Roadblocks in deploying Google Apps: FUD
Fear, uncertainty and doubt (From Wikipedia, the free encyclopedia)
Fear, uncertainty, and doubt (FUD) is a tactic of rhetoric and fallacy used in sales, marketing, public relations, politics, propaganda and trolling. FUD is generally a strategic attempt to influence public perception by disseminating negative and dubious/false information designed to undermine the credibility of their beliefs. An individual firm, for example, might use FUD to invite unfavorable opinions and speculation about a competitor's product; to increase the general estimation of switching costs among current customers; or to maintain leverage over a current business partner who could potentially become a rival.
This document is in regard to an email I received from a colleague regarding Google Apps for Education. Jamie approached Jackie and said that Google Apps for Education would be a great tool for collaboration among students, staff, and administrators. They have been going back and forth because their “Tech Expert” (Jackie) disagrees with the “Educational Expert” (Jamie) who wants to use the product. Jackie has fears and reservations about using Google Apps.
Jackie started to do some research on Google Apps and initially found the consumer version of an Apps agreement. This led Jackie to raise some serious questions about privacy, safety, and security of Google Apps. Jamie emailed me and asked for advice. I suggested that they both look at the Google Apps for Education User Agreement.
What follows is Jackie’s response to reviewing the agreement, which I have responded to within the original email in italics.
Based on my security training and experience I would not recommend we use this service for the following reasons:
Google's internal security procedures are probably better than 90% of all school systems including ours.
I am not sure how this is a problem, but I am sure Google’s security is better than 99.9% of all systems. Read the security whitepaper.
That is why it is standard practice for any information that has any value whatsoever to be SSL encrypted. Remember that a lot of our staff will be accessing these docs from their home computers. Security estimates estimate that at least 15% of these computers at any one time are compromised with viruses and worms that are designed to monitor and send any information they enter to Bots or used as a gateway to acquire information from the client's site.
In fact the secure communications (HTTPS) that would be required for our data, appears to be a paid premium service:
Secure Browser Connections (HTTPS)
Google Apps Premier and Education Editions offers domain administrators the ability to force all users in their domain to use Hypertext Transfer Protocol Secure (HTTPS) for services such as Gmail, Docs, Calendar, Sites, etc. Information sent via HTTPS is encrypted from the time it leaves Google until it is received by the recipients’ computer
This is not a free service and the following smacks of bait and switch tactics because they know that once we do all the training and have everything established we would not want to change; (from the user agreement)
3.4 No Fees. Google may charge a fee for the Services after the initial term, and may charge a fee for new functionality or optional enhancements that may be added by Google to the Service. Google may also offer a premium version of the Services for a fee. Prior to Google charging Customer as stated in this section, Google and Customer will negotiate either a new agreement or an amendment to this Agreement.
I do not think we want even our patterns of communications to be disclosed to their affiliates. (from the agreement, except their comments in the parentheses)
(a) protect the other party’s Confidential Information with the same standard of care it uses to protect its own Confidential Information; and
(b) not disclose the Confidential Information, except to affiliates, (That includes companies that advertise with them) employees and agents who need to know it and who have agreed in writing to keep it confidential
The issue here is that a parent in litigation will say that potentially sensitive IEP conversations and documents are being held by an ad supported third party. Even if we assert there is no risk their lawyer would have a good case for "reasonable doubt" and we would lose the case.
It would also look bad if a local paper made FOIA requests that included data created from Google and ran an article with a Headline that read: Confidential information about students with special needs being stored on Google! (from the agreement)
FOIA requests: b. Third Party Requests. Customer is responsible for responding to Third Party Requests. Google will, unless it is prohibited by law or by the terms of the Third Party Request: (a) promptly notify Customer of its receipt of a Third Party Request in a manner permitted by law; (b) comply with Customer’s reasonable requests regarding its efforts to oppose a Third Party Request; and (c) provide Customer with the information or tools required for Customer to respond to the Third Party Request. Customer will first use the Admin Tool to access the required information.
Once again they answer their own question by using the agreement, but I will dive in a little further here. These are the same steps you would take with any email system. Google can't access your data, therefore they cannot respond to a FOIA request on your behalf (I don't think you would want them to). As the privacy FAQs say:
Google employees will access your account data only when an administrator from your domain grants Google employees explicit permission to do so for troubleshooting purposes. During the course of troubleshooting an issue or other investigation, the Google Support team may ask for the creation of a test administrator account, solely to be used to resolve the particular issue at hand.
Google employees or automated systems may also take down any content that violates the Terms of Service.
In order to provide some of the core features in Google Apps products, our automated systems will scan and index some user data. For example:
- Email is scanned so we can perform spam filtering and virus detection.
- Email is scanned so we can display contextually relevant advertising in some circumstances. (Note that there is no ad-related scanning or processing in Education or Premier Edition with ads disabled)
- Some user data, such as documents and email messages, are scanned and indexed so your users can privately search for information in their own Google Apps accounts.
In other words, we only scan or index user content in Google Apps in order to provide features that will directly benefit users, or to help us maintain the safety and security of our systems. Except when your users choose to publish information publicly, Google Apps data is not part of the general google.com index.
Our own internal searches for FOIA documents are more invasive than anything Google does with our data, and YES it is our data.
Who owns the data that organizations put into Google Apps?
To put it simply, Google does not own your data. We do not take a position on whether the data belongs to the institution signing up for Apps, or the individual user (that's between the two of you), but we know it doesn't belong to us!
The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.
They can advertise us using this service and thus by implication endorsing their service:
Publicity. Customer hereby consents to Google's inclusion of Customer's name in a customer list, but only if Customer is not the only customer appearing on the list.
They are not liable for any issues or lawsuits arising from this arrangement: (from the agreement)
Limitation on Indirect Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.
This is standard in every contract that I have signed with a software company (which protects both YOU and the other company). You will see similar clauses in many agreements (look at the XP agreement or Adobe). I am not a lawyer, but your schools probably shouldn't let you sign an agreement where this isn't present.
To fully comply with the below we would have to send out notice to all our parents that we use this service:
Customer acknowledges and agrees that it is solely responsible for compliance with the Children’s Online Privacy Protection Act of 1998 (COPPA), including but not limited to, obtaining parental consent concerning collection of personal information used in connection with the provisioning and use of the Additional Products by the Customer and its
You will only need to do this if you are using student accounts with children under the age of 13 (Read about COPPA here). You should actually be doing this if you let students under 13 use any web based service where you are creating accounts for them where the provider may be able to access personal student information. Once again, I am not a lawyer, however since Google cannot actually access your student’s personal information (only you can) and since you are not a commercial entity, I really question if you even have to do this because of COPPA. You really only need to do it because you tell Google you will when you sign the agreement. By the way, since when is communicating with your parents a bad thing?
I am not sure why this is a constant roadblock tossed up by technology staff, administrators, or other members of the school community. Perhaps it is fear of losing one’s job, eroding their area of expertise, not knowing the facts, or not knowing where to go to get the answers. Whatever the reason, I hope that the information I have provided helps to reduce the FUD circulating around choosing to use Google Apps for Education in your school.