Complaint Challenges Univ. of Hawaii Email Partnership Wth Google

An anonymous reader writes "A recent move by the University of Hawaii forcing all students and faculty to migrate their independent university email accounts to Google has raised serious questions, prompting one student to file a complaint with the U.S. Department of Education, with senior faculty questioning both the implementation and scope of this partnership." One of the stranger notes: a clause, defended as standard, naming Google a "school official" of the university.

Sounds like shilling

[bky1701]

If my Community College can get away with forcing (it is actually required you use it) all students and faculty to use Hotmail, which works properly on precisely zero of my three main computers, I don't see how Gmail warrants a shitfit for any reason other than some MS bribery.

Re:Sounds like shilling

[SJHillman]

Our college had Exchange and we were expected to use OWA, so if you use anything other than IE say goodbye to most features (assuming it was useable at all).

Re:Sounds like shilling

[Sylak]

Recent versions of OWA play nice with IE 7+, FireFox 3.x+ and Safari... nothing else though

Re:Sounds like shilling

[poetmatt]

Considering the kid made the typical anti-google statements, I would tend to agree.

"Fread has filed a complaint with the federal Department of Education, saying, “They’re [UH] absolutely ignoring Google’s abysmal record with privacy.”

That's word for word, isn't it. quoted from fox news: Yep "Steve Pociask, president of the American Consumer Institute Center for Citizen Research, wrote on FoxNews.com that "[Google's] abysmal track record on privacy "
Or here's one for facebook: http://rsjrealestate.blogspot.com/2012/02/google-facebook-privacy-and-digital.html "Facebook, with its abysmal track record on privacy"
How often do people trot out this line as if it's facts?

Re:Sounds like shilling

[NeutronCowboy]

1) What does being a former marine have to do with privacy laws?
2) What does being a former superintendent for federal contracting projects have to do with privacy laws?
3) How do you know he is quite well versed in privacy laws?

Sounds to me like you're substituting an ad hominem with two unjustified appeals to authority and an unsupported statement of fact.

It's not good to show up to a battle of wits with nothing but wet blanks.

Re:Sounds like shilling

[Jeng]

Hard drive contents from the Street View collection?

Really?

Got a source on that one, cause that sounds more than just unlikely it sounds like a complete lie.

Re:Sounds like shilling

[KhabaLox]

Log in Gmail. Enable POP3 and/or IMAP access. Configure Thunderbird. Done.

I was thinking about this the other night. I like Gmail, but I don't really like it's interface. I don't want to install a client on every machine I use to access my email. Is there a website/service that acts like an email client that has a customizable (or at least better) interface?

Re:Sounds like shilling

[frisket]

WTF is this about? My university provides Exchange accounts for staff and faculty (default Outlook or OWA), and branded Gmail for students. But both types of account are accessible over IMAP with Thunderbird or the client of your choice. Yes, I know most users are unaware nowadays that there are such things as email clients besides Outlook, but unless the IT service is actually blocking or banning IMAP, I don't see what it matters what the backend hosting arrangements are. Much :-)

My old Uni did this.

My old university moved from forcing every student to use an email account hosted by the University to forcing every student to use an email account hosted by Google, with the same .university.ca domain.

It saved the University money and provided better service because the old mail system was crap.

What's the beef?

Re:My old Uni did this.

[rabbit994]

Because in most cases, Google is mining all those accounts for data and showing ads. In some cases, students may be involved with research that includes confidential data. Google does not provide guarantees that they won't mine/archive or protect that data in accordance with laws/regulations surrounding that data.

That's generally been beef I've seen with Google.

Re:My old Uni did this.

[ajuda]

I logged in for the first time in years to say this:

If you are dealing with confidential data, you should not be emailing it in plain text. EVER.

Even if your server isn't mining the data, someone on the other end (or someone in between) could too.

Would you feel comfortable having your social security number being sent over yahoo/hotmail/random university email?

Re:My old Uni did this.

[NeutronCowboy]

But on the other hand, people complain that schools are expensive and inefficient. The logical conclusion is to outsource non-core departments to the lowest bidder. Isn't that how the free market is supposed to work?

Oh wait, people complain about free markets if the free markets affect them negatively. I forgot that humans are not rational beings, and are instead illogical, petty and short-sighted. Libertarians included.

Re:My old Uni did this.

[rabbit994]

HIPPA does not require that data be passed in encrypted form. It only requires that reasonable effort be made secure it. However, that can be patient data can be transmitted via internal email because it's all Exchange and therefore encrypted over the wire, then in most cases, HIPPA is satisfied.

