Wednesday, November 17, 2010

Roadblocks in Deploying Google Docs: CRUD and “ilities”

This is the second in a series of posts about roadblocks organizations face in deploying Google Apps for Education (GAFE). In the last post I went into depth about the FUD that circulates around Google Apps Deployments. In this post I will discuss CRUD, which are the reasonable Concerns, Reservations, Unknowns, and Decisions (along with some of the “ilities”) that emerge when choosing to use Google Apps for Education.

As the person that feels the heat for anything that goes wrong with educational technology in our district, from PEBKAC errors to full network meltdowns, there is CRUD that goes along with any hardware, software, or cloud based deployment. A big part of my job is to be paranoid and critical about technology until I can be reasonably assured that it will work reliably, to the point of invisibility, to my schools. Although few products are actually invisible, to the level of a classroom chalkboard, my goal is that they all end up there. With that in mind I am always worried about many of the the “ilities” (accountability, sustainability, reliability, supportability, operability...) with any products we choose. There reaches a point with any potential technology solution where there is a reasonable level of CRUD that you will be able to live with before making a choice to adopt a product long-term.

As the person that led my district down the path to use and invest time, money, and resources into using GAFE I wanted to share what Concerns, Reservations, Unknowns, and Decisions we have faced along the way, and in some cases, the “ilities” we are managing.

The scariest “ility” is accountability which commonly starts and ends with fiscal responsibility. Obviously the low cost (free), and therefore associated risk of initial financial investment, makes GAFE easier to accept. The agreement that we signed with Google locked us into the core products being free for life (FAQ #4), with the understanding that other parts of the product may come at a cost later on down the road (as is the case with every software product we buy). Yes, there is a risk that GAFE will come at a cost later on and if that happens we will evaluate the cost and value of the product. We do this with every one of the technology solutions we use and have had to make similar decisions with operating systems, desktop publishing products, and enterprise software in the last 4 years.

In the role of the technology leader being responsible for our decisions goes far beyond the initial cost of a product. The total costs of ownership (TCO) includes investing time and energy in researching, choosing, negotiating, deploying, maintaining, and training; all of which are often more costly than the initial investment. When we considered this for GAFE the price point made some of the TCO concerns more palatable. However there were other worries, starting with the fact that nobody on our staff even knew how to use GAFE and at the time we chose GAFE, in 2007, there were not a lot of other schools using it which added to the risk. We offset this concern by leaveraging nearby Northwestern University as a resource and tapping into 3rd party support through SADA Systems. Now there are entire states “Going Google”, millions of users, and excellent communities (like ours in Illinois) working to help each other deploy and use GAFE.

We are currently saving $35K/yr on student email and $55K/yr on staff email by using GAFE for email and message security over our previous products. We are choosing to pay Google 16K/yr for message archiving and discovery (to meet legal requirements) which results in a net saving of 74K/yr. At the end of our 4 year agreement we will have saved nearly $300K that has been reinvested mostly into network infrastructure that will have a long term positive impact on this district. One of the only associated costs of GAFE that is required is bandwidth. This savings from using GAFE along with the reinvestment in infrastructure has improved the sustainability of GAFE in our district.

Google also continues to grow and develop GAFE at no cost to us. Along with these changes comes the risk on not knowing what is coming. There are reasonable concerns that changes that come are things we do not llike, similar to the encrypted search change earlier this year. However Google has shown that they are responsive to their EDU users’ needs. This is an area that we continue to monitor closely and provide constructive feedback to Google about EDU needs and requirements.

One of the steps my team and I always talk about before choosing a technology solution is the cost of leaving the product if it becomes a problem. Unlike many other software companies Google provides resources through its “Data Liberation Front” to help you take your data and leave if you want to go. Once you are gone they will delete all of your data (Privacy FAQ #1). However, a decision to leave Google becomes increasingly difficult as more students and staff use it and as we invest more time and effort in training people to use it effectively. I don’t see a reason why we would leave Google, at this time, but at least I know that if we did we could take our data with us.

One of our major concerns when we chose Google was operability. Some of the more established enterprise products seem to work with everything and finding people that can integrate solutions is very easy. Google is relatively new to the enterprise setting, so we had concerns about getting help when we needed it and the ability to develop on Google’s platforms. We also had initial concerns that there were not a lot of established training resources on the market and we would have to create a lot of training material from scratch.

