Search News


Browse Archives

News

Text, Trust and Third Parties

March 21, 2008

Share This Story

Related Stories

FREE Daily News Alerts

Advertisement

Almost four years ago, when Google started offering the first Gmail accounts through a viral referral campaign, the backlash from online privacy advocates was immediate and fierce. The text-based advertisements that supported the free service were tailored to users’ tastes -- and that meant filtering e-mail content for keywords hinting at their interests. Even if human eyeballs never came into contact with the messages, as is the case with Gmail, the potential for abuse was for some critics an unacceptable risk.

Today, with Gmail and similar Web-based services commonplace and many users perfectly content to keep their personal data stored in a far-off warehouse for potential data mining or ad targeting, those concerns seem almost quaint. In particular, students have flocked to Gmail, which many prefer to their college e-mail addresses. But privacy remains a perennial issue on the Internet, and its capacity to complicate transactions is rearing its head again as services from Google, Microsoft and other third-party vendors target colleges and universities as customers.

Hundreds of educational institutions worldwide have already signed up for services from Google and Microsoft, specifically, that offer e-mail, calendar, chat, document sharing and other functions at no cost -- both for students and for colleges. As a result, chief information officers have discovered that they can save money, outsource core IT services and improve their delivery, freeing up time and resources for more focused, campus-specific projects.

The possibility of outsourcing a college’s e-mail system has its perks, of course (including, in many cases, no advertising links at all for current students), but it has also raised some of the same concerns that accompanied Gmail’s initial launch. The question is whether, like the last time around, those concerns will fade away.

If e-mail lists and other online chatter are any indication, many college officials are increasingly worried about the legal implications of keeping all of their institutional e-mail data offsite. What would Google or Microsoft do if a court issued a subpoena for private data? Would they disclose students’ data in violation of the Family Educational Rights and Privacy Act? How would they respond to Freedom of Information Act requests for data from public institutions?

“There are some difficulties that we just have to work out if we want to pursue it,” said William C. Dougherty, the assistant director for systems support in network infrastructure and services at Virginia Tech.

Some of the early adopters of Web-based enterprise e-mail services decided that having Google or Microsoft handle maintenance, capacity and even legal issues was in many ways preferable to expending the college’s own resources for what could be the same, or even inferior, results. And any privacy risks inherent to hosting data with a third party, they concluded, also existed -- or were even more pronounced -- for on-site systems. Despite the fact that many universities have taken the plunge, however, some still hesitate.

“To put it simply, Google does not own your data,” according to the privacy policy for Google Apps. “We do not take a position on whether the data belongs to the institution signing up for Apps, or the individual user (that's between the two of you), but we know it doesn't belong to us! The data which you put into our systems is yours, and we believe it should stay that way.”

But even privately owned data can be subject to the mandates of subpoenas, FOIA requests or FERPA.

“Google does not share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect our systems,” the policy continues. “These exceptions include requests by users that Google's support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of Google, its users and the public.”

It isn’t entirely clear in which instances vendors would disclose private data -- what, specifically, is “required by law” may vary case by case -- but institutions, seeking at least some measure of predictability, have sometimes negotiated with vendors until the agreement addresses privacy concerns to their satisfaction.

“In particular, we do a very thorough contract review here ... and a lot of discussion occurred between our general counsel and [Google’s] general counsel, but the whole project and the agreement had to meet the standards that our general counsel thought” were necessary to ensure the privacy of data, said Theresa Rowe, the chief information officer at Oakland University in Rochester, Mich.

The university doesn’t have a history of keeping backups of its e-mail, so unlike other universities, Oakland never needed a policy on who would get access to such archived material, Rowe added, and she conceded that its perspective on privacy may be different from those of other institutions. Smaller colleges may also have more to gain from outsourcing resource-intensive operations. Its initial privacy concerns addressed, Oakland recently signed with Google Apps.

“I think that every university’s tolerance for these issues is different, and it’s really important to have your senior leadership engaged in those discussions,” Rowe said.

She could not disclose specifics about the agreement with Google, but a spokesman for the company said that whenever legally possible, "we direct legal requests to the school or to the entity the request relates to so they can make a determination about whether or not to provide such data directly."

At Virginia Tech, there has been no decision to outsource any e-mail functions so far, but Dougherty has been investigating the possibility. Like many other IT directors, he is paying special attention to potential privacy issues and disclosures that can result from “e-discovery” in preparation for litigation.

