Nearly 200 State Of North Dakota Email Accounts Found In Ashley Madison Data
According to an analysis of the data released in the AshleyMadison.com hack, nearly 200 State of North Dakota email accounts were registered with the service which promises users the opportunity to have an extra-marital affair. Among the accounts found were K-12 public school email accounts, North Dakota University System accounts, 3 State of North Dakota accounts, and 1 municipal government account.
This is not an exhaustive list of government email accounts from North Dakota in the data. The various government entities in the state use a large number of domain names and email systems. My intent was to cast a wide net and see what I found. The domains I searched were nd.gov, nd.us, and nodak.edu as well as the domains used by the city governments of the state’s largest cities: Fargo, Minot, Grand Forks, Bismarck, Dickinson, Williston, Jamestown, and Devils Lake. I also searched for the domains of the state’s 11 higher education institutions, as well as the university system office domain and the domains owned by the state Republican and Democrat parties.
I’m not revealing the names or email accounts I found in the data. That information is available on the internet, if you want to find it, but I find outing these people to be problematic not the least because AshleyMadison didn’t require email verification to create accounts meaning anyone could have used a given email account to register an account. So there’s some plausible deniability here. Also, it has been revealed that AshleyMadison.com, as a company, was seemingly pretty active in creating fake accounts.
It seems unlikely that government email accounts from North Dakota were being used to create fake accounts but, again, plausible deniability.
There is a story here in the aggregate, because I find it hard to believe that all or even most of these accounts using public email accounts from North Dakota were fake or created without the user’s knowledge. Which means there are a lot of public servants in this state using their taxpayer funded email accounts, and maybe time on the taxpayer dime, to solicit extra-marital sex online.
That’s disturbing. Especially given where some of these people work.
Here’s what I found.
I found a total of 49 K-12 public school email accounts.
I spoke to John Gieser, manager of support and technical services at EduTech, a state agency which provides technology services to the schools including emails on the nodak.edu domain. Those of you who have worked in the state’s public schools, or have had kids in the public schools here, are probably familiar with the @sendit.nodak.edu accounts many teachers and administrators have.
Gieser said the email accounts are provided to anyone associated with a public school in the state, including administrators, teachers, staff, and students. He said his agency does have an acceptable use policy precluding the use of the accounts for personal reasons though he said there is some leeway for incidental use in that policy (i.e. nobody is going to get in trouble for emailing a reminder to their spouse to pick up some milk).
The EduTech website states that“All email accounts are stored on EduTech mail servers and scanned for unsafe content,” but Gieser said they mostly rely on reports of inappropriate use. “If you would see someone advertising a sendit account for a business that would be a commercial use and we would contact that user,” he said.
The acceptable use policy posted on the agency’s website states that “EduTech accounts and affiliated services may be used for K-12 education related purposes only.” It also states that, “Users should expect only limited privacy in the contents of their personal files and communications. Files may be searched if there is reasonable cause that a user has violated EduTech policies or the law.”
Gieser said his agency does not read or monitor the content of user emails.
“The Department of Public Instruction doesn’t have any authority over sendit email addresses,” DPI spokesman Dale Wetzel said when contacted for comment. “We don’t create them or supervise anyone who uses one. Basically they are outside DPI’s purview.”
North Dakota University System
I found a total of 129 email accounts associated with institutions in the North Dakota University System. Of that number, 51 were accounts on email subdomains (i.e. my.und.edu) dedicated to students.
Of the student accounts 15 were from UND, 14 from NDSU, 9 from Minot State, 6 Bismarck State, 3 from the College of Sciences, 2 from Lake Region State, and one each from Williston State and Dakota College.
Of the rest 38 were from UND (including 3 from the medical school), 24 from NDSU, 8 from Valley City State, 6 from Mayville State, and one each from the College of Sciences and Dickinson State.
Asked for comment about these accounts, many of which seem to be accounts of current or former university employees based on internet searches, NDUS spokeswoman Billie Jo Lorius directed me to the “authorized use” section of Procedure 1901.2 in the system’s Policies and Procedures document. That section states:
Use of computing and networking resources shall be limited to those resources and purposes for which access is granted. Use for political purposes is prohibited (see Section 39-01-04 of the ND Century Code). Use for private gain or other personal use not related to job duties or academic pursuits is prohibited, unless such use is expressly authorized under governing institution or system procedures, or, when not expressly authorized, such use is incidental to job duties or limited in time and scope, and such use does not: (1) interfere with NDUS operation of information technologies or electronic mail services; (2) burden the NDUS with incremental costs; or (3) interfere with the user’s obligations to the institution or NDUS.
“We have not yet been made aware of any violations of Procedure 1901.2,” Lorius told me. “Any reported misuse under this procedure will be investigated appropriately.”
State of North Dakota/Municipal Governments
The State of North Dakota has two primary domains for emails, nd.gov and nd.us. A search for both revealed just three AshleyMadison.com accounts, though two of them appear to be for the same person using both a nd.gov and nd.us email address.
Given how many public accounts in the education sector were in the AshleyMadison.com data, and how many state employees North Dakota has, I’m honestly surprised there weren’t more state accounts in the data. Maybe state employees are a little more cognizant of how public their email accounts are? Generally speaking, emails sent to and from public email accounts are a matter of open record.
There was also one municipal government email account found after searching domains owned by the cities of Fargo, Grand Forks, Jamestown, Devils Lake, Minot, Bismarck, Dickinson, and Williston. That account was from the City of Fargo.
Mike Ressler, the chief information officer for the State of North Dakota’s Information Technology Department, didn’t respond to a phone call and email requesting comment.
Bruce Grubb, administrator for the City of Fargo, was out of the office until next week and unavailable for comment.