Google now has a marketplace with many other applications that integrate with GAFE, has built on their platform, and has released many API’s that allow us to build on the GAFE platform. Since going Google in 2007 we have had no problem getting help through the support tab in the GAFE control panel. For those that have not seen the GAFE control panel, here is a portion of it:

We are provided with the usual online forums and help center links, however we also are provided with a phone number to call and links to a help desk along with personalized identifiers that link back to our accounts. We have used these features several time over the past few years and always have received prompt quality support. Google’s reliability has been incredible and blows away the level of service we could provide in-house (even David Spangler, our Network Manager will verify that statement) Sometimes it is just easier to find the information yourself or talk to someone else in a similar setting, which is why the state level agreements and user’s groups have also helped in this area.

Google has also begun a certified trainer program which is now creating a listing of individuals and organizations that can help in deployment and training. We have tapped into these resources and are now part of the community of trainers which has unlocked a massive supply of training material to us. I wouldn’t be surprised if Google continues to collect, collate, improve upon, and publish training materials going forward.

So is there CRUD with Google Apps EDU?


However, there are questions like this with every product and it is our responsibility to raise these questions and look for potential problems. There are other questions and concerns that come along with GAFE, that for the sake of time and space, I have not addressed here. Please add your GAFE CRUD to the comments and the readers and I will respond to them. All we can do is help manage these concerns. because reasonable questions will always be present as long as it is our job to discover and prepare for all of the possible “crudilities”.

Thursday, November 04, 2010

Roadblocks in deploying Google Apps: FUD

This is the first in a series of longer posts that will discuss some of the common roadblocks I hear about, and help other schools work through, when trying to deploy Google Apps for Education in their schools

Fear, uncertainty and doubt (From Wikipedia, the free encyclopedia)

Fear, uncertainty, and doubt (FUD) is a tactic of rhetoric and fallacy used in sales, marketing, public relations,[1][2] politics, propaganda and trolling. FUD is generally a strategic attempt to influence public perception by disseminating negative and dubious/false information designed to undermine the credibility of their beliefs. An individual firm, for example, might use FUD to invite unfavorable opinions and speculation about a competitor's product; to increase the general estimation of switching costs among current customers; or to maintain leverage over a current business partner who could potentially become a rival.

This document is in regards to an an email I received from a colleague regarding Google Apps for Education. Jaime approached Jackie and said that Google Apps for Education would be a great tool for collaboration among students, staff, and administrators. They have been going back and forth because their “Tech Expert” (Jackie) disagrees with the “Educational Expert” (Jamie) who wants to use the product. Jackie has fears and reservations about using Google Apps.

Jackie started to do some research on Google Apps and initially found the consumer version of the Consumer version of an Apps agreement. This led Jackie to raise some serious questions about privacy, safety, and security of Google Apps. Jamie emailed me and asked for advice. I suggested that they both look at the Google Apps for Education User Agreement.

What follows is Jackie’s response to reviewing the agreement, which I have responded to within the original email in Italics



Based on my security training and experience I would not recommend we use this service for the following reasons:

Google's internal security procedures are probably better than 90% of all school systems including ours.

I am not sure how this is a problem, but I am sure Google’s security is better than 99.9% of all systems. Read the security whitepaper.

But the key concept is on their site not in the transport process between our users and their site. The standard free service is not encrypted from the end user to Google’s site and is thus subject to "man in the middle" attaches. (A widely used attack to gain personal information). In my security training this is one of the most basic and widely used tactics to intercept personal information.

That is why it is standard practice for any information that has any value whats so ever to be SSL encrypted. Remember that a lot of our staff will be accessing these docs from their

home computers. Security estimates estimate that at least 15% of these computers at any one time are compromised with viruses and worms that are designed to monitor and send any information they enter to Bots or used as a gateway to acquire information from the clients site.

In fact the secure communications (HTTPS) that would be required for our data, appears to be a paid premium service:

Secure Browser Connections (HTTPS)

Google Apps Premier and Education Editions offers domain administrators the ability to force all users in their domain to use Hypertext Transfer Protocol Secure (HTTPS) for services such as Gmail, Docs, Calendar, Sites, etc. Information sent via HTTPS is encrypted from the time it leaves Google until it is received by the recipients’ computer

The answer is actually in the question above. “Education Editions offer domain administrators the ability to force all users to use HTTPS”. The link that explains how to do this is here: and this is the box you would check in the email control panel:

This is not a free service and the following smacks of bait and switch tactics because they know that once we do all the training and have everything established we would not what to change; (from the user agreement)

3.4 No Fees. Google may charge a fee for the Services after the initial term, and may charge a fee for new functionality or optional enhancements that may be added by Google to the Service. Google may also offer a premium version of the Services for a fee. Prior to Google charging Customer as stated in this section, Google and Customer will negotiate either a new agreement or an amendment to this Agreement.

