dslreports logo
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
2597
share rss forum feed

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4

WTF are Canadian universities thinking???

@OpenMedia
@Toronto Star
@Michael Geist
@CIPPIC
@CitizenLab
@Privacy Commissioners
@Globe & Mail
@Provincial Premiers

I guess I'm late to the party, but I today found out that a number of Canadian universities have outsourced some/all of their e-mail & other infrastructure to Google. In particular, Gmail, Calendar, Contacts, Drive and Google Mobile.

The universities include:
University of Ottawa,
University of Toronto,
University of Guelph
Wilfrid Laurier University,
McMaster University,
Ryerson University,
University of Windsor,
and several other Canadian universities.

These universities tout the 'contractual' security & privacy arrangements they have with Google over student, faculty, researcher, and staff data/e-mail. Yet all of this is hosted by Google in the US, which we know is subject to the Patriot Act, and the capricious actions of the FISA court and their National Security letters.

The delivery of a NSL letter to Google for ANY or ALL the data belonging to a Canadian university, its staff, students (some of whom would be minors under the law and cannot therefore provide informed consent to pretty much anything), researchers, & staff, would NEVER be known to the Canadian institution. All manner of industrial espionage could be conducted by the US at Canadian taxpayer expense, as it appears that Google holds the encryption keys, and not the Canadian universities.

According to the Privacy Commissioner, there is no prohibition on universities doing this sort of deal with Google - storing Canadian taxpayer funded research & information in the US; storing personally identifying information in the US; storing academic information in the US.

WTF are the universities thinking????

It's one thing for you or I to be a stupid ass and use Gmail (hosted wherever in the US), Sympatico.ca (hosted in Chicago), Rogers.com (hosted in Sunnyvale), or any Apple e-mail, but it's an entirely different thing when Canadian taxpayer-funded institutions think that a signed 'contract' with Google protects anything personal, private, or breakthough research and its accompanying commercial possibilities from the gaping maw of the NSA and the US government.

NSA: Google, here's a NSL for ALL University of Toronto's medical, pharmacological, biomedical, engineering research information and the correspondence associated thereto. And include all the budding little terrorist students , ie. everyone while you're at it.
Google: How soon would you like it?
NSA: Yesterday. And remember - don't tell anyone we asked.

-------------

Example............

By September 2014, all University of Guelph undergrad students will have their current Gryph
Mail email accounts migrated to Google Apps. This will provide you with larger storage quotas
(30 GB), improved smartphone compatibility and additional collaboration tools.

Once migrated, your email address will be different and will look like:
username@tbd.uoguelph.ca. We want your input on what the "tbd" in the domain name should be. We worked with U of G student leaders to come up with a list of options and now we need you to pick the best choice! Please click on this short survey:
»surveys.ccs.uoguelph.ca/limeSurv ··· php?sid=[redacted]&lang=en and vote on your favourite option.

To learn more about the project, please visit: »www.uoguelph.ca/ccs/projects/gma ··· ts/gmail.

HeadSpinning
MNSi Internet

join:2005-05-29
Windsor, ON
kudos:6
Short answer: They aren't thinking.


Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1
reply to MaynardKrebs
I bet you a looney that having Google host everything is significantly cheaper than running / supporting your own exchange / app server?


donoreo
Premium
join:2002-05-30
North York, ON
said by Mike:

I bet you a looney that having Google host everything is significantly cheaper than running / supporting your own exchange / app server?

It is. That is why companies do it as well. I know for sure that a large well known Canadian company uses it.


blueeyesm

join:2003-09-05
Waterloo, ON
reply to Mike
Ding!Ding!Ding! We have a winner.

Some universities also have agreements with Google with regards to data privacy.


OSUGoose

join:2007-12-27
Columbus, OH
reply to Mike
Yep


OSUGoose

join:2007-12-27
Columbus, OH
reply to donoreo
RIM? lol

Sorry couldn't resist.

