[plexicle]

Admin here. Of course you can. You should always assume you can.

Even if I couldn't read the email (which I can, but fortunately have never actually had the need to or done so), I can always reset a password and gain full and instant access.

You should always assume your employer can see your enterprise correspondence. G Suite or not.

[Skunkleton]

> You should always assume your employer can see your enterprise correspondence.

Just to expand here. You should assume that your employer has access to _everything_ that you do with their assets. If you are trying to maintain privacy from your employer for whatever reason, do not use your work phone/laptop/email/etc.

[fxtentacle]

You should also assume that your employer can take those things away instantly.

For example, one day your laptop forcibly restarts and afterwards you're locked out. Then a day later, you get the call that you were canned.

So always keep private communication separate and get private phone numbers / email addresses from coworkers that you get along well with. The company can delete your extension and email address, but with a bit of preparation that doesn't have to be the end of your personal relationships.

[acruns]

You should also assume that the email you "deleted", is still there.

Most email servers/services have a setting to keep deleted emails for a period of time. Most corporations also have a separate email server for execs that have different settings. This is above and beyond compliance settings that also email retention for different periods of time. Then there are also backups and archiving...you get the idea.

[crispyambulance]

> assume that your employer has access to _everything_

I hear this a lot and it seems like sound advice, but always leaves me with questions.

Sure, my employer can see what URL's I am hitting, what applications are installed, their usage, and if they want they could even decrypt https traffic, take screenshots without my knowledge, key-log, turn on microphone and camera too.

I mean, I won't hesitate to open my personal gmail, read news, make comments on social media sometimes (like this), perform online "errands". At the back of mind, however, I wonder if someone is seeing what I am doing.

It makes me wonder, what is typical? Under what kinds circumstances would the most draconian measures (like screenshots) be taken? How much latitude are IT folks given? Are there ways to detect when really ugly things like keyloggers/cameras/mics being controlled by whatever "enterprise IT" software suite?

It seems IT folks don't talk about this much. The dominant advice is always don't use work computer for _anything_ but work. The reality is that almost everyone in every profession takes that advice with a grain of salt.

[gumby]

I don't think you need worry that your employer is watching everything you do. But they can and there are some common cases:

1 - some program is scanning ingoing/outgoing data looking for compliance violations (typically finance, some classified work; should be for medical privacy/PII but I don't see much of that happening). Also scans for liability issues such as porn at work etc. Easier to screen that stuff out up front rather than later, frankly.

2 - you have a highly restrictive job (e..g call center) and are being spot monitored from time to time; statistics are likely kept continuously. Distopian but yes, happens.

3 - Sysadmin ends up looking at some of your mail while debugging a problem or doing some investigation not necessarily related to you e.g. some employee is terminated for fraud: let's look at their correspondence, some of which -- innocently -- is from you. Or there was a disk crash and some data is being reconstructed, which includes your call logs or email or whatever.

The third case is the most common and is why there is often a blanket "we can read and get all your data" statement in the employee handbook. There are others, and you can guess them.

[unicornfinder]

I think the truth is it really depends on your employer. I worked for one place that actively monitored and even recorded people's screens fairly frequently, and others where they honestly don't care in the slightest.

[crispyambulance]

I see, but what did they do with that information? Did they just randomly browse employee's screens? What triggered that level of monitoring? Are there ways to detect when a screenshot is captured?

It seems like a lot of effort to monitor screens, it makes me think there has to be a compelling reason, and not just browsing around looking for "problems".

[meowface]

I was in the position of having to review people's browsing history, and occasionally their emails, at a large company. We were in charge of all internal investigations: phishing, malware, suspicion of IP theft or misconduct, and even micromanagers who wanted to see if their employees were slacking off or working at the times they claimed.

We never looked at anyone's activity without a clear reason, but that reason wasn't always very justifiable by my personal standards. However, I'd say most of it was necessary (like when tracing root cause of an alert or infection). My naive guess is this is probably pretty close to how it is in most big US companies.

For the times that were unnecessary (assessing "productivity"), our team, including our managers, always tried to provide as much evidence and guidance as possible that would work in the employee's favor, because we all knew it was complete bullshit and a big overreach. It's also very difficult to tell exactly what someone was or wasn't doing at specific times just by their browsing history. (We didn't have screen recording spyware or anything like that.) I'd say 98% of investigations were necessary and 2% were bullshit like those.

Reading emails or IMs was extremely rare and reserved for people replying to scammers/phishers, or accusations of serious misconduct or crimes.

