21 comments

[ 5.2 ms ] story [ 60.5 ms ] thread
My grandma is more tech-savvy than my university.

We were scheduled to adopt Google apps this February, but at the last minute a group of professors stymied the proposal for a number of bogus "privacy" concerns, which included, and I wish I was kidding about this one, a fear that our data could be hosted on a Google server in a country with questionable human rights laws. What?!

Meanwhile, we use the ancient open-source Horde e-mail system, which is slow, frequently down, and far less secure than Google's. It's expensive to maintain, and its webmail interface looks like it was designed by a kindergartener in the mid-90's. Plus, our pricey yet outdated university servers are just sitting in some random IT room on campus, and are probably far more susceptible to data theft than anything in the cloud (both virtually, and in the form of someone just picking up the servers and walking out with them).

The future is in the cloud. Institutions wise enough to adopt it will enjoy huge benefits; those who are too afraid will be left behind.

And don't even get me started on the generally sorry state of technology use in education...

> I wish I was kidding about this one, a fear that our data could be hosted on a Google server in a country with questionable human rights laws

Was that in UK by any chance? If so, take a look at Data Protection Act - especially this:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

If you want to be ok with the law, basically you cannot store your emails (which at some point will definitely contain personal data) in an unknown location. Gmail storage qualifies as an unknown location for all we know.

Google has a UK office, so they have to comply with the law, too.
To be honest, I'm not sure how does it work for companies providing the technology, but from what I can tell Google doesn't store the personal data itself. They let you store theoretically opaque strings. They might guarantee that their own emails which contain personal data are not stored in the country X. But since they don't really provide a system for storing personal data, your emails might end up in that country. It was your responsibility not to put them in a potentially foreign place and it was you who broke the rule, not Google.

So in the end, their UK office might be compliant - but it's not the same as their datacenters.

It's in the US, but that's a fascinating law.

Google actually specifies that they cannot disclose the exact location of one's Google Apps data because it is automatically distributed across three different server farms out of several dozen (or more) potential locations. They also are purposefully vague about disclosing the locations of their data farms, in general. Incidentally, one likely reason for this is security.

I agree that there are some genuine privacy and security concerns about the cloud, but I think most criticisms fall into the unforgivable category of "I don't trust it because I can't see it."

And in this sense, academics refusing to accept the cloud are like academics refusing to accept gravity.

I think it's not a problem of not seeing the data. After all, outsourcing storage and processing is very common now. The real problem is that when you need to see the data, you cannot and you don't know where to find it.

For example, you cannot easily swap the email server for a new one and recover everything from backups. Actually, you cannot even reliably make full on-site google apps backups afaik, which is a hard requirement in many places. If you have problems with disappearing data, not only do you have to wait for Google to fix it, but you have a specific priority in their queue. In extreme cases you might want to get a bunch of consultants to deal with the problem on-site right now. No such option if you outsource your storage.

The cloud is the future, and it's a general improvement over previous mail servers, but that doesn't mean that it's 100% perfect yet, or that those criticisms are invalid (well, some of them are). Individuals and institutions are well within the bounds of sanity to say that Google's cloud solution doesn't give exactly what they need, and that in turn pushes Google to improve those cloud solutions (or a competitor to address those issues and snipe the sale).
I take it you're a Yalie? I can't believe they're still using Horde, which still (last time I checked, back in 2006) uses iFrames.

They are right to be duly diligent, but even if they don't choose Google, it is unlikely that they should truly self-host email.

a leading public university has ended its evaluation of Gmail as the official e-mail program for its 30,000 faculty and staff members [...] Keltner noted UC Davis students are continuing to use the service

According to wikipedia, UCD has 2,092 faculty and 31,426 students [1]. Unless they happen to have a "staff" of 28,000, it seems someone got their numbers mixed up.

1. http://en.wikipedia.org/wiki/University_of_California,_Davis

The relatively incomplete state salary database shows UC Davis as having 21,154 employees.

UC campuses are huge enterprises and contain a lot more than some classrooms and dorms. Davis for instance, runs one of the few Californian hospitals that is both an Adult and Pediatric Level 1 trauma center. Davis has many other things you wouldn't expect, for instance, the campus also has an airport and a fire department.

University of California, by employee count, is larger than Intel. Larger than Google, Yahoo and Apple combined. 6 times the size of NASA and is several times over the size of General Mills. Just to give you an idea. UC is a very complex organism and many of its campuses are non-trivial.