Email Encryption still has long way to go before it's completely transparent to user.

Re:My old Uni did this.

[Githaron]

But on the other hand, people complain that schools are expensive and inefficient. The logical conclusion is to outsource non-core departments to the lowest bidder. Isn't that how the free market is supposed to work?

Oh wait, people complain about free markets if the free markets affect them negatively. I forgot that humans are not rational beings, and are instead illogical, petty and short-sighted. Libertarians included.

Assuming people put their money where their mouth is, the free market welcomes complaint. When there is a market, either existing companies will change in order to grab up that market or new companies will come up to grab that market. Now, if you are a market of one, expect to pay a lot more since you will be dealing with a custom solution. Don't blame the free market if the average Joe would get email by giving out their personal data than paying cash for it. If you can't get your college or email service provider to change, there are other colleges and other email service providers. If you want something contrary to the majority of the market, expect to pay more for it.

Re:My old Uni did this.

[miserere+nobis]

It's not about being forced to use a specific email account. It is about handing the entire store of all academic, personal, and often confidential-by-law communications to a for-profit corporation whose business is data mining. We should be moving away from giving ownership of all our data to others, and universities should be at the head of that charge, not pushing people in the opposite direction. They should be seeking to protect the identities and private information of faculty, staff, and enrolled students, as well as sometimes sensitive and unpublished research data, as much as possible, not handing it over to third parties whose interests conflict with that goal. Where do Google's interests lie? Where do they stand to gain? From lowering the levels of information security and privacy and protection, not increasing it. This is at odds with what universities should be attempting to accomplish. Do, and should, your communications with the disciplinary board or billing office or your grades, or university medical center test results, or your personal communications about all the stupid stuff you do while a college student rightfully belong to an advertising company?

From an employer's perspective

[TWX]

As an employer there are laws on data retention, so faculty and staff e-mail has to be retained for legal purposes.

At this point I think it's foolish for students to expect e-mail at school to remain unarchived. Both free and paid private e-mail services are available all over the place.

As an employee I use work e-mail for only work-related purposes. Nothing private. In college this would be a good lesson for students to learn- use academia e-mail for "work" related purposes, as they'll have to do in their professional lives later.

Re:From an employer's perspective

[TWX]

Last I checked, it's possible for Google's mail to use SMTP and POP3. Whether or not the institution chooses that is not the same as it being impossible or even difficult to implement. We use Google for our e-mail at work, with our own domain, etc, and we have SMTP and POP3 enabled.

Re:We went with google

[smooth+wombat]

and our 2 gigabyte quotas.

You couldn't manage with 2 gigs? WTF are you doing? Let me guess, you're one of those who saves the email with the attachment rather than saving the attachment and deleting the email.

I tell people where I work, you have your email quota (set by another agency) and you get 1 pst file of 2 gigs. If you can't manage your email with that amount space, you're doing something wrong.

When they follow my suggestion, it's amazing how much space they suddenly have.

And before those of you start whining about how space is cheap, it costs about 1 penny per email per person per day to maintain. That's storage space, manpower to manage the space, backups and electricity to keep everything running. Multiply out the potentially millions of emails in an organization by that cost and you'll see why deleting emails and saving the attachment is the correct path.

Here to, but...

[betterunixthanunix]

We are at the mercy of Google now. When Google decides to roll out a new "feature," it is not as though we can choose not to use it. I thought that perhaps I could shield myself by using an email client, but guess what? When Google decided to start classifying some of my mail as "important," messages started disappearing from my inbox and appearing in a folder I had not subscribed to. It took me a few days to figure out what was happening, and to disable the "feature."

That and the fact that official communication basically shuts down if our Internet service is ever interrupted, which has happened a few times.

"School Official" is not strange, but CRITICAL...

[nweaver]

Normally, Google is the service provider. Which means if they get a warrant, or a subpoena, it goes to Google, and Google can answer it however they want or are required to. For example, with some warrants, Google would be forbidden from notifying the university about the warrant, and even when Google can, they are an intermediary that gets in the way.

By making Google a school official, such warrants and subpoenas go DIRECTLY to the University's attorneys. Berkeley's outsourced-to-google mail system has the same basic language from what I understand.

Re:We went with google

If it costs $0.01/email/day ($3.65/email/year) for storage and support then your entire IT operation should be shut down and replaced tomorrow.

