Our employers in higher education share lots of information about digital security, most of it is focused on protecting institutional data. This is important stuff, always, especially as it can involve student, financial, and health information that is protected by law. There are also risks of major DoS attacks made more likely by walking through doors one shouldn't be opening, and theft of proprietary research by domestic and foreign actors is a growing challenge at many research universities.
What is not addressed by all this training, however, is how the members of the university community might best protect themselves independent of the institution—and increasingly in some states from the university itself.
Since early 2025, faculty and graduate students have been dragged into the digital public eye as never before. We are very much in need of more guidance on how we might protect ourselves. This is especially the case for those involved in political organizing or work on "controversial" research (like, you know, "how will this medication impact women differently than men"). But in truth, it applies to everyone working in academia today, as we are identified as "the enemy" and scrutinized by everyone from random folks on social media looking for a good gotcha to well-funded think tanks and legislative aides. And then of course there is Silicon Valley itself. As is probably clear from other posts, I am deeply suspicious of the motives of many of those who sit in the highest echelons of power in the digital kingdom. I am not at all hostile to technology, just to those who wield it in the service of their own power and against the interests of the vast majority of humanity.
We all have some colleagues who are good at working social media, building their "brand," and even getting trotted out as a talking head from time to time. Few of us, however, went into the profession to be public figures. If we did, we wouldn't be publishing academic monographs which can count their readers in the dozens, or spending most of the daylight hours in labs or archives.
Below are some of my practices developed over the years, as I try and find a balance between privacy & safety on one hand and avoiding the rabbit-holes of paranoia and conspiracy-thinking that are everywhere around us in the 21st century. Your mileage may vary and all that, and ultimately everyone needs to find their own comfort zone between those two poles. No judgment if you would rather not think about worst-case scenarios, or if you would prefer to go full-on tinfoil hat. What I describe below and in what follows works for me, at least for now. If you have strategies or tools that you have found helpful, please do share.
A Short History of Email Vulnerabilities
Of all the technologies with which faculty engage every day, email is the most widely-used and most unavoidable—and also the most insecure. Unless you are writing in a fully encrypted email platform to someone else similarly encrypted, the content of your email is exposed at numerous times along its passage from here to there. And it sits, unencrypted, on your devices and in the servers of your university or the private company who provides you email services, such as google.
I have been a daily email user for 40 years, since the early days of ELM, a Unix client introduced in 1986. At this time, email existed largely within academic environments with presumably trusted clients on both ends of the exchange. So confident were we in those early days in the integrity of the relatively small network that the protocol that allowed email exchanges, SMTP (Simple Mail Transfer Protocol), had no authentication and no sender verification. Any message from anyone was accepted, because any message from anyone was assumed to be easily traceable back to a particular sender. By the late 80s, there were a couple of incidents that suggested that SMTP might need some updating—including in 1988 the first use of email to distribute a virus.
But it would not be until the 1990s with the mainstreaming of the Internet far beyond its academic origins that the vulnerabilities became impossible to ignore. By the late 90s, 10% of all email traffic was spam; ten years later it was over 80% of all traffic. In the end, of course, spam is an inconvenience that can be addressed with some meaningful effectiveness with whitelists and third-party spam filters.
It was the emergence of virus and phishing attacks in the late 1990s that upped the stakes, most spectacularly with the Melissa virus in 1999 which got infected users to spread malicious messages via their own address books. In the 2010's more sophisticated attacks found ways around increasingly sophisticated countermeasures to engage in ransomware and targeted attacks on corporate emails and servers. The 2017 WannaCry and NotPetya ransomware attacks demonstrated how targeted email attacks could paralyze global systems.
Of course, all of this is why the university where you work likely has increasingly strict email rules, including in many cases restricting mail forwarding to a personal account and even the local mail client you are able to use for university mail. None of it is ever going to be enough, especially in the age of AI where spearphishing attacks will soon have none of the telltale signs of old and can glean enough information about you to spoof you well beyond the usual scripts. For that reason alone, all email should be treated with suspicion.
