Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Can My Company See My Personal Email?

//
I recently started to work at a small company – about fifteen people with no internal HR or IT department and I was requested to use my personal email account for work because my work email account was not yet ready. Although I’ve only sent work related emails on my personal account thus far (it’s been two days) and I intend to refrain from personal correspondence on my personal account (yep, quite ironic) until I switch to the office mail, I still have some concerns about privacy…

The questioner here goes on to ask some very specific questions that I’ll get to in a moment. These are really good questions, and I’m sorry to say that they’re all completely unanswerable in a very general sense.

But I do want to take them one at a time, and explain a little why you’ll be hearing me say “maybe” a lot.

Become a Patron of Ask Leo! and go ad-free!

Can they see the emails I send using my personal email account on the office server?

Maybe.

This depends on whether your connection to your email service is encrypted, but as we’ll see shortly even then your privacy is still not guaranteed in a corporate environment.

Perhaps you connect to your email via a website, like Gmail. If that connection is https (as Gmail’s is by default) then your employer cannot usually see what’s going back and forth. If, on the other hand, that connection is plain http (without the “s”) they could easily monitor everything that travels across their network or their server.

The same is true if you’re using an email program like Thunderbird or Outlook. The SSL connection is usually good; it’s encrypting the data that’s going back and forth between your computer and the remote mail server. If it’s not SSL, then that connection is in plain text and anybody in-between, including this company’s servers or network, can in fact see the data that’s going back and forth. That includes your messages, and even your account name and password.

Someone's Peeking!What about old and opened mail? Both sent and received? Can they access those too?

Maybe.

Again, this depends on how you connect and what they can capture as a side effect of that connection.

If it’s web and not https, then it’s possible that they could see things in your browser history or cache. If it’s a program and not SSL, then it’s possible that they could do things like capture your login information, log in to your account, and go spelunking.

And if, of course, you keep your mail on your work computer, then they can examine what’s on your machine with little difficulty.

Does deleting mail reflect on the office server, or will they still see everything since I first logged in?

Maybe.

Again, this really depends on how you connect to your email.

The office server that you keep mentioning may not even be involved, in which case, that may not matter.

But if it’s a company computer, they have access to what’s on it. If you’re somehow hooking into the company infrastructure to use your own email account through their server, then they could be keeping a record of anything that server has ever seen.

In general, how long do emails stay on office servers?

There’s absolutely no telling. This is completely up to the company and how they’ve configured their servers (assuming, as I said, that your personal email is even going through their servers).

It could be gone in seconds; it could be kept for years. There’s simply no way to know.

Is there a way for me to clear them off of the servers?

Finally, a direct answer: no.

Not with any guarantee that is.

If your mail is going through their servers, they could be doing things like backing up; they could be copying everything they’ve seen. There’s just no way to know that when you delete something it’s really, permanently gone, and that all copies that may have been made of it are also going to be removed. Typically, they’re not.

SSL may not be completely secure

To cap all of this off, if you are using a company computer, or if you connect your computer to the company network, it is possible for the company network’s infrastructure to actually intercept https and SSL, and still watch all the traffic going back and forth.1


Basically, in a company environment, all bets are off. Period.
Particularly when you’re using a company computer that has been configured for you, it’s also quite possible to have monitoring software installed on your company machine that watches everything you do.

Basically, in a company environment, all bets are off. Period.

Is this a real problem? Well, I have to go back to … maybe. It really depends on the ethics of the company itself and their IT staff. I know you said that they have no IT department, but someone set up that equipment.

Anything is possible, but not everything is likely. There’s simply no way to know for certain.

I know it’s kind of too late, since you’re already doing this, but my advice is if you have any concerns at all, never use your personal accounts at work.

Footnotes & references

1: It’s actually a complex scenario involving both proxying your request to the remote server, and having installed local SSL root certificates on your computer that apply to the mail service to which you are connecting. It’s detectable if you know where to look and what to expect, but it’s not obvious. And particularly if it’s a company computer they could pre-install any additional root certificates that they might like to.

38 comments on “Can My Company See My Personal Email?”

  1. My employer specifically tells all new employees and periodically reminds employees that all keystrokes are logged. Not that someone is constantly watching our every move, but just to let everyone know that those logs exist, and if there was ever something questionable, someone could review the logs.

    I appreciate knowing that.

  2. If anybody has a similar situation in the future, it would be prudent to open up a GMail or Hotmail account specifically for that purpose which you can later abandon once the company has set you up with a company account.

  3. I think this article is being a little hard on the office IT environment and support professionals when it says “Basically, in a company environment, all bets are off. Period.” the same issues exist anywhere you use a PC or Network system outwith your control be it an Internet cafĂ©, hotel or even a friends house. It can even happen in your own home if you do not take care with malware.

    • All bets are off doesn’t imply unscrupulous actions. It means that in a company environment anything is technically possible and monitoring employee computer use is legal. Some companies log every keystroke.

  4. I find the whole situation very fishy – why would a company want or even permit official company email to be sent from an employee’s personal account, even temporarily? And if there were really no way to set up the real account, they could set up a free account somewhere, as Mark Jacobs suggested. I do not trust these guys and I would not be at all surprised if they were monitoring the email, or possibly worse..

    • It’s possible that the company only wanted to use that employee’s email address for internal communication. As the company doesn’t have an IT dept, they apparently had wait till an outside contractor could set him up with a company account.