HeadSpinning
MNSi Internet

join:2005-05-29
Windsor, ON
kudos:6
reply to Mike
said by Mike:

I bet you a looney that having Google host everything is significantly cheaper than running / supporting your own exchange / app server?

Makes one how much the NSA pays Google make sure their services are attractive to foreign entities like universities, corporations etc...
--
MNSi Internet - »www.mnsi.net


elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2
reply to donoreo
We're moving to Office 365 and eventually VDI , so instead of PC's we'll be using thin clients.
--
My Name is Wiley E Coyote, Super Genius

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
said by elwoodblues:

We're moving to Office 365 and eventually VDI , so instead of PC's we'll be using thin clients.

Yes, but your employer IS a US-based company, so they'd have to cough up ANYTHING the US demanded of it - even on Canadians, even if the data was held in Canada.

Since when is it ethically correct for a publicly-funded Canadian university to serve up Canadian student & academic information to the NSA via Google?

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
reply to HeadSpinning
said by HeadSpinning:

said by Mike:

I bet you a looney that having Google host everything is significantly cheaper than running / supporting your own exchange / app server?

Makes one how much the NSA pays Google make sure their services are attractive to foreign entities like universities, corporations etc...

I wonder how much the NSA 'contributed' towards Microsoft's purchase of Skype. Since Microsoft bought Skype, the service has been re-architected from peer-to-peer to more client-server, with the servers located in the US, and the encryption keys held by Microsoft. Convenient, n'est pas?

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
reply to Mike
said by Mike:

I bet you a looney that having Google host everything is significantly cheaper than running / supporting your own exchange / app server?

Fifty Canadian universities could fund a Canadian hosted & routed service used by all of those institutions. It might not be as cheap as using Google, but then there's that old saying that goes something like this......

They who would give up essential Liberty, to purchase services a little cheaper, deserve neither Liberty nor Cost Savings.


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
reply to MaynardKrebs
Having used in-house university mail systems, Google Apps is an immensely better solution. I don't see government security being a concern, because CSEC is going to give everything to the NSA anyhow (and even if they don't, a lot of Canadian traffic travels through the US), so having stuff hosted domestically doesn't matter.

If Google is offering a better solution at a better price, the universities are doing the right thing by going with Google Apps.
--
Latest version of CapSavvy systray usage checker: »CapSavvy v4.2 released!


TLS2000
Crazy Canuck
Premium
join:2004-02-24
Mississauga, ON
reply to MaynardKrebs
Humber College is using Google's email services for their @humbermail.com addresses as well.
--
Tom


AMailer
Aaron DM

join:2004-04-03
reply to MaynardKrebs
I am so glad that they are doing this. The in-house email services were just garbage (web interfaces were stuck in the early 2000s).

I wish however UofT went with Google instead of Microsoft.

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
reply to Guspaz
said by Guspaz:

I don't see government security being a concern, because CSEC is going to give everything to the NSA anyhow.

Not if it's hosted in Canada.

and even if they don't, a lot of Canadian traffic travels through the US), so having stuff hosted domestically doesn't matter

Not if it's routed in Canada.

Hypothetically, what if a professor (or grad student's) research is stored on Google and is scarfed up before it's patented and instead handed to a US company to patent, what loss is it to Canada?

What do you figure the patent to the next insulin is worth? Or the next viagra? As an example, Tagamet (a heartburn/anti-ulcer treatment) made the company that invented it billions of dollars over its patent period from the early 1980's onwards.

For years the US complained bitterly about the DGSE of France doing EXACTLY sort of thing in terms of industrial espionage on US companies and universities. Only back then it was not done electronically. Today it's MUCH easier to steal the work of taxpayer-funded research than ever before, and that is being done by State actors like the NSA.

We bitch and moan as a country about job losses & brain drain. Why hand our stuff on a silver platter to the US - just to save $100k per year?

