Main Nav

Hi Folks....

Has anyone else been approached by Google Maps to allow them to "map your campus" in detail - presumably, for student navigation purposes??  Here's the "agreement" that they want us to sign off on.  I have some basic concerns, but - then again - my concerns may be completely unfounded.  So - I thought I'd offer this up to this group to see what your collective wisdom would respond with....(note the italicized entry)....

Let me know what you all think....

 

Thanks,

 

Michael

Agreement
We (the “Property Owner”, “Property Manager”, or “Property Operator”) hereby permit Google Inc. (through its employees, affiliates or agents) to enter the publicly accessible areas of the properties described above, at a time and in the manner directed by our designated contact person listed in the Signatory Information area below, to collect Location Information.
 
For the purposes of this agreement, “Location Information” means Wi-Fi access point MAC addresses (also known as BSSIDs); Wi-Fi access point properties (including signal strength); mobile handset-generated compass, gyroscope and accelerometer measurements; and other related information.

Google will abide by the property access rules specified by our designated contact person. 

Google must have suitable insurance coverage or self-insure for all of Google’s activities on the propert(ies).  Google will be responsible for all costs of its data collection, and will be the exclusive owner of all right, title and interest in all data collected on the proper(ties).

This letter does not give Google any intellectual property rights to our trademarks or logos.  Neither party will use the other’s name, trademark or logo in any public statement without the other’s permission.

We affirm that we are either the Property Owner, the Property Manager, or the Property Operator, and that we have full power and authority to grant you the permission above.


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Comments

Message from win-hied@bradjudy.com

Sounds like what Google has been doing with their StreetView cars for years.  I expect they have a backpack version of it with which someone walks around your campus.  Then they can provide detailed location information to devices that don’t have a GPS.  The only reason they even have to ask is that they won’t be a public roads, but on University property. 

 

It’s up to your campus’ legal and business offices to decide if they want to allow Google to map on campus, but I don’t see it as a notable security issue.  They’ve already collected that information for your access points that reach to public roads covered by StreetView. 

 

Brad Judy

 

 

 

We’ve had google on campus already for a mapping project, and they have a tricked out 3 wheeled adult size tricycle with their cameras mounted on it and the peddle around the sidewalks much like the car would do for street view.

 

Michael

 

FYI

 

From the Technology section of today’s NY Times – The Federal Gov’t has claimed that when it investigated claims  into potential invasion of privacy problems with Google (accidently) capturing Wi-Fi traffic during Google’s Streetview project that some at Google apparently attempted to obstruct the investigation:

 

http://www.nytimes.com/2012/04/16/technology/fccs-google-case-leaves-unanswered-questions.html

 

 

 

If memory serves me, they were fined $25k by the FCC for impeding the investigation. I'm sure they could take that out of petty cash. Marty On 4/16/2012 10:32 AM, Morrow Long wrote: > FYI > > > > From the Technology section of today's NY Times - The Federal Gov't has > claimed that when it investigated claims into potential invasion of privacy > problems with Google (accidently) capturing Wi-Fi traffic during Google's > Streetview project that some at Google apparently attempted to obstruct the > investigation: > > > > http://www.nytimes.com/2012/04/16/technology/fccs-google-case-leaves-una... > red-questions.html > > > > > Martin Manjak CISSP, GIAC GSEC-G Information Security Officer University at Albany MSC 209 518/437-3813 The University at Albany will never ask you to reveal your password. Please ignore all such requests.

Find attached a photo of the Streetview trike operating on our campus. There is a small Honda generator in the rear compartment to power the cameras and such.

 

Best,

alex

 

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
☛Burk Hall 155 ☎ (415)338-6117 ✉alkeller@sfsu.edu

 

 