  5. I have an hotmail account i just added to my outlook which already has my contractor email account on it. Which is from an exchange server. I currently work from home as a contractor and i just want to know if they can monitor the emails from my hotmail account. I wouldn’t think it would hit there server. But beings i have it tied in on outlook it just seems fishy.

    • If you are going through their server to access your email they can track you. If you are accessing privately through your own ISP, your own internet account, they will not be able to.

  6. So, it appears that employers can monitor your emails sent and/or received at work through their server. Can they open up saved emails? Emails that have been saved and put into folders? Draft folder emails? Sent emails? I think I understand that they can monitor emails you are typing and/or receiving while at work. I’m just wondering if once they do that, do they have access to ALL the past emails you have related to that account?
    I take my work computer home (MacBook Pro); when I return to work can they see the emails I sent and received while at my home? How can you tell if they have accessed your email account? Is there anything on the MacBook Pro in any of the Applications, programs, utilities, etc. that a person could look at to see if employers have been reading and/or accessing my computer while at work?
    Thanks.

    • If the emails have been routed through their servers, they normally save those emails on their server for a time. Even if they don’t keep those emails on their servers for a long time, they would most likely have backup copies stored somewhere.

    • The only safe answer to this is: YES. Depending on whose computer it is, what software – perhaps monitoring software – the company has installed on it and whatever other types of access the company may have installed on their network and your computer you need to assume that they can see everything.

  7. I use my own personal mac at work. It has 5 emails addresses. Four of them are personal and go through my own other personal business gmail and domain account.
    My question is when i send emails via my gmail account through their server (plug in LAN) can they see my emails even though it is not an email address associated to their server?

    • If you use Gmail via their web interface, all of your emails are encrypted between your computer and Gmail’s servers, so you should be safe. They would be able to see any unencrypted internet activity.

      • They can see that you are doing it though – that you are going to Gmail. Just can’t see exactly what. Just in case that’s an issue.

      • That depends on your company’s policy. If you aren’t sure, it’s always good to ask.
        It doesn’t cost anything to send or receive GMail.

      • Gmail is free. Whether or not you need permission – you’d have to ask your employer. The Gmail account is not “on” any specific computer – you can access it from any computer anywhere connected to the internet.

  8. I assume it’s an YES but want to clarify and maybe point that out as well.

    If a company (say XYZ) re-issues all https certificates (see explanation below), the situation is no different than having plain http, right?

    * A website e.g. google shows up as “https://google.com” in address bar but when you check the certificate it says “Issued by: XYZ, Verified by: XYZ”.

    • With respect to the prying eyes at XYZ, yes. With respect to someone unrelated snooping in on your internet connection, no, it;s still encrypted to them.

      • So, if I check my web-based yahoo email and the SSL certificate says Issued to: login.yahoo.com, that means that they are not re-issuing the SSL certificate and therefore they can’t read the content sent or received because it’s encrypted. Is that correct? Thanks for the article.

        • As long as it’s an SSL (https:) connection, the communication is encrypted between the computer you’re on and Yahoo. If you are using a company computer, they have the ability to see whatever you do on that computer even if you use an SSL connection or a VPN.

          • My only concern is, can they read my messages sent and received? I don’t care if they know that I am going to yahoo, but if they can read the message content over SSL/https.

          • As I said, if it’s their computer, they can read it no matter what you do. If it’s your laptop or device on their network, then SSL makes it unreadable to them.

  9. I work from home and If I am using a webmail provided by the client – can the client monitor or get a copy of all incoming and outgoing emails.
    If yes then is there a way I can check, whether I my emails are getting monitored or not ?

    • If the client has the password to the account, they can get in and monitor the emails undetected. If you can change the password, they won’t be able to get in.

    • Yes, and no. (The later really depends on how they choose to implement it, and there are many ways that could be completely inaccessible to you.)

  10. I do small personal work via Gmail from office server, I constantly download files, work on office PC and upload back via personal Gmail. Can my employer view the files I’m uploading? I delete files from harddisk after uploading. Also my employer have software like winvnc installed on PC’s.. when I try to access bank website it says connection is not secure.. So obviously I’m paranoid now employer have logged my every keystroke.

    • Yes. Your employer “can” watch. Whether they are watching or not is another question. Don’t do anything on a company machine that you feel needs to be hidden.

    • Employers can see everything, should they so desire. Your specific situation depends on EXACTLY how you’re uploading and all the other EXACT specifics, but in general — they can see all, if they’ve a mind to.

  11. I am using company laptop and I am using my personal internet connection and not connected to company internet. I had uploaded a excel from company laptop in gmail and saved as draft. This file was uploaded by mistake becuase of the file name and when I came to known that it was wrong file and I am not supposed to use this file I deleted from draft. Then I connected my laptop to company network and deleted all temp files, history and that file also since I do not wanted to repeat the mistake. My company use symantec DLP network monitor. My question is will they come to know about this incident. I was using chrome browser https conntion. If they know this happened then how much time it will take for them to know about this incedent.

      • Is there a way that I can tell my company that this was happened by mistake and it was not intensional. Its been 1 week now since this incendent happened and I dint not received any communication or alert or warning from my company IT team or security team. Yes they have a dedicated team who monitors this.

        • Finally! Checked with right person at company. He confirmed that incident has be recorded under DLP monitoring portal and it is under investigation.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.