In my last article, I wrote about the problems of keeping church email lists up to date.
A reader responded asking “Can our web administrator read the pastor’s church email?” …and because the answer is “yes, it’s possible” I thought I’d make this separate post, though my intention is not to scare anyone. At the end of this article are some straightforward EMAIL SECURITY TIPS for church staff.
Here’s how it’s possible for your website administrator to read your staff emails:
Many churches have an internet/web space provider which also gives them an email program and email control panel. All your church email comes through that email portal. Your web administrator has gone in and set up various email accounts, such as office@, pastorBob@, DCE@, and assigned a password to each of you. Then they show the staff person how to open up their Outlook email program on their desktop, and point their email account settings to get email from the church’s email server/account.
There are three problems with that arrangement:
1. The web admin now knows your password because they helped you set this up, or did it for you.
2. Web-server email accounts can be set to keep a copy of your email on the server even if you have downloaded it to your desktop. Using the same password as the pastor, the admin could access the email account using the server’s email software, without interrupting access to the pastor’s email coming into their desktop email program. Because email can be set to stay copied at the server even after retrieval by Outlook (for example), this also means your emails could still be on the church server after you read them, or after you leave that position.
3. Even if your web admin doesn’t know your password, they can RESET your password using the master controls some webmail interfaces provide, in effect making their own password and accessing your email account, let’s say, while you were on vacation. Of course, if they reset it, you won’t be able to access your own account because the old password won’t work. So I would suggest that if you are ever told that you need to reset your password, it could be because your web admin reset your password, and that would have given them access to your email account.
POINT: It’s important for the PASTOR to sit with the web-administrator and go over the web-side control panel for all staff email accounts. Your options may vary depending on the quality of the internet provider you have your account with. And no one but YOU should know your email password.
TRUST, but VERIFY.
At your church’s website control panel, there’s an option to set up email functions which include options like “auto respond”, or “add new email address”, or “forward email address”. It’s the “forwarder” option you need to examine.
Anyone with access to your church’s website control panel can set up an EMAIL FORWARDER to send A COPY of all your emails to the address of their choosing, and you might never know.
I’m not saying this happens. I’m just saying it’s technically possible, and quite easy to do. See my Security Tips below.
One partial solution to this privacy threat was mentioned in my previous post about church emails, but let me reiterate and add the following SECURITY TIPS:
1. DO NOT ASSUME PRIVACY. If you are on staff, and your email comes through the church’s internet provider, do not assume privacy. Don’t assume it on Gmail or anywhere else for that matter.
2. SET UP & CONTROL YOUR OWN ACCOUNT and PASSWORD. If you are on staff, and have your email coming to your church email address (like pastorBob@1stchurchdotorg) then I recommend having all your email FORWARDED to your own email account under your own control. If you ever need to give someone your password, or need it reset, change it.
Please ALSO ask your web administrator to show you the email control panel of your church’s website to VISUALLY INSPECT whether or not they have the option to set up a forwarder/copier on your email address that keeps a copy of your email on the church’s server space for you to access, but copies/forwards as well. If it has that option to keep a copy AND forward, then your content is being stored even if you delete your email on your computer. (There are lots of different control panel configs out there.)
3. INSPECT. Perform annual unannounced audits of your website’s control panel settings.
4. SECURE YOUR PASSWORD
Years ago when I worked in the church, my senior pastor called me from his home to access his email on his computer. His password was taped to his computer monitor. Once your password is known to someone else, they don’t have to reset or set up a forwarder. They can access your email from any computer and you wouldn’t know it.
5. SET YOUR OFFICE COMPUTERS to REQUIRE A LOG IN PASSWORD. Windows has a log in screen, use it.
6. SET YOUR CHURCH OFFICE COMPUTER TO GO INTO SLEEP MODE after 20 minutes of non-use. This will lock your computer screen so snoops can’t open your email program if you walk away from your open email program, or use your internet browser opened to Gmail that you didn’t log out of.
7. NEVER put something PRIVATE in an EMAIL that you need to keep private. Emails can be copied, printed, forwarded, and otherwise surreptitiously read.
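The control panel inspection from tips 2 and 3 can also be done on an exported list of forwarders. The following is an added example, not part of the original article: it assumes the forwarders can be exported as one `mailbox: destination, destination` line each, and every address, the `APPROVED` list and the function names are constructed for illustration.

```python
# Added example: audit an exported forwarder list for copies nobody approved.
# Assumed export format, one rule per line:  mailbox: dest1, dest2
# All addresses below are constructed sample data.

SAMPLE_EXPORT = """\
# constructed sample forwarder export
office@1stchurch.example: office@1stchurch.example
pastorbob@1stchurch.example: pastorbob@1stchurch.example, bob.private@mail.example
dce@1stchurch.example: dce@1stchurch.example, someone.else@mail.example
"""

# Forwarding destinations each staff member has confirmed they set up themselves.
APPROVED = {
    "pastorbob@1stchurch.example": {"bob.private@mail.example"},
}

def parse_forwarders(text):
    """Return {mailbox: set of destinations}, ignoring comments and blank lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        mailbox, dests = line.split(":", 1)
        targets = {d.strip().lower() for d in dests.split(",") if d.strip()}
        rules.setdefault(mailbox.strip().lower(), set()).update(targets)
    return rules

def audit(rules, approved):
    """List (mailbox, destination) pairs where mail is copied to an unapproved address."""
    findings = []
    for mailbox, targets in sorted(rules.items()):
        allowed = approved.get(mailbox, set()) | {mailbox}
        for dest in sorted(targets - allowed):
            findings.append((mailbox, dest))
    return findings

def keeps_server_copy(rules, mailbox):
    """True when mail is both kept in the mailbox AND forwarded somewhere else."""
    targets = rules.get(mailbox, set())
    return mailbox in targets and len(targets) > 1

if __name__ == "__main__":
    rules = parse_forwarders(SAMPLE_EXPORT)
    for mailbox, dest in audit(rules, APPROVED):
        print(f"UNAPPROVED COPY: {mailbox} -> {dest}")
    for mailbox in sorted(rules):
        if keeps_server_copy(rules, mailbox):
            print(f"KEEPS COPY AND FORWARDS: {mailbox}")
```

Any line it reports as an unapproved copy is a forwarder to ask your web administrator about.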
This article is not meant to scare anyone. But I’ve heard stories. I’ve also been asked enough times about this subject by church staff to know some are concerned. So I’m just letting you know that, as a 20+ year internet web dude who has worked with church websites and many different kinds of email accounts, providers, and pastors, things aren’t as fool-proof as you might think.
Neil MacQueen is a Presbyterian Minister, Christian Software developer, and webmaster for several sites. In addition to his software development, among other things he writes about tech issues for the church!