This is absolutely untrue (However, I find it funny that nobody is concerned about other providers suddenly raising prices) this link to the FAQs explains:

Google Apps for Education is free. We plan to keep the core offering of Google Apps Education Edition free. This includes user accounts for incoming students in the future. As you may know, Google was founded by a research project at Stanford University, and this is just one way we can give back to the educational community.

To see the available features included in Google Apps Education Edition please navigate here.

For more information, you can review our Terms of Service.

If you would like to purchase Google Message Security and Compliance for filtering or archiving purposes, this will have a per user fee depending on the services you choose. Each package is listed here.

But wait, what do they mean by “Core Apps” - certainly this is a trick statement! - No, it’s not:

Google is currently offering schools a hosted solution for their email, calendar, and chat through Google Apps Education Edition, our integrated communication and collaboration solution. Our offer includes Gmail, Google Calendar, Google Talk, Google Sites, and Google Docs and Google Video, all using your own school's domain.

Google Apps Education Edition includes:

  1. Gmail: Email storage and search tools that help your students find information fast and instant messaging from right inside their accounts.
  2. Google Calendar: Students can organize their schedules and share events and calendars with others.
  3. Google Talk: Students can call or send instant messages to their contacts for free anytime, anywhere in the world.
  4. Google Docs: Share documents, spreadsheets, and presentations. Collaborate in real-time with your team or with your whole school. You can publish final documents to the entire world, too.
  5. Google Sites: Work together to keep related documents, web content and other information in one place, on one site.
  6. Google Video for education: A video hosting and sharing solution that enables schools and other organizations to use video as an effective medium for internal communication and collaboration

I do not think we what even our patterns of communications should be disclosed to their affiliates. (from the agreement, except their comments in the parenthesis)

a) protect the other party’s Confidential Information with the same

standard of care it uses to protect its own Confidential Information; and

(b) not disclose the Confidential Information, except to affiliates, (That includes companies that advertise with them) employees and agents who need to know it and who have agreed in writing to keep it confidential

The issue here is that a parent in litigation will say that potentially sensitive IEP conversations and documents are being held by an ad supported third party. Even if we assert there is no risk their lawyer would have a good case for "reasonable doubt" and we would lose the case.

Again untrue. A quick check of the Security and Privacy FAQs answers this question directly:

Does Google give third parties access to my organization's data?

Google does not share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect our systems. These exceptions include requests by users that Google's support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of Google, its users and the public.

For full details, please refer to the "Information Sharing" section of our Privacy Policy.

Back to the EDU FAQ’s

There are no advertisements used with the Google Apps Education Edition.

If you have an account for only alumni at your schools, you are required to enable advertisements.

Gmail also offers web clips at the top of your inbox which show you news headlines, blog posts, RSS and Atom feeds, and relevant sponsored links. Each clip displays the source from which it was received, how long ago the clip was published, and a link to access the entire story or page containing the clip. You may want to create custom RSS feeds for your University.

If you have an Education domain and choose to Hide all advertisements for this domain in your domain's Google Apps control panel, then sponsored links will also no longer be shown as webclips. Your users will still be able to customize their webclips for news headlines, blog posts, RSS feeds, and Atom feeds.

Using a hosted email, or document storage service, for confidential information is common practice for business (Companies use Google), Government (yes they use Google too), and lots of schools. Even if it isn’t Google hosting the email service, as this search shows:

It would also look bad if a local paper made FOIA requests that included data created from Google and ran an article with a Headline that read: Confidential information about students with special needs being stored on Google! (from the agreement)

FOIA requests: b. Third Party Requests. Customer is responsible for responding to Third Party Requests. Google will, unless it is prohibited by law or by the terms of the Third Party Request: (a) promptly notify Customer of its receipt of a Third Party Request in a manner permitted by law; (b) comply with Customer’s reasonable requests regarding its efforts to oppose a Third Party Request; and (c) provide Customer with the information or tools required for Customer to respond to the Third Party Request. Customer will first use the Admin Tool to access the required informationOnce again they answer their own question by using the agreement, but I will dive in a little further here. These are the same steps you would take with any email system. Google can't access your data, therefore they cannot respond to a FOIA request on your behalf (I don't think you would want them to). As the privacy FAQ’s say:

Google employees will access your account data only when an administrator from your domain grants Google employees explicit permission to do so for troubleshooting purposes. During the course of troubleshooting an issue or other investigation, the Google Support team may ask for the creation of a test administrator account, solely to be used to resolve the particular issue at hand.

Google employees or automated systems may also take down any content that violates the Terms of Service.