The link indicates that the fine was assessed, but there is no indication that google has paid it, particularly in light that they apparently can still contest having to pay even that token amount. But as to the original query: I think concerns would be that Google has demonstrated a lack of concern for privacy* and what they might collect and do with what they collect. But ultimately it would seem a question for general counsel. * I think that statement requires some justification, skip if you aren't concerned. First they captured data, then when confronted over the matter they initially denied having done so, then claimed it was fragmentary, before finally admitting they had captured complete emails, login credentials, etc. Somehow only one person at Google knows whether or not they were also cracking wireless encryption and he has invoked the fifth amendment to avoid testifying. Google has not allowed any third party access for an audit to determine the true extent of Google's data capture and subsequent use of that data so there is no certainty as to the completeness of the information Google has provided.
Michael, I realize that for those of whose job includes security there is a responsibility to be a little paranoid, but this seems pretty harmless. Wearing another my hats of being responsible for the wireless network this seems very cool. They are offering to map the strength of our WiFi signal in the public areas of our campus. We don't intentionally provide wireless signal outdoors: here in the northeast there are only 2 weeks a year that the weather is conducive to sitting outside and working, otherwise it's too cold or it's raining or it's too sunny to see the screen! However a wireless heat map of the campus would be useful to students and useful to us to see if there are areas that we should pump up a bit. Most campuses have centrally controlled WiFi networks and I can't see any particular security risk to Google advertising the (after all) publicly viewable aspects of our networks. Am I missing something? - Mark From: "SCHALIP, MICHAEL" > Date: Mon, 16 Apr 2012 00:16:19 -0400 Subject: Google Maps offering to "map our locations"....concerns?? Hi Folks.... Has anyone else been approached by Google Maps to allow them to "map your campus" in detail - presumably, for student navigation purposes?? Here's the "agreement" that they want us to sign off on. I have some basic concerns, but - then again - my concerns may be completely unfounded. So - I thought I'd offer this up to this group to see what your collective wisdom would respond with....(note the italicized entry).... Let me know what you all think.... Thanks, Michael Agreement We (the “Property Owner”, “Property Manager”, or “Property Operator”) hereby permit Google Inc. (through its employees, affiliates or agents) to enter the publicly accessible areas of the properties described above, at a time and in the manner directed by our designated contact person listed in the Signatory Information area below, to collect Location Information. For the purposes of this agreement, “Location Information” means Wi-Fi access point MAC addresses (also known as BSSIDs); Wi-Fi access point properties (including signal strength); mobile handset-generated compass, gyroscope and accelerometer measurements; and other related information. Google will abide by the property access rules specified by our designated contact person. Google must have suitable insurance coverage or self-insure for all of Google’s activities on the propert(ies). Google will be responsible for all costs of its data collection, and will be the exclusive owner of all right, title and interest in all data collected on the proper(ties). This letter does not give Google any intellectual property rights to our trademarks or logos. Neither party will use the other’s name, trademark or logo in any public statement without the other’s permission. We affirm that we are either the Property Owner, the Property Manager, or the Property Operator, and that we have full power and authority to grant you the permission above. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
In light of this thread, I asked on the NACUA list if Google approached any attorneys. So far only one responded. It was, for the record, a private institution. Tracy On a mobile device, please excuse typos.
Message from mail@jeffmoore.com

Perhaps we are ultra paranoid with the bomb threats we have had recently
http://www.katu.com/news/local/Bomb-threat-shuts-down-Chemeketa-Community-College-139217864.html?tab=gallery&c=y&img=1
but we are trying to be very protective of our internal structural information. We even went to the extreme of removing particular maps of our campus due to the fact that they had shown the internal dimensions of the buildings. As with anything this information can be used against us and our concerns are that someone could use this information strategically in a very negative way. We are looking at it with the view that the internal layout of the buildings is not a necessity for students and when we do provide them we will provide partial views that will cover the place of interest.
Perhaps its a bit extreme but we have swayed toward the conservative side.

Thanks all hope this helps!

Jeff (Tinfoil Hat) Moore

CCC

While I agree that campus wireless maps are useful, I am more comfortable when they are contained on an access controlled site as opposed to publicly displayed on Google. Here in Massachusetts we have similar weather conditions, but that does not stop people from driving to the school and sitting in their cars (rain or snow) while using campus (guest) wireless services. Granted, a lot of this use went away when we moved to 802.1x (registered users) and a minimal set of services for guest wireless, but it still exists. I don't see Google making that any better. Dan Jones CISO UMass Medical School
Hi Mark....et al.... Your point is well taken - and absolutely correct. I just thought this would be something to throw out to the masses and see what everyone else was thinking or doing. As it turns out - I think most folks feel the way you do....you can't stop them - if anything, having a "contract" with them is just formal notification and acknowledgement of what they're doing....or going to do anyway. I'm not the decision maker in matters like this.....just the information gatherer.....so, this is the overview that I passed along..... Thanks, Michael
With tongue loosely placed in cheek...
 