UC also plays a role in running our nuclear program and has various units that need to comply with HIPPA and/or national security regulations for dealing with classified information.

So... I'm not surprised at that number and it's definitely nowhere near as far off as you speculated even if it was a little high.

More related to the main story, UC policy currently prohibits use of Gmail applications for non-student affiliates of the university due to security, policy and compliance issues. UC Davis was one of the leading campuses trying to change this, (and I think they might have been approved for a pilot or something?) but it appears they've backed off. (Edit: Ah yes, you'll note the article explicitly cites a section of their notice stating that the UC ECP does not allow for this type of data sharing since the university can't get Google to agree to the necessary data privacy constraints.)

Sometimes decisions like this are just about wanting to maintain control (read: job security).

The CIO and his people want to run mail and calendaring systems. Nothing wrong with that, other than the fact that it likely costs them more to do it themselves than they would pay Google to do so.

In 2010, managing your own email and calendaring systems seems to me to be the IT equivalent of generating your own electricity.

These systems are utilities like power and water.

But that's just my opinion, based on using Gmail, Talk, Google Calendar, etc, for my personal life and Microsoft Exchange and BlackBerry in my work life.

Yes - they are about maintaining control, but not about job security. Every university will have a number of documents defining the level of privacy and security provided by each involved entity. If exporting the information to google means that some rule is broken -- for example if bulk transfers of personal information are forbidden and people start using gmail as a basic tool of document exchange, something has to change. And sometimes it's easier to change the technology provider than people... Even if no local regulations stop them, there might be some law about personal data processing that completely prevents gmail usage for some specific organisation.

You'll also find that serious tech. universities do have their own power generators for emergencies.

I've seen more major breaches of privacy (not to mention system failures) with university run services than GMail. I think it's more that when it breaks, they want to be able to do something to fix it versus waiting on Google to fix it.
This is BS. They're saying Buzz was part of the cause for the decision yet Buzz wasn't even on Google Apps GMail instances. The other issue cited is on the premise that they are disclosing emails to GMail vs using GMail for a service provider of their own email. Ridiculous sensationalism in my opinion.
The Buzz comment makes sense really. If they thought that Google doesn't handle all of its data in a proper way, then there's a reasonable suspicion they don't do it with your mails.

Let's use a hyperbole: If your bank guaranteed you security, while you see robbers taking the cash from their vaults -- would you believe them? Would the situation change if you were told that this vault will not be used to store your money?

If they mentioned it, they might think of it as a symptom of bigger problems with the data handling procedures.

  Many faculty "expressed concerns that our campus’s commitment to protecting the
  privacy of their communications is not demonstrated by Google and that the 
  appropriate safeguards are neither in place at this time nor planned for in the 
  near future,” the letter said.
So, it's a decision made based on FUD. Sounds like that's going to work out awesomely for them.

Looks like they just want to move things back in-house for perceived control. That reminds me of a story about a major directory server at Georgia Tech going down regularly. The hard drive inside kept crashing on a regular basis. They restored backups, reinstalled software from scratch, and even replaced the hardware several times. It kept crashing until one day when a tech was out in the server room to restore it one more time. He found a technician working in the ceiling above on some sort of HVAC system. Below him was the server pulled out of the rack partially. The technician had been stepping on the combination of his ladder and the server itself to reach the unit he was working on.

So, yeah, on-campus servers are way more secure than scary Google servers in the mysterious "cloud"...

Poorly implemented local security does not prove anything about security of Google servers. You cannot draw such conclusions based on this event. For all you know, monkeys are flinging poo everywhere in the Google datacenter holding your Gmail account.

In this case the university had at least the chance to fire the technician / hold him responsible. Good luck holding Google responsible for anything.

My university just migrated to Gmail (about 2 weeks ago). 30k students and about 8200 faculty and staff members.

It beats the 2 different systems we had to use before (one exchange account and one squirrel mail faculty account), and is probably more secure as well.

Looking at the actual url, I wonder how this is 'Windows Security' news.

Oh, I get it.

Lets look at an example guys. What if a student while in college had a disability. Now while I was in school, my University used its own private servers. Though upon me leaving, they switched to gmail. Now in my school, the office of disability services used email to schedule test taking and other arrangements. Now that they use gmail, google knows which students have disabilities. Data like that is quite scary if ever made public and if it ever was breached those students like myself, likely would never ever be able to have a career they have worked for.