
Geber
Recruit

Posts: 12
Unit: NER-VT-009

« Reply #24 on: November 29, 2017, 05:46:49 PM »


How do you interpret AND when it clearly states OR?

The passage in question is A) the knowledge or permission of that user - which should only occur in extreme circumstances, B) the approval of General Counsel in the case of an investigation, or C) when such access constitutes a function of the member's normal job responsibilities.

First, I break it into three parts:

A) the knowledge or permission of that user - which should only occur in extreme circumstances

B) the approval of General Counsel in the case of an investigation, or

C) when such access constitutes a function of the member's normal job responsibilities.

Since there is an "or" between parts B and C, access is allowed if any one of A, B, or C are satisfied. As I mentioned in my post, I'm only looking at part A.

Part A has an "or" between "knowledge" and "permission". So it's enough that the member that the email account is assigned to has either knowledge of the access, or has given permission for the access. Either way, the access under part A should only occur in extreme circumstances.

One could argue that everyone with an email account issued by some level of CAP knows it could be accessed under some circumstances, so the rule is always satisfied, but I don't think the regulation would be written the way it is if that were the case.

Overall, I don't feel the regulation is carefully enough written to stand up to detailed parsing.
Logged
Paul Creed III
Forum Regular

Posts: 190
Unit: GLR-OH-254

« Reply #25 on: November 30, 2017, 09:27:32 AM »

I would say that it's inappropriate for a unit Commander to access a unit member's official Wing-/Group-provided email account without that user's permission. It is not in the Commander's duties to use that individual's email address nor access it for reasons of inquiry.

If you contacted NHQ and they reply back and BCC your Commander, or forward the email to him/her, then it's within his privilege to discuss at that point. But aside from that, no, a Commander should not be "tapping" into anyone's user account.

When "CAP reserves the right," I take that as NHQ or officially delegated persons through memorandum, letter, or regulation.

We have Wing emails. I would expect that Wing HQ or higher may have access to go through my emails. Other than that, I would expect nobody within my unit to have access unless they are assigned to Wing IT duties.

All the "remain professional and avoid inappropriate conduct" aside, because that's not what I'm getting from the OP---If your Commander directly accessed your email, I suggest you take it up with him/her and plan to get a higher echelon involved if not resolved at the unit level. It shouldn't happen.

Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.
Logged
Lt Col Paul Creed III, CAP
Great Lakes Region Cyber Programs Officer
Ohio Wing Group 3 Commander
stillamarine
400,000th Post Author
Salty & Seasoned Contributor

Posts: 812
Unit: SER-AL-134

« Reply #26 on: November 30, 2017, 09:57:09 AM »

I'm trying to figure out how the CC hacked the account. Heck I'm a cop and I can't hack my wife's phone passcode.
Logged
Tim Gardiner, 1st LT, CAP

USMC AD 1996-2001
USMCR    2001-2005  Admiral, Great State of Nebraska Navy  MS, MO, UDF
tim.gardiner@gmail.com
dwb
Salty & Seasoned Contributor

Posts: 1,319

« Reply #27 on: November 30, 2017, 10:24:29 AM »

I'm trying to figure out how the CC hacked the account. Heck I'm a cop and I can't hack my wife's phone passcode.

I suspect the hacking explanation is inaccurate, which is why I said earlier that language matters. Someone is effectively being accused of a serious crime here, and I'm guessing the facts are much more banal.
Logged
kwe1009
Salty & Seasoned Contributor

Posts: 758

« Reply #28 on: November 30, 2017, 11:26:47 AM »

Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.

That is a great point.  I have recently seen where a squadron commander was dictating that member's email password be their CAPID and the month they joined CAP (123456May).  This basically gave him everyone's password so he had the ability to access everyone's account without "hacking."  I informed him that was not the proper way to do it and that he tell everyone to change their password immediately to something that is not easily guessed.  He was not really happy about it but when I asked why did everyone have to have their password the way he directed, his response was something like, "what if the person leaves CAP and they have important emails?"  I told him that if that ever happened, he could reset the password and access the account as long as it was done in compliance with CAPR 120-1.
Logged
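The weakness of the "CAPID plus join month" scheme described in Reply #28, written as a check that could run when a password is set. This is an added example, not part of the thread or of any CAP system; the function names, the 8-character threshold and the sample join date are assumptions.

```python
import calendar
import re
from datetime import date

# Assumed policy: characters that must remain once roster facts are removed.
MIN_RESIDUAL = 8


def profile_tokens(member_id: str, joined: date) -> list[str]:
    """Strings that anyone holding the unit roster already knows about a member."""
    month = joined.month
    tokens = {
        member_id,
        calendar.month_name[month].lower(),   # e.g. "may"
        calendar.month_abbr[month].lower(),   # e.g. "may" / "sep"
        f"{month:02d}",                       # e.g. "05"
        str(joined.year),
        str(joined.year)[2:],
    }
    # Longest first, so "september" is stripped before "sep".
    return sorted(tokens, key=len, reverse=True)


def residual(password: str, member_id: str, joined: date) -> str:
    """The password with roster-derived substrings and separators removed."""
    rest = password.lower()
    for tok in profile_tokens(member_id, joined):
        rest = rest.replace(tok, "")
    return re.sub(r"[\s\-_.!@#]", "", rest)


def is_roster_derived(password: str, member_id: str, joined: date) -> bool:
    """True when too little of the password is unknown to a roster holder."""
    return len(residual(password, member_id, joined)) < MIN_RESIDUAL


if __name__ == "__main__":
    # Constructed sample: the ID format from the post, an invented join date.
    joined = date(2015, 5, 1)
    for pw in ("123456May", "May-123456!", "correct horse battery 7"):
        print(pw, "->", "reject" if is_roster_derived(pw, "123456", joined) else "ok")
```

The check needs the plaintext, so it belongs in the password-change path, before the value is hashed and stored.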
Eclipse
Too Much Free Time Award
***
Posts: 28,069

« Reply #29 on: November 30, 2017, 11:43:50 AM »

Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.

That is a great point. I have recently seen where a squadron commander was dictating that members' email passwords be their CAPID and the month they joined CAP (123456May). This basically gave him everyone's password so he had the ability to access everyone's account without "hacking." I informed him that was not the proper way to do it and that he tell everyone to change their password immediately to something that is not easily guessed. He was not really happy about it but when I asked why did everyone have to have their password the way he directed, his response was something like, "what if the person leaves CAP and they have important emails?" I told him that if that ever happened, he could reset the password and access the account as long as it was done in compliance with CAPR 120-1.

+1 - in fact everyone should be using 2-factor authentication, specifically to reduce or eliminate this issue.
Password might be "12345" but without the second factor, no joy.
Logged

"The man who does more than he is paid for will soon be paid for more than he does." - Napoleon Hill.
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Mordecai
Salty & Seasoned Contributor

Posts: 1,092
Unit: SI

« Reply #30 on: November 30, 2017, 02:39:41 PM »

I prefer "Best 2 out of 3" factor authentication.
Logged
Spaceman3750
Salty & Seasoned Contributor

Posts: 2,620

« Reply #31 on: November 30, 2017, 05:18:28 PM »

I would say that it's inappropriate for a unit Commander to access a unit member's official Wing-/Group-provided email account without that user's permission. It is not in the Commander's duties to use that individual's email address nor access it for reasons of inquiry.

If you contacted NHQ and they reply back and BCC your Commander, or forward the email to him/her, then it's within his privilege to discuss at that point. But aside from that, no, a Commander should not be "tapping" into anyone's user account.

When "CAP reserves the right," I take that as NHQ or officially delegated persons through memorandum, letter, or regulation.

We have Wing emails. I would expect that Wing HQ or higher may have access to go through my emails. Other than that, I would expect nobody within my unit to have access unless they are assigned to Wing IT duties.

All the "remain professional and avoid inappropriate conduct" aside, because that's not what I'm getting from the OP---If your Commander directly accessed your email, I suggest you take it up with him/her and plan to get a higher echelon involved if not resolved at the unit level. It shouldn't happen.

Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.

That may be true for Gmail, but with Office 365 there are multiple ways to gain access to mailboxes or messages without changing the password.
Logged
The moment any commander or staff member considers themselves a gatekeeper, instead of a facilitator, they have failed at their job.
I can't fix all of CAP's problems, but I can lead from the bottom by building my squadron as a center of excellence to serve as an example of what every unit can be.
Eclipse
Too Much Free Time Award
***
Posts: 28,069

« Reply #32 on: November 30, 2017, 07:01:03 PM »

That may be true for Gmail, but with Office 365 there are multiple ways to gain access to mailboxes or messages without changing the password.

Which is why Congress recently mandated it only be used for the kids under age 8, and Alzheimer's patients.
Logged

"The man who does more than he is paid for will soon be paid for more than he does." - Napoleon Hill.
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

abdsp51
Salty & Seasoned Contributor

Posts: 2,326
Unit: Classified

« Reply #33 on: November 30, 2017, 08:23:37 PM »

I treat my CAP email like my work email. The powers that be are able to snoop through it and consent to monitoring is given or implied. Therefore I don't say things I shouldn't say. There are plenty of companies who go through employees' emails and it is fully legal.
Logged
TheSkyHornet
Salty & Seasoned Contributor

Posts: 932

« Reply #34 on: December 01, 2017, 07:10:28 PM »

Wing IT cannot access an account without changing the password of a user's account to something that the Wing IT person knows. There is no blanket ability for someone with admin privs to access an account.

Did not know that.

That is a great point. I have recently seen where a squadron commander was dictating that members' email passwords be their CAPID and the month they joined CAP (123456May). This basically gave him everyone's password so he had the ability to access everyone's account without "hacking." I informed him that was not the proper way to do it and that he tell everyone to change their password immediately to something that is not easily guessed. He was not really happy about it but when I asked why did everyone have to have their password the way he directed, his response was something like, "what if the person leaves CAP and they have important emails?" I told him that if that ever happened, he could reset the password and access the account as long as it was done in compliance with CAPR 120-1.

Yeah, a member's email password is not the Commander's concern.

But I can see where someone might think it would be a good idea to keep a roster of email logins just in case someone did forget their password (it's not, but I can see how they would think that). There are options for addressing a lost/forgotten password.

With our emails, our Personnel/IT Officer will send an email to a new member and explain the login process, including username and password because it's standardized. The same with IT support from Wing. But I'm very picky on communicating that information. Okay, so an email is not a big deal in the grand scheme of things, but still, it's a good practice to maintain OPSEC with even the small stuff because it keeps you practiced for the big deal items. We had an email go out to a new member, several people were copied in, with that individual's login information. I just sent a courteous reminder that it's not recommended to copy in people with SSI/access information for stuff like that. Not a big deal. It happened. Over with.

A relationship of respecting people's information, though, can maintain that level of trust between people, which impacts morale, retention, and overall mission effectiveness.

Even if someone has the ability, including permission, it doesn't mean they should.
Logged