Gmail Security - Concerns About Privacy



Similar documents
Norwegian Data Inspectorate

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING?

Committee on Civil Liberties, Justice and Home Affairs - The Secretariat - Background Note on

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Student Service Improvements Executive Background Brief

Brit HOSTED EXCHANGE BRITE SECURITY FEATURES:

The cloud thing: Privacy and cloud computing

ing and Texting with Patients

Network Usage Guidelines Contents

MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing

Cloud Computing: Privacy and Other Risks

Patriot Act Impact on Canadian Organizations Using Cloud Services

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

DATE: November 5, 2012 REPORT NO. CS Chair and Members Committee of the Whole - Operations and Administration

FDIC Division of Supervision and Consumer Protection

Drawing Lines in the Cloud: Jurisdictional Access to Data. Nancy Libin Mary Ellen Callahan

How To Address Data Sovereignty In The Cloud

Insights and Commentary from Dentons

Better secure IT equipment and systems

Privacy Year in Review: Privacy and VoIP Technology

Basic Security Considerations for and Web Browsing

ITS Policy Library Use of . Information Technologies & Services

The USA Patriot Act Government Briefing. Kirsten Tisdale, Chris Norman, Sharon Plater & Alexandra (Gina) Henley September 30, 2004

Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully.

developing your potential Cyber Security Training

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

Data Privacy in the Cloud: A Dozen Myths & Facts

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

IN THE SUPREME COURT OF BRITISH COLUMBIA NOTICE OF CIVIL CLAIM. This action has been started by the plaintiff for the relief set out in Part 2 below.

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

Interim Threat / Risk Assessment. Student E- Communications Outsourcing Project

Cyber Security: Beginners Guide to Firewalls

Preemptive security solutions for healthcare

Nine Steps to Smart Security for Small Businesses

Five keys to a more secure data environment

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Business Case. for an. Information Security Awareness Program

Why Encryption is Essential to the Safety of Your Business

DATA AND PAYMENT SECURITY PART 1

T.38 fax transmission over Internet Security FAQ

Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration

Report to the Public Accounts Committee on mitigation of cyber attacks. October 2013

Providing a quality IT Support & Consultancy service in the South East

Internet threats: steps to security for your small business

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from

IIABSC Spring Conference

Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release)

Firewalls for small business

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking

Penetration Testing //Vulnerability Assessment //Remedy

by Ian Brown and Brian Gladman

Managed Security Monitoring: Network Security for the 21st Century

I D C E X E C U T I V E B R I E F

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

Interactive welcome kit Charter-Business.com CB.016.fibCD.0210

The Lawyer s Independence

Security Controls What Works. Southside Virginia Community College: Security Awareness

Guide to Vulnerability Management for Small Companies

Service Line Warranties of Canada PRIVACY STATEMENT

PINAL COUNTY POLICY AND PROCEDURE 2.50 ELECTRONIC MAIL AND SCHEDULING SYSTEM

2012 Endpoint Security Best Practices Survey

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

THE REGULATION OF INTERCEPTION OF COMMUNICATIONS BILL, 2007 ARRANGEMENT OF CLAUSES. PART I - PRELIMINARY

Privacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction

Using AWS in the context of Australian Privacy Considerations October 2015

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Voice over Internet Protocol. Kristie Prinz. The Prinz Law Office

Why the Fuss over Encrypting ? Empowering People and Business through Technology SMALL AND MEDIUM BUSINESS TECHNOLOGY STRATEGIES

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

ENCYTPT. and Coach. Brian Dear

Network Segmentation

Privacy Matters. The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Data Security. The dominant business communication tool

Secure communication between accountants and their clients: The role of the client portal

Secure Mail Registration and Viewing Procedures

INFORMATION AND PRIVACY COMMISSIONER OF ALBERTA

To proceed, you need to agree to the following Terms and Conditions:

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Finding Security in the Cloud

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

SMALL BUSINESS PRESENTATION

ITS Policy Library Use of . Information Technologies & Services

Enterprise level security, the Huddle way.

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

Security Policy for External Customers

The privacy of DataLogic CRM, Inc. s customers and affiliates is important to us. Therefore:

Making the leap to the cloud: IS my data private and secure?

AS APPROVED BY CONVOCATION, MARCH 25, (new/amended rules and commentary for rule 2.02)

Discover Virtual Freedom. Atum Corporation will help you explore Virtualization in a brand new way...

TYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME. Haya Fetais & Mohammed Shabana. Saint Leo University COM- 510

Swiftcoin is electronic money that resides on the user s computer, much like Word documents do, enabling it to be sent to anybody just as quickly and

Privacy 101. A Brief Guide

Transcription:

Office of Risk Management and Access to Information MEMORANDUM Tel.: (807) 343-8518; 343-8267 Fax: (807) 346-7735 Email: mshaw1@lakeheadu.ca TO: FROM: Inquirers about Lakehead University s Adoption of Google s Gmail System Millo Shaw, Director of Risk Management and Access to Information DATE: August 1, 2007 RE: Arguments in Defence of Switching to Gmail The practical advantages of adopting Gmail are well known. The system has fewer problems and down time than the one we were using for the simple reason that Google can afford the significant resources necessary to keep their system operating efficiently: for example, they have back-up servers in place in case their main servers crash; we did not; and they have staff dedicated solely to ensuring that their system remains operational 24 hours a day, 7 days a week, which we did not. Gmail gives all users over 2 gigabytes [as of Sept. 2012 25 gigabytes!] of storage, which is more than 13 times greater than the maximum of 150 megabytes to which we were restricted before. It also gives access to more services (e.g. the Calendar that has enabled us to give up our old and expensive appointment setting software, and instant messaging technology the new wave in electronic communication). Google s system is, in general, more user-friendly. Concerns have been raised, however, about the Google service s security particularly with respect to protection of privacy. When discussing the security of email systems, one has to keep in mind that security is, in this context, an entirely relative term for the simple reason that email is, almost by definition, a fundamentally insecure means of communication unless extraordinary and restrictive and obstructive - measures are put in place. On the one hand it would be at least theoretically possible to set up a special system that would be completely closed-circuited but, for the provision of electronic communication beyond a single location, such a system would be difficult to establish and expensive, for it would have to ensure not only that access to the system would be completely secure, but also that no one would be able to send, copy, or forward an email message to anyone outside the system, and it would have to have completely dedicated transmission lines and servers. On the other hand, senders can acquire software that encrypts their messages but this requires every receiver to have some means of securely acquiring each sender s encryption key (and each sender would have a different key!). While such a set up is certainly conceivable on an individual basis, trying to extend it to an institution s entire Page 1 of 5 pages

email service would be both very complicated and very expensive. Both of these alternatives to regular email service would be obstructive and, indeed, frustrate the main attractions of email transmission over the internet: facilitation and speed of communication. Indeed, it is highly questionable whether such trammeled systems could even be accurately called email as the term is generally understood. Standard email transmission, however, is susceptible to intrusion. It can be penetrated both by hackers and service providers at any number of points - as a careful reading of the terms and conditions of any private service provider's email contract will confirm - whether the email server is based in Canada or the US. To use the standard analogy, one should consider regular email communication as no more confidential than sending a postcard by mail. For this reason there is significant case law supporting the proposition that privacy cannot be guaranteed for email communications (see, e.g., Re Camosun College and Canadian Union of Public Employees Local 2081, [1999] B.C.C.A.A.A. No. 490, paragraphs 20-29 and Re Naylor Publications Co. (Canada) and Media Union of Manitoba (2003), 73 C.L.A.S. 116 at page 26). With this reality in mind, before committing Lakehead University to switching over to Google s Gmail service, the Director of the Technology Services Centre (TSC), in consultation with myself, both of us reporting to the Vice-President (Administration and Finance), considered the privacy implications - and concluded that our use of Gmail would not be likely to breach privacy more than did our - or anyone else's - current email service. On the contrary, the evidence was that Gmail would give us overall much better privacy security than we ourselves - or anyone else - provided or could provide. Following are our responses to specific concerns about Gmail s security: (1) Technical Vulnerabilities: Software bugs are a fact of life. Virtually every major software system (e.g. Microsoft, Sun, et al.) has them, and since every computerized electronic communications system relies on software, most email systems have vulnerabilities created by these bugs. We were responsible for making sure that our former system stayed patched from problems to which its creators alerted us - but, frankly, had to rely on nothing more than a wing and a prayer that the vulnerabilities we didn't know about wouldn't be exploited. TSC simply did not (and does not) have the hefty resources necessary to guard against all such risks. This is a major problem for ALL technological service providers who do not author their own email systems. By contrast, Google DOES have sufficient resources to search out and protect against possible software vulnerabilities. The Gmail servers have firewall protection that our old system couldn t match and they employ additional intruder prevention technology that we did not and do not possess. Page 2 of 5 pages

