Educause Security Discussion mailing list archives
Re: Google announces privacy changes, no opt out for users
From: Tim Doty <tdoty () MST EDU>
Date: Mon, 6 Feb 2012 16:23:37 -0600
On Tue, 2012-01-31 at 09:11 -0600, Jesse Thompson wrote:
Right. Google is being intentionally vague. I'm not a lawyer, but my interpretation is that the new privacy policy effectively allows Google to bypass the protections offered in the EDU privacy policy for the core apps. The only way around it is to disable all of the non-core apps. Again, I'm no lawyer.
so... today I got an email from google because we use Postini that looks very like the one from google if you have gmail. It refers to the same privacy policy, the one that says "we can do whatever we want with your data". I'm no lawyer, but I'm concerned that this means they are in fact considering *all* users, EDU or not, as being subjects of spying.
From http://www.google.com/policies/privacy/preview/ "We may combine personal information from one service with information, including personal information, from other Google services"
Take this in the light of google having access to all your email because the institution uses Postini. I'm not liking where this is going.
I understand this to mean that all apps are now able to interchange personal data, which means that the new consumer apps privacy policy would effectively minimize or eliminate (in some cases) the protections within our core apps privacy policy.
I think it is worth double checking that you still have a core apps privacy policy, or that it won't change come March 1st. Yes, they state it doesn't include services that have a separate privacy policy, but the whole point is that they are combining them and they *were* separate but are now not only unified in terms, but permit sharing of information between them. (That last distinction is one of my personal gripes with how google is doing this. They are pretending that unifying to a single privacy policy requires allowing them to share your PII between all of them.)
From http://www.google.com/policies/privacy/preview/
Our Privacy Policy applies to all of the services offered by Google Inc. and its affiliates, including services offered on other sites (such as our advertising services), but excludes services that have separate privacy policies that do not incorporate this Privacy Policy.
The last phrase '...that do not incorporate this Privacy Policy' indicates to me specific assurance is needed that your existing one won't simply be merged in with this PII-should-be-free model. Also from http://www.google.com/policies/privacy/preview/
For external processing We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.
So they are saying they will provide PII to other businesses or persons for them to process it on Google's behalf. Of course, Google is looking out for you and those folks will have to protect your PII just as well as Google did -- by only providing it in exchange for a service, apparently. I am no lawyer, but that looks pretty meaningless to me. I mean, they promise not to just publish it on the web or put it up on an anonymous FTP server -- after all they expect to receive some benefit for sharing it. You might also be interested how Google defines "sensitive personal information" which is the term they use rather than PII. From http://www.google.com/policies/privacy/preview/faq/#toc-terms-sensitive-info
This is a particular category of personal information relating to confidential medical facts, racial or ethnic origins, political or religious beliefs or sexuality.