If James Cameron were writing the screenplay for The Terminator today, would he use "Google" instead of "Skynet?"
 
"Hi. I'm from Google. Give us your permission to map everything we want and use the data globally however we decide. 
'No' you say?
I'll be back."
 
Bob
 
 


 
 
Robert E. Meyers,  Ms.Ed.
Manager, Security Awareness
  Information Security Services
West Virginia University
office: (304) 293-8502
remeyers@mail.wvu.edu


>>> On Tuesday, April 17, 2012 at 11:51 AM, "SCHALIP, MICHAEL" <mschalip@CNM.EDU> wrote:
Hi Mark....et al....

Your point is well taken - and absolutely correct.  I just thought this would be something to throw out to the masses and see what everyone else was thinking or doing.  As it turns out - I think most folks feel the way you do....you can't stop them - if anything, having a "contract" with them is just formal notification and acknowledgement of what they're doing....or going to do anyway.  I'm not the decision maker in matters like this.....just the information gatherer.....so, this is the overview that I passed along.....

Thanks,

Michael

 

We have similarly been approached by Google, and there has been some internal discussion about the pros and cons.

 

I find it difficult to sustain the notion that a floor plan presents a significant risk to the institution. Just two points, first from the venerable Claude Shannon: “The enemy knows the system.” Second, if a floor plan presents a significant risk, how can that risk be mitigated by the tens of thousands of students that walk the floor plan daily?

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brian Basgen

Director of User Support Services (Acting)

& Information Security Officer

 

Pima Community College

Office: 520-206-4873

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Moore
Sent: Tuesday, April 17, 2012 8:31 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns??

 

Perhaps we are ultra paranoid with the bomb threats we have had recently
http://www.katu.com/news/local/Bomb-threat-shuts-down-Chemeketa-Community-College-139217864.html?tab=gallery&c=y&img=1
but we are trying to be very protective of our internal structural information. We even went to the extreme of removing particular maps of our campus due to the fact that they had shown the internal dimensions of the buildings. As with anything this information can be used against us and our concerns are that someone could use this information strategically in a very negative way. We are looking at it with the view that the internal layout of the buildings is not a necessity for students and when we do provide them we will provide partial views that will cover the place of interest.
Perhaps its a bit extreme but we have swayed toward the conservative side.

Thanks all hope this helps!

Jeff (Tinfoil Hat) Moore

CCC

I'm curious why there have been few comments about what Google did -not- say in the agreement.  There have been many news stories about Google "accidentally" collecting emails, passwords, etc., as a byproduct of doing this mapping.  My own paranoia would lead me to request an explicit clause that says something like "Any information recorded by Google or it's contractor other than what is described above as Location Information shall not be used for any purpose and shall be erased from all records immediately upon discovery."

David


I share Brian's belief that floor plans are not a significant risk and if they are they are well know or easily discoverable already. I also fail to understand from this thread what we would be protecting and why it is important. If we are talking about mapping publicly accessible areas and wireless access points visible to the public haven't we already granted the ability to know and access that information?

I find the thought of removing maps of public places or putting them behind access controls contrary to the openness of the university environment. It can be hard to facilitate exchange of knowledge if you are perceived as closed off or complicated to navigate. 

Nathan

The reasonably paranoid person in me was also going to say what David said. I'd be more concerned with what they may be gathering "accidentally" while they are at your campus than what they are there to officially do. It's not like Google hasn't "accidentally" done this in the past - http://www.computerworld.com/s/article/9176810/Google_stops_sniffing_Wi_... I don't know about you, but the difference between running netstumbler and tcpdump isn't just a simple "whoops - wrong button, my bad..." kinda thing, so a little bit of suspicion is well placed. Sven -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David L. Wasley Sent: Tuesday, April 17, 2012 1:04 PM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns?? I'm curious why there have been few comments about what Google did -not- say in the agreement. There have been many news stories about Google "accidentally" collecting emails, passwords, etc., as a byproduct of doing this mapping. My own paranoia would lead me to request an explicit clause that says something like "Any information recorded by Google or it's contractor other than what is described above as Location Information shall not be used for any purpose and shall be erased from all records immediately upon discovery." David

Geez……I *love* sci-fi analogies……(I’m using this one, and promise to give you full credit….;-)

M

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Robert Meyers
Sent: Tuesday, April 17, 2012 10:34 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns??

