
Has anyone read this article about the privacy changes being implemented by Google starting March 1? What are your thoughts?

http://www.washingtonpost.com/business/economy/google-tracks-consumers-a...

--
Nicole Kegler
Communications Manager
University Information Security Office
Georgetown University
202-687-5784

Protecting data is a shared responsibility!

INSTALL antivirus and antispyware software.
USE strong passwords.
KNOW who you are dealing with online.
STORE confidential and sensitive data on encrypted devices only.
SHUT DOWN computers or disconnect from the Internet when it's not in use.

Comments

Thanks Nicole. I had not read it before now.

My thoughts: I don't like it. I also don't like the potential loss of privacy in the USA PATRIOT act and the potential loss of freedom in the NDAA. I see these as symptoms of a society that continues to allow personal privacy and freedom to be eroded, mostly because we're simply not paying attention. I've been told that I should just "get over it", which is probably the easiest course of action. Maybe I'll feel better after my 4 hours (on average) of TV today. ;^) (Wow - I guess I woke up on the wrong side of cynicism this morning)

-Vik

Vik Solem, CISSP, Sr. Applications Risk Consultant
Tufts University, Information Security, vik.solem@tufts.edu / 617-627-4326
InfoSec Team: information_security@tufts.edu / 617-627-6070

On 2012-01-25 10:44 , "Nicole Kegler" wrote:

>Has anyone read this article about the privacy changes being implemented
>by Google starting March 1? What are your thoughts?
>
>http://www.washingtonpost.com/business/economy/google-tracks-consumers-acr
>oss-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html?hpid=z3
>
>--
>Nicole Kegler
>Communications Manager
>University Information Security Office
>Georgetown University
>202-687-5784
>
>Protecting data is a shared responsibility!
>
>INSTALL antivirus and antispyware software.
>USE strong passwords.
>KNOW who you are dealing with online.
>STORE confidential and sensitive data on encrypted devices only.
>SHUT DOWN computers or disconnect from the Internet when it's not in use.
Message from pete@shadows.uottawa.ca

Each time Google will acquire something new, it gets more and more scary.... and what about other non-google sites using google services/add-ins/whatever.... such as the restaurant with the google maps to show its location... And all the other things google provides for free to web developers.

On Wed, Jan 25, 2012 at 10:44:05AM -0500, Nicole Kegler wrote:
> Has anyone read this article about the privacy changes being implemented
> by Google starting March 1? What are your thoughts?
>
> http://www.washingtonpost.com/business/economy/google-tracks-consumers-a...
>
> --
> Nicole Kegler
> Communications Manager
> University Information Security Office
> Georgetown University
> 202-687-5784
>
> Protecting data is a shared responsibility!
>
> INSTALL antivirus and antispyware software.
> USE strong passwords.
> KNOW who you are dealing with online.
> STORE confidential and sensitive data on encrypted devices only.
> SHUT DOWN computers or disconnect from the Internet when it's not in use.

--
Pete Hickey
The University of Ottawa
Ottawa, Ontario
Canada

"I want to move to theory; everything works in theory."
Sure flies in the face of what the EU is proposing: http://www.nytimes.com/2011/11/30/technology/a-proposal-for-eu-wide-data... Tracy
Message from terry.l.cavender@vanderbilt.edu

So should we not be concerned that this is already being done? Some analysts said Google's move is aimed squarely at Apple and Facebook - which have been successful in building unified ecosystems of products that capture people's attention. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tracy Mitrano Sent: Wednesday, January 25, 2012 10:40 AM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users Sure flies in the face of what the EU is proposing: http://www.nytimes.com/2011/11/30/technology/a-proposal-for-eu-wide-data... Tracy
Time to switch your default search engine. Marty On 1/25/2012 11:30 AM, Solem, Vik P. wrote: > Thanks Nicole. I had not read it before now. > > My thoughts: I don't like it. I also don't like the potential loss of > privacy in the USA PATRIOT act and the potential loss of freedom in the > NDAA. I see these as symptoms of a society that continues to allow > personal privacy and freedom to be eroded, mostly because we're simply not > paying attention. I've been told that I should just "get over it", > which is probably the easiest course of action. Maybe I'll feel better > after my 4 hours (on average) of TV today. ;^) (Wow - I guess I woke up > on the wrong side if cynicism this morning) > > -Vik > > > Vik Solem, CISSP, Sr. Applications Risk Consultant > Tufts University, Information Security, vik.solem@tufts.edu / 617-627-4326 > InfoSec Team: information_security@tufts.edu / 617-627-6070 > > > > > > > > > On 2012-01-25 10:44 , "Nicole Kegler" wrote: > >> Has anyone read this article about the privacy changes being implemented >> by Google starting March 1? What are your thoughts? >> >> http://www.washingtonpost.com/business/economy/google-tracks-consumers-acr >> oss-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html?hpid=z3 >> >> -- >> Nicole Kegler >> Communications Manager >> University Information Security Office >> Georgetown University >> 202-687-5784 >> >> Protecting data is a shared responsibility! >> >> INSTALL antivirus and antispyware software. >> USE strong passwords. >> KNOW who you are dealing with online. >> STORE confidential and sensitive data on encrypted devices only. >> SHUT DOWN computers or disconnect from the Internet when it's not in use. > -- Martin Manjak CISSP, GIAC GSEC-G Information Security Officer University at Albany MSC 209 518/437-3813 The University at Albany will never ask you to reveal your password. Please ignore all such requests.
Message from ahockett@warnerpacific.edu

Having read the Post article and numerous other tech articles on the privacy issue, I believe Google has made the unfortunate misstep of setting itself up for one of the most prolific data breaches that will cause a ripple effect in the IT and consumer data privacy laws. What I also find even more ironic is that this is a result of poor company earnings. So in order to exploit us even more and to protect their revenue, they need "more data" in a single bucket.

I don't know about the rest of you, but I'm stocking up on tin-foil hats. :)

-Aaron
Not sure my understanding is correct. If I am not going to sign in at YouTube or Google search (which I don't have to or need to), then I probably will not be affected and I'll get untailored search results?

On Wed, 2012-01-25 at 11:34 -0500, Pete Hickey wrote:
Each time Google will acquire something new, it gets more and more scarey.... add what about other non-google sites using google services/add-ins/whatever.... such as the resturant with the google maps to show its location... And all the other things google provides for free to web developers. On Wed, Jan 25, 2012 at 10:44:05AM -0500, Nicole Kegler wrote: > Has anyone read this article about the privacy changes being implemented > by Google starting March 1? What are your thoughts? > > http://www.washingtonpost.com/business/economy/google-tracks-consumers-across-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html?hpid=z3 > > -- > Nicole Kegler > Communications Manager > University Information Security Office > Georgetown University > 202-687-5784 > > Protecting data is a shared responsibility! > > INSTALL antivirus and antispyware software. > USE strong passwords. > KNOW who you are dealing with online. > STORE confidential and sensitive data on encrypted devices only. > SHUT DOWN computers or disconnect from the Internet when it's not in use.

--
Leo Song, Senior Analyst & Cluster Lead
Computing and Communication Services - Networking and Security
University of Guelph
(519) 824-4120 x 53181


All your data are belonging to us. Nothing to see here, move along. thx steve -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@listserv.educause.edu] On Behalf Of Cavender, Terry Sent: Wednesday, January 25, 2012 11:43 AM To: SECURITY@listserv.educause.edu Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users So should we not be concerned that this is already being done? Some analysts said Google's move is aimed squarely at Apple and Facebook - which have been successful in building unified ecosystems of products that capture people's attention. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tracy Mitrano Sent: Wednesday, January 25, 2012 10:40 AM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users Sure flies in the face of what the EU is proposing: http://www.nytimes.com/2011/11/30/technology/a-proposal-for-eu-wide-data... Tracy
Vik, I agree. Perhaps we need to pay a little something for a great service (e.g. quickly finding something useful among 50 billion web pages). Perhaps then we can expect to be treated like the customer instead of being the product to be resold to advertizers. Just one of the things we are not paying enough attention to. - Troy On 1/25/2012 11:46 AM, Martin Manjak wrote: > Time to switch your default search engine. > Marty > > On 1/25/2012 11:30 AM, Solem, Vik P. wrote: >> Thanks Nicole. I had not read it before now. >> >> My thoughts: I don't like it. I also don't like the potential loss of >> privacy in the USA PATRIOT act and the potential loss of freedom in the >> NDAA. I see these as symptoms of a society that continues to allow >> personal privacy and freedom to be eroded, mostly because we're simply not >> paying attention. I've been told that I should just "get over it", >> which is probably the easiest course of action. Maybe I'll feel better >> after my 4 hours (on average) of TV today. ;^) (Wow - I guess I woke up >> on the wrong side if cynicism this morning) >> >> -Vik >> >> >> Vik Solem, CISSP, Sr. Applications Risk Consultant >> Tufts University, Information Security, vik.solem@tufts.edu / 617-627-4326 >> InfoSec Team: information_security@tufts.edu / 617-627-6070 >> >> >> >> >> >> >> >> >> On 2012-01-25 10:44 , "Nicole Kegler" wrote: >> >>> Has anyone read this article about the privacy changes being implemented >>> by Google starting March 1? What are your thoughts? >>> >>> http://www.washingtonpost.com/business/economy/google-tracks-consumers-acr >>> oss-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html?hpid=z3 >>> >>> -- >>> Nicole Kegler >>> Communications Manager >>> University Information Security Office >>> Georgetown University >>> 202-687-5784 >>> >>> Protecting data is a shared responsibility! >>> >>> INSTALL antivirus and antispyware software. >>> USE strong passwords. >>> KNOW who you are dealing with online. 
>>> STORE confidential and sensitive data on encrypted devices only. >>> SHUT DOWN computers or disconnect from the Internet when it's not in use. >> > > -- Troy Jordan t r o y j @ m a i n e . e d u GIAC GCIH,GCIA ------------------------------------------------------------ Network Systems Security Analyst Office of the CISO University of Maine System (UMS) ------------------------------------------------------------ 233 Science Building | voice: 207.561.3590 Portland, ME 04103 | fax: 509.351.3650
How long before Google, like Facebook, tells us that everything you upload to Google Docs now is their property and not yours? The average user will never see the problem since they prefer convenience over security. "Save all my important docs to a free cloud server so I (and anyone else on the planet) can access it from anywhere? Sounds great to me!"
 
Bob

Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers@mail.wvu.edu


>>> On Wednesday, January 25, 2012 at 11:59 AM, "Bradley, Stephen W. Mr." <bradlesw@MUOHIO.EDU> wrote:
All your data are belonging to us.

Nothing to see here, move along.

thx

steve

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@listserv.educause.edu] On Behalf Of Cavender, Terry
Sent: Wednesday, January 25, 2012 11:43 AM
To: SECURITY@listserv.educause.edu
Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users

So should we not be concerned that this is already being done?

Some analysts said Google's move is aimed squarely at Apple and Facebook - which have been successful in building unified ecosystems of products that capture people's attention. 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tracy Mitrano
Sent: Wednesday, January 25, 2012 10:40 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users

Sure flies in the face of what the EU is proposing:

http://www.nytimes.com/2011/11/30/technology/a-proposal-for-eu-wide-data-protection-regulation.html

Tracy

Now would be a pretty good time to try another search engine.  Google might even take the hint if enough people switch.

 

thx

steve

Hi,

Is anyone doing or considering setting desktop images\installations to clear browser cache and/or cookies on logout? I've been thinking of this for a while, but there will be a slowdown for users. In this case would that be helpful here to protect user privacy and send a message? For forensics we can discover traffic via other methods.

Does anyone know, will Google collect the data instantaneously?

Maria
All of the privacy concerns have caught the attention of the Supreme Court (or a few of the justices) - specifically with how it applies to the 4th Amendment and protections against unreasonable searches and seizures. http://www.forbes.com/sites/kashmirhill/2012/01/23/a-supreme-court-justi... On 1/25/2012 11:40 AM, Tracy Mitrano wrote: > Sure flies in the face of what the EU is proposing: > > http://www.nytimes.com/2011/11/30/technology/a-proposal-for-eu-wide-data... > > Tracy > >
On 2012-01-25 12:20 , "Steve Bohrer" wrote: >
Message from mclaugkl@ucmail.uc.edu

Two words: Indefinite Detention man I'm a very strong patriot and I just got shivers..... - Kevin Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified Chief Information Security Officer (CISO) & Assistant Vice President TEWG-Region 6 TLO University of Cincinnati 513-556-9177   The University of Cincinnati is one of America's top public research institutions and one of the region's largest employers, with a student population of more than 42,700.
While I understand, grudgingly, why some cross service sharing may have some justification, I vehemently oppose the notion that -contents- of my email or Google docs can be termed "information that I provide to Google!" Have the universities that have chosen to outsource email to Google and use Google docs vs Office thought about this?? I try to keep believing that Scott McNealy was wrong but Google is certainly trying to prove -me- wrong. Has anyone tried to contact Dr. Alma Whitten, Google's Director of Privacy for Product and Engineering, about this? http://research.google.com/pubs/author32149.html David PS: There are already quite a few articles on this Google move ...
Message from graham@american.edu

I've been using it for a while now (for various reasons) and I really like it. For those of you that keep cookies between sessions, they have some really nice options [http://duckduckgo.com/settings.html] and their bang syntax is a nice feature [http://duckduckgo.com/bang.html]. Definitely recommended. Now I just need a good free web-based email alternative... Isabelle Graham Information Security Engineer American University On 2012-01-25 13:40, Solem, Vik P. wrote: > On 2012-01-25 12:20 , "Steve Bohrer" wrote: > > >>
I think this may be a bit overly-sunny, but it is an interesting take on the upcoming Google policy shift:

I know this is veering off-topic, but if you want guaranteed non-tracked email, paying for it is the only way to go, imho. As long as it's free, there's going to have to be something to pay for it, and advertisers have gotten used to being able to get targeted eyeballs for their pitches. 

Karl Bernard 
Senior Information Security Analyst
UTHealth, Academic Health Center at Houston


Amazing, Google just sent me their explanation in the notification e-mail. Nice of them right after I changed my default engine to Duck Duck Go. steve ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@listserv.educause.edu] On Behalf Of Josh Richard [jrichar4@D.UMN.EDU] Sent: Wednesday, January 25, 2012 2:52 PM To: SECURITY@listserv.educause.edu Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users
On Wed, 2012-01-25 at 20:11 -0500, Bradley, Stephen W. Mr. wrote:
> Amazing, Google just sent me their explanation in the notification e-mail.

Yeah... the explanation is that they reduced the privacy policy to one. A deep explanation that certainly addresses the privacy issues.

Two links later I was able to browse the actual privacy policy which essentially gives them carte blanche to do whatever they please with your personal information (developing a new 'service' is one of the catch all excuses given).

About the only thing I saw that they restricted themselves on was full sharing with doubleclick is supposed to be opt-in only. Nice if true, but completely ignores the widespread, and not mentioned whatsoever in the privacy policy, google-analytics.

> Nice of them right after I changed my default engine to Duck Duck Go.

Thanks to the pointers on this list I have switched now.

Another thing that troubles me is that virustotal has been increasingly requiring javascript for the site to function. This has always bothered me because there is no functionality on the site that requires javascript, they just chose to implement it that way. And in the latest revision it won't work unless you allow google.com.

I'm aware of some alternatives, but I'm curious about reputation. What do people here use other than virustotal?

Tim Doty

> From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@listserv.educause.edu] On Behalf Of Josh Richard [jrichar4@D.UMN.EDU]
> Sent: Wednesday, January 25, 2012 2:52 PM
> To: SECURITY@listserv.educause.edu
> Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users
Read it & trying to determine what this means for Yale.

We outsource many of our student email accts to Google now (though our branded gmail does not have Google targeted ads shown alongside the messages).

Morrow

Sent from my iPhone
Message from jtk@cymru.com

On Thu, 26 Jan 2012 08:24:08 -0600 Tim Doty wrote: > I'm aware of some alternatives, but I'm curious about reputation. What > do people here use other than virustotal? I can't speak to reputation, but here are a few popular alternatives. Not all of these do exactly the same thing, but they do at least provide a similar sort of service: John
On Thu, 2012-01-26 at 09:01 -0600, John Kristoff wrote: > On Thu, 26 Jan 2012 08:24:08 -0600 > Tim Doty wrote: > > > I'm aware of some alternatives, but I'm curious about reputation. What > > do people here use other than virustotal? > > I can't speak to reputation, but here are a few popular alternatives. > Not all of these do exactly the same thing, but they do at least provide > a similar sort of service: > > yep, these guys are good for getting an analysis > I don't think I've seen this one before, thanks! > > > > This is one I've started using. Note, they also require javascript "just because" (c'mon, it doesn't require javascript to do a simple form, but for some reason the submit button isn't active until you permit their domain -- I haven't analyzed what their javascript does, but the fact they require it for *submit* button is not encouraging). > I've never had wepawet ever find anything, even on files simple enough for manual examination it would conclude it was safe. Tim Doty
A quick look at jotti's source and I expect them to follow virustotal down the path of requiring allowing all google domains to function. To force javascript enabled they disable the form input and then use javascript to enable it. They have a claim that the service will not work without javascript. Inasmuch as that is true it is only so because they deliberately broke the page. Of course, it is a misleading statement anyway because javascript isn't an either/or situation (thanks to NoScript). They also use javascript to validate form data. I haven't looked at it deeply (what is there to validate for a simple file upload?), but I did notice the comment that they skip hidden elements because user's can't alter the information. Really? My estimation of their web developers is dropping... The javascript they include looks pretty mundane, just some "fancy it up" type stuff (and of course a function to enable the submit button for the form). If they were upfront and said "this is an ad supported service, we will try our best to make it not work if you don't view our ads" I'd think more highly of them. What would be nice is a community service that did what virustotal and jotti do, but without the back links to google. Maybe something for REN-ISAC (as if they didn't have enough stuff lined up already...) Tim Doty On Thu, 2012-01-26 at 09:23 -0600, Tim Doty wrote: > On Thu, 2012-01-26 at 09:01 -0600, John Kristoff wrote: > > On Thu, 26 Jan 2012 08:24:08 -0600 > > Tim Doty wrote: > > > > > I'm aware of some alternatives, but I'm curious about reputation. What > > > do people here use other than virustotal? > > > > I can't speak to reputation, but here are a few popular alternatives. > > Not all of these do exactly the same thing, but they do at least provide > > a similar sort of service: > > > > > > yep, these guys are good for getting an analysis > > > > I don't think I've seen this one before, thanks! > > > > > > > > > > > This is one I've started using. 
Note, they also require javascript "just > because" (c'mon, it doesn't require javascript to do a simple form, but > for some reason the submit button isn't active until you permit their > domain -- I haven't analyzed what their javascript does, but the fact > they require it for *submit* button is not encouraging). > > > > > I've never had wepawet ever find anything, even on files simple enough > for manual examination it would conclude it was safe. > > Tim Doty
Message from valdis.kletnieks@vt.edu

On Thu, 26 Jan 2012 09:38:22 CST, Tim Doty said: > They also use javascript to validate form data. I haven't looked at it > deeply (what is there to validate for a simple file upload?), but I did > notice the comment that they skip hidden elements because user's can't > alter the information. Really? My estimation of their web developers is > dropping... Somebody shoot me. Or them. Or somebody. :) Am I the only person who has this cool add-on? https://tamperdata.mozdev.org/ I suspect the guys at jotti need to test-drive this one a bit. ;) Oh, this is often useful when trying to figure out what the web developers did to screw things up *this* time: http://chrispederick.com/work/web-developer/
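An added example, not part of the thread and not the code of any site discussed in it: the point made in the two messages above, that a hidden form field is as editable as a visible one once the request leaves the browser, shown as a validator that skips hidden fields next to one that checks every submitted field. The field names, the size limit and the sample submissions are constructed for illustration.

```javascript
// Constructed form definition (hypothetical; not taken from any real site).
// "hidden: true" marks fields the page renders as <input type="hidden">.
const FORM_FIELDS = {
  filename:  { hidden: false, check: v => typeof v === 'string' && /^[\w.\- ]{1,128}$/.test(v) },
  // The server chose this value when it rendered the form, so the only
  // acceptable submission is the same constant coming back unchanged.
  max_size:  { hidden: true,  check: v => v === '26214400' },
  scan_mode: { hidden: true,  check: v => ['quick', 'full'].includes(v) },
};

// Validator built on the assumption quoted in the thread: hidden elements
// are skipped "because users can't alter the information".
function validateSkippingHidden(submission) {
  const errors = [];
  for (const [name, spec] of Object.entries(FORM_FIELDS)) {
    if (spec.hidden) continue; // hidden fields are never looked at
    if (!spec.check(submission[name])) errors.push(name);
  }
  return errors;
}

// Server-side validator: every submitted value is untrusted input, whether
// the browser displayed it or not, and fields the form never had are rejected.
function validateAllFields(submission) {
  const errors = [];
  for (const name of Object.keys(submission)) {
    if (!Object.prototype.hasOwnProperty.call(FORM_FIELDS, name)) {
      errors.push(`unexpected:${name}`);
    }
  }
  for (const [name, spec] of Object.entries(FORM_FIELDS)) {
    if (!spec.check(submission[name])) errors.push(name);
  }
  return errors;
}

// Constructed submissions. HONEST is what an unmodified browser would send;
// TAMPERED is the same request after a request-editing add-on or proxy has
// changed a hidden value and appended a field the form never contained.
const HONEST   = { filename: 'sample.bin', max_size: '26214400', scan_mode: 'quick' };
const TAMPERED = { filename: 'sample.bin', max_size: '999999999999', scan_mode: 'quick', debug: '1' };

console.log('skip-hidden validator, tampered:', validateSkippingHidden(TAMPERED));
console.log('all-fields validator, tampered: ', validateAllFields(TAMPERED));
console.log('all-fields validator, honest:   ', validateAllFields(HONEST));
```

A stricter design drops `max_size` from the form entirely and enforces the limit from server configuration, so there is no client-supplied value to check.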
I asked the question also and was told (not by google) that this only applies to their consumer apps, not core Google Apps for Edu Have you contacted google to confirm this? Joel --On Wednesday, January 25, 2012 12:56 PM -0500 Morrow Long wrote: > Read it & trying to determine what this means for Yale. > > We outsource many of our studen > > Sent from my iPhonet email accts to Google now (though our branded gmail does not have Google targeted ads shown alongside the messages). > > Morrow > >
I don't see any indication that the changes to the generic policy are trumped by the edu-apps policy. But, I'm no lawyer. http://www.google.com/apps/intl/en/edu/privacy.html Jesse On 1/26/12 11:08 AM, Joel Rosenblatt wrote: > I asked the question also and was told (not by google) that this only > applies to their consumer apps, not core Google Apps for Edu > > Have you contacted google to confirm this? > > Joel > > --On Wednesday, January 25, 2012 12:56 PM -0500 Morrow Long > wrote: > >> Read it & trying to determine what this means for Yale. >> >> We outsource many of our studen >> >> Sent from my iPhonet email accts to Google now (though our branded >> gmail does not have Google targeted ads shown alongside the messages). >> >> Morrow >> >>
I think we need to hear from Google. Part of the rationale for the current change is that Google wants to reduce the # of different privacy policies they have (for different products). Morrow
On Thu, 2012-01-26 at 13:11 -0500, H Morrow Long wrote:
> I think we need to hear from Google.
>
> Part of the rationale for the current change is that Google wants to reduce the # of different privacy policies they have (for different products).

The thing is, they could have accomplished that without giving themselves permission to tie everything about you in every service together and then exploit that in any way they see fit (I refer to the 'developing new service' as just one example of the carte blanche they reserve).

They *do* throw in a provision that tying in to doubleclick will be opt-in. What about google-analytics? *crickets*

They could have a single policy while maintaining separation. That isn't what they want.

Tim Doty

> Morrow
Per this article, contractual agreements are not affected by the updated policy. "Google's enterprise branch quickly clarified, though, that the new policy does not apply to enterprise systems such as Google Apps for Government, Business or Education, which are defined by individual customer contracts." http://techinsider.nextgov.com/2012/01/former_e-gov_director_calls_new_g... ___________________________________ Daniel V. O'Callaghan, Jr., MBA, CISSP, GCFA Chief Information Security Officer Sinclair Community College 444 W Third St, 13-000F Dayton, OH 45402 937.512.2452 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jesse Thompson Sent: Thursday, January 26, 2012 12:57 PM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users I don't see any indication that the changes to the generic policy are trumped by the edu-apps policy. But, I'm no lawyer. http://www.google.com/apps/intl/en/edu/privacy.html Jesse On 1/26/12 11:08 AM, Joel Rosenblatt wrote: > I asked the question also and was told (not by google) that this only > applies to their consumer apps, not core Google Apps for Edu > > Have you contacted google to confirm this? > > Joel > > --On Wednesday, January 25, 2012 12:56 PM -0500 Morrow Long > wrote: > >> Read it & trying to determine what this means for Yale. >> >> We outsource many of our studen >> >> Sent from my iPhonet email accts to Google now (though our branded >> gmail does not have Google targeted ads shown alongside the messages). >> >> Morrow >> >>
But Dan, would it affect the individual students at an edu using say Miami or Sinclair mail? They sign up outside the university and wouldn't necessarily be covered unless specifically called out in the contract. I love a good cloud. thx steve -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@listserv.educause.edu] On Behalf Of O'Callaghan, Daniel Sent: Thursday, January 26, 2012 1:33 PM To: SECURITY@listserv.educause.edu Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users Per this article, contractual agreements are not affected by the updated policy. "Google's enterprise branch quickly clarified, though, that the new policy does not apply to enterprise systems such as Google Apps for Government, Business or Education, which are defined by individual customer contracts." http://techinsider.nextgov.com/2012/01/former_e-gov_director_calls_new_g... ___________________________________ Daniel V. O'Callaghan, Jr., MBA, CISSP, GCFA Chief Information Security Officer Sinclair Community College 444 W Third St, 13-000F Dayton, OH 45402 937.512.2452 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jesse Thompson Sent: Thursday, January 26, 2012 12:57 PM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users I don't see any indication that the changes to the generic policy are trumped by the edu-apps policy. But, I'm no lawyer. http://www.google.com/apps/intl/en/edu/privacy.html Jesse On 1/26/12 11:08 AM, Joel Rosenblatt wrote: > I asked the question also and was told (not by google) that this only > applies to their consumer apps, not core Google Apps for Edu > > Have you contacted google to confirm this? > > Joel > > --On Wednesday, January 25, 2012 12:56 PM -0500 Morrow Long > wrote: > >> Read it & trying to determine what this means for Yale. 
>> >> We outsource many of our studen >> >> Sent from my iPhonet email accts to Google now (though our branded >> gmail does not have Google targeted ads shown alongside the messages). >> >> Morrow >> >>
As I understand it (IANAL), what is collected/covered is determined by domain. If the account is an enterprise/hosted domain covered by contract, contract takes precedence; if the account is a 'public' Google account, the new policy applies. Our student mail (@my.sinclair.edu) and any apps we contract with Google for use by these domain accounts are covered by the privacy provisions of our contract with Google, not the new public policy. Of course, the reality is that most of our students and staff also have personal Google accounts not covered by our contract, so while Google might not be collecting personal info from @my.sinclair.edu accounts (and the cynical me wonders how we would know, if they would really admit if they were, and if push came to shove--could they prove where they got the info), they likely get the same or similar info from Google Search, Toolbar, Gmail, Google+, YouTube, Android, Maps, Navigation, Earth, Docs, Picasa... Google is just one of the companies doing this. Look at the policies of all the 'free' service providers. Facebook, Linked-in, Yahoo, MS all make money using CRM and similar. Ever read the terms of use on 'free' smartphone apps? Do you ever wonder what the contract says that most law-enforcement and state/federal agencies have with Lexis-Nexis to warehouse the data they collect on citizens? IMO, privacy as we traditionally think of it no longer exists, and what little is left is rapidly eroding. If you've never seen it, watch the YouTube of Steve Rambam's "Privacy is Dead - Get Over It" presentation. It's a little dated, but still valid. Of course, this doesn't mean we abdicate responsibility for protecting the privacy of the data we do have control over, but Pandora's Box is already open, and I think we are just beginning to deal with the repercussions. 
-Dan _________________________ Dan O'Callaghan CISO, Sinclair Community College 937.512.2452 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bradley, Stephen W. Mr. Sent: Thursday, January 26, 2012 3:15 PM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users But Dan, would it affect the individual students at an edu using say Miami or Sinclair mail? They sign up outside the university and wouldn't necessarily be covered unless specifically called out in the contract. I love a good cloud. thx steve -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@listserv.educause.edu] On Behalf Of O'Callaghan, Daniel Sent: Thursday, January 26, 2012 1:33 PM To: SECURITY@listserv.educause.edu Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users Per this article, contractual agreements are not affected by the updated policy. "Google's enterprise branch quickly clarified, though, that the new policy does not apply to enterprise systems such as Google Apps for Government, Business or Education, which are defined by individual customer contracts." http://techinsider.nextgov.com/2012/01/former_e-gov_director_calls_new_g... ___________________________________ Daniel V. O'Callaghan, Jr., MBA, CISSP, GCFA Chief Information Security Officer Sinclair Community College 444 W Third St, 13-000F Dayton, OH 45402 937.512.2452 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jesse Thompson Sent: Thursday, January 26, 2012 12:57 PM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users I don't see any indication that the changes to the generic policy are trumped by the edu-apps policy. But, I'm no lawyer. 
http://www.google.com/apps/intl/en/edu/privacy.html Jesse On 1/26/12 11:08 AM, Joel Rosenblatt wrote: > I asked the question also and was told (not by google) that this only > applies to their consumer apps, not core Google Apps for Edu > > Have you contacted google to confirm this? > > Joel > > --On Wednesday, January 25, 2012 12:56 PM -0500 Morrow Long > wrote: > >> Read it & trying to determine what this means for Yale. >> >> We outsource many of our student email accts to Google now (though our branded >> gmail does not have Google targeted ads shown alongside the messages). >> >> Sent from my iPhone >> >> Morrow >> >>
Google's new privacy change will apparently not affect Education, Government nor Enterprise business customers (at least not right away anyway). As long as we have current contracts. [ http://www.computerworld.com/s/article/9223753/Google_says_privacy_chang... ] Google says privacy change won't affect government users Company downplays privacy, security concerns from former federal IT official By Jaikumar Vijayan January 26, 2012 05:02 PM ET 1 Comment Computerworld - Google today dismissed concerns by a former senior federal IT official that the company's controversial new privacy policy would create problems for customers of Google Apps for Government (GAFG). In a statement, Google said the new policy will not change existing contracts that define how it handles and stores data belonging to government users of its cloud services. "Enterprise customers using Google Apps for Government, Business or Education have individual contracts that define how we handle and store their data," Amit Singh, vice president of Google Enterprise said in a statement. "As always, Google will maintain our enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain," he said. According to Singh, Google's contractual agreements have always superseded its privacy policy for enterprise customers.
Contracts expire... are the privacy terms negotiable? Dave Kovarik Northwestern University 847-467-5930 -----Original Message----- From: H Morrow Long Reply-To: The EDUCAUSE Security Constituent Group Listserv Date: Fri, 27 Jan 2012 10:06:03 -0500 To: Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users >Google's new privacy change will apparently not affect Education, >Government nor Enterprise business customers (at least not right away >anyway). >As long as we have current contracts. > >[ >http://www.computerworld.com/s/article/9223753/Google_says_privacy_change_ >won_t_affect_government_users?source=CTWNLE_nlt_security_2012-01-27&utm_so >urce=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ff >eed%2Ftopic%2F84+%28Computerworld+Privacy+News%29 ] > >Google says privacy change won't affect government users > >Company downplays privacy, security concerns from former federal IT >official > >By Jaikumar Vijayan >January 26, 2012 05:02 PM ET >1 Comment > >Computerworld - Google today dismissed concerns by a former senior >federal IT official that the company's controversial new privacy policy >would create problems for customers of Google Apps for Government (GAFG). > >In a statement, Google said the new policy will not change existing >contracts that define how it handles and stores data belonging to >government users of its cloud services. "Enterprise customers using >Google Apps for Government, Business or Education have individual >contracts that define how we handle and store their data," Amit Singh, >vice president of Google Enterprise said in a statement. > >"As always, Google will maintain our enterprise customers' data in >compliance with the confidentiality and security obligations provided to >their domain," he said. > >According to Singh, Google's contractual agreements have always >superseded its privacy policy for enterprise customers. > > >
Dave et al., And, with a view to the best interests of our students, it does not help them if our university "contracts" protect them while they are students but then get them (per the basic idea of Google's outreach to the university community) deeply enmeshed with Google with negative implications for the rest of their lives. -- Guy On 1/27/12 9:16 AM, David C Kovarik wrote: > Contracts expire... are the privacy terms negotiable? > Dave Kovarik > Northwestern University > 847-467-5930 > > > -----Original Message----- > From: H Morrow Long > Reply-To: The EDUCAUSE Security Constituent Group Listserv > > Date: Fri, 27 Jan 2012 10:06:03 -0500 > To: > Subject: Re: [SECURITY] Google announces privacy changes, no opt out for > users > >> Google's new privacy change will apparently not affect Education, >> Government nor Enterprise business customers (at least not right away >> anyway). >> As long as we have current contracts. >> >> [ >> http://www.computerworld.com/s/article/9223753/Google_says_privacy_change_ >> won_t_affect_government_users?source=CTWNLE_nlt_security_2012-01-27&utm_so >> urce=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ff >> eed%2Ftopic%2F84+%28Computerworld+Privacy+News%29 ] >> >> Google says privacy change won't affect government users >> >> Company downplays privacy, security concerns from former federal IT >> official >> >> By Jaikumar Vijayan >> January 26, 2012 05:02 PM ET >> 1 Comment >> >> Computerworld - Google today dismissed concerns by a former senior >> federal IT official that the company's controversial new privacy policy >> would create problems for customers of Google Apps for Government (GAFG). >> >> In a statement, Google said the new policy will not change existing >> contracts that define how it handles and stores data belonging to >> government users of its cloud services. 
"Enterprise customers using >> Google Apps for Government, Business or Education have individual >> contracts that define how we handle and store their data," Amit Singh, >> vice president of Google Enterprise said in a statement. >> >> "As always, Google will maintain our enterprise customers' data in >> compliance with the confidentiality and security obligations provided to >> their domain," he said. >> >> According to Singh, Google's contractual agreements have always >> superseded its privacy policy for enterprise customers. >> >> >>
Larry, I just disabled the port in NetDisco. I haven't checked yet, but I suspect the registration does not have a NetID tied to it, only a dept affiliation, and that's why it doesn't show up. Martin Manjak Information Security Officer University at Albany Via OWA ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@LISTSERV.EDUCAUSE.EDU] on behalf of Guy Almes [galmes@TAMU.EDU] Sent: Friday, January 27, 2012 10:51 AM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google announces privacy changes, no opt out for users Dave et al., And, with a view to the best interests of our students, it does not help them if our university "contracts" protect them while they are students but then get them (per the basic idea of Google's outreach to the university community) deeply enmeshed with Google with negative implications for the rest of their lives. -- Guy On 1/27/12 9:16 AM, David C Kovarik wrote: > Contracts expire... are the privacy terms negotiable? > Dave Kovarik > Northwestern University > 847-467-5930 > > > -----Original Message----- > From: H Morrow Long > Reply-To: The EDUCAUSE Security Constituent Group Listserv > > Date: Fri, 27 Jan 2012 10:06:03 -0500 > To: > Subject: Re: [SECURITY] Google announces privacy changes, no opt out for > users > >> Google's new privacy change will apparently not affect Education, >> Government nor Enterprise business customers (at least not right away >> anyway). >> As long as we have current contracts. 
>> >> [ >> http://www.computerworld.com/s/article/9223753/Google_says_privacy_change_ >> won_t_affect_government_users?source=CTWNLE_nlt_security_2012-01-27&utm_so >> urce=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ff >> eed%2Ftopic%2F84+%28Computerworld+Privacy+News%29 ] >> >> Google says privacy change won't affect government users >> >> Company downplays privacy, security concerns from former federal IT >> official >> >> By Jaikumar Vijayan >> January 26, 2012 05:02 PM ET >> 1 Comment >> >> Computerworld - Google today dismissed concerns by a former senior >> federal IT official that the company's controversial new privacy policy >> would create problems for customers of Google Apps for Government (GAFG). >> >> In a statement, Google said the new policy will not change existing >> contracts that define how it handles and stores data belonging to >> government users of its cloud services. "Enterprise customers using >> Google Apps for Government, Business or Education have individual >> contracts that define how we handle and store their data," Amit Singh, >> vice president of Google Enterprise said in a statement. >> >> "As always, Google will maintain our enterprise customers' data in >> compliance with the confidentiality and security obligations provided to >> their domain," he said. >> >> According to Singh, Google's contractual agreements have always >> superseded its privacy policy for enterprise customers. >> >> >>
Whoops! Now there's a major mis-direction of email. Apologies for spamming the list. That was clearly intended as an internal communication. Martin Manjak Information Security Officer University at Albany Via OWA
On Fri, 27 Jan 2012, H Morrow Long wrote: Without knowing what our contract states, and what portions of the contracts refer to URLs whose contents may or may not have changed, the below statement sort of means nothing. Well, it means Google is not violating a legal contract, but the terms in that contract were hardly static, if I recall correctly. Am I wrong for most of us? Mike Mike Porter Systems Programmer V IT/NSS University of Delaware > Google's new privacy change will apparently not affect Education, Government nor Enterprise business customers (at least not right away anyway). > As long as we have current contracts. > > [ http://www.computerworld.com/s/article/9223753/Google_says_privacy_chang... ] > > Google says privacy change won't affect government users > > Company downplays privacy, security concerns from former federal IT official > > By Jaikumar Vijayan > January 26, 2012 05:02 PM ET > 1 Comment > > Computerworld - Google today dismissed concerns by a former senior federal IT official that the company's controversial new privacy policy would create problems for customers of Google Apps for Government (GAFG). > > In a statement, Google said the new policy will not change existing contracts that define how it handles and stores data belonging to government users of its cloud services. "Enterprise customers using Google Apps for Government, Business or Education have individual contracts that define how we handle and store their data," Amit Singh, vice president of Google Enterprise said in a statement. > > "As always, Google will maintain our enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain," he said. > > According to Singh, Google's contractual agreements have always superseded its privacy policy for enterprise customers. > > >
Right. Google is being intentionally vague. I'm not a lawyer, but my interpretation is that the new privacy policy effectively allows Google to bypass the protections offered in the EDU privacy policy for the core apps. The only way around it is to disable all of the non-core apps. Again, I'm no lawyer. From http://www.google.com/policies/privacy/preview/ "We may combine personal information from one service with information, including personal information, from other Google services" I understand this to mean that all apps are now able to interchange personal data, which means that the new consumer apps privacy policy would effectively minimize or eliminate (in some cases) the protections within our core apps privacy policy. Jesse On 1/27/12 11:56 AM, Mike Porter wrote: > On Fri, 27 Jan 2012, H Morrow Long wrote: > > Without knowing what our contract states, and what portions of the > contracts refer to URLs whose contents may or may not have changed, > the below statement sort of means nothing. Well, it means Google is > not violating a legal contract, but the terms in that contract were > hardly static, if I recall correctly. Am I wrong for most of us? > > Mike > > Mike Porter > Systems Programmer V > IT/NSS > University of Delaware > >> Google's new privacy change will apparently not affect Education, >> Government nor Enterprise business customers (at least not right away >> anyway). >> As long as we have current contracts. >> >> [ >> http://www.computerworld.com/s/article/9223753/Google_says_privacy_chang... >> ] >> >> Google says privacy change won't affect government users >> >> Company downplays privacy, security concerns from former federal IT >> official >> >> By Jaikumar Vijayan >> January 26, 2012 05:02 PM ET >> 1 Comment >> >> Computerworld - Google today dismissed concerns by a former senior >> federal IT official that the company's controversial new privacy >> policy would create problems for customers of Google Apps for >> Government (GAFG). 
>> >> In a statement, Google said the new policy will not change existing >> contracts that define how it handles and stores data belonging to >> government users of its cloud services. "Enterprise customers using >> Google Apps for Government, Business or Education have individual >> contracts that define how we handle and store their data," Amit Singh, >> vice president of Google Enterprise said in a statement. >> >> "As always, Google will maintain our enterprise customers' data in >> compliance with the confidentiality and security obligations provided >> to their domain," he said. >> >> According to Singh, Google's contractual agreements have always >> superseded its privacy policy for enterprise customers. >> >> >>
On Tue, 2012-01-31 at 09:11 -0600, Jesse Thompson wrote: > Right. Google is being intentionally vague. > > I'm not a lawyer, but my interpretation is that the new privacy policy > effectively allows Google to bypass the protections offered in the EDU > privacy policy for the core apps. The only way around it is to disable > all of the non-core apps. Again, I'm no lawyer. so... today I got an email from google because we use Postini that looks very like the one from google if you have gmail. It refers to the same privacy policy, the one that says "we can do whatever we want with your data". I'm no lawyer, but I'm concerned that this means they are in fact considering *all* users, EDU or not, as being subjects of spying. > From http://www.google.com/policies/privacy/preview/ > > "We may combine personal information from one service with information, > including personal information, from other Google services" Take this in the light of google having access to all your email because the institution uses Postini. I'm not liking where this is going. > I understand this to mean that all apps are now able to interchange > personal data, which means that the new consumer apps privacy policy > would effectively minimize or eliminate (in some cases) the protections > within our core apps privacy policy. I think it is worth double checking that you still have a core apps privacy policy, or that it won't change come March 1st. Yes, they state it doesn't include services that have a separate privacy policy, but the whole point is that they are combining them and they *were* separate but are now not only unified in terms, but permit sharing of information between them. (That last distinction is one of my personal gripes with how google is doing this. They are pretending that unifying to a single privacy policy requires allowing them to share your PII between all of them.) 
From http://www.google.com/policies/privacy/preview/ > Our Privacy Policy applies to all of the services offered by Google > Inc. and its affiliates, including services offered on other sites > (such as our advertising services), but excludes services that have > separate privacy policies that do not incorporate this Privacy Policy. The last phrase '...that do not incorporate this Privacy Policy' indicates to me specific assurance is needed that your existing one won't simply be merged in with this PII-should-be-free model. Also from http://www.google.com/policies/privacy/preview/ > For external processing > > We provide personal information to our affiliates or other trusted > businesses or persons to process it for us, based on our instructions > and in compliance with our Privacy Policy and any other appropriate > confidentiality and security measures. So they are saying they will provide PII to other businesses or persons for them to process it on Google's behalf. Of course, Google is looking out for you and those folks will have to protect your PII just as well as Google did -- by only providing it in exchange for a service, apparently. I am no lawyer, but that looks pretty meaningless to me. I mean, they promise not to just publish it on the web or put it up on an anonymous FTP server -- after all they expect to receive some benefit for sharing it. You might also be interested how Google defines "sensitive personal information" which is the term they use rather than PII. From http://www.google.com/policies/privacy/preview/faq/#toc-terms-sensitive-... > This is a particular category of personal information relating to > confidential medical facts, racial or ethnic origins, political or > religious beliefs or sexuality. So medical facts, race/ethnicity, political/religious beliefs or sexuality. But not, for example, financial/economic information. Or personally identifying information.
Would searching for debt relief not be considered something they need to protect? Not even necessary to invoke the 'business relationship' clause for selling the geographic location and name of individuals performing such searches? Maybe I should take off my tin foil hat and quit hiding from the Sun, but this new 'privacy' policy concerns me. Tim Doty > > Jesse > > On 1/27/12 11:56 AM, Mike Porter wrote: > > On Fri, 27 Jan 2012, H Morrow Long wrote: > > > > Without knowing what our contract states, and what portions of the > > contracts refer to URLs whose contents may or may not have changed, > > the below statement sort of means nothing. Well, it means Google is > > not violating a legal contract, but the terms in that contract were > > hardly static, if I recall correctly. Am I wrong for most of us? > > > > Mike > > > > Mike Porter > > Systems Programmer V > > IT/NSS > > University of Delaware > > > >> Google's new privacy change will apparently not affect Education, > >> Government nor Enterprise business customers (at least not right away > >> anyway). > >> As long as we have current contracts. > >> > >> [ > >> http://www.computerworld.com/s/article/9223753/Google_says_privacy_chang... > >> ] > >> > >> Google says privacy change won't affect government users > >> > >> Company downplays privacy, security concerns from former federal IT > >> official > >> > >> By Jaikumar Vijayan > >> January 26, 2012 05:02 PM ET > >> 1 Comment > >> > >> Computerworld - Google today dismissed concerns by a former senior > >> federal IT official that the company's controversial new privacy > >> policy would create problems for customers of Google Apps for > >> Government (GAFG). > >> > >> In a statement, Google said the new policy will not change existing > >> contracts that define how it handles and stores data belonging to > >> government users of its cloud services. 
"Enterprise customers using > >> Google Apps for Government, Business or Education have individual > >> contracts that define how we handle and store their data," Amit Singh, > >> vice president of Google Enterprise said in a statement. > >> > >> "As always, Google will maintain our enterprise customers' data in > >> compliance with the confidentiality and security obligations provided > >> to their domain," he said. > >> > >> According to Singh, Google's contractual agreements have always > >> superseded its privacy policy for enterprise customers. > >> > >> > >>