Office of the Vice President for Global Communications

Monday, March 12, 2012

Five facts U-M's chief IT security officer wants you to know about M+Google

Google implemented a new privacy policy March 1 that affects all users, including the faculty, staff and students on the U-M Ann Arbor campus who have had access since March 5 to more than 40 tools and services in Google Apps for Education, a cloud-based computing platform.


Defining M+Google

Cloud-based computing: Software, information or resources delivered to computers through a shared network (Internet) and accessed by users through a Web browser (e.g., Internet Explorer).

M+Google: The private U-M space within Google governed by formal agreement.

Google Core Services: Mail, Calendar, Talk, Docs, Sites and Contacts.

Google Additional Services: Includes Alerts, Blogger, Google+, Picasa, YouTube and others.

Google Dashboard: Individualized view of the personal data associated with a Google account.

Click here for a complete list of Google Core and Additional Services, and more information on Google Security and Privacy.

Click here for more on U-M's approach to security in the cloud.

"The university has policies and agreements in place to help ensure that the U-M community can use these new collaborative tools confidently and securely," says Paul Howell, U-M's chief IT security officer.

To address these changes and to clarify the personal and data privacy agreement between the university and Google, Howell offers the following five facts:

1. The @umich space in Google is not the same as the Google commercial space.

The U-M agreement with Google creates a "private space" within Google available only to university users. The "Core Services" — Mail, Calendar, Talk, Docs, Sites, and Contacts — of the university's Google Apps for Education environment (M+Google) are accessible only to U-M designated users. A personal Google account — if a person has one — exists outside this space.

2. The U-M agreement applies only to the M+Google "Core Services."

The university has rolled out a number of Google-provided services; these services are divided between "Core Services" and "Additional Services." Only the Core Services fall under the terms of the university's agreement with Google. This is important, because there are certain privacy protections in the Core Services environment that are not found when using the Additional Services.

3. Use of the M+Google Core Services includes three specific guarantees.

First, U-M continues to own its own data and Google may only process or otherwise use @umich account data as required for the purpose of providing services and performing its obligations under the agreement. Secondly, users will not be subject to advertising. All advertising within the Core Services environment is prohibited. Finally, Google's revised Terms of Service and Privacy Policy, effective March 1, do not alter the agreement between U-M and Google with respect to the Core Services.

4. Google's new Terms of Service and Privacy Policy do apply to the Additional Services.

That means that any data or information used within the Additional Services, such as Google+, YouTube, or Picasa, are not protected by U-M's agreement and may be subject to individualized data mining and advertising.

5. Users can limit Google's access to personal information.

The university agreement and existing U-M IT policies ensure a high level of security and privacy within the @umich Google environment. M+Google users may further protect their information through the Google Account Dashboard, including clearing Google Web history and monitoring personal data. Users also may decline Google's Additional Services that do not fall under the university's agreement by emailing or calling 734-764-HELP (4357).

"The M+Google environment meets the university's standards for safe computing. But as with many online activities, people may need some guidance to safely use the collaborative tools for teaching and learning," Howell says.