"Going Google" Exposes Students' Email
A ReadWriteWeb piece up on the NY Times site explores the recent glitch during the move of a number of colleges onto Google's email service that allowed a number of students to see each other's inboxes for a period of more than three days. Google would not give exact numbers, but the article concludes that about 10 schools were affected. "While the glitch itself was minor and was fixed in a few days, the real concern — at least at Brown — was with how Google handled the situation. Without communicating to the internal IT department, Google shut down the affected accounts, a decision which led to a heated conversation between school officials and the Google account representative. In the end, only 22 out of the 200 students were affected, but the fix was not put into place until Tuesday. ... The students had access to each other's email accounts for three solid days... before the accounts were suspended by Google. Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.' (We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"
Is that three days after they were notified, or did the affected students keep it quiet for a couple of days for 'research purposes'?
Invaders must die
You were born in California?
I bet most of us could read everyone else's email at school...
...social networking.
Taking it to a new level, no joining or other conscious actions required to share everything about your life.
The Mothership
So that's the use of that button!
Sue.
It's the American way.
We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.'
Look, I think we can all agree that if there were some major security breach like this for which we were responsible and we sat around for 3 days before doing anything, then unilaterally suspended a bunch of accounts before finally fixing the problem, we'd be fired.
On the other hand, if I were the head of IT at some place and we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence, it'd be really easy to say, "That's just how tech is, it's hard to do right even for Google, get used to it. Oh, and while you're looking for ways to prevent such a 'catastrophe' from ever happening again, consider boosting the IT budget, will ya?"
I'll bet that IT manager is pretty happy right now, student complaints aside.
I could just imagine the awkwardness when you find your best friend's gay porn collection due to a software malfunction
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein
I'm French and if my personal or professional email were to be made public, that would be one hell of unsatisfactory service. Privacy is why I accept paying a provider for things that could be free (as in beer). If this expectation goes out, I will ask for damage. You know, the expectation for privacy is written in our constitution.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
"Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.'"
In my NSHO three days is pretty fast for a free service. You want faster response times, 100% avail and dedicated engineers? For free? Sorry, no can do.
Every time I see an article like this all I can think is "what Microsoft backed puppet wrote this crap?". Microsoft is working very hard to make out Google as craptastic, greedy and customer-hating as them. For me it has the opposite effect, Google becomes the underdog with Microsoft kicking them in the groin. I find myself feeling for Google in the search market despite their 90% market share.
Way to go Microsoft, no PR in the world coming from Google could accomplish that feat, feeling sorry for a market leader. ;D
HTTP/1.1 400
I'm French
Just save us the trouble and surrender this argument now.
It's the American dream.
Fixed it for ya.
How the fuck the "glitch itself was minor"? I'm not sure if it actually violated any privacy laws given the extensive cover-your-ass EULAs, but still, it was a serious breach of privacy, and indeed was much more important than "how Google handled the situation". With respect to the latter, temporarily shutting down all affected e-mails, _immediately_, was completely justified, and in fact, was the only thing to do until Google had the chance of finding out exactly what was going on, who and how is affected, and how to fix it. I'm much more of the opinion that Google, as a free (as in beer) service, owes you no performance SLAs whatsoever (it may even shut down Gmail completely tomorrow, and if you lose e-mails, it's too bad for you for not backing them up). But even so, AS LONG as Google provides a mail service, it DOES have some obligations to respect the privacy of its users. So guaranteeing privacy > guaranteeing performance, and Google acted correctly in this case.
In the ether, thousands of janes are shrieking 'OMG!?!?!?! he really does fancy me!'
Ah Brown, generally home to spoiled rich kids whose kids buy their way through college (all Ivies have this, but Brown is the worst) and the least rigorous of any Ivy. Not surprised to see them shill a bit...
You do realise that Google has to comply with terror-laws don't you? Gmail has been used for years. Intelligence suggests students are most likely to be the ones who will be recruited for terrorism or do school shootings or become a suicide bomber.
All cows eat grass!
While the glitch itself was minor and was fixed in a few days
Pardon my ignorance, the glitch was minor?
What?
The fact that emails contain back-mailed passwords to many kinds of online services, including those involving payments (which is stupid practice, but the online service providers do it anyway, they send you the password when you sign up)...
The fact that I can reset your password to any third-party online service account where I know that you use it and that you associated it with this email account...
Still minor glitch? Reading others' emails? Really? I or TFA must be missing something.
Is Google Apps for Edu in beta? :-)
How is that a troll? I'd be suing if I got that kind of service from an e-mail service provider. They're selling you a service and support. If they don't provide it, you deserve compensation.
How is that a troll?
Because it's a one-word answer to an unasked question that parrots the American Dream (tm): "Get rich without having to do anything".
I'd be suing if I got that kind of service from an e-mail service provider. They're selling you a service and support. If they don't provide it, you deserve compensation.
And that's why the American legal system is FUTA. In most sensible countries, you *can* sue them *if* you have experienced a major problem due to their behaviour - eg, if you can show that you have lost money/possessions/safety etc as a direct result of someone else having access to your emails. You can't just go "I feel slightly aggrieved that someone read my email - give me a bajillion dollars!!!!".
"While the glitch itself was minor and was fixed in a few days"
That's not exactly what I would call a MINOR breach.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
In Finland reading someone else's mail, of electronic or snail variety, is illegal. What about other legislations? This sounds like something that would be taken rather seriously here.
(Actually, due to how seriously this is taken a recent law has (unfortunately) been put in place, to explicitly allow employers to read employees' work mail. Google "lex Nokia" for more info.)
.: Max Romantschuk
The article makes a great point about communication being a problem when migrating services to the cloud environments. But this issue is not exclusive to cloud-sourcing, it's prevalent in most outsourcing today. How many call centers and admin management have been moved to a different country with cheaper resources - countless. And how many times have you had to make a third and even a fourth call to get something resolved with say your favourite telecommunications provider?
If you've worked in an organisation that outsources services you will have encountered communication problems like this and worse every week. The fact that Google is a high-profile outsourcing vendor means that everyone gets to hear about it.
But I would still choose Google over 99% of other outsourcers because these guys care about quality, and as a rule they don't make the same mistake twice.
They aren't paying anything for it. If someone gives you a car I doubt you'd sue them if the electric windows stopped working.
"We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"
um....someone else can read your email, and for more than 3 days. You store your email on an external server or send it through other servers unencrypted, and someone else can and probably does read it. Period.
If you want some bit of privacy, use encryption and don't store your email on other people's servers.
When concerning individual citizen liberty and privacy, history has PROVEN. People cannot be trusted. Corporations can be trusted less. Governments can be trusted least of all. For those who are confused, the US founders created a 2nd amendment with the INTENTION of having a government which feared its citizenry. If there was going to be a rebellion, they WANTED the citizens to win.
Yeah, blame Susan, that's the spirit...
Worse than just a breach of privacy of email, students use their college-provided accounts to communicate with their faculty. If other students are able to see their emails, that constitutes a potential FERPA breach. As a college IT administrator, I would be screaming at Google for not sharing info and reacting immediately. Waiting a day to shut the accounts down temporarily is inexcusable.
probably because his neck is on the line, and he's trying to save face with management. Oops.
Why is it even necessary, in this day and age, for a school to provide their students with email? I can understand, back in the dark ages, when I was at university, and few incoming students had email addresses. But these days, doesn't every one of these incoming students have an email address somewhere? Wouldn't it be better to have the professor email out to the student's personal email account that the student had before they went to university, and will likely have long after they leave the university?
"I'm French and if my personal or professional email were to be made public, that would be one hell of unsatisfactory service."
Well, who do you think would want to read a Frenchman's mail, anyway?
More seriously, what does nationality have to do with privacy issues? You think that maybe a Ugandan needs more privacy than a Russian? Degrees of privacy are scaled from one nationality to another? Had you said something to the effect, "The Iranian government has grown really oppressive, so my mail being made public is a major threat to personal security", then your nationality and/or government might be a factor.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Or lack thereof.
This wasn't IT's fault, but in my university CS department, there was a period of about three months during which we had passwordless logon to our department course Wiki, which provided the option to use Perl in place of Wikicode as the source for a page. Said Perl ran with the webserver's username on the server.
As far as I know, nothing bad came of it. The seniors just enjoyed not needing to bother with passwords. (To be clear, we repeatedly notified the professor responsible for the Wiki, who repeatedly said he'd take care of it. After a couple weeks, it just kind of became normal.)
Actually, a lot of people probably would. One of the things that really annoys me is that large companies will dispose of their old IT equipment by throwing it in a skip rather than donating it to local schools who would benefit from them. One of the major reasons that they do this (from what I have heard) is because "if we give it away to a school and something goes wrong, we would be liable and could get sued". I still don't understand why the school can't just agree (via a disclaimer or whatever) not to sue, but that's probably because I'm not a lawyer and live in my own little make-believe world where people shouldn't sue just because they can get away with it.
I think stating one's nationality implies that the writer is framing his/her comments as representing the expectation in one's country. What level of privacy one should desire from a pure philosophical standpoint, what is legally protected, and what the cultural norm expects can all be different.
.sig withheld by request
This has to do with the GGP stating "It's the American way."
In France, as in most European countries, this affair could even be a case for a criminal proceeding.
There's nothing like $HOME
Not paying anything? Tuition at Brown is $35,584, and some of that goes to IT services; the fact that they've contracted student email service out to Google is irrelevant.
.sig withheld by request
Then again, in most sensible countries, punitive damages don't exist.
There's nothing like $HOME
Why was this feature^H^H^H^ bug present in the first place? It's not like this is the 1st time Google has had to implement email for 3rd parties.
Did Brown give a list of "superusers" to Google that had the ability to read global mails and someone botched it? O Oh.
"Ah.. CRAP. I think we cut and paste the wrong names on the God list." ... ? What do you mean NO? .... Oh yeah the whole space-time thing.... . Err.. can we just call it a Google bug? .... ? What do you mean we have to deal with our own PR?" ... click.
"What... Call Google, quick!"
"Hello Google.... can you spin back time... ?"
I wish I had Karma points to give.. That's funny.
That I see their failure as a possible bright spot in the failure of the Global Economy.
Crash, Baby! Crash!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
My understanding is that it's actually for accounting purposes. The equipment can't be written off the same way if they are donated, or something like that. I'm neither an accountant nor a tax specialist.
It's not the school who's going to sue. It's the customer (whose financial information you left on the computer, and which the student has just sold to the newspaper) who is going to sue you.
Depends on your version of "sensible".
They exist to hammer home wrongs done.
Unfortunately, in the past, they've been given for any willy-nilly thing instead of handing it down for egregious conduct. I know about egregious conduct- I'm experiencing it right now in a matter that I can't discuss for legal reasons.
Fortunately or unfortunately, depending on your viewpoint, there's a cap on just how much punitive damages you can get in most of the states. Texas' is three quarters of a million after computing 2.5 times the economic damages. It's similar in other states.
So, when you say "in most sensible countries, punitive damages don't exist", it implies you know little about how it all actually works. When someone sues someone else, it's mainly for economic or actual and potential (believable potential) harm. Now, since someone can file any stupid civil cause they want to (See SCO v. IBM...) we have at least a few people out there filing all sorts of actions that waste money, court time, etc. to see if they can extort money or score big on dumb blind luck in the courtroom. Except for rare cases, there is no pursuit in punishing barratry (the promulgation of a nonexistent case...) or for penalties being brought against a party that honestly believed they had a case and didn't because they didn't do all their work. In most sensible countries, you should have penalties for bringing a case of this sort to court- but there isn't so you see "sue em" happening all the time for things that shouldn't have ever been brought to court.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Somewhere at Google HQ there is a guy saying "I told you we still weren't ready to come out of beta!"
3 or 4 years later. Hahaha. Google stinks.
While the issue took three days to resolve, the unilateral shut down of the accounts prevented students from reading other students' emails during that period.
So for review, no one got to read others' email for three days, instead, they got to read no email for that time and email sent to the accounts which were routing wrong was bounced back.
What privacy? Those are Google's emails. They were sent by your friends to Google. That they are about you and you are allowed to read them makes no difference to their ownership.
/sarcasm ...?
It's troll because he's saying bad things about teh Google! We only bash Micro$$$$$oft here.
If you really want something to be private you don't put in your emails anyway. This is pretty well known by now isn't it, that privacy on the 'net is a myth? Can we stop with the "omg, I thought it was private" b.s. now? When I communicate on the 'net (or on my mobile phone, now, too) I always treat it like I'm using a p.a. system, no matter how many people the communication is addressed to.
And that's why the American legal system is FUTA. In most sensible countries, you *can* sue them *if* you have experienced a major problem due to their behaviour - eg, if you can show that you have lost money/possessions/safety etc as a direct result of someone else having access to your emails. You can't just go "I feel slightly aggrieved that someone read my email - give me a bajillion dollars!!!!".
Spoken like someone whose only expose to the American legal system is via television...
Sigh. *exposure.
That's easy to handle.
Example.
During WWII, for the aeons before the US entered the war, they were 'neutral'. Neutral to all the death and slaughter, and cry for help from their allies.
Uh, sorry.. off track a bit there. :P
Seriously though, it wasn't all bad. For whatever reasons the US remained neutral, they weren't as neutral as could be. One thing they did, was 'accidentally' leave massive quantities of ammunition and weaponry right near the US border. Somehow, the Canadian military would find out, and would 'steal' this weaponry and ammunition.. which was quickly transported to the UK, and then to the front lines... that is, whatever would make it across the German sub-riddled sea.
Point being, there is no reason that this can't be the same way. You write off the equipment, you throw it in a dumpster in the back, and then someone tells someone that there are computers in the garbage.
At that point, they've been trashed. All is well on one side, and the other can act as they wish...
This is an account given to the students by the school, right? I would assume the school is reading my email in that case. Just like the email address given to you by your employer, it is not yours, it is theirs. You are better off just assuming someone is snooping it. Don't use your work or school email for anything but work/school. Do we really need to tell people this still?
However, the real issue that concerned the university was the matter of communication between Google and the CIS department. Before fixing the issue on Tuesday, Google suspended the affected accounts, a necessary step that was taken so no more data was improperly shared. What angered the IT director, though, was that the accounts were suspended without first notifying CIS.
Translation: We sent you an email communicating the issue at hand. However, we had to disable your email account so nobody else could accidentally view it.
"I've spoken very forcefully with the account (executive), my boss, senior administrators at Brown -- including the president. (Google needs) to find a better way to communicate with us," said Tom.
Translation: We told them to stop or else we'll say stop again.
Most probably, it means there are laws regarding "Unsatisfactory service". D'oh.
no sig
People who use Google services will be too scared to send privacy info over email. They then stop sending anything personal on personal email ;-)
After some time, it occurs to people, why they should use an email account to exchange info. that every one can share with everyone.
After that, it becomes, Google Social email or Social conversations if you like it.
Then suddenly, people move away from email to Social Mail/Social Conversation platform. Email is so last century ;-)
Reminds me about a story I heard about the math department at a university I attended (yes, I'm deliberately being vague here). They had a large number of computers for which they no longer had a use. However, they were forbidden by their purchasing contract from re-selling them, giving them away, or even disposing of them. So the machines were put into storage. On the loading dock. Outside. The contract didn't forbid the department from having the goods stolen.
I wonder if this was because they converted usernames that had periods in them and some that didn't, or just in slightly different places.
Gmail had some issues with this when it started off, because it allowed you to sign up as "j.smith" but would treat it the same as "jsmith", regardless of where you put the period. This led to some problems for my ex, who had "first.last@gmail.com" and someone else who just had "firstlast@gmail.com" because they would routinely get mail for the other one. Eventually, she contacted google and got an account name changed. If you had say, "j.smith" and "js.mith" as email accounts you were converting to google apps, it will probably see them the same way, and the inbox thing doesn't entirely shock me.
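The collision the comment above speculates about, as an added example that is not part of the original comment and not Google's tooling: a pre-migration check that groups source mailboxes by the address the destination would see if it ignored dots and letter case, as the comment says Gmail does. That the destination canonicalizes this way, and that the source system is case-insensitive but dot-sensitive, are assumptions; the addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of a source-system mailbox export (not real accounts).
SAMPLE_EXPORT = [
    "j.smith@example.edu",
    "js.mith@example.edu",
    "jsmith@example.edu",
    "J.Smith@example.edu",   # same source mailbox as the first entry
    "first.last@example.edu",
    "firstlast@example.edu",
    "a.lee@example.edu",
]


def split_address(address):
    """Split on the last '@' and reject entries that are not addresses."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain.casefold()


def source_identity(address):
    """Mailbox identity in the source system.
    Assumption: case-insensitive, dots significant."""
    local, domain = split_address(address)
    return f"{local.casefold()}@{domain}"


def destination_identity(address):
    """Mailbox identity after migration.
    Assumption: the destination ignores dots and case in the local part."""
    local, domain = split_address(address)
    return f"{local.casefold().replace('.', '')}@{domain}"


def find_collisions(addresses):
    """Map each destination identity to the distinct source mailboxes that
    would land on it, keeping only those shared by more than one mailbox."""
    groups = defaultdict(set)
    for address in addresses:
        groups[destination_identity(address)].add(source_identity(address))
    return {dest: sorted(srcs) for dest, srcs in groups.items() if len(srcs) > 1}


def plan_migration(addresses):
    """Return (safe, held): mailboxes that can be moved automatically and
    mailboxes to hold for manual renaming because they would share an inbox."""
    collisions = find_collisions(addresses)
    held = sorted({src for srcs in collisions.values() for src in srcs})
    safe = sorted({source_identity(a) for a in addresses} - set(held))
    return safe, held


if __name__ == "__main__":
    for dest, sources in find_collisions(SAMPLE_EXPORT).items():
        print(f"{dest} would receive mail for: {', '.join(sources)}")
    safe, held = plan_migration(SAMPLE_EXPORT)
    print(f"{len(safe)} safe to migrate, {len(held)} held for review")
```

Holding every mailbox in a colliding group, rather than migrating the first one seen, avoids silently handing one user's mail history to another.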
lol that was brilliant :D
Just like you guys surrendered in Vietnam after killing 2 million locals for nothing?
Nor was the 18-36 hour outage that followed.
The only reason that this has been labelled small is because they only transitioned 200 accounts. Supposing they transitioned 20000 accounts (How many people are at Brown anyway?)
In this case. It seems in my experience more and more that most companies do not care how long the outage is or what caused it, or how poorly the service performs so long as the price is rock bottom and they avoid the IT department asking for more cash each year.
This is a self-correcting problem as more industries move into a greater reliance on computers. You can't just make IT another blindly outsourced number at the end of the day, and the decision can't come from a group of board members who think Gmail is a typo.
Good people go to bed earlier.
And I suppose that if a defense contractor leaked classified information then it's ok because you are a private company.
Point: Being a subcontractor doesn't let you off the hook when you're handling confidential information belonging to someone else.
Clouds are translucent.
My concern has always been the aggravation of making VERY sure there's no data to recover. Completely doable, but requires time and effort when they can just as easily have the HDD removed and toss the rest in the dumpster.
While your idea does work, I for one think legal and tax codes which incentivize throwing away working equipment rather than donating/selling it to someone that can use it indicate some deeper problems with modern society. It's a wasteful misuse of resources and it's causing unnecessary trash. And no, I don't care if it adds a few more dollars per year to some PC manufacturer's bottom line. Economies exist to serve their societies, not the other way around!
More seriously, what does nationality have to do with privacy issues? You think that maybe a Ugandan needs more privacy than a Russian?
From what I've learned from colleges, Europe has very strict privacy laws, especially with electronic information when compared to the US. What are departments allowed to see, store, etc. And failure to comply usually means all heck breaking loose.
I am a student at St. Ambrose University, a medium sized Midwestern school that's recently 'Gone Google'.
Here was our old Microsoft Exchange authentication scheme -
username: Student ID (rp7830284)
password: randomly generated string (h38Kbht8)
Now with Google Apps -
Google Apps username: email address (LastFirstM@sau.edu)
Google Apps password: Student ID (rp7830284)
That's right, they used our student IDs as passwords! I immediately logged into a couple of my friends' email accounts in disbelief. Worst of all, the IT folks just said 'well, they can reset it'. An informal poll revealed that practically no one had done so, knew how, or even desired to.
Now consider that this is the fourth combination of usernames/passwords that Ambrose has given everyone for various web services.
WTF
This same thing happened to Slashdot a few months ago for an afternoon. Every time I, and others, refreshed the page I was logged in under another Slashdot account. Other people had reported this in article comments until it got fixed.
...is why I still use POP3 or IMAP.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Have you actually read the EULAs to Google's services, or are you content to merely fearmonger and spread FUD about them? I hear this crap every time Chrome, or Gmail, or Blogspot are mentioned-- that there is a Google minion reading all your sordid affairs in some cubicle somewhere.
Possibly some day complaints will be based on legitimate issues with their services, rather than blatantly false attempts to rile up concern.
Works doubly if they had them insured against theft...
Little glitches like this just reinforce the idea that Google is not a safe pair of hands for confidential data. We just had a memo at work saying that Google Docs was not suitable for confidential data and they are cutting off all access to the site. Now, I don't know the rights and wrongs of that decision but I guess Google are losing the battle for the confidence of system administrators.
If you're not encrypting your e-mail (and you really have no choice in some cases - such as those back-mailed passwords) - you have no real privacy.
'E-mail security' fits into the same group of word combinations as 'military intelligence' and 'honest politician'.
I admit my grasp of how punitive damages actually work may be superficial, but as I understand it, they end up as being an incentive for silly lawsuits.
Coming from a different country, with a different legal system, I find weird the notion that punishment can be discussed in a civil court, instead of a criminal court where it belongs.
Granted, I'm not biased enough to ignore that I'm biased, but that's how I view it:
And anyone who tries to abuse the system should face some due consequence, I quite agree with that.
In a civil suit, for example, the costs of the proceedings plus, in severe cases, the defender's attorney fees. It's applied in some countries, just so you know.
There's nothing like $HOME