Google Apps, Email Privacy: Framework and Guidance

posted Apr 27, 2012, 4:11 AM by Raymond Muzic   [ updated May 8, 2012, 8:14 AM ]
During the March 21, 2012 FSCICT meeting we discussed email privacy and best practices. We specifically discussed the circumstances under which ITS would access a person's email account and the implications of Google's recent change in its privacy policy. Rather than seeking permission to publish the contract between CWRU and Google, we thought it would be better to present a non-legalese interpretation of the agreement. Peter Poulos (Office of General Counsel) and Tom Siu (Chief Information Security Officer) responded to this request with the following information. It was reviewed by FSCICT and now is (will be) made public to guide and inform the university community.

From: Tom Siu (CISO) and Peter Poulos (University Counsel)

There exist several general concepts regarding the interpretation of the privacy standards of our CWRU Google Apps for Education written agreement with Google.  This posting is the result of a consultation with Peter Poulos and Tom Siu with contributions from FSCICT.  It is presented in a FAQ format.

Q1: What is the overall stance on privacy and email for the University?
A:  The university addresses privacy in the IT realm under the Acceptable Use of Information Technology Resources (the AUP for short).  The AUP drives three high-level directives with respect to privacy:
  1. The University does not guarantee privacy
  2. Users are expected to maintain confidentiality of information and data where applicable, such as in the context of applicable laws
  3. Individual users are expected to respect the privacy and personal rights of others.
From the perspective of email, the university can monitor it under very limited, specific circumstances, but in general it is not actively monitored by university personnel.  The users consent to the monitoring provisions of the AUP every time they log into any CWRU resource, as indicated by the Logon Warning Banner (for an example see

Note that the terms are very employee-friendly compared to the corporate world, where auditing email is common.

Q2: What does the Google Apps Agreement say with regard to privacy of information?
A:  The Agreement, as a contract, states, in essence, that CWRU will not disclose any intellectual property of Google, and Google will not disclose any intellectual property of CWRU.  This means that Google takes reasonable steps to ensure the confidentiality of any information contained in, or associated with, email communications.  This also means that Google is not searching for juicy tidbits of our user email, or spam, or mailing lists, etc.  Similarly, CWRU will not disclose any of the features, limitations, or flaws we find in the Google Apps for Education product other than directly to Google.  Note there are public forums for these issues, and that is the optimal means to communicate with Google.  In two recent phishing incidents affecting CWRU users, it should be noted that Google was able to provide support for the general Google resources (a Google user created a phishing form), but they would not provide information from a Google Apps customer, where a different phishing form was found.

The recent Google Privacy Policy changes (March 1, 2012) apply to general Google users and do not affect Google Apps for Education users, such as CWRU.  Users of CWRU Google Apps have the means to change their personal privacy settings in their local CWRU accounts page, and to sign in to the Privacy Dashboard (you must be logged in to CWRU Google Apps to access these).

Q3:  If I delete data from Google Apps email, is it really gone?
A:  The answer is yes, after 30 days post deletion.  In the Google Apps webmail interface, a user deletes a message by placing it in the Trash folder.  The Trash folder is automatically purged every 30 days.  The user may also initiate an on-demand "empty" of the Trash folder.  New practices are being published regarding when to save or delete email messages, in accordance with the Email Retention Policy of Feb 15, 2012.  Also, university records retention policies that specify how long documents are to be kept and their destruction dates carry over to email. 

Q4. Can I use my CWRU email account for personal email?  
A. Yes, the AUP and the FAQ for the AUP define limitations to personal use of CWRU email.  It is understood that in an academic environment, professional and personal interests overlap.  A sound approach to avoiding violation of the AUP is to use a separate email account for private email.  It should be noted, however, that a free personal email account at Google, Yahoo, Hotmail, and other services is subject to privacy questions that cannot be addressed by the University.  It is our opinion that you have greater privacy protections in the CWRU Google Applications email services than you would have in free email services.

Q5. Can I forward my CWRU email to another email account that I have so I can read all my email in one place?
A. Yes, but there are better approaches to achieving this effect.  We recommend that you keep CWRU email within the Google Apps system, which provides a high level of privacy and security that could protect intellectual property (Q2).  You can configure your email client, including the Google browser interface, to check email from multiple email accounts.