Early this fall, my email address was spoofed to send out email to dozens of random colleagues across campus. The email claimed that I had learned they were being "reported" for something (unspecified), and in the message "I" asked them to sign in with their university login at a portal effectively spoofed our actual secure gateway. I still have no idea how I ended up among those whose accounts were spoofed in this attack, but as I was secretary of the university senate my emails solicited trust (and fear) in many recipients who later told me they were on the verge of signing in and thereby giving away access to their OSU credentials. Fortunately, I was alerted early to the fraud and was able to let the university's IT folks know. They shut down any messages resembling the one my email address had spawned. After changing passwords and alerting all recipients of the fraudulent mailings, the attack was over. However, had I not been in front of my computer when I received the alert it is very likely it would have spread more broadly.
All of which is to say, your institution's increasingly byzantine email guidance is a good thing and any inconvenience is justified by the nightmares you haven't experienced.
All of this is one reason I recommend keeping your personal email (gmail, etc) off your work laptop entirely. The 2020 ransomware attack on the University of Vermont health system is a good example of why strict segregation of personal and work email is a good practice. In early October 2020, a UVM Health Network employee took their work laptop on vacation and accessed personal email while away. They opened an email from their local homeowners association, which itself had been compromised precisely with the goals of being able to cross the corporate barrier into the health network. The email contained malware that infected the work laptop and remained dormant until the employee returned from vacation and connected to the University of Vermont Network via VPN. The Ryuk ransomware was then released within the system, costing the UVM Health Network over $60 million.
Other assaults on university networks have continued throughout the 2020s, including an attack on student data via email ransomware at Michigan State in 2020 and the "Accellion" Extortion Wave that hit students at several campuses in 2021. Increasingly these attacks are targeting "proxy" login pages so as to steal both the password and the Multi-Factor Authentication (MFA) code in real-time. With those tools in hand, the attackers can gain access to systems like Workday, payroll and banking data, and so much more.
Keeping personal and work email separate used to be a challenge, but today most of us have a smartphone with which we can check personal email while at work. If you are traveling with work laptops, I recommend using a phone or tablet to read personal email. Assume your work and personal email addresses are doors whose locks are constantly being tested by malicious actors. Eventually someone will break through and with luck you will be able to deal with it quickly. But if the doors are connected by having personal email on the work machine you are risking one picked lock opening up not only your university life but your personal life as well.
Email as Public Record
Which brings us to another issue, crucial to think through in 2025 when folks who would love to get their hands on faculty emails have a very easy tool to do so legally in most states: public records laws. With few exceptions, those of us working at public institutions are subject to public records requests that can be exceptionally broad in nature. In my own state, requests can be anonymous, and a requester doesn't need to explain why they want records or how they will use them. The only requirement is that requests be "clear and specific enough" for the public records office at the university to identify what's being requested.
I was a faculty member at Ohio State—and thereby a state employee—for a quarter century before I got the first public records request for my email. I am quite certain it won't be my last, not as the current assault on higher education continues to escalate. I was fortunate enough to have a friend who worked in this space who early on in my senate work gave me some advice: don't put anything in writing you would not be ok with seeing in the papers the next day. As it turns out, I am find with most things I say being in the papers, but that is largely a consequence of a) having no filters and b) being sufficiently senior and protected by tenure (what remains of it, in any case) that I have little to fear in terms of my job.
In this environment, of course, a much bigger fear than one's own employer at many institutions is the Internet mob and state legislatures eager for any opportunities to leverage hostility to higher education for their own political advantage. As a result I have become more cautious in what I put down in email, knowing that I am more likely to face a public records request from a political motivated "think tank" or some rando looking for clickbait for his "newsletter" than I am from an actual journalist. I am very open and transparent with the press when they come calling, but I am giving nothing to those who seek to fan outrage and fake scandal. Public records laws, however, make no distinction between the two.