“It’s a chancy proposition,” he said, “and I am actively providing e-discovery output in the way of e-mail and other e-formats for ongoing litigation, and it’s really easy for me because I control the assets,” and which data is disclosed and to whom, per the university's legal guidelines. But what if he didn’t?

That’s the question, and for many officials it boils down to a matter of trust. After consulting with lawyers from Google or Microsoft, are they convinced that the companies will respond (or not respond) to requests for private data in good faith?

“If we look at e-mail service providers, whether it’s Google or Yahoo or our own university providers, if a subpoena is presented to that provider [then] lawyers for that organization are going to figure out how they want to respond,” Rowe remarked. “[W]e were just wanting to make sure that those processes would be followed in any e-mail service provider. They have to have a process in place.”

“We’re not sure why people perceive Google to be different than” other providers, including those on campus, she continued -- a “perception that somehow our campus e-mail is private and outsourced e-mail is not.”

“I think sometimes they fear losing control,” she said, referring to college technology leaders. “[W]e’re replacing the technological controls with contractual controls and service-level standards, and that’s challenging, you really have to think that through.”

Dougherty raised another point that’s been especially salient at his campus: how to handle mass e-mails, especially in case of an emergency. He said he worried that if Internet connectivity beyond campus was temporarily severed, the university wouldn’t be able to reach its students since an e-mail blast would have to be routed to the third-party vendor and then back again.

"We regularly receive positive feedback from universities regarding our ability to process large volumes of email quickly. In the case of emergency email, universities may flag their bulk email servers to ensure we don't mark any mail from those servers as spam," the Google spokesman said ... in an e-mail.

There’s also the possibility that having Google or Microsoft responsible for a college’s e-mail services could actually attract attention. “Would Google be more likely to be asked than we would?” asked David S. Brawner, manager of network and user services at Maryville University in St. Louis, referring to requests for private data.

Whatever conclusions various colleges come to, there isn’t much precedent to build on. Dougherty put it simply: “I don’t want to be that first test case.”

Andy Guess
Go to comments (13) »

Get Hired!

See all postings »
Advertisement
Advertisement

Matching Jobs

See all jobs like these

Search for jobs

IT Associate, Level 3 (Web Applications Analyst)

Lehman College of the City University of New York
POSITION DESCRIPTION AND DUTIES Under supervision, with considerable latitude for independent initiative and judgment, performs ...
More

Senior Manager SAP Operations

Weill Medical College of Cornell University
Founded in 1898, and affiliated with what is now New York-Presbyterian Hospital since 1927, Weill Cornell Medical College is among the top-ranked ...
More

Information Systems Coordinator (Req. #0602541)

Georgia Southern University
Information Systems Coordinator (Req. #0602541) Emerging Technology Center. Perform highly technical work related to the training, utilization, ...
More

SR. DATA INTEGRATION ANALYST

University of Pennsylvania
Duties The Cardiovascular Institute is seeking a capable programmer/analyst to work in all technical areas of research informatics. Typical duties ...
More

Information Resource Coordinator I (4AS09) Two Positions Available Re-advertised

Aiken Technical College
DUTIES AND RESPONSIBILITIES: • Provide technical support for implementation of computer related software and hardware, campus wide for all ...
More

Programmer/Analyst

Harper College
Job Description: Responsible for analysis, design, development, testing documentation and maintenance of application systems, programs, reports and ...
More

Most Popular

More...
Don't Miss a Great Opportunity

Comments on Text, Trust and Third Parties

  • Inconvenient fact
  • Posted by Buzz on March 21, 2008 at 6:05am EDT

  • For the public colleges involved -- public tax-dollars are involved. That makes it the public's business.

    The ex-governor of New York State, the mayor of Detroit (as of today), and too many public college administrators and government officials think themselves above the law when it comes to resources purchased with taxpayer money. They are wrong.

    Don't want the heat of public scrutiny? Exit the kitchen. Or stop taking public tax-dollars, and go private.

  • Paying Again for What the Public Owns
  • Posted by Michael Bugeja , Professor at Iowa State University on March 21, 2008 at 10:05am EDT

  • Information technology officers at public institutions entertain the strange idea that outsourcing email is "free" but fail to realize, when they should know better, that nothing Google and Microsoft do is for free.

    It is supremely ironic as well that IT officers often make decisions about technology--which they maintain is a democratizing enhancement to academe--without expanding discussion to campus constituents, using the very same medium that they are trying to outsource and the one on which entire institutions are being run administratively.