So medical facts, race/ethnicity, political/religious beliefs or sexuality. But not, for example, financial/economic information. Or personally identifying information. Would searching for debt relief not be considered something they need to protect? Not even necessary to invoke the 'business relationship' clause for selling the geographic location and name of individuals performing such searches? Maybe I should take off my tin foil hat and quit hiding from the Sun, but this new 'privacy' policy concerns me. Tim Doty
Jesse On 1/27/12 11:56 AM, Mike Porter wrote:On Fri, 27 Jan 2012, H Morrow Long wrote: Without knowing what our contract states, and what portions of the contracts refer to URLs whose contents may or may not have changed, the below statement sort of means nothing. Well, it means Google is not violating a legal contract, but the terms in that contract were hardly static, if I recall correctly. Am I wrong for most of us? Mike Mike Porter Systems Programmer V IT/NSS University of DelawareGoogle's new privacy change will apparently not affect Education, Government nor Enterprise business customers (at least not right away anyway). As long as we have current contracts. [ http://www.computerworld.com/s/article/9223753/Google_says_privacy_change_won_t_affect_government_users?source=CTWNLE_nlt_security_2012-01-27&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F84+%28Computerworld+Privacy+News%29 ] Google says privacy change won't affect government users Company downplays privacy, security concerns from former federal IT official By Jaikumar Vijayan January 26, 2012 05:02 PM ET 1 Comment Computerworld - Google today dismissed concerns by a former senior federal IT official that the company's controversial new privacy policy would create problems for customers of Google Apps for Government (GAFG). In a statement, Google said the new policy will not change existing contracts that define how it handles and stores data belonging to government users of its cloud services. "Enterprise customers using Google Apps for Government, Business or Education have individual contracts that define how we handle and store their data," Amit Singh, vice president of Google Enterprise said in a statement. "As always, Google will maintain our enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain," he said. According to Singh, Googles contractual agreements have always superseded its privacy policy for enterprise customers. On Jan 26, 2012, at 1:11 PM, H Morrow Long wrote:I think we need to hear from Google. Part of the rationale for the current change is that Google wants to reduce the # of different privacy policies they have (for different products). Morrow On Jan 26, 2012, at 12:56 PM, Jesse Thompson wrote:I don't see any indication that the changes to the generic policy are trumped by the edu-apps policy. But, I'm no lawyer. http://www.google.com/apps/intl/en/edu/privacy.html Jesse On 1/26/12 11:08 AM, Joel Rosenblatt wrote:I asked the question also and was told (not by google) that this only applies to their consumer apps, not core Google Apps for Edu Have you contacted google to confirm this? Joel --On Wednesday, January 25, 2012 12:56 PM -0500 Morrow Long <morrow.long () YALE EDU> wrote:Read it & trying to determine what this means for Yale. We outsource many of our studen Sent from my iPhonet email accts to Google now (though our branded gmail does not have Google targeted ads shown alongside the messages). Morrow On Jan 25, 2012, at 10:44 AM, Nicole Kegler <nk278 () georgetown edu> wrote:Has anyone read this article about the privacy changes being implemented by Google starting March 1? What are your thoughts? http://www.washingtonpost.com/business/economy/google-tracks-consumers-across-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html?hpid=z3 -- Nicole Kegler Communications Manager University Information Security Office Georgetown University 202-687-5784 Protecting data is a shared responsibility! INSTALL antivirus and antispyware software. USE strong passwords. KNOW who you are dealing with online. STORE confidential and sensitive data on encrypted devices only. SHUT DOWN computers or disconnect from the Internet when it's not in use.Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3- Mike Porter PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA 2F D2 37 F3 99 ED D1 C2
Current thread:
- Re: Google announces privacy changes, no opt out for users, (continued)
- Re: Google announces privacy changes, no opt out for users Jesse Thompson (Jan 26)
- Re: Google announces privacy changes, no opt out for users H Morrow Long (Jan 26)
- Re: Google announces privacy changes, no opt out for users Tim Doty (Jan 26)
- Re: Google announces privacy changes, no opt out for users H Morrow Long (Jan 27)
- Re: Google announces privacy changes, no opt out for users David C Kovarik (Jan 27)
- Re: Google announces privacy changes, no opt out for users Guy Almes (Jan 27)
- Re: Google announces privacy changes, no opt out for users Manjak, Martin (Jan 27)
- Re: Google announces privacy changes, no opt out for users Manjak, Martin (Jan 27)
- Re: Google announces privacy changes, no opt out for users Mike Porter (Jan 27)
- Re: Google announces privacy changes, no opt out for users Jesse Thompson (Jan 31)
- Re: Google announces privacy changes, no opt out for users Tim Doty (Feb 06)
- Re: Google announces privacy changes, no opt out for users O'Callaghan, Daniel (Jan 26)
- Re: Google announces privacy changes, no opt out for users Bradley, Stephen W. Mr. (Jan 26)
- Re: Google announces privacy changes, no opt out for users O'Callaghan, Daniel (Jan 26)