[astronautjones]

> It seems like a lot of effort to monitor screens, it makes me think there has to be a compelling reason, and not just browsing around looking for "problems".

depends. it can often be chalked up to management having too much time on their hands, or busy work delegated to use up part of the day.

I worked for an ecommerce site that keylogged everyone's computer and was tasked with going through the recorded input for someone that quit on bad terms to find out "if she'd done anything". it was a colossal waste of time, and we only learned that she was into furry websites

[barkingcat]

In this regards, I think IT isn't the driving force. The driving force is the lawyers/legal department and the HR department.

You should redirect this question to each HR department: how much does HR want to protect a company from its (possibly) rogue employees?

[everdrive]

Exactly, and even if your employer doesn't have logging software, they can get physical access to your laptop and look for logs and data manually. Importantly, you can't predict when and if this could happen.

[SAI_Peregrinus]

With a lot of employment contracts they not only have access to everything, but also own the copyright/patents of anything made with their equipment.

[dawnerd]

To expand, if the admin wants they can enable the vault and have access to emails, drive, etc.

[devy]

> I can always reset a password and gain full and instant access.

AFAIK, resetting an individual GSuite account's password is the only way GSuite Admin can access individual account's emails. Is there any other way to get access?

[iokanuon]

That's exactly what the article is about.

[neonate]

In this article you will see how being a G Suite Administrator you can get a copy of your users sent and received emails without knowing their passwords or putting forwarding in their mailboxes

[devy]

Got it now. Getting a copy of incoming + outgoing via BCC for an individual account's emails is not quite the same as accessing individual account's emails though.

For GSuite basic subscriptions, there is a 30GB quota per inbox, having BCCs for every account's emails will like exceed the plan allowance. I doubt it would work if you exceed the account quota allowed for the subscription plan.

[plexicle]

With the Vault I can pretty much see and do anything. I can set up hidden forwards and even look at private Hangouts chats between people. I've had to use the Vault before to go into a 1 on 1 Hangouts Chat and delete a message from one of the parties.

[cglace]

Why did you need to delete the message?

[masonhensley]

Imaging Bob from accounting pasted a customer's SSN into a chat thread, group or 1:1... there countless things that shouldn't be posted in chat messages to live for eternity.

Some companies build it into their systems to automatically catch and mask that data, sometimes someone has to rollup their sleeves and do it manually.

I'd wager that 95%+ of orgs have tons of sensitive customer data scattered into chat messages in Slack, Teams, Hangouts, etc that would horrify most of us here.

Check out this: - https://cloud.google.com/dlp - https://www.youtube.com/watch?v=MY3PjFpI3rE

[plexicle]

You pretty much nailed it. My CEO revealed something he wasn't supposed to. Asked my help in removing his own message at his own request. I'm the only one comfortable with this kind of manipulation (I'm CTO here) and I'm happy that there's an audit trail of it as well to keep my position honest too.

[rikroots]

This. One of my less enjoyable jobs, as an admin, would be going into the GSuite jungle to track down and delete emails and messages containing data that clients had sent to us, or one colleague had shared with another, which included personal information that we were not supposed to be storing or processing because GDPR. Or tracking down a former colleague's 1-2-1 email exchanges with a client which included a work spec, or agreement for a change request, which the client later denied ever agreeing to because they didn't want to pay the bill.

My least enjoyable job would be going into the admin to recover emails "deleted" by disgruntled employees who got wind that they were about to be let go. Why they tried to delete their emails - I'll never know. They should've realised that Google hates deleting anything from their clouds.

One of my happiest days at that job was the day I got told I didn't have to be a GSuite admin anymore and could go do some proper coding work instead.

[fragmede]

Not OP but if party A is harassing party B (read: "sending unsolicited dick pics"), I could imagine circumstances under which the sysadmin deletes messages that party B has received. (After HR and lawyers all around have been looped in by all parties, and copies of the messages have been forwards to the lawyers.

Also consider that the first amendment isn't absolute and there is certain material that is highly unsavory, eg child pornography, that party B doesn't even want the potential of possessing.

There are certainly nefarious usages for that level of access as well, but I can imagine legitimate usage exists as well.

[purple-dragon]

In addition to Vault, an administrator can easily set up an SMTP route through the admin interface to copy-and-forward all inbound or outbound mail (delivering copies wherever they please). Of course, this would only catch messages sent or received after setting up the route.

Edit: an administrator can also create an API token with org-wide credentials, allowing her to read, write, and delete messages from any user's inbox.

[Tomdarkness]

I'm pretty sure you can't do it via the UI but if you use the API you can delegate access to any account in your organisation without confirmation. Once you've delegated access to that account you can then login as that user via the standard user switcher that appears if you have multiple accounts.

