
"Going Google" Exposes Students' Email

Posted by kdawson
from the visibility-in-the-clouds dept.
A ReadWriteWeb piece up on the NY Times site explores the recent glitch during the move of a number of colleges onto Google's email service that allowed a number of students to see each others' inboxes for a period of more than three days. Google would not give exact numbers, but the article concludes that about 10 schools were affected. "While the glitch itself was minor and was fixed in a few days, the real concern — at least at Brown — was with how Google handled the situation. Without communicating to the internal IT department, Google shut down the affected accounts, a decision which led to a heated conversation between school officials and the Google account representative. In the end, only 22 out of the 200 students were affected, but the fix was not put into place until Tuesday. ... The students had access to each other's email accounts for three solid days... before the accounts were suspended by Google. Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.' (We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"
  • 3 Days Turnaround (Score:5, Interesting)

    by sgbett (739519) <slashdot@remailer.org> on Monday September 21, 2009 @04:39AM (#29488693) Homepage

    Is that three days after they were notified, or did the affected students keep it quiet for a couple of days for 'research purposes'?

    • Re:3 Days Turnaround (Score:4, Interesting)

      by BikeHelmet (1437881) on Monday September 21, 2009 @05:48AM (#29488943) Journal

      It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

      • Re:3 Days Turnaround (Score:5, Informative)

        by john83 (923470) on Monday September 21, 2009 @06:12AM (#29489031)

        It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

        That was my thinking too, but TFA says that the students notified their admin on the Friday, who notified Google on the Saturday, who fixed it on the Tuesday. It's not clear - bad writing - but they may have suspended the service on the Monday.

        • by sgbett (739519) <slashdot@remailer.org> on Monday September 21, 2009 @06:49AM (#29489159) Homepage

          It's conveniently devoid of detail regarding the timeline of things. I don't mean to be a Google apologist, but the article seems full of conjecture.

          11 % of users were affected during a migration. OK it could have been better, but a 3 day turnaround (over a weekend) of an outage during planned maintenance doesn't sound *that* bad to me. Is this still the gmail that you don't pay for btw?

          The critical (missing) detail is how quickly did Google turn off access to other people's mail following notification. Yes it may be a contentious decision if it was made without approval, but in areas of privacy it might be a good idea to CYA first ask questions later.

          Heated discussions are one thing, being taken to court over Data Protection is quite another.

          I'm confused at the reaction from Brown, were they advocating leaving people's data out in the open whilst it was resolved?

          • Re:3 Days Turnaround (Score:5, Informative)

            by Runaway1956 (1322357) on Monday September 21, 2009 @07:31AM (#29489327) Homepage Journal

            "11 % of users were affected"

            No, ~1% I think. Following the links in the links, you'll find that Brown University transferred 2000 accounts, not the 200 in the above summary. It seemed suspicious that a university was only transferring 200 accounts, to begin with. An individual small college would have that many accounts, or more.

            • by sgbett (739519)

              Interesting! I must admit I had to do a double take when I was checking the total user-base to figure out a percentage, it did seem low to me for a University but as I'm not familiar with the US system I didn't go any further. Seems, I should have dug deeper - I'll never make a journalist eh.

              I suspect this bit of misinformation was another convenient re-phrasing designed to increase the newsworthiness of this non-event.

            • by Jurily (900488)

              Following the links in the links, you'll find that

              Nice summary, isn't it?

          • Re:3 Days Turnaround (Score:5, Informative)

            by spyrochaete (707033) <spyrochaete@@@hyppy...zapto...org> on Monday September 21, 2009 @10:37AM (#29491245) Homepage Journal

            Is this still the gmail that you don't pay for btw?

            Schools get Google Apps for free (that is to say, they don't pay for the licenses) but it's the full-fledged Google Apps that normally costs $50/user/year. It's effectively the same as the enterprise version.

          • Re:3 Days Turnaround (Score:4, Interesting)

            by Anonymous Coward on Monday September 21, 2009 @10:51AM (#29491461)

            Is this still the gmail that you don't pay for btw?

            Actually, having worked for a "university" who outsourced e-mail services to Google, it's not free. Not at all.

          • by belg4mit (152620)

            Is this still the gmail that you don't pay for btw?

            No, it's the education edition of Google Apps. They've been offering it for a while now to colleges and universities.

        • Friday: School got 1 or 2 emails from students
          Saturday: Google got email from School. They sent an email to all 200 students asking who was affected
          Sunday: I only assume they were waiting on replies.
          Mon: Ditto.. Prolly working out what it is.
          Tuesday: Problem fixed early in the morning. Only 22 accounts were affected. Of those accounts they couldn't see everyone's email, all of some accounts or just a few emails that weren't theirs.

          If this weren't a free service I'd definitely raise hell, I don't think I'd
          • Re: (Score:2, Interesting)

            by Uber Banker (655221)

            If this weren't a free service I'd definitely raise hell..

            Are these students not paying fees, and (were it to occur in most other countries) taxpayers paying also?

        • It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

          That was my thinking too, but TFA says that the students notified their admin on the Friday, who notified Google on the Saturday, who fixed it on the Tuesday. It's not clear - bad writing - but they may have suspended the service on the Monday.

          That was my assumption too. And actually, that's not too bad... If they shut down the accounts on Monday morning, that's as prompt as it gets. To my knowledge, Google email support doesn't work on Sundays.

          • Re: (Score:3, Insightful)

            by dave562 (969951)

            To my knowledge, Google email support doesn't work on Sundays.

            For Google's sake I hope that is conjecture on your part and not the reality of the situation. Any organization that is touting their software as "enterprise ready" better have tech support there and ready to take care of problems 24x7x365 for organizations willing to pay for it.

    • Re:3 Days Turnaround (Score:5, Informative)

      by Anonymous Coward on Monday September 21, 2009 @08:18AM (#29489583)

      Well, I'm the guy at Brown who actually does the part of the migration that switches over internal email to Google (though others are involved), and I can tell you that we knew about a few almost immediately, from student reports. Google was involved as soon as we found out, but it took them a little while to determine exactly what happened.

      Also, this wasn't as bad as it sounds. Students weren't receiving new mail meant for someone else, the problem was with the tool that migrated their old existing email from our Exchange system to their new Google email boxes. The 22 students got the contents of other students' -old- mail boxes, not new mail.

      It appears that Google upgraded their IMAP migration tool on the back-end, and there was a problem with the new version. Interesting thing about 'the cloud', all the tools available on it are upgraded without the end user being aware. Had there been a 'migrate user email boxes - updated today to version 1.1!' button instead of 'migrate user email boxes', I might have waited a few days to let Google shake-out the bugs.

      • by Bender0x7D1 (536254) on Monday September 21, 2009 @11:28AM (#29491909)

        No offense, but from a privacy perspective there is nothing "less bad" about seeing "just" the contents of old mailboxes.

        If I have nude photos, love letters, an email from porn-porn-porn.com, or just something I don't want someone else to read in my old mailboxes, how is someone else being able to see them not horribly bad even if they are over 90 days, (or whatever), old?

    • by sukotto (122876) on Monday September 21, 2009 @08:47AM (#29489863)

      Also, have they already arrested/suspended/expelled the students that reported the problem?

  • I bet most of us could read everyone else's email at school...
    • by julesh (229690) on Monday September 21, 2009 @05:45AM (#29488931)

      I bet most of us could read everyone else's email at school...

      Not convinced. Mine used Solaris's default maildrop security, which is pretty effective, and I think was fairly standard practice until recently.

    • Re: (Score:3, Interesting)

      by mcgrew (92797) *

      Gmail must not be very secure, and their reaction to glitches makes me want to stay away from it. I had a Gmail account, one day it wouldn't let me log on, saying it had been used for "improper purposes", odd since I'd only used it to email friends, never forwarding anything or sending a mail to more than one person at a time. One of the questions it asked was "do you think your account was compromised"? I probably should have said yes, because they took the account away. No big deal, they're no better or wo

    • by ryen (684684)
      My school, UIC, used AIX Unix with its own mail setup (no Exchange) when I was there. The admins never had problems like this (I know them personally).
  • by The Ancients (626689) on Monday September 21, 2009 @04:51AM (#29488747) Homepage

    ...social networking.

    Taking it to a new level, no joining or other conscious actions required to share everything about your life.

  • by Anonymous Coward

    So that's the use of that button!

  • by GradiusCVK (1017360) <(originalcvk) (at) (gmail.com)> on Monday September 21, 2009 @04:56AM (#29488761)

    We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.'

    Look, I think we can all agree that if there were some major security breach like this for which we were responsible and we sat around for 3 days before doing anything, then unilaterally suspended a bunch of accounts before finally fixing the problem, we'd be fired.

    On the other hand, if I were the head of IT at some place and we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence, it'd be really easy to say, "That's just how tech is, it's hard to do right even for Google, get used to it. Oh, and while you're looking for ways to prevent such a 'catastrophe' from ever happening again, consider boosting the IT budget, will ya?"

    I'll bet that IT manager is pretty happy right now, student complaints aside.

    • by JasterBobaMereel (1102861) on Monday September 21, 2009 @05:08AM (#29488791)

      The current IT guy is laughing .... it is out of his hands and he cannot do anything about it and everyone knows this ...the person who outsourced it to Google however .....!

      • by drinkypoo (153816)

        More and more of this is coming. At my local community college they are actually postponing the meeting in which they were supposed to explain what positions are being cut, and which are being cut back, to almost immediately before the new budget comes in, so that they can avoid static with the union; they're just not going to tell them. Begging for a strike? Probably won't happen anyway in this economy, right? Let's see how far we can push. They have already outsourced router configuration, which is pretty

        • by dada21 (163177)

          He didn't lose his job, he became less efficient than someone or something else at it.

          The unions definitely ruin the efficiency of the division of labor in the world. It is the division of labor that makes us wealthier by saving us time and money. PCs, phones, iPods, TVs, even clothes and food have a tendency to get cheaper because new competitors enter a market and do things faster/cheaper/better.

          I hope IT continually gets cheaper -- it means cheaper infrastructure and support for the 99% of the world th

          • Re: (Score:3, Insightful)

            by drinkypoo (153816)

            He didn't lose his job, he became less efficient than someone or something else at it.

            False. Everything the college has outsourced so far has become a problem. Not having someone onsite will be a bigger one. They are actually settling for less service because they are out of money (in this case, mostly because the administrators get paid very, very well.)

    • by Scutter (18425)

      Oh, and while you're looking for ways to prevent such a 'catastrophe' from ever happening again, consider boosting the IT budget, will ya?"

      [BigBoss] It only affected students and not my e-mail so it's not a problem. No budget increase for you. NOT YOURS.[/BigBoss]

    • by martinX (672498) on Monday September 21, 2009 @08:02AM (#29489477)

      we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence,

      Does Google actually have a reputation for excellence? Apart from their search engine and maybe Google Maps, is anything they make "excellent"? Does anything excel; is anything groundbreaking and complete in utility and quality? I remember when a lot of their releases stayed in extended-Beta, which is code for "it's free, it's out there so use it at your own peril". I find a lot of their stuff nifty, and I think they head in interesting new directions, but they seem to be always short of excellence. Personally I think that they have gained years worth of kudos - and, by extension, a reputation for excellence - by creating a great search engine (not to mention the big plus of not being Microsoft) and are spending it.

      • by KnownIssues (1612961) on Monday September 21, 2009 @10:33AM (#29491199)

        Apart from their search engine and maybe Google Maps, is anything they make "excellent"?

        I have to say, I'm really glad to hear someone share this opinion. I've been a long time "fanboy" of Google, seldom questioning any of their choices (while finding all manner of things to be critical of with Microsoft, Apple, and *nix/open-source). On reflexion after reading this, I've come to realize something: Google is what would result from my IQ being doubled and a thousand clones made from me. They find some problem-space, develop something with really cool potential, get bored when it comes to refining the product and making it viable, then find some shiny new problem to work on. It's like they're grad students getting paid by a commercial entity to do research.

        • (while finding all manner of things to be critical of with Microsoft, Apple, and *nix/open-source)

          Don't sweat it, that's just the usual slashdot compartmentalization going on. When it comes to Google, anything they do in relation to MS or Apple is a good thing, anything else they do with privacy, it is a bad thing. Never mind that Google's "rejected" voice app substitutes itself for the native one that comes with the iPhone, and thus could almost be considered malware for the iPhone and by admitting it to

  • They must be kidding (Score:5, Informative)

    by trifish (826353) on Monday September 21, 2009 @05:46AM (#29488937)

    While the glitch itself was minor and was fixed in a few days

    Pardon my ignorance, the glitch was minor?

    What?

    The fact that emails contain back-mailed passwords to many kinds of online services, including those involving payments (which is stupid practice, but the online service providers do it anyway, they send you the password when you sign up)...

    The fact that I can reset your password to any third-party online service account where I know that you use it and that you associated it with this email account...

    Still minor glitch? Reading others emails? Really? I or TFA must be missing something.

    • by Anarchduke (1551707) on Monday September 21, 2009 @06:50AM (#29489161)
      Small glitch, as in 22 out of 200 students affected on a data migration to Google's free service.

      The glitch itself wasn't fixed for three days, true. However, the glitch occurred on Friday, and the CIS department notified Google of the issue Saturday. Prior to the fix on Tuesday, Google had disabled the accounts. The article also states that during this 24 to 48 hour window before Google shut down the accounts, the CIS had sent out emails to the students and waited for their replies. I don't know how fast you expect students to reply to an email sent out over the weekend, but I am guessing that those emails didn't get back to the CIS department immediately. Let's give it 12 hours.

      So, a free service responds to your problem and disables the accounts within 24 to 36 hours, then fixes the problem 18 - 36 hours later. All the while this same service is responding to similar glitches at ten other institutions, with no word on how large those universities were.

      Overall, I'd say that is a pretty fair turnaround, all things considered.


      By the way, the author of the article, Sarah Perez [sarahintampa.com], seems like a fairly Microsoft-centric person, considering her personal website. So the guess by miffo [slashdot.org] doesn't seem that far off.

      Consider the article itself

      Friday, September 11th, a couple of students notified Brown's Computing and Information Services department (CIS) that they were able to read emails belonging to other students. The CIS department contacted Google on the following day and sent out an email to the 200 students whose mailboxes were in transition

      then she says:

      That means that the students had access to each other's email accounts for three solid days (Saturday, Sunday, Monday) as well as parts of Friday and Tuesday before the accounts were suspended by Google

      The author includes "parts of Friday" even though she had made it clear Google wasn't notified until Saturday. I mean, my God, Google didn't even bother to go back in time to before they were notified!!!

      • Re: (Score:3, Informative)

        by agiduda (861184)

        By the way, the author of the article, Sarah Perez [sarahintampa.com], seems like a fairly Microsoft-centric person, considering her personal website.

        Understatement, she is a contract worker at Microsoft and has what reads to me as a very defensive disclaimer on her site. Her neutrality is questionable.

    • Re: (Score:3, Insightful)

      Who the hell uses their college e-mail account for anything important unless you're part of the staff? When I was in school I just forwarded my university address to my home account.

    • Please don't use services that actually mail passwords to you.

      I've had it happen too, when I've forgotten my password, that a website just sends it to me -- and I immediately E-mail them about how stupid and insecure it is and beg them to implement a mandatory password changing page link instead.

      Being able to retrieve the password is completely unnecessary and potentially exposes one of your well-used passwords to others.

      Even assuming you reset all of a co-student's website passwords using this glitch, they

      • I'd like to know the difference between a site emailing you the new password and the site emailing you a link to reset your password (in both cases assuming you have forgotten the original one). In either case if someone intercepts the email they can achieve the same effect. I suppose that a reset link at least gives you a chance that you'll be there before an eavesdropper and the link is one use?

        Or are you explicitly talking about the site emailing your existing password, which means they are storing it in
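
The difference asked about in the two comments above, sketched as an added example that is not part of the original thread: an e-mailed reset link can be single-use and short-lived, so a copy left in an old mailbox is dead, whereas an e-mailed password stays valid until changed. `ResetStore`, its method names and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the thread names no value


def _digest(token):
    # Only a hash of the token is kept server-side, so a leaked table
    # does not hand out working reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    """In-memory stand-in for a site's account table (hypothetical)."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (user, expires_at)
        self.passwords = {}  # user -> (salt, derived key), never plaintext

    def issue(self, user, now=None):
        """Return the token that would be e-mailed inside the reset link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (user, now + RESET_TTL_SECONDS)
        return token

    def redeem(self, token, new_password, now=None):
        """Set a new password if the token is known, unexpired and unused."""
        now = time.time() if now is None else now
        # pop() removes the entry on first use, which makes it single-use.
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return False
        user, expires_at = entry
        if now > expires_at:
            return False
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.passwords[user] = (salt, key)
        return True


def replay_from_copied_mailbox():
    """Constructed scenario: the owner uses the link, then a stale copy
    of the same e-mail is tried again from another mailbox."""
    store = ResetStore()
    token = store.issue("alice", now=0)
    owner_ok = store.redeem(token, "owner-choice", now=60)
    replay_ok = store.redeem(token, "other-choice", now=120)
    return owner_ok, replay_ok


if __name__ == "__main__":
    print(replay_from_copied_mailbox())
```

This only covers stale copies of old mail, which is what the migration exposed; live access to an inbox still allows a fresh reset to be requested, as noted earlier in the thread.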

  • "While the glitch itself was minor and was fixed in a few days"

    That's not exactly what I would call a MINOR breach.

  • Legal issues? (Score:3, Informative)

    by Max Romantschuk (132276) <max@romantschuk.fi> on Monday September 21, 2009 @06:35AM (#29489109) Homepage

    In Finland reading someone else's mail, of electronic or snail variety, is illegal. What about other legislations? This sounds like something that would be taken rather seriously here.

    (Actually, due to how seriously this is taken a recent law has (unfortunately) been put in place, to explicitly allow employers to read employees' work mail. Google "lex Nokia" for more info.)

  • probably because his neck is on the line, and he's trying to save face with management. Oops.
    • Re: (Score:3, Insightful)

      The article does not give many details on what their email system was before they sold their soul to Google. It may very well have been (or perceived to have been) worse, and this is an improvement in the eyes of upper management.
      • Re: (Score:3, Interesting)

        by glyneth (47975)

        This will make me unable to moderate, but what the hell?

        Brown had a unix based backend for years. A few years back, they got a new IT head, who insisted on off-the-shelf packages for everything. So out went postoffice, and in came Exchange. It's been running Exchange since then, and yes, untold numbers of problems (though nothing like this). We're not even on the most recent version of Exchange, which will make my office's future transition to Snow Leopard problematic since afaik the native Mail interoperab

  • However, the real issue that concerned the university was the matter of communication between Google and the CIS department. Before fixing the issue on Tuesday, Google suspended the affected accounts, a necessary step that was taken so no more data was improperly shared. What angered the IT director, though, was that the accounts were suspended without first notifying CIS.

    Translation: We sent you an email communicating the issue at hand. However, we had to disable your email account so nobody else could accidentally view it.

    "I've spoken very forcefully with the account (executive), my boss, senior administrators at Brown -- including the president. (Google needs) to find a better way to communicate with us," said Tom.

    Translation: We told them to stop or else we'll say stop again.

  • in this case. it seems in my experience more and more that most companies do not care how long the outage is or what caused it, or how poorly the service performs so long as the price is rock bottom and they avoid the IT department asking for more cash each year.
    this is a self correcting problem as more industries move into a greater reliance on computers. you can't just make IT another blindly outsourced number at the end of the day, and the decision can't come from a group of boardmembers who think gmai
  • Clouds are translucent.
