Educause Security Discussion mailing list archives

Re: google docs google services


From: "Judith L. Tabron" <Judith.L.Tabron () HOFSTRA EDU>
Date: Tue, 23 Feb 2016 18:57:39 +0000

And I'm sure folks are aware of the FTC complaint the Electronic Frontier Foundation has lodged against Google for what 
it claims are deceptive practices, i.e., that Google claims not to "use" student data but in fact tracks and does use 
it, just not in direct ads in their mail feeds.

https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade

Which is just to say that we may satisfy FERPA requirements but the question is still on the table of how ethically 
Google handles student data. (I know privacy != security, but your campus community may not make the distinction right 
away.)


Judith


------
Judith Tabron, Ph.D., Director, Faculty and Student Computing Services
Hofstra University
judith.tabron () hofstra edu | 516-463-6316
State Chair, New York State ACE Women's Network



________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ruth Ginzberg 
<rginzberg () UWSA EDU>
Sent: Tuesday, February 23, 2016 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] google docs google services


The thing that makes this so challenging is that “FERPA compliance” isn’t defined anywhere w.r.t. computer security.



There is nothing whatsoever in 20 U.S.C. § 1232g; 34 CFR Part 99 a.k.a. “FERPA” that says anything at all about what 
kind of security measures 3rd party providers are obligated to take.  So (technically) a 3rd party provider could do 
nothing at all with respect to FERPA and claim that it is “FERPA compliant.”



As it stands right now, there is the law, and there are about a gad-zillion letters 
(http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html ) saying what the Dept of Ed thinks FERPA says.  But 
it is up to each individual institution to interpret those and figure out what IT is willing to argue constitutes 
“compliance” with FERPA when it comes to electronic records.  The law itself was written in (I think…) 1973 (?) when 
most educational records were still paper items in manila file folders in drawers in cabinets in rooms filled with such 
filing cabinets.






It is always, always, always  up to the INSTITUTION (not the 3rd party) to ensure FERPA compliance (i.e., you can’t 
outsource responsibility for regulatory compliance).



So different institutions are going to make different judgment calls regarding whether something is “compliant” with 
FERPA as that institution understands it.



What matters most is whether the institution in question believes (and is willing to defend, if called on the carpet 
for it) that the 3rd party’s security practices are “FERPA compliant.”





Ruth Ginzberg, CISSP, CTPS

Sr. I.T. Procurement Specialist

University of Wisconsin System

608-890-3961



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, 
Mark B
Sent: Tuesday, February 23, 2016 12:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] google docs google services



We use GAE and our legal department was satisfied with regard to FERPA.

I don’t know if the standard Google agreement was sufficient or if Google signed an addendum.

Either way, FERPA Compliance is doable.



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jay 
Fowler
Sent: Tuesday, February 23, 2016 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] google docs google services



Perhaps this would be helpful. Google mentions this with regard to FERPA:



https://www.google.com/edu/trust/#does-google-apps-for-education-comply-with-ferpa



________________________________

From: "Mark Reboli" <mreboli () MISERICORDIA EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Tuesday, February 23, 2016 8:00:56 AM
Subject: [SECURITY] google docs google services



Is anyone utilizing Google Docs or Google Services?  If so, how have you dealt with the FERPA compliance component?  I 
know this has been discussed in the past, and the issue, according to our FERPA person on campus, who has also indicated 
this in his discussion with other registrars etc., is the potential for the mining of FERPA information stored by Google.  
We have likewise tried for several months to find a good source at Google that we can discuss information about this 
with, but have never received a response to any of the requests we have made, so if you have a contact that you can 
share I would be most appreciative.



m



Mark Reboli

Network/Telecom Manager

Misericordia University

(570) 674-6753