One mistake many make is assuming that they can use text messages or gmail as a workaround the possibility of their university email being make public. The reality is that any discussion of your work for and at the university (with the exception, in most states, of sensitive intellectual property and protected student information) can be requested and accessed, whether on university email or on some alternative private platform.
You might imagine that no one can find your gmail correspondence on a given topic. It is true that this is less easily accessible and so one might be tempted to bury sensitive work conversations in gmail or a related private email account. You know that all discussion of university business is a public record, but you assume that in the case of a personal email account this is not really practical to enforce. As has always been the case, however, the greatest vulnerability with email lies with other people in our correspondence chain, and the care and integrity they bring to the massive percentage of their worklives they conduct on email. When it comes to trying to squirrel email relevant to a public records request away on your gmail, however, you are much more likely to be caught out by a correspondent who is more compliant with the law than you are intending to be.
Here is how it would play out. You have been conducting email conversations with a couple of colleagues on gmail in which you discuss your serious reservations about, say, the fiscal leadership of a high-ranking administrator. At a dinner party of non-academics, one of your correspondents mentions the email exchange and your concerns. As it happens, one of the people at the party is a journalist who covers higher education, and so the next day they file a public records request for your friends' emails as well as emails of those (yourself included) with whom your friend has been corresponding about this topic.
Since you all had been using your gmail for this thread, you figure those are safe. Unfortunately for you, one of the other people in this exchange includes an email they had sent early on from their work address that lists your gmail among the recipients. Now, not only will you be required to send on any correspondence related to this topic from your gmail, but you are likely to be investigated by your university for failing to disclose relevant correspondence in responding to the original request. Meanwhile, the journalist is consulting with a lawyer at their paper as to whether to take you and the university to court for obstructing the request, which would allow them to broaden the inquiry considerably—even potentially subpoenaing your laptop and phone. What once seemed a convenient bypass for public records has now become a major issue which will dominate your work life and even threaten your employment.
As that horrifying old anti-meth PSA insisted, "Don't do it!" In the olden days of, say, 2023, the odds of a scenario like the above ever happening were extremely low for most faculty. But in today's environment it is safest to assume it will happen (and likely not initiated by a responsible journalist, as in the above scenario). Always assume that anything you write in email has the potential to be quoted in next month's local paper.
Rediscovering Pre-email Communication
Here is how I currently manage this reality without becoming a paranoid basketcase. I draft an email, and then I have text-to-speech app read it back to me in a voice as far from my own as I can find. As I listen to it read out loud, I imagine a blogger with an ideological ax to grind getting hold of it. Most of the time I am fine with it, even when I am being snarky (as often I am). They might learn I can be foul-mouthed, or that I am often frustrated with various self-serving "critics" of higher education, or that a certain colleague is annoying me at the moment (or, more likely, that I have annoyed a colleague). I can live with that. If however the prospect of a possibly ill-intentioned stranger reading this message makes me queasy, I instead turn the email into something considerably shorter: "Do you have time to hop on a call sometime today?"
Phone, Zoom, or in-person meetings are the most secure way to communicate something you do not want made public. Like the majority of states in the U.S., Ohio is a one-party recording state, so phone, Zoom, or even in-person are not foolproof. But presumably you trust the person on the other end of the line or across the table or you wouldn't be sharing with them something you don't want to see in the morning paper.
I will also add: In the age of email, we have become accustomed to believing email or text is the most efficient way to communicate. It took me a while to concede the point, but I have come to accept that in a majority of cases—certainly anything that requires replies or deliberation—talking (in-person, phone, zoom) is far more efficient for arriving at an actionable end of the conversation. And it is undeniably more secure in terms of controlling who has access to sensitive information.
Listservs
Of all the spaces in which I have seen things go wrong with email over the decades, listservs are the most common minefields. This includes department and university lists, but also listservs associated with scholarly organizations.