In order to provide some of the core features in Google Apps products, our automated systems will scan and index some user data. For example:

  1. Email is scanned so we can perform spam filtering and virus detection.
  2. Email is scanned so we can display contextually relevant advertising in some circumstances. (Note that there is no ad-related scanning or processing in Education or Premier Edition with ads disabled)
  3. Some user data, such as documents and email messages, are scanned and indexed so your users can privately search for information in their own Google Apps accounts.

In other words, we only scan or index user content in Google Apps in order to provide features that will directly benefit users, or to help us maintain the safety and security of our systems. Except when your users choose to publish information publicly, Google Apps data is not part of the general index.

It's important to note that our scanning and indexing procedures are 100% automated and involve no human interaction. For complete information, see our detailedPrivacy Policy, Privacy Principles, and our Google Apps Terms of Service (Premier, Standard, Education Editions).

Our own internal searches for FOIA documents are more invasive than anything Google does with our data, and YES it is our data

Who owns the data that organizations put into Google Apps?

To put it simply, Google does not own your data. We do not take a position on whether the data belongs to the institution signing up for Apps, or the individual user (that's between the two of you), but we know it doesn't belong to us!

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

  1. We won't share your data with others except as noted in our Privacy Policy.
  2. We keep your data as long as you require us to keep it.
  3. Finally, you should be able to take your data with you if you choose to use external services in conjunction with Google Apps or stop using our services altogether.

They can advertise us using this service and thus by implication endorsing their service:

Publicity. Customer hereby consents to Google's inclusion of Customer's name in a customer list, but only if Customer is not the only customer appearing on the list.

Wow, the FUD is getting deep, the entire statement from the Apps EDU agreement:

Publicity. Customer hereby consents to Google's inclusion of Customer's name in a customer list, but only if Customer is not the only customer appearing on the list. Other than this, neither party may make any public statement regarding the relationship contemplated by this Agreement without the other party's prior written consent.

Which is preceded by the Intellectual properties section, which would allow you to ask in writing for Google to not use your brand (and also reinforces that all of your stuff is yours)

Intellectual Property Rights; Brand Features.

  1. 7.1 Intellectual Property Rights. Except as expressly set forth herein, this Agreement does not grant either party any rights, implied or otherwise, to the other’s content or any of the other’s intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data, and Google owns all Intellectual Property Rights in the Services.
  2. 7.2 Display of Brand Features. Google may display only those Customer Brand Features authorized by Customer, and only within designated areas of the Service Pages. Customer may specify the nature of this use using the Admin Console. Google may also display Google Brand Features on the Service Pages to indicate that the Services are provided by Google. If Customer wants to display Google Brand Features in connection with the Services, Customer will comply with the Trademark Guidelines.
  3. 7.3 Brand Features Limitation. Each party may use the other party’s Brand Features only as permitted in this Agreement. Any use of a party’s brand features will inure to the benefit of the party holding intellectual property rights to those Brand Features. A party may revoke the other party’s right to use its Brand Features pursuant to this Agreement with written notice to the other and a reasonable period to stop the use.

They are not liable for any issues or lawsuits arising from this arrangement: (from the agreement)

Limitation on Indirect Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS



This is standard in every contract that I have signed with a software company (which protects both YOU and the other company). You will see similar clauses in many agreements (look at the XP agreement or Adobe. I am not a lawyer, but your schools probably shouldn't let you sign an agreement where this isn't present.

To fully comply with the below we would have to send out notice to all our

parents that we use this service:

Customer acknowledges and agrees that it is solely responsible for

compliance with the Children’s Online Privacy Protection Act of 1998

(COPPA), including but not limited to, obtaining parental consent

concerning collection of personal information used in connection with the

provisioning and use of the Additional Products by the Customer and its

end users

You will only need to do this if you are using student accounts with children under the age of 13 (Read about COPPA here). You should actually be doing this if you let students under 13 use any web based service where you are creating accounts for them where the provider may be able to access personal student information. Once again, I am not a lawyer, however since Google cannot actually access your student’s personal information (only you can) and since you are not a commercial entity, I really question if you even have to do this because of COPPA. You really only need to do it because you tell Google you will when you sign the agreement. By the way, since when is communicating with your parents a bad thing?




I am not sure why this is a constant roadblock tossed up by technology staff, administrators, or other members of the school community. Perhaps it is fear of losing one’s job, eroding their area of expertise, not knowing the facts, or not knowing where to go to get the answers. Whatever the reason, I hope that the information I have provided helps to reduce the FUD circulating around choosing to use Google Apps for Education in your school.