 

With tongue loosely placed in cheek...

 

If James Cameron were writing the screenplay for The Terminator today, would he use "Google" instead of "Skynet?"

 

"Hi. I'm from Google. Give us your permission to map everything we want and use the data globally however we decide. 

'No' you say?

I'll be back."

 

Bob

 

 



 

 

Robert E. Meyers,  Ms.Ed.
Manager, Security Awareness
  Information Security Services

West Virginia University
office: (304) 293-8502
remeyers@mail.wvu.edu

>>> On Tuesday, April 17, 2012 at 11:51 AM, "SCHALIP, MICHAEL" <mschalip@CNM.EDU> wrote:

Hi Mark....et al....

Your point is well taken - and absolutely correct.  I just thought this would be something to throw out to the masses and see what everyone else was thinking or doing.  As it turns out - I think most folks feel the way you do....you can't stop them - if anything, having a "contract" with them is just formal notification and acknowledgement of what they're doing....or going to do anyway.  I'm not the decision maker in matters like this.....just the information gatherer.....so, this is the overview that I passed along.....

Thanks,

Michael

Michael, Don't forget that all the Rebels needed were the floor plans of the Death Star. :p ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Brian Basgen Director of User Support Services (Acting) & Information Security Officer Pima Community College Office: 520-206-4873 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of SCHALIP, MICHAEL Sent: Tuesday, April 17, 2012 10:32 AM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns?? Geez..I *love* sci-fi analogies..(I'm using this one, and promise to give you full credit..;-) M From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Robert Meyers Sent: Tuesday, April 17, 2012 10:34 AM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns?? With tongue loosely placed in cheek...   If James Cameron were writing the screenplay for The Terminator today, would he use "Google" instead of "Skynet?"   "Hi. I'm from Google. Give us your permission to map everything we want and use the data globally however we decide.  'No' you say? I'll be back."   Bob         Robert E. Meyers,  Ms.Ed. Manager, Security Awareness   Information Security Services West Virginia University office: (304) 293-8502 remeyers@mail.wvu.edu >>> On Tuesday, April 17, 2012 at 11:51 AM, "SCHALIP, MICHAEL" wrote: Hi Mark....et al.... Your point is well taken - and absolutely correct.  I just thought this would be something to throw out to the masses and see what everyone else was thinking or doing.  As it turns out - I think most folks feel the way you do....you can't stop them - if anything, having a "contract" with them is just formal notification and acknowledgement of what they're doing....or going to do anyway.  I'm not the decision maker in matters like this.....just the information gatherer.....so, this is the overview that I passed along..... Thanks, Michael
Message from mail@jeffmoore.com

One question for those that have been through this mapping process. Is this like the google car where they will offer a "street view" of the inside of your buildings or is it strictly google maps and wifi mapping?

Thanks!

Jeff M

Message from mail@jeffmoore.com

So is the google trike R2D2? It carries the "Death Star" plans! ;)

And it has three wheels just like R2. Cue the twilight zone music!

jm

I don't think they ride the trike inside the buildings, but I think they do ride it on the campus sidewalks. I've been trying to remember a campus that I had seen on google maps that had been mapped this way, but so far I have been unable to recall what it was. - ken Jeff Moore wrote: > So is the google trike R2D2? It carries the "Death Star" plans! ;) > > And it has three wheels just like R2. Cue the twilight zone music! > > jm > >
Message from gwillia5@uccs.edu

They sort of go through the buildings if your sidewalk goes through the building. http://maps.google.com/maps?hl=en&client=safari&oe=UTF-8&hq=UCCS&hnear=C... Just turn around and go through our University Center and you'll see what I mean. Here is also an article written when Google mapped our campus: http://communique.uccs.edu/?p=959 Greg Williams IT Security Principal University of Colorado at Colorado Springs Website: http://www.uccs.edu/itsecure -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken Connelly Sent: Tuesday, April 17, 2012 12:02 PM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns?? I don't think they ride the trike inside the buildings, but I think they do ride it on the campus sidewalks. I've been trying to remember a campus that I had seen on google maps that had been mapped this way, but so far I have been unable to recall what it was. - ken Jeff Moore wrote: > So is the google trike R2D2? It carries the "Death Star" plans! ;) > > And it has three wheels just like R2. Cue the twilight zone music! > > jm > >
I agree with this as well. There's a difference between walking around with your wifi adapter on and seeing what you see and actually capturing information, which I believe if anyone of us got caught doing would land us in a federal prison.