When I started at OSU in the late 90s, I was a bit of a hot head, inclined towards using the department listserv to talk politics or complain openly about some policy or another. Looking back at it now, I can't believe how patient my senior colleagues were with me. After all, these listservs often included among their recipients faculty, staff, and graduate students in the department along with some administrators who had until recently been faculty but had not been removed. My messages could and likely did circulate to all manner of places I did not intend. That my email flaming resulted in no meaningful consequences for me as an untenured faculty member speaks to the very different climate of the 90s compared to where junior faculty find themselves today.
One of the biggest mistakes I made then—and colleagues continue to make today—is in assuming everyone on an individual listserv shares their opinion on X. Getting two faculty members to agree on the order of the alphabet is a challenge at the best of times, so the odds that everyone on any listserv agrees on anything is slim. In these worst of times, it only takes one disgruntled recipient who vehemently disagrees to forward the whole chain on to an administrator, a trustee, a legislator, or to post it on social media.
Email is Not your Friend
From all of this it might sound like I am spiraling into the paranoid rabbit holes I vowed early on to avoid. But in truth, I find this all strangely reassuring. By treating my work-related correspondence as business correspondence and subjecting all I put into digital print to the "Chronicle test"—that is, would I be okay were I to read what I am writing in next week's Chronicle of Higher Education?—I can quickly determine what is best managed in email and what is best dealt with in conversation. After a couple of years of practice, it is almost unconscious to know which modality makes sense for any given communication. And the added payoff is that instead of still more email threads that need to be juggled into the future, much of the big stuff gets dealt with in a 30-minute chat.
Email has come to dominate the lives of faculty in ways I could not have imagined when I first started using it 40 years ago. Each year we spend more and more of our workday trying to keep up with messages from colleagues, students, editors, administrators, organizations, and the like. In 1999, the same year I arrived at Ohio State, a study by Ananda Mitra found that more than half of faculty never used e-mail to communicate with on-campus colleagues or with their students. By the 2010s, email demands had exploded into every corner of our professional lives, such that faculty now identified email as the bane of their existence. Today no one is even trying to quantify the pain attributable to email, as far as I can find. It is both too obvious and too pervasive to pin down with any precision, and no one has the time to answer any more email surveys on the topic.
In the 2020s, the growth of email's demands has perhaps slowed somewhat, but it is still expanding even if less dramatically. There are days—and I am far from alone—where I spend more time on email than I do with students, in meetings, or engaged in research. Meanwhile, the threats and dangers that lie in the dark corners of our inboxes continue to proliferate, and they will grow more deadly in the years to come thanks to AI and the magnifying glass currently hovering over higher education.
We can't refuse to use email. But we can approach it as we would a minefield, slowly and deliberately and doing everything we can to reduce the risk to making a false step.
Email bankruptcy
Inevitably, a slower approach to email means you will be even less able to keep up with it all. It means you will almost certainly need to declare email bankruptcy every few years. Unlike financial bankruptcy which is harder to declare than ever, email bankruptcy involves nothing more than taking everything that has piled up in your inbox and moving into your email archives, and dumping it into some random folder. You then add to your email signature something along the lines of: "“Sorry if I didn’t get back to your last email. To become a more responsive communicator in 2026, I’ve recently declared email bankruptcy.”
I confess I have only declared email bankruptcy twice in my career, and the first time was an accident that cannot be repeated in the age of cloud computing. This was around 20 years ago, when I was serving as vice chair in my department, and I had my mail client (Eudora) set to download all my email off the university's mail server to my local machine. It made sense at the time, or did until my computer bricked and I lost hundreds of emails at once which could not be recovered. I wrote to everyone in the department and beyond, apologizing for my mistake and asking folks to re-send anything urgent. I received maybe 20 emails, which begs the question as to the reasons for the other 680+.
The second time was during COVID, and I was struggling with some significant mental and emotional health challenges while juggling—as were we all—new work modalities and a dozen hours straight at the computer every day. I just... archived everything. I vowed to let everyone know of my bankruptcy but somehow never got around to it. Aside from a few kind souls circling back with a reminder of an email they wanted me to follow up on, I never heard a complaint.
