"Going Google" Exposes Students' Email

A ReadWriteWeb piece up on the NY Times site explores the recent glitch during the move of a number of colleges onto Google's email service that allowed a number of students to see each others' inboxes for a period of more than three days. Google would not give exact numbers, but the article concludes that about 10 schools were affected. "While the glitch itself was minor and was fixed in a few days, the real concern — at least at Brown — was with how Google handled the situation. Without communicating to the internal IT department, Google shut down the affected accounts, a decision which led to a heated conversation between school officials and the Google account representative. In the end, only 22 out of the 200 students were affected, but the fix was not put into place until Tuesday. ... The students had access to each other's email accounts for three solid days... before the accounts were suspended by Google. Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.' (We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"

3 Days Turnaround

[sgbett]

Is that three days after they were notified, or did the affected students keep it quiet for a couple of days for 'research purposes'.

Re:3 Days Turnaround

[john83]

It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

That was my thinking too, but TFA says that the students notified their admin on the Friday, who notified Google on the Saturday, who fixed it on the Tuesday. It's not clear - bad writing - but they may have suspended the service on the Monday.

Re:3 Days Turnaround

[Runaway1956]

"11 % of users were affected"

No, ~1% I think. Following the links in the links, you'll find that Brown University transferred 2000 accounts, not the 200 in the above summary. It seemed suspicious that a university was only transferring 200 accounts, to begin with. An individual small college would have that many accounts, or more.

Re:3 Days Turnaround

Well, I'm the guy at Brown who actually does the part of the migration that switches over internal email to Google (though others are involved), and I can tell you that we knew about a few almost immediately, from student reports. Google was involved as soon as we found out, but it took them a little while to determine exactly what happened.

Also, this wasn't as bad as it sounds. Students weren't receiving new mail meant for someone else, the problem was with the tool that migrated their old existing email from our Exchange system to their new Google email boxes. The 22 students got the contents of other students' -old- mail boxes, not new mail.

It appears that Google upgraded their IMAP migration tool on the back-end, and there was a problem with the new version. Interesting thing about 'the cloud', all the tools available on it are upgraded without the end user being aware. Had there been a 'migrate user email boxes - updated today to version 1.1!' button instead of 'migrate user email boxes', I might have waited a few days to let Google shake-out the bugs.

Re:3 Days Turnaround

[spyrochaete]

Is this still the gmail that you don't pay for btw?

Schools get Google Apps for free (that is to say, they don't pay for the licenses) but it's the full-fledged Google Apps that normally costs $50/user/year. It's effectively the same as the enterprise version.

Re:3 Days Turnaround

Is this still the gmail that you don't pay for btw?

Actually, having worked for a "university" who outsourced e-mail services to Google, it's not free. Not at all.

Re:3 Days Turnaround

[Bender0x7D1]

No offense, but from a privacy perspective there is nothing "less bad" about seeing "just" the contents of old mailboxes.

If I have nude photos, love letters, an email from porn-porn-porn.com, or just something I don't want someone else to read in my old mailboxes, how is someone else being able to see them not horribly bad even if they are over 90 days, (or whatever), old?

Google's version of...

[The+Ancients]

...social networking.

Taking it to a new level, no joining or other conscious actions required to share everything about your life.

Re:Google's version of...

[Arancaytar]

"You have sent an email to Emily. 6 people like this. 3 people have left a comment:"

"Frank has sent/received 26/20 emails to/from your friend Tom, 20/23 with your friend Megan, 15/12 with your friend John. Your social graph proximity is therefore 45.1. Click here to add Frank to your friend list and read his emails."

People would love it! :P

Re:Google's version of...

[sunjae]

Haha... So funny. You know what though. You should file a patent on this. At the current rate of people's acceptance of loss of privacy, this might actually come to pass!

Google: Lowering standards for the rest of us

[GradiusCVK]

We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.'

Look, I think we can all agree that if there were some major security breach like this for which we were responsible and we sat around for 3 days before doing anything, then unilaterally suspended a bunch of accounts before finally fixing the problem, we'd be fired.

On the other hand, if I were the head of IT at some place and we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence, it'd be really easy to say, "That's just how tech is, it's hard to do right even for Google, get used to it. Oh, and while you're looking for ways to prevent such a 'catastrophe' from ever happening again, consider boosting the IT budget, will ya?"

I'll bet that IT manager is pretty happy right now, student complaints aside.

Re:Google: Lowering standards for the rest of us

[JasterBobaMereel]

The current IT guy is laughing .... it is out of his hands and he cannot do anything about it and everyone knows this ...the person who outsourced it to Google however .....!

Re:Google: Lowering standards for the rest of us

[martinX]

we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence,

Does Google actually have a reputation for excellence? Apart from their search engine and maybe Google Maps, is anything they make "excellent"? Does anything excel; is anything groundbreaking and complete in utility and quality? I remember when a lot of their releases stayed in extended-Beta, which is code for "it's free, it's out there so use it at your own peril". I find a lot of their stuff nifty, and I think they head in interesting new directions, but they seem to be always short of excellence. Personally I think that they have gained years worth of kudos - and, by extension, a reputation for excellence - by creating a great search engine (not to mention the big plus of not being Microsoft) and are spending it.

Re:Google: Lowering standards for the rest of us

[KnownIssues]

Apart from their search engine and maybe Google Maps, is anything they make "excellent"?

