Yale switching to Google Apps / Gmail

[David Farber <dave () farber net>]

Begin forwarded message:

From: Gene Spafford <spaf () cerias purdue edu>
Date: February 11, 2010 1:04:55 AM EST
To: David Farber <dave () farber net>, ip <ip () v2 listbox com>
Subject: For IP: Yale switching to Google Apps / Gmail

I was part of a committee that studied the issue here at Purdue.  For the time being, there weren't large-scale wins 
identified to doing this, but there were many questionable issues about FERPA, HIPAA, pre-patent disclosure info, 
export restricted information, and so on being hosted off-campus -- and perhaps outside the country. (Think about the 
"Aurora" incidents with Google in China.)

What really left a question mark for us was the issue of the future.   Google offers their service to campuses at no 
charge for now, and offers it with particular and useful terms of service.  However, we have no way of knowing if the 
same terms will be used indefinitely.   Once we move our email off campus, the local infrastructure will wither -- 
equipment, personnel, software, and policies for dealing with the special issues (spam, forensics, etc).   If, 4 or 5 
years from now, there is a change in terms -- for example, a large charge in fees, or claiming they will use all email 
for behavioral tracking -- we would be at a real loss to take back the capability (and all the archived email).   There 
could be a very short time interval to act and it seems unlikely that we could manage to ramp up the facilities on 
short notice.

This is a similar situation as with some of the other issues of going to "clouds" or outsourcing to "free" services -- 
lack of control and atrophy of in-house capability.  The analysis of the costs shows a near-term savings, but it fails 
to take into account that there is no control of future, unending costs *and* there is an implicit lock-in because the 
barrier to movement gets bigger as time goes on.   Ironically, its a lot like purchasing an OS or large-scale app that 
seems cheap up front.  However, the service contracts keep getting more and more expensive, but because so much has 
been invested in the peripherals and software to date and it would be so difficult to rearchitect, the contracts keep 
getting renewned.  

That isn't to suggest that Google (or one of the other services doing this) intends to raise prices or plans to change 
their terms of service.  But they aren't running charities for the good of higher ed...they will need to provide a 
profit for their activities at some point, and there is very little in the way of restrictive law in this arena.

Donn Parker's 6 attributes of security include "control" and it is key to understanding risks for cloud computing or 
outsourcing as well as this case.   If you don't maintain positive control over the important aspects, you don't know 
what may happen out of view in time or space.



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com