Educause Security Discussion mailing list archives
Re: google docs google services
From: "Judith L. Tabron" <Judith.L.Tabron () HOFSTRA EDU>
Date: Tue, 23 Feb 2016 18:57:39 +0000
And I'm sure folks are aware of the FTC complaint the Electronic Frontier Foundation has lodged against Google for what it claims are deceptive practices, i.e., that Google claims not to "use" student data but in fact tracks and does use it, just not in direct ads in their mail feeds. https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade [https://www.eff.org/files/2015/03/02/eff-og-3.png]<https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade> Google Deceptively Tracks Students’ Internet Browsing, EFF ...<https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade> www.eff.org San Francisco—The Electronic Frontier Foundation (EFF) filed a complaint today with the Federal Trade Commission (FTC) against Google for collecting and data mining ... Which is just to say that we may satisfy FERPA requirements but the question is still on the table of how ethically Google handles student data. (I know privacy != security, but your campus community may not make the distinction right away.) Judith ------ Judith Tabron, Ph.D., Director, Faculty and Student Computing Services Hofstra University judith.tabron () hofstra edu | 516-463-6316 State Chair, New York State ACE Women's Network ________________________________ From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ruth Ginzberg <rginzberg () UWSA EDU> Sent: Tuesday, February 23, 2016 1:50 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] google docs google services The thing that makes this so challenging is that “FERPA compliance” isn’t defined anywhere w.r.t. computer security. There is nothing whatsoever in 20 U.S.C. § 1232g; 34 CFR Part 99 a.k.a. “FERPA” that says anything at all about what kind of security measures 3rd party providers are obligated to take. So (technically) a 3rd party provider could do nothing at all with respect to FERPA and claim that it is “FERPA compliant.” As it stands right now, there is the law, and there are about a gad-zillion letters (http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html ) saying what the Dept of Ed thinks FERPA says. But it is up to each individual institution to interpret those and figure out what IT is willing to argue constitutes “compliance” with FERPA when it comes to electronic records. The law itself was written in (I think…) 1973 (?) when most educational records were still paper items in manila file folders in drawers in cabinets in rooms filled with such filing cabinets. [http://www2.ed.gov/images/ed-gov-hat.png]<http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html> FERPA Online Library - US Department of Education<http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html> www2.ed.gov Listing of important letters of technical assistance and other communications regarding FERPA decisions made by the Department of Education. It is always, always, always up to the INSTITUTION (not the 3rd party) to ensure FERPA compliance (i.e., you can’t outsource responsibility for regulatory compliance). So different institutions are going to make different judgment calls regarding whether something is “compliant” with FERPA as that institution understands it. What matters most is whether the institution in question believes (and is willing to defend, if called on the carpet for it) that the 3rd party’s security practices are “FERPA compliant.” Ruth Ginzberg, CISSP, CTPS Sr. I.T. Procurement Specialist University of Wisconsin System 608-890-3961 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B Sent: Tuesday, February 23, 2016 12:29 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] google docs google services We use GAE and our legal department was satisfied with regard to FERPA. I don’t know if the standard Google agreement was sufficient or if Google signed an addendum. Either way, FERPA Compliance is doable. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jay Fowler Sent: Tuesday, February 23, 2016 10:14 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] google docs google services Perhaps this would be helpful. Google mentions this with regard to FERPA: https://www.google.com/edu/trust/#does-google-apps-for-education-comply-with-ferpa ________________________________ From: "Mark Reboli" <mreboli () MISERICORDIA EDU<mailto:mreboli () MISERICORDIA EDU>> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Sent: Tuesday, February 23, 2016 8:00:56 AM Subject: [SECURITY] google docs google services Is anyone utilizing Google Docs or Google Services? If so how have you dealt with the FERPA compliance component. I know this has been discussed in the past and the issue according to our FERPA person on campus has also indicated in his discussion with other registrars etc. is the potential for the mining of FERPA information store by Google. We have likewise tried for several months to find a good source at google that we can discuss information about this but have never been responded in all of the requests we have made, so If you have a contact that you can share I would be most appreciative. m [Description: MU Arches] Mark Reboli Network/Telecom Manager Misericordia University (570) 674-6753
Current thread:
- google docs google services Mark Reboli (Feb 23)
- Re: google docs google services Jay Fowler (Feb 23)
- Re: google docs google services Jones, Mark B (Feb 23)
- Re: google docs google services Ruth Ginzberg (Feb 23)
- Re: google docs google services Judith L. Tabron (Feb 23)
- Re: google docs google services Steve Terry (Feb 23)
- Re: google docs google services Jones, Mark B (Feb 23)
- Re: google docs google services Jay Fowler (Feb 23)
- <Possible follow-ups>
- Re: google docs google services Bellina, Brendan (Feb 23)
- Re: google docs google services Ruth Ginzberg (Feb 23)
- Re: google docs google services Bellina, Brendan (Feb 23)
- Re: google docs google services Ruth Ginzberg (Feb 23)