I am a more efficient emailer now than I ever was, able to get through up to 50 emails a day. Unfortunately many days I receive more than twice that number, and so the deficits continue. Bankruptcy is coming up again, I am certain, as soon as the semester is over. I will catch up with all I can of the 900+ currently in my inbox, and then I will start fresh, committing anew to inbox zero. I will feel guilt and shame, no doubt, because that is what email does to us. But I will also feel confident that I can do a better job going forward responding to all the folks who need and deserve a timely response. With luck it will be more than five years before i have to do it again, by which time I can shield myself behind the geriatric defense.
Quarantining your email
As mentioned earlier, I do recommend keeping personal email off work devices entirely. If you need to check your personal email account on the university laptop, use the browser (and clear the cache before you go home). Preferably, you have a smartphone on which you can read your personal email, and presumably an iPad or computer at home. Here is my current approach:
- Work computer: work email on the only approved mail client, which at my university is Microsoft Outlook. Everything work-related remains within a secured cloud and is protected from outside actors and malicious attacks. Since everything I write on my university email account is a potential public record, I don't have to think about the distinction. And I don't use my work email for e-commerce or personal correspondence unrelated to university or research business. Easy. And if I somehow have my laptop stolen or subpoenaed, I don't have to worry about the personal email account to which someone might now have access.
- Non-work email I keep on my personal devices (home desktop and iPhone, in my case). I have a few accounts which I am currently in the process of consolidating:
- gmail: after 20 years on gmail, I am in the midst of a slow and messy divorce. Any company whose founding motto was "Don't Be Evil" but who then found it reasonable to take that motto down is, at minimum, worthy of some skepticism. And my skepticism has blossomed into open distrust, about which more in the next post. At this point, gmail is my junkmail box—a place to receive coupons, sales, and whatnot. But even this feels like too much information to share with a company whose business model is primarily predicated on mining and monetizing my data. So I am moving to a newer email server.
- Fastmail: My gmail replacement is Fastmail, which has been around forever but which—like something out of a rom com—I never new I needed until I realized I had hitched myself to a creep. Effectively, Fastmail is like gmail without the data mining, and with the added bonus of the ability to create many aliases to keep your actual email address out of the clutches of the darkweb. I am still mostly using it for junk mail and bland correspondence with various service providers, but if my mom feels inclined to forward an email to me and dozens of relatives and random people I've never met, this is where it will go. There are lots of other equivalent mail services that do not mine your email for data or profit, including Mailbox.org (Germany) and StartMail (Netherlands) which have the added 2026-style bonus of having their servers in Europe.
- Proton Mail: There is one more email category aside from work and personal, although it is one I need very rarely. Every now and then one might well need to send an email you really don't want anyone else to access other than the intended recipient—for example, if you are organizing a protest or are engaged in interviewing someone whose safety needs to be protected. I use Proton Mail for this purpose, in those rare cases where total privacy and encryption is required. I subscribe to their larger suite of tools (about which more in the next post on this topic), which includes VPN, password manager, and an encrypted drive. As a result I don't mind that I use it only rarely, because I use the other tools—especially the password manager—regularly.
I have spent a lot of time on the unglamorous topic of email here because, unfortunately, for faculty this is our primary digital workspace, even as it is by far the most vulnerable.
In the next two installments I will move quickly through a range of other hygiene issues and solutions, including browsers and search engines, VPN's, messaging, social media, password management, and care for devices on home networks and while traveling. And I'll share additional resources for those who want to dive deeper into the realm of tinfoil than I myself care to go (although most of my friends reading this probably think I have already gone too far).
DISCLAIMER: I am not a legal, digital security, or (fill in the blank) expert. I spend a lot of time thinking about and researching these issues, and all of the above is simply my personal solution to the challenges working in increasingly precarious digital realms during an increasingly fraught time for higher education workers—and frankly everyone else as well. If you find any of it is useful, I will be so happy I could be helpful. If you think I got something terribly wrong, I'd love to hear from you.
Subscribe (always free)
Subscribe (free!) to receive the latest updates
Member discussion