Text, Trust and Third Parties

As more colleges outsource e-mail, some worry about who will decide which files are secure and which can be disclosed.
March 21, 2008

Almost four years ago, when Google started offering the first Gmail accounts through a viral referral campaign, the backlash from online privacy advocates was immediate and fierce. The text-based advertisements that supported the free service were tailored to users’ tastes -- and that meant filtering e-mail content for keywords hinting at their interests. Even if human eyeballs never came into contact with the messages, as is the case with Gmail, the potential for abuse was for some critics an unacceptable risk.

Today, with Gmail and similar Web-based services commonplace and many users perfectly content to keep their personal data stored in a far-off warehouse for potential data mining or ad targeting, those concerns seem almost quaint. In particular, students have flocked to Gmail, which many prefer to their college e-mail addresses. But privacy remains a perennial issue on the Internet, and its capacity to complicate transactions is rearing its head again as services from Google, Microsoft and other third-party vendors target colleges and universities as customers.

Hundreds of educational institutions worldwide have already signed up for services from Google and Microsoft, specifically, that offer e-mail, calendar, chat, document sharing and other functions at no cost -- both for students and for colleges. As a result, chief information officers have discovered that they can save money, outsource core IT services and improve their delivery, freeing up time and resources for more focused, campus-specific projects.

The possibility of outsourcing a college’s e-mail system has its perks, of course (including, in many cases, no advertising links at all for current students), but it has also raised some of the same concerns that accompanied Gmail’s initial launch. The question is whether, like the last time around, those concerns will fade away.

If e-mail lists and other online chatter are any indication, many college officials are increasingly worried about the legal implications of keeping all of their institutional e-mail data offsite. What would Google or Microsoft do if a court issued a subpoena for private data? Would they disclose students’ data in violation of the Family Educational Rights and Privacy Act? How would they respond to Freedom of Information Act requests for data from public institutions?

“There are some difficulties that we just have to work out if we want to pursue it,” said William C. Dougherty, the assistant director for systems support in network infrastructure and services at Virginia Tech.

Some of the early adopters of Web-based enterprise e-mail services decided that having Google or Microsoft handle maintenance, capacity and even legal issues was in many ways preferable to expending the college’s own resources for what could be the same, or even inferior, results. And any privacy risks inherent to hosting data with a third party, they concluded, also existed -- or were even more pronounced -- for on-site systems. Despite the fact that many universities have taken the plunge, however, some still hesitate.

“To put it simply, Google does not own your data,” according to the privacy policy for Google Apps. “We do not take a position on whether the data belongs to the institution signing up for Apps, or the individual user (that's between the two of you), but we know it doesn't belong to us! The data which you put into our systems is yours, and we believe it should stay that way.”

But even privately owned data can be subject to the mandates of subpoenas, FOIA requests or FERPA.

“Google does not share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect our systems,” the policy continues. “These exceptions include requests by users that Google's support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of Google, its users and the public.”

It isn’t entirely clear in which instances vendors would disclose private data -- what, specifically, is “required by law” may vary case by case -- but institutions, seeking at least some measure of predictability, have sometimes negotiated with vendors until the agreement addresses privacy concerns to their satisfaction.

“In particular, we do a very thorough contract review here ... and a lot of discussion occurred between our general counsel and [Google’s] general counsel, but the whole project and the agreement had to meet the standards that our general counsel thought” were necessary to ensure the privacy of data, said Theresa Rowe, the chief information officer at Oakland University in Rochester, Mich.

The university doesn’t have a history of keeping backups of its e-mail, so unlike other universities, Oakland never needed a policy on who would get access to such archived material, Rowe added, and she conceded that its perspective on privacy may be different from those of other institutions. Smaller colleges may also have more to gain from outsourcing resource-intensive operations. Its initial privacy concerns addressed, Oakland recently signed with Google Apps.

“I think that every university’s tolerance for these issues is different, and it’s really important to have your senior leadership engaged in those discussions,” Rowe said.

She could not disclose specifics about the agreement with Google, but a spokesman for the company said that whenever legally possible, "we direct legal requests to the school or to the entity the request relates to so they can make a determination about whether or not to provide such data directly."

At Virginia Tech, there has been no decision to outsource any e-mail functions so far, but Dougherty has been investigating the possibility. Like many other IT directors, he is paying special attention to potential privacy issues and disclosures that can result from “e-discovery” in preparation for litigation.

“It’s a chancy proposition,” he said, “and I am actively providing e-discovery output in the way of e-mail and other e-formats for ongoing litigation, and it’s really easy for me because I control the assets,” and which data is disclosed and to whom, per the university's legal guidelines. But what if he didn’t?

That’s the question, and for many officials it boils down to a matter of trust. After consulting with lawyers from Google or Microsoft, are they convinced that the companies will respond (or not respond) to requests for private data in good faith?

“If we look at e-mail service providers, whether it’s Google or Yahoo or our own university providers, if a subpoena is presented to that provider [then] lawyers for that organization are going to figure out how they want to respond,” Rowe remarked. “[W]e were just wanting to make sure that those processes would be followed in any e-mail service provider. They have to have a process in place.”

“We’re not sure why people perceive Google to be different than” other providers, including those on campus, she continued -- a “perception that somehow our campus e-mail is private and outsourced e-mail is not.”

“I think sometimes they fear losing control,” she said, referring to college technology leaders. “[W]e’re replacing the technological controls with contractual controls and service-level standards, and that’s challenging, you really have to think that through.”

Dougherty raised another point that’s been especially salient at his campus: how to handle mass e-mails, especially in case of an emergency. He said he worried that if Internet connectivity beyond campus was temporarily severed, the university wouldn’t be able to reach its students since an e-mail blast would have to be routed to the third-party vendor and then back again.

"We regularly receive positive feedback from universities regarding our ability to process large volumes of email quickly. In the case of emergency email, universities may flag their bulk email servers to ensure we don't mark any mail from those servers as spam," the Google spokesman said ... in an e-mail.

There’s also the possibility that having Google or Microsoft responsible for a college’s e-mail services could actually attract attention. “Would Google be more likely to be asked than we would?” asked David S. Brawner, manager of network and user services at Maryville University in St. Louis, referring to requests for private data.

Whatever conclusions various colleges come to, there isn’t much precedent to build on. Dougherty put it simply: “I don’t want to be that first test case.”