[rednet]

My team has written an integration with Google's API[0] to explicitly pull back the full bodies of emails for all users across a whole organisation, to run some analysis on all emails.

Once our service account has been granted access, we can assume the role of any user and access anything we have permission for. So, you should assume your IT administrator can also access all your emails, since they're likely to be the person that grants permission to the service account.

[0]https://developers.google.com/gmail/api/v1/reference/users/m...

[scrollaway]

AFAIK the legality of it is not consistent.

I had an employer who insisted that after I leave, every email I receive to my corporate address be forwarded to him. I remember asking a lawyer how legal this is and not receiving a conclusive answer. (Still interested in an answer for CA+NY if someone knows)

[dekhn]

Just so I understand what you're complaining about: 1) you worked for a company 2) the company provided you with an email address via their corporate email system 3) you left the company 4) the company wants to read email sent to your work email address in their corporate email system

Yes, it is totally legal for them to do that, there is no question, and it wouldn't make sense for it to be any other way.

[e12e]

Consider this: your former employer receive a closed envelope addressed to you, c/o workplace, from a medical clinic. Would you assume the employer could open and read this mail?

I'm sure jurisdictions vary, but in Norway, excepting any written concent, your employer may not read mail addressed to you by name.

Personally addressed work email likely (but not certainly) fall in a similar category.

[mikepurvis]

I get the analogy, but I'm really not sure it applies in practice.

Like, who would use their work mailing address with a medical clinic? The only physical mail I've ever had sent to my workplace is maybe the occasional December parcel that I need to conceal from its ultimate recipient. We're long past the days where anyone's work email address is their only (or even primary) email address.

[Symbiote]

Someone working somewhere "temporarily" (however long that may be) and living in company-provided accommodation, or where that is more secure than private accommodation.

- A politician with a state-provided residence in the capital city.

- A soldier living in a barracks

- A teacher living at a boarding school during the term, or someone very senior at a university with an on-campus house/apartment. Or a PhD student.

- A vicar or priest living at the vicarage

- A diplomat or embassy staff posted abroad

[mikepurvis]

Those are good examples, though in most of them it's still clearly a residence, not a workplace. So I would expect there to be protocols in place for securely forwarding items which are personal in nature— particularly since this is not a tech problem, it's something people in these kinds of roles would have been dealing with decades ago.

Certainly for myself many years ago as a university student, I acknowledged that my lodgings were temporary and had anything of any importance at all sent to my parents' address.

[pwg]

> We're long past the days where anyone's work email address is their only (or even primary) email address.

You'd be surprised. For those of us here on HN, your statement has been true for decades (for some of us).

But for the average 'worker', there are still way too many who's only computer is the 'work laptop' and who's only email address is 'the work email address'. This tends to be the tech-unsavy and/or tech-fearful crowd that falls into this bucket (who also don't browse HN, so we never interact with them here), but they are still present, and there are far more in this bucket than most tech-savy folks realize.

[goatinaboat]

But for the average 'worker', there are still way too many who's only computer is the 'work laptop' and who's only email address is 'the work email address'

As recently as 10 years ago I would have agreed but now smartphones and tablets are so common I think more people have an email-capable personal device, and probably a “free” email address.

[saagarjha]

Perhaps an on-campus or company-affiliated clinic?

[e12e]

> Like, who would use their work mailing address with a medical clinic?

Someone hiding their visit from a spouse?

[dvtrn]

https://about.usps.com/who-we-are/judicial/admin-decisions/2...

[aklyw]

If there is no question, why is this dehumanizing practice completely illegal in many European countries?

The productive part of the population is treated like children in the US. Daddy gives you health insurance and reads you diary. If daddy no longer likes you, daddy cancels you health insurance but still reads your mail.

[Symbiote]

I think the UN Convention on the Rights of the Child, which includes a right to privacy, should restrict "daddy" from reading his child's diary, although it's not clear to me if there are limitations to this.

[zelon88]

I've had experiences where I've emailed people who left and received nothing in response, only to find out days/weeks later via other means that person left the company.

I've also experienced where I've emailed people who left and received immediate automated replies informing me of the change and providing me with a new contact person.

I've never, ever experienced a time where I've emailed person@company[dot]com and received a casual reply like "Hey man, I quit that place. Hit me up and we can grab beers!"

And I think anybody would be shocked if that were the case. Especially if you kept getting those emails as a former employee and no other current employees were getting them also. Nevermind mailboxes cost money or physical resources most of the time. To expend those resources to all former employees indefinitely is not practical. And I don't want to keep my mailboxes at former employers anyway. I have enough notifications on my phone to be batting away vendors and suppliers from previous employers.

