"Going Google" Exposes Students' Email

A ReadWriteWeb piece up on the NY Times site explores the recent glitch during the move of a number of colleges onto Google's email service that allowed a number of students to see each others' inboxes for a period of more than three days. Google would not give exact numbers, but the article concludes that about 10 schools were affected. "While the glitch itself was minor and was fixed in a few days, the real concern — at least at Brown — was with how Google handled the situation. Without communicating to the internal IT department, Google shut down the affected accounts, a decision which led to a heated conversation between school officials and the Google account representative. In the end, only 22 out of the 200 students were affected, but the fix was not put into place until Tuesday. ... The students had access to each other's email accounts for three solid days... before the accounts were suspended by Google. Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.' (We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"

3 Days Turnaround

[sgbett]

Is that three days after they were notified, or did the affected students keep it quiet for a couple of days for 'research purposes'.

Brown

[Anonymous Coward]

Ah Brown, generally home to spoiled rich kids who's kids buy their way through college (all Ivy's have this, but Brown is the worst) and the least rigorous of any Ivy. Not surprised to see them shill a bit...

Re:Still more secure than most school systems

[julesh]

I bet most of us could read everyone else's email at school...

Not convinced. Mine used Solaris's default maildrop security, which is pretty effective, and I think was fairly standard practice until recently.

Re:3 Days Turnaround

[BikeHelmet]

It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

Re:methinks he doth protest too much

[Arancaytar]

Well, that's one reason why those passwords aren't sent in clear. Breaking into someone's email account to get access to a forum/blog/website account is relatively easy - preventing them from catching on is hard to impossible.

Another security feature is to force you to leave your account unused for a week, to make sure the account is really not accessible. Few sites actually use it, unfortunately (Gmail does) - it's a substantial convenience trade-off, and people always value convenience above security.

Re:Someone has high demands.

[Anonymous Coward]

What the fuck.

This is a really big deal. And if the excuse is that 3 days (admittedly, 2 of them weekend days) turnaround on an absolute security breach is what you get for free, and to expect better you must pay for it, then the proper response is to pay for better and not use this service because it's shit-broken. It is my understanding that Google Apps for Education is not a tiered service -- you're a school, you get it free; there is no paying for better. If there IS paying for better, then we should spread awareness that the free version is bad.

Might I point out that losing privacy on your email and THEN losing access is pretty much the worst possible failure mode? This is an enormous fuck-up. This has nothing to do with Microsoft. Why would you bring up Microsoft? YOU are the one twisting something into what it is not to make some other company look bad. If I were as paranoid as you, I'd suggest that Google or Apple or somesuch was paying you to do this, but in fact, I know that you're capable of being fuckwitted all on your own.

Jesus Christ. Google Apps' security fails utterly, and that's Google kicking Microsoft in the groin to you? Maybe Google can start a puppy-stomping program; I bet that's just like Google ripping Microsoft's arms off.

I'd be a lot more comfortable if Google said "yeah, we fucked up, here's what we're going to do to prevent this from happening again". Instead we get the self-contradictory "it was a small hiccup [...] it's an issue we've taken extremely seriously".

Re:Someone has high demands.

[miffo.swe]

My impression is that this incident is a fuckup at the customer end of things. The problem was getting the emails out of Exchange into the right account in Google Apps.

This is something where i personally have missed a couple of times and its very common since there are always some accounts that are broken in an exchange system.

Re:Minor glitch! I think not

[ubrgeek]

In most (all?) states, universities that receive federal government funds have an absolute requirement to protect privacy-related information. That's one of the reasons nearly 20 years ago the California State University system switched from using SSNs as student ID numbers to some non-related numbering system. I know, because I was part of the group that challenged the use of SSNs. As IANAL, I don't know if what happened in the article email _might_ constitute the same thing, not do I know if the same would be true (i.e. whether it would constitute such a breach) if the system has a "If you use this system, you consent to monitoring" banner that pops up at login.

FERPA

[wireloose]

Worse than just a breach of privacy of email, students use their college-provided accounts to communicate with their faculty. If other students are able to see their emails, that constitutes a potential FERPA breach. As a college IT administrator, I would be screaming at Google for not sharing info and reacting immediately. Waiting a day to shut the accounts down temporarily is inexcusable.

Re:Breach of privacy

[agentgonzo]

Actually, a lot of people probably would. One of the things that really annoys me is that large companies will dispose of their old IT equipment by throwing it in a skip rather than donating it to local schools who would benefit from them. One of the major reasons that they do this (from what I have heard) is because "if we give it away to a school and someone goes wrong, we would be liable and could get sued". I still don't understand why the school can't just agree (via a disclamer or whatever) not to sue, but that's probably because I'm not a lawyer and live in my own little make-believe world where people shouldn't sue just because they can get away with it.