I have to say, I'm really glad to hear someone share this opinion. I've been a long time "fanboy" of Google, seldom questioning any of their choices (while finding all manner of things to be critical of with Microsoft, Apple, and *nix/open-source). On reflexion after reading this, I've come to realize something: Google is what would result from my IQ being doubled and a thousand clones made from me. They find some problem-space, develop something with really cool potential, get bored when it comes to refining the product and making it viable, then find some shiny new problem to work on. It's like they're grad students getting paid by a commercial entity to do research.

Re:Breach of privacy

I'm French

Just save us the trouble and surrender this argument now.

Re:methinks he doth protest too much

[gbjbaanb]

Most people don't keep that on their email accounts...

Most people don't keep that *what* on their email accounts?

Private stuff?
Passwords?
User ids?
$25,000,000 money-making invitations?
Shakespeare quotes?

I know one fact about email which makes it an incredibly important security risk - the 'I forgot my password' link. Log on to a site you think the user uses, click that 'forgot' link, read his new password a few moments later. erm.. profit.

That said, this is google mail we're talking about, the one that bills itself as "store everything on us" we're safe and you'll never lose an email again thanks to our massive storage, indexing and searching facilities. So, for some people email is downloaded immediately and never stored on the server, for many many others, it stays right on the server.

I'd have cancelled the account, the way it was handled is not acceptable, even a free service has reasonable expectations of security. To let it linger for 3 days... that's simply not good enough.

Re:Someone has high demands.

[Trogre]

I'm sorry, perhaps you missed the part where students could read each others emails.

Microsoft participation is not required in this case.

They must be kidding

[trifish]

While the glitch itself was minor and was fixed in a few days

Pardon my ignorance, the glitch was minor?

What?

The fact that emails contain back-mailed passwords to many kinds of online services, including those involving payments (which is stupid practice, but the online service providers do it anyway, they send you the password when you sign up)...

The fact that I can reset your password to any third-party online service account where I know that you use it and that you associated it with this email account...

Still minor glitch? Reading others emails? Really? I or TFA must be missing something.

Re:They must be kidding

[Anarchduke]

Small glitch, as in 22 out of 200 students affected on a data migration to Google's free service.

The glitch itself wasn't fixed for three days, true. However, the glitch occurred on Friday, and the CIS department notified Google of the issue Saturday. Prior to the fix on Tuesday, Google had disabled the accounts. The article also states that during this 24 to 48 hour windows before Google shut down the accounts, the CIS had sent out emails to the students and waited for their replies. I don't know how fast you expect students to reply to an email sent out over the weekend, but I am guessing that those emails didn't get back to the CIS department immediately. Let's give it 12 hours.

So, a free service responds to your problem and disables the accounts within 24 to 36 hours, then fixes the problem 18 - 36 hours later. All the while this same service is responding to similar glitches at ten other institutions, with no word on how large those universities were.

Overall, I'd say that is a pretty fair turnaround, all things considered.


By the way, the author of the article, Sarah Perez, seems like a fairly Microsoft-centric person, considering her personal website. So the guess by miffo doesn't seem that far off.

Consider the article itself

Friday, September 11th, a couple of students notified Brown's Computing and Information Services department (CIS) that they were able to read emails belonging to other students. The CIS department contacted Google on the following dayand sent out an email to the 200 students whose mailboxes were in transition

then she says:

That means that the students had access to each other's email accounts for three solid days (Saturday, Sunday, Monday) as well as parts of Friday and Tuesday before the accounts were suspended by Google

The author includes "parts of Friday" even though she had made it clear Google wasn't notified until Saturday. I mean, my God, Google didn't even bother to go back in time to before they were notified!!!

Re:Someone has high demands.

What the fuck.

This is a really big deal. And if the excuse is that 3 days (admittedly, 2 of them weekend days) turnaround on an absolute security breach is what you get for free, and to expect better you must pay for it, then the proper response is to pay for better and not use this service because it's shit-broken. It is my understanding that Google Apps for Education is not a tiered service -- you're a school, you get it free; there is no paying for better. If there IS paying for better, then we should spread awareness that the free version is bad.

Might I point out that losing privacy on your email and THEN losing access is pretty much the worst possible failure mode? This is an enormous fuck-up. This has nothing to do with Microsoft. Why would you bring up Microsoft? YOU are the one twisting something into what it is not to make some other company look bad. If I were as paranoid as you, I'd suggest that Google or Apple or somesuch was paying you to do this, but in fact, I know that you're capable of being fuckwitted all on your own.

Jesus Christ. Google Apps' security fails utterly, and that's Google kicking Microsoft in the groin to you? Maybe Google can start a puppy-stomping program; I bet that's just like Google ripping Microsoft's arms off.

I'd be a lot more comfortable if Google said "yeah, we fucked up, here's what we're going to do to prevent this from happening again". Instead we get the self-contradictory "it was a small hiccup [...] it's an issue we've taken extremely seriously".

FERPA

[wireloose]

Worse than just a breach of privacy of email, students use their college-provided accounts to communicate with their faculty. If other students are able to see their emails, that constitutes a potential FERPA breach. As a college IT administrator, I would be screaming at Google for not sharing info and reacting immediately. Waiting a day to shut the accounts down temporarily is inexcusable.

Re:Still more secure than most school systems

[betterunixthanunix]

Google docs is another liability, when it comes to security. A while back, Columbia experienced a major data leak -- tens of thousands of social security numbers, names, dates of birth, etc. (everything you need to open a bank account) -- all because someone was using Google docs. Frankly, if you want the same level of document/email integration, there are a lot of free-libre and proprietary packages that will do that; MS Office, or KOffice+Kontact, for example. Being willing to put up with a slightly less convenient, but far more secure (in terms of data) method is all it really takes.