[scrollaway]

To be clear, this was the employer refusing to close the email account / set up an out of office, they just wanted all email redirected to them. Nobody said anything about being able to continue using the email.

[dekhn]

... this is totally reasonable for an employer to do. For example, sales person at a company. Probably sent/received many emails that are relevant to sales at the company, rather than using a mailing list (I see this a lot). After the sales person leaves the company, the company needs to maintain relationship with the people who worked with the sales person. Keeping the old email open rather than dropping them on the floor makes sense (otherwise your customers will hate you).

[vidarh]

This depends on jurisdiction, so just saying "yes" is wildly misleading.

Expectations of privacy - even for corporate e-mail - is a thing some places. To what extent it applies tends to depend on a whole range of things.

[d4mi3n]

Ownership of the email address/account is important. If you're using a corporate account, communicating on behalf of your employer, and have been informed ahead of time that all emails from said account are monitored, I don't believe many people could reasonably argue an expectation of privacy for personal correspondence in such a setting.

Additionally, if you work for a company or industry where such correspondence must be preserved and tendered on request due to applicable laws or regulations, such organizations are legally required to have access to all employee emails.

[jmuguy]

That is standard practice for literally every corporate email account I've ever encountered in 15 years of IT work. You do not own your company email address anymore than you own the extension on the phone on your desk at work.

[icedchai]

It's the company's email address, they can forward it whereever they want. Forwarding an employee's email to their supervisor upon departure is standard practice is many companies.

[saagarjha]

This is one of the reasons using your corporate email address for anything outside of work is a poor idea. I know some who chafe at using a corporate email address even while doing work for the company, not because they think it's inconvenient or an invasion of privacy, but because they lose access to it and people may contact them at the old address and not be able to find them afterwards.

[there_the_and]

This is standard practice, it's not your email address, you are just using it for work, and your employer needs access for a variety of very obvious reasons. This should not be news to any technology professional and it's mind-blowing seeing these comments on HN.

[d4mi3n]

The question is fair. Capability does not guarantee legality, and there are plenty of cases where an individual who can access an email is not legally entitled to:

1. My ISP provides me internet access, but they are not entitled to collect my bank information when I access my bank account.

2. Depending on the nature of the corporation, it may not be legal for an individual to forward emails in the manner described. Consider: what if the email account belonged to a lawyer or doctor? Client confidentiality probably trumps many other legal concerns here.

3. Is said manager part of the IT/InfoSec department within this organization? If not, they may be circumventing organizational controls, which in itself may not be legal.

Context is important.

[vidarh]

Then consider that it's mindblowing to you because you're not used to any of the many jurisdictions where there is a legal expectation of (some) privacy at work.

Under European data protection laws, for example, many countries have considered the privacy restrictions to extend to employee e-mail addresses.

This includes Norway, for example, where employees have extensive rights to prevent employers from accessing their corporate e-mail accounts without substantial safeguards to prevent them from accessing personal information, and including rights to be notified where possible, be present, be able to respond and challenge the access etc.

You can find a lengthy (in Norwegian, though Google translate ought to do a decent job) walkthrough of the rules here [1].

Not everywhere treats people as serfs at work.

[1] https://www.datatilsynet.no/personvern-pa-ulike-omrader/pers...

[ska]

The confusing thing for me here is why you would assume you would be able to receive any mail addressed to your old corporate address, in order to forward it. Or did I just misunderstand what you meant?

The corporation owns the email server, so their choice when you leave for whatever reason, is either to disable the account entirely (or give a bounce message) or keep it active.

Is your question really on the legality of the latter case, i.e. once you've left a company can they keep your email address live and perhaps even respond from it?

[scrollaway]

I never assumed that. To be clear, this was the employer refusing to close the email account / set up an out of office, the CEO just wanted all email redirected to them personally. Nobody said anything about me being able to continue using the email.

[ska]

Gotcha - it wasn't actually clear from the way you wrote it originally.

So in that case it is really jurisdictional. The US falls down pretty heavily on the corporate-owns-everything, but not everywhere does.

In my experience It's pretty common for companies to retain emails of people who have had outside contacts at least for a while, so nothing gets dropped on the floor, usually redirected to a supervisor or whomever took over the projects.

[duxup]

Did the lawyers who thought it might be illegal explain their thinking?

I would assume even just to do business fluidly they might need access.

[floatingatoll]

How many hours are willing to be billed for in research, and are you willing to go to court to seek a conclusive answer if none is found in research?