Does Google's New Policy Really Protect Student Privacy in the Cloud?

February 28, 2012

At an increasing number of colleges nationwide, the traditional model for student e-mail services, featuring on-campus data centers and clunky user interfaces, is out. In its place, educational institutions are gravitating toward "cloud-based" e-mail offerings that are less expensive to implement, more user-friendly, and more feature-rich than conventional services. In one example, students using Google Apps for Education can send correspondence to professors, chat with their friends, share and collaborate on projects and presentations, and even organize student groups, all via a single set of online services.

Trusting the judgment of their institutions, most students and faculty assume that their cloud-based e-mail and related online services are secure, and that information shared in those forums is safe. Unfortunately, recent events have raised serious questions about the privacy protections that some cloud-based companies are actually providing to educational institutions. Until such questions are resolved, something as seemingly familiar as e-mail could become a major new headache for administrators.


In January, Google announced changes to its privacy policy, effective on March 1. The company's new privacy settings give Google contractual permission to gather and collate information about the activities of individual users across all of its services, a change Google says will create a more "simple and intuitive experience" for its users. Formerly, Google already shared information across a number of its services, but the recent change expands these capabilities to include YouTube and others that were previously exempt.

When consumers sign up for Google services, they knowingly agree to an expansive set of terms and conditions that gives the company broad discretion to use their online information for secondary purposes, such as serving targeted advertisements. This recent change could mean even less privacy for the personal information users maintain online.

Google has said that the changes in its consumer-privacy policy will not affect the services it offers to businesses, the government, and educational institutions. According to its vice president of enterprise, Amit Singh, the company "will maintain our enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain. The new Privacy Policy does not change our contractual agreements, which have always superseded Google’s Privacy Policy for enterprise customers." This statement implies that users of Google Apps for Education, for example, will be shielded from the changes by their existing contracts. The problem is that the privacy rights afforded to educational institutions through existing contracts are often hard to distinguish from the terms and conditions offered to regular consumers.

This is true even at major universities, which generally have the financial leverage to negotiate stronger protections for their communities. In explaining its decision to transfer its e-mail services to Google Apps, the University of Maryland omitted any reference to having successfully negotiated, in its contract provisions, a privacy policy that would preclude Google from aggregating and utilizing student information for its own ends. Harvard University's home site for its Google Apps for Education service refers viewers to Google's basic terms and conditions and further claims that the university has "no authority to enforce these standards." At face value, it would seem that the end users at these universities are subject to Google's recent privacy policy changes, just like everyday consumers.

Though some universities, including Harvard, actively discourage students from using their student accounts to transmit personally identifiable or confidential information, students can and do transmit such information on a regular basis. Professors routinely notify students of their grades on individual assignments via e-mail, and students may receive preliminary notice of disciplinary measures via their accounts. University administrators should demand transparency into provider data-mining practices, whether Google's or another company's, and inspect how providers make user data anonymous; how student data and metadata are used; and how long providers maintain records of individuals' searches.

For colleges using Google Apps for Education, the answers to these questions matter. Without additional contractual stipulations, university and college-based users may find themselves just as vulnerable as the average consumer. The traditional e-mail model may be a dying breed within academe, but administrators should evaluate whether any cloud-based e-mail system that applies these policies is truly a fit with privacy protections befitting users at institutions of higher education.

Andrew Weis is managing director of the Civitas Group, a consulting firm whose expertise includes cybersecurity.