Google monitors their system for attacks 24 hours a day, 7 days a week; we did not and could not afford to. Google can control physical access to their servers; our security cannot match their standard. Google can afford to apply top-of-the-line antivirus and antispam solutions to their system; we could not and cannot. The one software vulnerability that they did discover - the first of its kind was very circumscribed. It was reported Dec 30 th, 2006 and affected only the Google Video offering, not the Google "Apps for Education" through which we get Gmail (Google "Apps for Education" has a separate infrastructure). Google has confirmed that such a problem did not and could not touch the Gmail system; moreover, this particular exposure was resolved within one day - making it very unlikely that any exploitation could have taken place. In view of the security resources available to Google, such a sterling record is not surprising. Technically, then, we have much better security with Google than we could ever even have hoped to provide for ourselves. We did have numerous improvements in the works to enhance the security of our former system, but even after their full implementation we would not have been able to match the level of security provided to us by Google. Moreover, it is highly unlikely that any university anywhere can genuinely claim that their email system security is better than Google's or, frankly, comes even close to it. We are confident that, by adopting the Google service, we have provided our Users with one of the best and most secure email systems available, and far superior to what we were offering and could offer before - period. (2) Access by External Individuals and Entities: Concern has been expressed about access available in the Google system to non-users and the U.S. Government in the latter case because the USA PATRIOT Act (actually an acronym for the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001") allows the American Government to peruse records stored on U.S. servers. Keeping in mind that anyone who truly wishes an ironclad guarantee of security in the communication of their personal and confidential information should NOT be using any email system (including Lakehead s old system), we do not view this concern as having sufficient weight to justify declining or abandoning Gmail. First, every email system permits system administrators to access email communications under certain restricted circumstances as a perusal of the terms and conditions of service of any private email operator will confirm. Lakehead s adoption of Gmail, however, has actually made this a more difficult process for our system administrators. Page 3 of 5 pages

Not only does Google have a strict access code in this regard, but Lakehead s technical staff must now seek Google s approval before accessing emails sent or received by University users a bar to access that did not confront them in the administration of our old system. And Lakehead server administrators can no longer, as they were able to before, monitor all incoming and outgoing email communications; such monitoring can now occur only with Google s restrictive permission. Second, access by the U.S. Government to Gmail users personal information stored on Google s American servers, while a possibility, is nevertheless restricted, and must be considered in the context of email communication and the internet in general: Google, to our knowledge alone among US service providers, has not granted the US Government, when they've requested it for security reasons, informal access to their files and servers - but has insisted that such requests be backed up by formal judicial orders. Now a warrant issued under the PATRIOT Act cannot be disregarded or even reported by the recipient, but we have Google s assurance that, to the extent permitted under American law, they will actively resist such warrants if and when they are issued. And it should be noted that, even under the PATRIOT Act, the American government must convince a Court albeit the highly secretive Foreign Intelligence Surveillance Act (FISA) Court to issue a warrant before it can gain access to such electronic correspondence. It is true that, if Lakehead had its own servers from which to send and receive email transmissions, or if it relied on the servers of a company that was wholly Canadian and not in any way directly or indirectly controlled by an American entity, the American government would not be able, without resorting to clandestine means (and it is probable that the American government has highly sophisticated and extensive clandestine access capability), to access information residing in those servers. Such an arrangement could NOT, however, guarantee exclusion of American government access to email messages either originating, or that could be sent, OUTSIDE the University s system in other words, potentially ALL email messages in the University s email system for the simple reason that neither the University nor any other entity could or can secure the sources or ultimate transmission of such messages which may have been or may be, at some point, routed through servers/equipment owned or ultimately controlled by U.S. companies where the messages would be potentially accessible to the American Government through the USA PATRIOT Act. As far as the American courts are concerned at least to the extent that they have expressed views in this area (as in Hunter Douglas Inc. v. Comfortex Corp [1999 WL 14007 (S.D.N.Y. 1999)]) it would appear that the test to determine whether a corporation has custody and control over documents located with an overseas affiliate is not limited to whether the corporation has a legal right to those Page 4 of 5 pages

documents, but rather focuses on whether the corporation has "access to the documents" and the "ability to obtain the documents" (David Keeshan, Patriot Act Controversy Heats Up, in The Riley Report (http://www.rileyis.com/report/july04.htm) for July, 2004). That being the case, personal information passing through equipment even in Canada that belongs even to a Canadian company is potentially accessible to the American authorities if that company is ultimately controlled by an American firm or even just affiliated with that firm. The practical conclusion to be drawn from this state of affairs is inescapable: anyone who wants to guarantee that their email communications remain beyond the reach of the American government must refuse to send or respond to email not only in the United States, but even in Canada or anywhere else in the world that is, unless they are willing to use one of the highly restrictive and cumbersome security procedures (involving a completely closed circuit or encryption) described earlier in this memorandum. It is also worth noting that the Canadian government, under the Anti-terrorism Act which received Royal Assent in December, 2001, has no less secret access, by warrants secretly obtained, to Canadians electronic communications than has the American government to communications controlled by Americans. Moreover, while Canadians may have less objection to their own than the American government snooping through their private electronic correspondence without their knowledge or consent, there can be no basis for confidence that their personal information will not end up in the hands of American authorities for which the Maher Arar case provides an object lesson. Conclusion: In conclusion, in an imperfect world and in the light of the inherent and so far ineradicable security weaknesses in email as a medium of communication, we believe that we've chosen the best practical option available to us. We have made one concession: we do not insist that only Gmail be used for email communication to the University, and we do not compel students, faculty, and staff to adopt it - they actually have to sign into it, and formally agree to its terms of service and use before being granted access although we do use it as an official means of communicating with the members of the Lakehead University community. Page 5 of 5 pages

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information