Security Privacy Ownership with Google Apps for Education


Mark O'Connell

May 12, 2013, 3:44:59 AM
to iapop-online-learning-an...@googlegroups.com
Dear all...
It would probably take a lawyer to advise us of the security and ownership issues of Google Apps for Education. And maybe more than any other issue it would be worth spending some money on that... But I have read through the privacy policy and am happy the data is ours, and that's a firm commitment from Google. Also Google Apps has many security features beyond average, which you can turn on and off in the control panel.

I've pasted some FAQs below. What we should do next...?

Mark


Security and privacy overview
Two of the most common topics of questions regarding Google in general, and Google Apps specifically, are security and privacy. We take both topics very seriously and truly believe that our offerings are a great option for customers on both fronts. Our business is built on our users' trust: trust in our ability to properly secure their data and our commitment to respect the privacy of the information they place in our systems by not giving that information to others or using it inappropriately.
In order to help answer some of the many questions we receive and to dispel some common misconceptions we encounter, we have created this FAQ and a corresponding Google Apps security site. We hope this helps to answer some of your questions about Google's position on these important issues!
If you need to report an abuse issue, learn more about reporting abuse issues to our team.
Privacy
Who owns the data that organizations put into Google Apps?
To put it simply, Google does not own your data. We do not take a position on whether the data belongs to the institution signing up for Apps, or the individual user (that's between the two of you), but we know it doesn't belong to us!
The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.
We won't share your data with others except as noted in our Privacy Policy.
We keep your data as long as you require us to keep it.
Finally, you should be able to take your data with you if you choose to use external services in conjunction with Google Apps or stop using our services altogether.
When can Google employees access my account?
Google may only access data in your account in strict compliance with our Privacy Policy and your Customer Agreement. For purposes of providing technical support, an administrator from your domain may choose to grant the Google Support team permission to access accounts in order to resolve a specified issue.
Which of my users can gain access to my Google Apps administrative account?
Which of my end-users can gain access to other end-users' accounts?
Per your domain’s Customer Agreement, Google Apps administrators for a domain can access all end-user accounts and the associated data, as described in our Privacy Policy.
As a domain administrator, you have control of all user names and passwords within your domain. You may access your users' accounts in conformity with the Customer Agreement. We do require that you have a policy about such actions that is published to your end-users.
Does Google give third parties access to my organization's data?
Google may only share information with third parties in conformity with our Privacy Policy and your Customer Agreement. Google does not share or reveal private user content such as email or personal information with third parties except as required by law (see the Google Transparency Report), on request by a user or system administrator, or to protect our systems. These exceptions include requests by users that Google's support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of Google, its users and the public.
For full details, please refer to the "Information Sharing" section of our Privacy Policy.
What kind of scanning/indexing of user data is done?
In order to provide some of the core features in Google Apps products, our automated systems will scan and index some user data. For example:
Email is scanned so we can perform spam filtering and virus detection.
Priority Inbox, a Gmail feature, scans email messages to identify which messages are considered important and which are considered not important.
If you are using Google Apps (free edition), email is scanned so we can display contextually relevant advertising in some circumstances. Note that there is no ad-related scanning or processing in Google Apps for Education or Business with ads disabled.
Some user data, such as documents and email messages, are scanned and indexed so your users can privately search for information in their own Google Apps accounts.
In other words, we scan or index user content in Google Apps in order to provide features that will directly benefit users, or to help us maintain the safety and security of our systems. Google Apps data is not part of the general google.com index, except when your users choose to publish information publicly.
It's important to note that our scanning and indexing procedures are 100% automated and involve no human interaction. For complete information, see our detailed Privacy Policy, Privacy Principles, and our Google Apps Terms of Service (Google Apps, Google Apps for Business, Google Apps for Education).
How long does Google keep my organization's data?
We believe that you should have control over your data. Google maintains multiple backup copies of users' content so that we can recover data and restore accounts in case of errors or system failure. When you ask us to delete messages and content, we make reasonable efforts to remove deleted information from our systems within a commercially reasonable amount of time. Learn more.
How does Google handle law enforcement requests?
How does Google process objectionably illegal content?
Is my organization compliant with the European Commission Directive on Data Protection if we use Google Apps?
Google adheres to the U.S. Safe Harbor Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Safe Harbor Program.
Generally, an organization must decide whether its use of Google Apps is compliant with any regulations it may be subject to.
Where can I find more information on Google's Privacy Policy?
Security
What does a Google Apps SSAE 16/ISAE 3402 Type II audit mean to me?
What does a Google Apps SAS70 Type II audit mean to me?
Where is my organization's data stored?
Is my organization's data safe from your other customers when it is running on the same servers?
Yes. Data is virtually protected as if it were on its own server. Unauthorized parties cannot access your data. Your competitors cannot access your data, and vice versa. In fact, all user accounts are protected via this virtual lock and key that ensures that one user cannot see another user's data. This is similar to how customer data is segmented in other shared infrastructures such as online banking applications.
Google Apps has received a satisfactory SSAE 16 and ISAE 3402 Type II audit. This means that an independent auditor has examined the controls protecting the data in Google Apps (including logical security, privacy, Data Center security, etc) and provided reasonable assurance that these controls are in place and operating effectively.
An administrator/end-user deleted a number of email messages, how can I recover them?
How do you protect your infrastructure against hackers and other threats?
How do you prevent and resolve security flaws in your applications?
How do you protect against machine failures or natural disaster?
Is it safe for my organization to access Google Apps over the internet?
Google Apps services provide the ability to access all data using HTTPS encrypted tunnels. Customers can choose to require this option for their users, which helps ensure that no one except the user has access to his or her data. This is true for access to Gmail, Calendar, and Chat, Drive and Sites data via our web applications. The mobile email client also uses encrypted access to ensure the privacy of communications. We do not offer encryption on the Start Page or Google Video service at this time. We also require encryption for access to your mail data by third-party email clients.
I'm being asked to sign in at a different page. Why?
How do you protect my organization against spam, viruses and phishing attacks?
Google has one of the best spam blockers in the business, and it's integrated into Google Apps. Spam is purged every 30 days. We have built in virus checking, and we enforce checking of documents before allowing a user to download any message. Most computer viruses are contained in executable files, so standard virus detectors scan messages for executable files that appear to be viruses. Google helps block viruses in the most direct possible way: by not allowing users to receive executable files (such as files ending in .exe) that could contain damaging executable code; even if they are sent in a compressed (.zip, .tar, .tgz, .taz, .z, .gz) format.
Google supplies Chrome™ and Firefox® users with constantly updated filters against phishing and malware.
By combining advanced algorithms with reports about misleading pages from a number of sources, Google downloads to your browser a list of information about sites that may engage in phishing or contain malicious software. Safe Browsing is often able to automatically warn you when you encounter a page that's trying to trick you into disclosing personal information.
Need to report abuse? Please see our Reporting Abuse Incidents page.
What is CAPTCHA?
How do I prevent spammers from spoofing my domain name?
Publishing your SPF records will secure your domain name from anyone attempting to spoof your domain.
SPF allows a domain owner to use a special format of DNS TXT records to specify which machines/hosts are authorized to transmit email for their domain, making it difficult to forge From: addresses.
We strongly encourage you to publish SPF records for your domain.
Need to report abuse? Please see our Reporting Abuse Incidents page.
How does Google respond to users in my domain who are sending spam?
Can my organization use our own authentication system to provide user access to Google Apps?
Does Google Apps offer SSL/TLS connectivity?
What is FISMA?
The Federal Information Security Management Act of 2002, or "FISMA", is a United States federal law pertaining to the information security of federal agencies' information systems. FISMA applies to all information systems used or operated by U.S. federal agencies -- or by contractors or other organizations on behalf of the government. Google Apps has received an authority to operate at the FISMA-Moderate level -- the standard level for Federal email systems -- from the U.S. federal government.
If you want to learn more about FISMA, there is a very thorough entry on Wikipedia.
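
The SPF record format described in the FAQ above, shown as an added example that is not part of the original post or of Google's FAQ: a small offline check of an SPF TXT record string that flags a missing or permissive `all` term and too many DNS-querying terms. The function name and the sample records are assumptions constructed for illustration; `_spf.google.com` is the include host Google documents for its mail service.

```python
import re

# Terms that cost one DNS query each during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def audit_spf(txt):
    """Return a list of findings for one SPF TXT record; empty means none found."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: it must start with v=spf1"]
    findings, lookups, all_result, has_redirect = [], 0, None, False
    for i, term in enumerate(terms[1:], start=1):
        # A term without an explicit qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_result = QUALIFIERS[qualifier]
            if i != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
    if all_result is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_result == "pass":
        findings.append("+all authorizes every host to send for the domain")
    elif all_result == "neutral":
        findings.append("?all makes no statement about unlisted senders")
    if lookups > 10:  # counts this record only, not lookups inside includes
        findings.append(f"{lookups} DNS-querying terms: over the limit of 10")
    return findings

# Constructed sample records (documentation address range, example.net names).
SAMPLES = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 ip4:192.0.2.0/24 +all",
    "v=spf1 mx a",
    "v=spf1 -all include:mail.example.net",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", audit_spf(record) or "no findings")
```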

Mark O'Connell

May 15, 2013, 1:56:08 AM
to iapop-online-learning-and-collaboration-platform
Dear all,

I look forward to hearing what you find out about Google Security Privacy and Ownership. Here's a snippet of what I'm finding...

Cloud computing companies use the SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. These auditing standards are defined by the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board (IAASB), respectively. These audit standards have replaced the SAS 70 Type II audit, which Google Apps first completed in 2008. In our audits, we specify the confidentiality, integrity and availability controls that our customers are most concerned about, which are then verified by our auditors. We recently announced that we’ve successfully completed the SSAE 16 and ISAE 3204 Type II audits for Google Apps, Postini services, Google Apps Script, Google Storage for Developers and Google App Engine.

Google Apps for Government has also received Federal Information Security Management Act (FISMA) certification from the U.S. Government. The FISMA certification includes a rigorous evaluation of the security processes and data protections in place in Google Apps for Government and is required by U.S. federal government customers, who must comply with FISMA by law. 

Third party audits are only part of the security and compliance benefits of Google Apps. For more information visit our Google Apps security page.


Mark



--
Mark O'Connell - Child Psychotherapist (Northern Guild UKCP HIPS) Process Oriented Psychologist - Team Leader Connect Service Suffolk
 
I practise Process Oriented Psychology founded and developed by Dr Arnold Mindell & colleagues. I specialise in process-oriented approaches to child & family work, as well as sustainable living. 