    I have had little success in arguing against outsourcing of email, which is being considered at Iowa State. My own Freedom of Information Council has been alerted to this possibility, with no public pronouncement of support as yet about issues articulated factually in this balanced article.

    Here's the bottom line: These documents are produced on a platform that is used to administer state institutions, including campuses that receive taxpayer support. As such, these documents are owned by the taxpayer. Yet we continue to read corporate propaganda promulgated by IT officers distracted by half-promises of Google and Microsoft about releasing public information under subpoena back to the taxpayer-supported institution.

    Everyone seems to be missing the point that taxpayers should not be made to pay again via legal fees what they already own.

    I encourage anyone at a public campus who feels as I do to contact their own Freedom of Information Council as well as Charles Davis at the National Freedom of Information Coalition: http://nfoic.org/

    Charles has been an eloquent spokesperson for outsourcing of public records. You can read a recent story citing him about text messages as public records at this URL: http://www.usatoday.com/tech/wireless/2008-03-15-textmsgs_N.htm

  • Colleges Behind the Curve
  • Posted by Chris on March 21, 2008 at 11:35am EDT

  • What strikes me when I read this article is how irrelevant this whole discussion is. The first thing I did when I came to my current institution is set up my University e-mail address to forward everything to my gmail account. Most folks I know (at least those with enough technical savvy to set up e-mail forwarding) do the same.

    Things aren't like they were ten or fifteen years ago when students got their first e-mail address when they showed up at college, incoming students already have e-mail, IM, a blog, a twitter feed, and a Facebook account. Most of their online communication is going to take place through systems and sites that have no connection to the college whatsoever. Universities need to be thinking about how to integrate their communications with the systems students are using already.

  • Chris' comment
  • Posted by Michael Bugeja , Professor at Iowa State University on March 21, 2008 at 12:15pm EDT

  • The comment by Chris is representative of tech advocates that only know how to use the technology according to how the companies dictate that they do. Yes, you can transfer your email from the public server to gmail; but, alas, the document is in the public server, for Pete's sake.

    Moreover, it doesn't matter what platform or interface a student or faculty member communicate upon to create a public record; the question is do taxpayers have to pay twice for that record.

    And then there are a dozen other administrative issues that mandate disclosure and transparency which, if we had more of, students would realize why their tuition keeps rising annually, among other things.

  • Missing the Point
  • Posted by Chris on March 21, 2008 at 1:40pm EDT

  • The companies aren't dictating how people use these technologies. If anyone is dictating (or trying to) it's the universities. Problem is, it's not going to work. Students, and increasingly faculty and staff, are coming to the university with a preexisting suite of communications tools. They are not moved by policy. They're going to keep using the tools that they like best and adopting new ones when they find better. Universities are going to have to adapt to this environment and get used to letting people communicate the way they want to.

  • Michael Bugeja's comment on Chris's comment
  • Posted by Faculty person on March 21, 2008 at 1:40pm EDT

  • If the mail is forwarded from the public (I assume you mean the university's) server to gmail then it will not remain on the university's server.

    Certainly Google or Microsoft expects to profit from the service. In the case of Google the no advertising pledge ends with the student's graduation.

    As to the costs of discovery -- they're either borne by the university or the email provider or both in any case.

    There are some concerns about the privacy of emails but realistically Microsoft and Google are just as likely to protect this as the typical university IT staff and administration.

  • IT policies that hurt
  • Posted by EngProf on March 21, 2008 at 1:40pm EDT

  • In my university, the IT policy has been to strip attachments from all incoming e-mails unless those attachments are named using some arcane rules. No other school I know of does this. The result--either embarrassment at having to send some stupidly long explanation of how to properly name a file to avoid the filter, or outright abandonment of the university e-mail system altogether. Most professors have opted for the latter.

    My complaints to IT about how this policy hampers researchers dealing with colleagues across the country were met with the IT equivalent of my response when my kids want something I don't think they should have: "We'll revisit the policy and let you know what we decide."

    Guess what they decided?

  • FERPA is the issue
  • Posted by John B. on March 21, 2008 at 2:45pm EDT

  • FERPA is a privacy act. Its purpose is to protect students' private information. A student's private e-mail is no more public information than is his/her grade data.

    In Chris' case, he chose to forward his private information to gmail. That is not a violation of FERPA. If the school outsources the entire e-mail system to a third party, the choice to not disclose is absent.