Re:FERPA

[surgen]

As a college student, the possibility of having my own personal emails with faculty members exposed concerns me, but nowhere near as much as the confidential student data emailed between me and the staff members I work for.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Google: Lowering standards for the rest of us

[martinX]

we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence,

Does Google actually have a reputation for excellence? Apart from their search engine and maybe Google Maps, is anything they make "excellent"? Does anything excel; is anything groundbreaking and complete in utility and quality? I remember when a lot of their releases stayed in extended-Beta, which is code for "it's free, it's out there so use it at your own peril". I find a lot of their stuff nifty, and I think they head in interesting new directions, but they seem to be always short of excellence. Personally I think that they have gained years worth of kudos - and, by extension, a reputation for excellence - by creating a great search engine (not to mention the big plus of not being Microsoft) and are spending it.

Re:3 Days Turnaround

[Uber Banker]

If this weren't a free service I'd definitely raise hell..

Are these students not paying fees, and (were it to occur in most other countries) taxpayers paying also?

Re:Breach of privacy

[Dog-Cow]

My understanding is that's it's actually for accounting purposes. The equipment can't be written off the same way if they are donated, or something like that. I'm neither an accountant nor a tax specialist.

Re:The IT manager is praising them

[glyneth]

This will make me unable to moderate, but what the hell?

Brown had a unix based backend for years. A few years back, they got a new IT head, who insisted on off-the-shelf packages for everything. So out went postoffice, and in came Exchange. It's been running Exchange since then, and yes, untold numbers of problems (though nothing like this). We're not even on the most recent version of Exchange, which will make my office's future transition to Snow Leopard problematic since afaik the native Mail interoperability with Exchange that comes in 10.6 won't work with anything but the latest.

AFAIK, the plan is to move everyone to Google eventually, departments too. Once they get all the security figured out. This isn't helping, of course.

Re:Breach of privacy

[thePowerOfGrayskull]

And that's why the American legal system is FUTA. In most sensible countries, you *can* sue them *if* you have experienced a major problem due to their behaviour - eg, if you can show that you have lost money/posessions/safety etc as a direct result of someone else having access to your emails. You can't just go "I feel slightly aggrieved that someone read my email - give me a bajillion dollars!!!!".

Spoken like someone whose only expose to the American legal system is via television...

Re:Someone has high demands.

[Albanach]

How lame is your college that it can't run an email system?

I don't think anyone, except you, is suggesting the colleges can't run an email service.

Email is time consuming and expensive to provide. 10, 20 or 30 thousand accounts, all demanding storage - and these days you can't give folk 100MB quotas. Accounts that are all attracting spam that requires either constant tweaking of anti-spam rules, or outsourcing spam and virus checking. Add in off-site backups, support, abuse and you are quickly spending tens of thousands on equipment and more on staff.

Then they get a call, or an email saying Google will offer all that for free. For a school facing budget constraints it's a very tempting offer. It says more about their budget than their technical ability.

Re:Someone has high demands.

[afex]

That is, unless you think that 'free' means 'no hard currency was exchanged'.

Yea, that's pretty much what we all think. do you really think someone is reading your post and going
"holy crap, he's right - they DO look at my data! and tv DOES have ads! none of this is FREE!!!!"
Yea, we all know we are giving up time, or letting company X gain something by giving our time, or whatever, but most of the general public (including me!) considers only their pocketbook when thinking about whether or not something is "free". Hell, even if i have to spend 20 minutes doing something (lets say filling out a rebate on something so that the final price is $0), i STILL consider it free!

Re:Still more secure than most school systems

[mcgrew]

Gmail must not ve very secure, and their reaction to glitches makes me want to stay away from it. I had a Gmail account, one day it wouldn't let me log on, saying it had been used for "improper purposes", odd since I'd only used it to email friends, never forwarding anything or sending a mail to more than one person at a time. One of the questions it asked was "do you think your accout was compromised"? I probably should have said yes, because they took the account away. No big deal, they're no better or worse than any other free web based email service, but their attitude was really shitty and there seems to be no way to contact a human at Google.

Re:3 Days Turnaround

[Anonymous Coward]

so you're giving them kudos for good customer support because they don't work on Sunday? Hey Google, this is the big leagues. Put on your uniform and show up to work on time.

Re:Google: Lowering standards for the rest of us

[KnownIssues]

Apart from their search engine and maybe Google Maps, is anything they make "excellent"?

I have to say, I'm really glad to hear someone share this opinion. I've been a long time "fanboy" of Google, seldom questioning any of their choices (while finding all manner of things to be critical of with Microsoft, Apple, and *nix/open-source). On reflexion after reading this, I've come to realize something: Google is what would result from my IQ being doubled and a thousand clones made from me. They find some problem-space, develop something with really cool potential, get bored when it comes to refining the product and making it viable, then find some shiny new problem to work on. It's like they're grad students getting paid by a commercial entity to do research.

Re:3 Days Turnaround

[Anonymous Coward]

Is this still the gmail that you don't pay for btw?

Actually, having worked for a "university" who outsourced e-mail services to Google, it's not free. Not at all.