I would suggest, if asked for opinion by administration, that a stipulation be made that Google only be allowed to do passive scanning of the network only. That way they can still gather their WiFi location data if they want but not get user data.
--
Heath Barnhart, CCNA
Network Administrator
Information Systems Services
Washburn University
Topeka, KS

On 4/17/2012 12:20 PM, Hahues, Sven wrote:
The reasonably paranoid person in me was also going to say what David said. I'd be more concerned with what they may be gathering "accidentally" while they are at your campus than what they are there to officially do. It's not like Google hasn't "accidentally" done this in the past - http://www.computerworld.com/s/article/9176810/Google_stops_sniffing_Wi_Fi_data_after_privacy_gaffe I don't know about you, but the difference between running netstumbler and tcpdump isn't just a simple "whoops - wrong button, my bad..." kinda thing, so a little bit of suspicion is well placed. Sven -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David L. Wasley Sent: Tuesday, April 17, 2012 1:04 PM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns?? I'm curious why there have been few comments about what Google did -not- say in the agreement. There have been many news stories about Google "accidentally" collecting emails, passwords, etc., as a byproduct of doing this mapping. My own paranoia would lead me to request an explicit clause that says something like "Any information recorded by Google or it's contractor other than what is described above as Location Information shall not be used for any purpose and shall be erased from all records immediately upon discovery." David
On Tue, Apr 17, 2012 at 01:21:45PM -0500, Heath Barnhart wrote: > I agree with this as well. There's a difference between walking around with > your wifi adapter on and seeing what you see and actually capturing > information, which I believe if anyone of us got caught doing would land us in > a federal prison. There isn't a difference though.. unless by "see" you mean display to the screen and "capture" you mean write to disk. > I would suggest, if asked for opinion by administration, that a stipulation be > made that Google only be allowed to do passive scanning of the network only. > That way they can still gather their WiFi location data if they want but not > get user data. "passive scanning" confuses two different concepts. What google did originally that got them in trouble was completely passive data collection and didn't even involve any type of scanning. What google had intended on doing was to capture the unencrypted 802.11 beacon frames which contain the SSID and BSSID. They accidentally captured all 802.11 frames, including those from people using insecure wireless networks. The only reason why google every captured user data was users were being stupid and broadcasting their data in the clear into public areas. -- -- Justin Azoff -- Network Security & Performance Analyst
Hi, I'm curious, who did Google approach to ask for permission to scan the campus? Thanks, Joel --On Tuesday, April 17, 2012 3:04 PM -0400 Justin Azoff wrote: > On Tue, Apr 17, 2012 at 01:21:45PM -0500, Heath Barnhart wrote: >> I agree with this as well. There's a difference between walking around with >> your wifi adapter on and seeing what you see and actually capturing >> information, which I believe if anyone of us got caught doing would land us in >> a federal prison. > > There isn't a difference though.. unless by "see" you mean display to > the screen and "capture" you mean write to disk. > >> I would suggest, if asked for opinion by administration, that a stipulation be >> made that Google only be allowed to do passive scanning of the network only. >> That way they can still gather their WiFi location data if they want but not >> get user data. > > "passive scanning" confuses two different concepts. What google did > originally that got them in trouble was completely passive data > collection and didn't even involve any type of scanning. > > What google had intended on doing was to capture the unencrypted 802.11 > beacon frames which contain the SSID and BSSID. They accidentally > captured all 802.11 frames, including those from people using insecure > wireless networks. The only reason why google every captured user data > was users were being stupid and broadcasting their data in the clear > into public areas. > > -- > -- Justin Azoff > -- Network Security & Performance Analyst > Joel Rosenblatt, Director Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
That's what was kind of funny in our case - this request originated through our "Marketing and Communications Office" - and they referred it to ITS.....we've also advised them to check with our Security group..... M
Message from nrouten@mail.twu.edu

Anyone can add this detail themselves or Google can help. http://maps.google.com/floorplans

 

“Submit your entry for a chance to win and help your university at the same time! Join together with up to three other student mappers to add high quality edits like university buildings, walking paths, public spaces, or restaurant hangouts near your campus using Google Map Maker, and your efforts could win a grand prize package worth more than $5,000 USD for your team. 