Re:"School Official" is not strange, but CRITICAL.

[bobaferret]

Where I work we are a service provider for court public records, and are legally an agent of the court for exactly the same reasons. It allows any lawsuits or what have you to be directed to the court as opposed to us. If the court screws up, and makes some information public that shouldn't we do our best to correct the issue, but in the end it's the court's fault and not our own. We even have to be careful in how much help we give them in setting up what data they show, we can't direct them at all or it could make us liable for their bad choices. We can tell them what the majority of our other courts do in similar situations, but even that is a stretch.

A few points

[jklovanc]

1. Google in in a contract with the university that sets out exactly what Google can and can not do with the data. If they break that contract they will be sued and lose. It is not in a companies interest to leave themselves open to litigation and large judgments.
2. The "school official" phrase has a few implications;
  a. Subpoenas can go to the school instead of Google
  b. Teachers are required to post all correspondence on Gmail for retention purposes.
  c. IT is only required to support Gmail
Many universities are trying to cut IT budgets and one of the best ways is to outsource email. One of the biggest failings in the critics is that they offer no alternative. It is very easy to be an obstructionist and much more difficult to solve the issue. No matter what provider was chosen there would always be a few people who object to it and/or the process that came to the solution. For example one of the criticisms is that the comment period was too short at a couple of months and people did not have sufficient time to comment. If that period was extended to say six months there would be people criticizing that such a simple decision should not take so long and the university was wasting time and money. It is impossible to please everyone.

The "lack of consultation" issue is yet another example of what is called the "outhouse principle". It goes like this; When a huge complex project is proposed, say a power plant, where non experts do not have enough knowledge to understand the detail the approval process goes quite quickly as almost all comments are "yes" or "no". When a smaller project, such as an outhouse, is proposed everyone can understand how one is built and want to comment on every little detail of construction; what shape hole in the door(round, moon, star?), dimensions of the door, which way the door swings, how much ventilation room under the door, etc. The approval process for a simple project can be longer than a complex project.
There is no reason for everyone on campus to debate this issue until everyone is satisfied. It is a decision by the IT department who made it based on their experience and requirements. Does everyone comment when the chemistry department changes their chemical supplier? Does everyone comment when administration changes their paper supplier? Just because people think they should be able to have a say in matters they think the know about does not mean they really should.

HIPAA

[TheTerseOne]

If you're going to claim to know the implementation of a standard, it's usually best to actually know the standard. HIPAA (one P, two As) specifically states:

Covered entities must consider the use of encryption for transmitting EPHI, particularly over the Internet. As business practices and technology change, situations may arise where EPHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.

Re:We went with google

[KhabaLox]

You left out all the expensive bits.

Back up, electricity, manpower, space, maintenance, yada yada yada.

They're not that expensive. See my post in response to the GP. $0.01 per email per day equates to several dollars per GB per month. I have vendor quotes for disk and management (everything except electricity, rent, and AC - switches and cabling included) for orders of magnitude less than that. The only thing I can think is that he is dealing with much smaller volumes (i.e. less than 5-10 TB).

Re:Universities should NEVER outsource email

[Ash-Fox]

(a) No, not if you have competent IT staff, it's not

With no single cent spent at all on the service by the university, I find it hard to believe the same can be accomplished using the university's staff.

(b) should universities REALLY have email service provided by the lowest bidder?

To be fair, you'll be hard to find a provider that is the capability to constantly deal with increasing capacity, needs, functionality that is as reliable to Google. Now, considering Google is also cheaper than all the alternatives, you're hard pressed.

much of what it carries needs to remain private

I looked on Google for public e-mail archives of university but couldn't find any?

Doubly so when the chosen outsource vendor has a very, very, very long history of miserable performance on privacy issues.

Their history shows them acting responsibly when breaches have occurred actually. So, I have to disagree.

universities as a class have shown vastly more spine than Google has

I've seen many horrible issues with the universities class too. From being unable to secure their networks to terrible draconian policies that serve the interests of information control to prevent a series of 'nasty' truths from surfacing. Even using them both in tandem to get students silenced, removed for bringing awareness to the issue as the university expresses no interest in fixing said problems.

Incidentally, I've run email services ranging in size from "a few" to "a few million" users, and I've run some of them in academic environments -- i.e., I'm not speculating.

While doing it in such a way that the university doesn't spend a single cent on it, providing all the options of google apps premium (including outlook support, active sync)... Yeah, I don't believe you.