  • Posted by Chris on March 21, 2008 at 2:45pm EDT

  • To follow up on what EngProf said, University IT departments have a lot to do with my attitude on this. I first soured on institutional email addresses when I transferred between institutions as an undergraduate. Changing everything over to the new address was a huge hassle. As a result, the next time I changed institutions, I moved everything over to Gmail and forwarded my institutional address. I avoid using the university webspace for the same reason.

    About a year later, my university switched to a Microsoft based email system and announced that they would no longer allow students to forward their email (ostensibly because important university emails were going unread by some students). Thankfully, I was a TA at the time and I was able to convince the IT department that made me a staff member rather than a student. However, I started moving everything I could away from my university email address. So in addition to Faculty person's point, most of the email I get from real people (as opposed to university mailing lists) doesn't even touch the university's servers. So, I avoid university email because I find Gmail more pleasant to use, because it will make things much easier when I change institutions, and because I trust Google to do right my me a lot more than I trust the university's IT department.

    Now, it took me almost a decade to make this transition. Current undergraduates start out at pretty much the point I've ended up at. A decade ago the university email address was the default, and often the first personal email a student had. Today students have had their own email addresses for years and they're not going to change just because they go to college. When I ask a class to give me an email address they actually read on a regular basis, the vast majority of them give me something other than their university account. The "you will use the email address we tell you to and like it" policy of the university IT department is utterly foreign to them. The end result of the "no forwarding" policy I described above is that fewer people are actually reading the official university emails because they aren't willing to check a second account and they're definitely not going to be moving their personal e-mail over to an account they have so little control over and are going to loose as soon as they graduate.

    I think open records laws are important, and I laud Michael for his support of them. However, efforts to enable them by centralizing email are the product of an era who's time has passed. University IT departments decisions on this score are irreverent. Email is being "outsourced" one student and one faculty member at a time, because companies are providing a better experience, better service, and are more open, trustworthy and reliable than university systems are. There's really nothing the university can do to stop it. Most of today's students and an increasing portion of the faculty and staff too savvy to want to get trapped in an institutional email system.

    This is a phenomena that extends far beyond universities. The 'millennials' are giving their employers, who have their own records preservation and destruction policies to comply with Sarbanes-Oxley and other financial laws, fits by communicating outside the company's systems. Governments are having similar problems related to open records laws. Even draconian measures to prevent this (that would never fly in a university setting) like blocking access to web based email and instant messaging, are increasingly untenable as cellphones become better email and IM clients.

    The world is changing and public records and financial disclosure laws and the institutions that are governed by them, are not keeping up. These laws and institutions are going to have to adapt to a world where communications systems are personal, rather than institutional.

  • Inconvenient Fact No. 2
  • Posted by Buzz on March 21, 2008 at 5:05pm EDT

  • " .. realistically Microsoft and Google are just as likely to protect this as the typical university IT staff and administration .."

    Correct. MSFT & GOOG are private companies that defend, to the end, their property rights from Big Government. Like Noam Chomsky does with his copyrights.

    Typical public university IT staff and administration: not private. No direct ownership rights involved. Watching clock until retirement. Can hand-off hard work to contractors, viz. U.S. State Dept. passport division handling presidential candidates' records.

  • FERPA and open records law
  • Posted by Faculty Person on March 21, 2008 at 5:25pm EDT

  • I don't think it's unreasonable to expect that Google and Microsoft are aware of the need to comply with FERPA and other public records laws. The products they're offering universities are tailored for the university environment.

    Like Chris I never use the "official" university email system for important off-campus communications personal or private. It's just too undependable.

    Buzz, I work at a private university and I'd be willing to bet our administrators would cave at the first whiff of a lawyer.

  • Of course
  • Posted by Buzz on March 22, 2008 at 6:45am EDT

  • " .. I work at a private university and I’d be willing to bet our administrators would cave at the first whiff of a lawyer."

    ---

    Yup, yup, yup, I'd agree, small private colleges are different than a $135,870,000,000.00 Google. Per the search for "truth" and "academic freedom," be sure that fact is in the college marketing brochure. Have a nice day.

  • Posted by CollegeITadmin on August 1, 2008 at 3:10pm EDT

  • Well, it's nice to see that the IT bashing doesn't end at our institution's walls. However, looking at things from the more realistic side, we are doing a disservice to students who will move on to corporations and find that their google/yahoo/msn emails are not going to be their only email .. and probably will be frowned up for corporate usage.

    I have two emails (ok more, but for this example the concept holds): the email I use for business (ie my college email) and the one I use for everything else (ie my yahoo). It's not rocket science, but faculty always know best, right?

Print
© Copyright 2009 Inside Higher Ed