InvalidError

join:2008-02-03
kudos:5
said by MaynardKrebs:

Hypothetically, what if a professor (or grad student's) research is stored on Google and is scarfed up before it's patented and instead handed to a US company to patent, what loss is it to Canada?

Mail servers are public shared systems open to attacks, mail left on servers are usually stored in plain text or have readily accessible encryption/decryption keys for local storage encryption, server admins or any technical staff who manage the databases, disk arrays, wembail software, etc. can potentially come across mail content by accident so email through mail servers should be treated as public/non-secret.

If you are genuinely concerned with the security of your email contents, you should be using encryption to make interception useless on its own.
Expand your moderator at work

coryw

join:2013-12-22
Flagstaff, AZ
Reviews:
·CenturyLink
reply to MaynardKrebs

Re: WTF are Canadian universities thinking???

This is pretty common in American universities too. At my particular institution, the federal privacy laws for student data have become a bigger issue in just the past few years, but of everything we've got, entrusting the student's communications to Google is relatively low on our radar. Even several years ago when the process began, it was reasonably clear that Google was doing to treat the data of active students with a fair amount of respect.

The other thing to notice is that, especially in the quoted message from Guelph, the university isn't putting everything on Google. A lot of the more critical information (directory information, contact information) is NEVER going to be fed to Google. Often, google will get a user name and a shibboleth ticket from the school's authentication servers. The school's on-campus servers will coordinate labeling message with a friendly name and deciding whether user@institution.edu belongs to user@google.institution.edu or user@exchange.institution.edu

In this type of case, research data (regardless of the funding) typically stays on campus-hosted machines. At my particular institution, student employees doing work for the school get an internal-only employee account and are granted access to shared mailboxes for things like ParticularResearchLab@institution.edu or CertainDepartmentTeam@institution.edu so that their work and their study never need to cross-over. (Ideally, of course humans are involved so you can imagine how that goes.)

In addition, although Google is a US company, who knows how much of the data would ever even touch US servers. Google might not even know, they have server farms all over the world and they do a very good job of distributing everything. If it's possible to control where things are duplicated to, then it's possible that a government or educational institution can choose to have their data either stored in a certain location, or away from it. I am not privy to that particular kind of detail of the contract.

Privacy and nationalism issues aside, at least at the American universities where it's deployed, Google Apps for Education is almost universally loved. In fact, at my institution, we run a dual deployment where the students get GAE and faculty and staff have Exchange, Lync, SharePoint, Windows-based file servers, and a UNIX file server and shell box for that type of work, and many departments require their employees sign up for GAE accounts in order to do things like work on Google Docs. The unfortunate thing here is that to my knowledge, Google doesn't quite have permissions and delegation down the way Microsoft does, because there's not really a notion of organizational ownership of a particular resource, and as such, departments or teams/groups parting ways with a member have experienced problems separating their Google-based resources with a former team member.

I think once Google figures that out, there's not really going to be any way to stop them. (Not that there is even now.)

And, in terms of security agencies, is it any different if it's American ones looking in or if it's Canadian ones? (Heck, in a situation like that, I suspect most of the world's security agencies have contacts within Google/Apple/Microsoft/every-ISP/Yahoo/et al for information requests anyway.) E-mail is transmitted over the wires in clear text anyway, and because of where the Canadian population is physically located, it makes sense that some amount of their network traffic would have a pretty good chance of spilling over into the US.

Probably the best way to have totally secure and private e-mail is either to a) not have e-mail b) have internal-only e-mail set up on something like Microsoft Exchange (which encrypts everything going from clients to the server) without in/out settings configured, so the users can only e-mail one-another. Also disable OWA just for good measure, and IMAP and POP/SMTP.


lookabird

@start.ca
reply to MaynardKrebs
UofT switched its student mail to outlook, which is terribly implemented in basically every aspect. That's not to say the in house system before that wasn't equally as bad, if not worse.

but... Google IIRC was one of the most transparent companies when it comes to this government surveillance nonsense.

but... while cost was cited as the major factor, its really admins being lazy. If the university really cared about cost, it'd stop paying $40 bucks for a union light bulb change, stop paying ridiculous sums to lazy and incompetent admins and switch to automated administrative systems.