 

Map universities, campus organizations, local businesses, university buildings and so much more! Adding these features to the map will help students and visitors alike when they visit your campus. Having a complete, accurate and rich map on Google helps people in your campus community, businesses, tourism boards, civil services and even emergency rescue workers.

 

Did you know you can help improve indoor maps of your campus? Universities can use indoor maps to help new and returning students locate their classrooms, highlight important areas of buildings (such as specific administrative offices) and navigate in libraries or gymnasiums. After obtaining the necessary permissions and ensuring that your submission complies with our content guidelines, go to http://maps.google.com/floorplans and follow the instructions to put your university's floor plan on Google Maps.  Important note:  Indoor maps submissions are not part of an official entry to the contest, but can make the map of your campus even more complete!

 

Be recognized and rewarded for your mapping contributions. The contest winning mapping team will be a local campus hero.  Top mapping contributors appear on Google Map Maker and ultimately on Google Maps.”

 

http://sites.google.com/site/mapyourworldcommunity/competition/2012-us-ca-universities

 

Nate

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Heath Barnhart
Sent: Tuesday, April 17, 2012 1:22 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns??

 

I agree with this as well. There's a difference between walking around with your wifi adapter on and seeing what you see and actually capturing information, which I believe if anyone of us got caught doing would land us in a federal prison.

I would suggest, if asked for opinion by administration, that a stipulation be made that Google only be allowed to do passive scanning of the network only. That way they can still gather their WiFi location data if they want but not get user data.
--
Heath Barnhart, CCNA
Network Administrator
Information Systems Services
Washburn University
Topeka, KS

On 4/17/2012 12:20 PM, Hahues, Sven wrote:

The reasonably paranoid person in me was also going to say what David said.  I'd be more concerned with what they may be gathering "accidentally" while they are at your campus than what they are there to officially do.   It's not like Google hasn't "accidentally" done this in the past - http://www.computerworld.com/s/article/9176810/Google_stops_sniffing_Wi_Fi_data_after_privacy_gaffe   I don't know about you, but the difference between running netstumbler and tcpdump isn't  just a simple "whoops - wrong button, my bad..." kinda thing, so a little bit of suspicion is well placed.   Sven   -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David L. Wasley Sent: Tuesday, April 17, 2012 1:04 PM To: SECURITY@LISTSERV.EDUCAUSE.EDU Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns??   I'm curious why there have been few comments about what Google did -not- say in the agreement.  There have been many news stories about Google "accidentally" collecting emails, passwords, etc., as a byproduct of doing this mapping.  My own paranoia would lead me to request an explicit clause that says something like "Any information recorded by Google or it's contractor other than what is described above as Location Information shall not be used for any purpose and shall be erased from all records immediately upon discovery."   David    
By passive scan, I mean the wireless adapter is looking at beacons for networks to potentially connect to and nothing else, which every wireless device does. You can get the BSSID information from the OS which doesn't require a packet capture. The packet capture is just easier.

On 4/17/2012 2:04 PM, Justin Azoff wrote:
On Tue, Apr 17, 2012 at 01:21:45PM -0500, Heath Barnhart wrote:
I agree with this as well. There's a difference between walking around with your wifi adapter on and seeing what you see and actually capturing information, which I believe if anyone of us got caught doing would land us in a federal prison.
There isn't a difference though.. unless by "see" you mean display to the screen and "capture" you mean write to disk.
I would suggest, if asked for opinion by administration, that a stipulation be made that Google only be allowed to do passive scanning of the network only. That way they can still gather their WiFi location data if they want but not get user data.
"passive scanning" confuses two different concepts. What google did originally that got them in trouble was completely passive data collection and didn't even involve any type of scanning. What google had intended on doing was to capture the unencrypted 802.11 beacon frames which contain the SSID and BSSID. They accidentally captured all 802.11 frames, including those from people using insecure wireless networks. The only reason why google every captured user data was users were being stupid and broadcasting their data in the clear into public areas.


--
Heath Barnhart, CCNA
Network Administrator
Information Systems Services
Washburn University
Topeka, KS
Message from aperry@murraystate.edu

"Many Bothans died to bring you the fastest walking directions to the student union."
Sponsored result: Thinking about gallactic rebellion? Hot Topic has all your rebel clothing needs.