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
said by lookabird :

UofT switched its student mail to outlook, which is terribly implemented in basically every aspect. That's not to say the in house system before that wasn't equally as bad, if not worse.

Can you elaborate on how it was terribly implemented?

I'm interested to know how anyone with any insight into the old system wouldn't agree that everything is better.


Brodey

@start.ca
reply to MaynardKrebs
This is simply not true.

The services are hosted in Canada. Algonquin went with Microsoft...also hosted in Canada.


lookabird

@start.ca
reply to urbanriot
said by urbanriot:

Can you elaborate on how it was terribly implemented?

I'm interested to know how anyone with any insight into the old system wouldn't agree that everything is better.

The old mail system wasn't pretty, but it worked... Nightmares with the @mail.utoronto.ca domain include but is not limited to...

-Automatic sorting is wacky
-Kept on marking read emails unread
-Email from a lot of ppl (including known contacts) are going straight to spam
-Calendar loses information randomly
-Mobile sync issue/ push mail problems
-Problem with outlook desktop client (ironically)
-Forwarding doesn't work all the time
-Trash doesn't actually delete, it just stays there
-Cannot cancel the account, and wont give me a new one...
Best of all, UT tech guys have no idea why its so F'd up and can't help me. Thought it was just my computer, but it does the same shit at Robarts library...

Verdict... Outlook based UTMail+ is a PoS!

It was such a pain in the ass that I went back to the old @utoronto.ca email, I was so glad they let me keep that old one.

yyzlhr

join:2012-09-03
Scarborough, ON
kudos:4
reply to MaynardKrebs
Since when did University of Toronto use google? They used their own in house system, then migrated to Outlook Web App, and now they're using Office 365. Also most universities are looking to provide more services, then what they can develop in house. If they're not using Google, they will very likely migrate to Office 365. Microsoft has done a lot with their 365 product to try and court academic institutions. I would assume the Microsoft would be prone to the same concerns as Google.


Gone
Premium
join:2011-01-24
Fort Erie, ON
kudos:4
reply to HeadSpinning
said by HeadSpinning:

Short answer: They aren't thinking.

Does anyone here honestly think it makes any difference, anyway?


Gone
Premium
join:2011-01-24
Fort Erie, ON
kudos:4
reply to MaynardKrebs
said by MaynardKrebs:

Not if it's hosted in Canada.

You are incredibly naive if that's what you think.


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23

1 recommendation

I was going to say. If it's in Canada, either the NSA (or someone else) has compromised it, or a domestic agency is tapping it. To assume otherwise is naive. These are the people who completely compromised the entire TLS/HTTPS system, after all. If they want to read your e-mail, nothing is going to stop them.
--
Latest version of CapSavvy systray usage checker: »CapSavvy v4.2 released!


Gone
Premium
join:2011-01-24
Fort Erie, ON
kudos:4

1 recommendation

Exactly. The CSE and NSA are in complete cahoots with one another. To assume anything otherwise is so naive it's outright laughable.


neochu

join:2008-12-12
Windsor, ON
said by Gone:

Exactly. The CSE and NSA are in complete cahoots with one another. To assume anything otherwise is so naive it's outright laughable.

Anything with a wire connected to it can be spied upon by 'the powers that be'.

Including those wishing to enact a North American Union controlled by Washington DC through the use of clandestine economic warfare and undermining of Canadian sovereignty.

If you enjoy the trip given to you by massive doses of Risperdal, Zyprexa, and Seroquel in a straight jacket. Never put your "world saving research" on a computer at all.

They will get it and steal it from you anyways. :P

You could also encode it like the alchemists did to save themselves from being burned at the stake too.


battleop

join:2005-09-28
00000
reply to elwoodblues
If you are in IT for your company your life will be so much easier by doing this.