-Sorry, I couldn't resist.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry@murraystate.edu

***MSU Information Systems staff will never ask for your password or other confidential information via email.***




A couple of more institutions have responded to the NACUA query, all private institutions, one very high profile university, but the other two smaller colleges.  FYI …  Tracy


On Apr 17, 2012, at 12:38 PM, Basgen, Brian wrote:

 
We have similarly been approached by Google, and there has been some internal discussion about the pros and cons.
 
I find it difficult to sustain the notion that a floor plan presents a significant risk to the institution. Just two points, first from the venerable Claude Shannon: “The enemy knows the system.” Second, if a floor plan presents a significant risk, how can that risk be mitigated by the tens of thousands of students that walk the floor plan daily?
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Director of User Support Services (Acting)
& Information Security Officer
 
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Moore
Sent: Tuesday, April 17, 2012 8:31 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Google Maps offering to "map our locations"....concerns??
 

Perhaps we are ultra paranoid with the bomb threats we have had recently 
http://www.katu.com/news/local/Bomb-threat-shuts-down-Chemeketa-Community-College-139217864.html?tab=gallery&c=y&img=1 
but we are trying to be very protective of our internal structural information. We even went to the extreme of removing particular maps of our campus due to the fact that they had shown the internal dimensions of the buildings. As with anything this information can be used against us and our concerns are that someone could use this information strategically in a very negative way. We are looking at it with the view that the internal layout of the buildings is not a necessity for students and when we do provide them we will provide partial views that will cover the place of interest. 
Perhaps its a bit extreme but we have swayed toward the conservative side.

Thanks all hope this helps!

Jeff (Tinfoil Hat) Moore

CCC

Our counsel's office was involved in these discussions last year when Google wanted to street view one of our campuses. I'm not sure exactly how they became involved, but I *think* it was by-way-of our media relations department. Our primary concerns with "street view" at the time were privacy-related (e.g., capturing faces, people entering medical facilities, license plate numbers, through dormitory windows). Google's response was: "Google take peoples privacy very seriously. We use our state of the art blurring program to blur out peoples faces all license plates to protect their privacy. Unfortunately this blurring program is not accessible to users or partners. However, you can always request to have areas blurred out." Of course, there is always the chance the an image would be missed. There is a process in place to fix those images once discovered, but I'm sure it would take some time to accomplish. For "indoor maps", an additional concern was safety. Google uses "crowd sourced" floor plans for these, so the accuracy and validity cannot be guaranteed. While the risks are somewhat minimal, someone could upload an inaccurate floor plan with malicious intent (e.g., to lure sometime to a secluded place in a building, direct them to a particular business instead of another[1], etc.). Footnotes: [1] http://tinyurl.com/3c9ttpw -- Tom Davis, CISSP, CISM Chief Security Officer Public Safety and Institutional Assurance Indiana University https://protect.iu.edu/tdavis
It isn't clear that google wasn't also cracking wireless encryption. Somehow only one person at google knows and he pleaded the fifth. That doesn't exactly install confidence.
Message from pete@shadows.uottawa.ca

On Tue, Apr 17, 2012 at 09:38:48AM -0700, Basgen, Brian wrote: > I find it difficult to sustain the notion that a floor plan > presents a significant risk to the institution. Just two points, > first from the venerable Claude Shannon: "The enemy knows the system." > Second, if a floor plan presents a significant risk, how can that risk > be mitigated by the tens of thousands of students that walk the floor > plan daily? On the security side of things, I've always been taught: default deny Rather than saying, "What is the risk?", the question should be "What are the benefits? Aside from the "wow factor"* what does it bring. There are unknowns in the future. Heck back a number of years ago, I never worried about giving someone my name, SSN, DoB, etc. Things we think of as useless now, may be more useful in the future. * Wow factor: See : http://www.ibiblio.org/Dave/Dr-Fun/df200601/df20060116.jpg -- Pete Hickey "It's true hard work never killed anybody, The University of Ottawa but I figure, why take the chance." Ottawa, Ontario Canada
Close
Close


EDUCAUSE Connect
View dates and locations

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

EDUCAUSE Institute
Leadership/Management Programs
Explore More

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.