Google Apps for Education

 

Enabling Google Consumer Apps

by Dennis Rice

Saint Mary’s College has an agreement with Google that provides the College with certain apps in the Google suite, such as Gmail, Calendar, Drive, Groups and Sites. Google makes it possible for the community members of Higher Ed institutions to use these applications and store email and documents securely in the Google cloud, whether or not they contain confidential or private information. Google does this by protecting the data using industry-accepted security measures, and by contractually accepting the same level of guardianship of this data as is required of the College by Federal law. However, these “Core” Google Apps for Education are not the complete suite of applications that Google offers. There are others, many of which offer great value as tools used in teaching and learning, such as Google+, Google Maps, Blogger and YouTube. Unfortunately, Google excludes all of these “Consumer” apps from the data protections that are afforded by the Google Apps for Education contract. Furthermore, the terms associated with the Education contract specifically put the responsibility for compliance with all laws that protect private and sensitive information, including FERPA, with the institution. In other words, in the event some piece of important confidential information was revealed to an unauthorized person via the use or abuse of these apps, the consequences would fall on the College and the individual user, but not on Google.

A few years ago, Google would not take responsibility for legal compliance with confidentiality laws for any of their applications, and their unwillingness to do so prevented many Higher Ed institutions, including Saint Mary’s, from utilizing their services. The risks were considered too great. In order to make these “Consumer” apps available to the community, we would have to agree to essentially the same terms that prevented our participation in the Google Education program a few years ago. However, if the value of these applications to teaching and learning outweighs the level of risk, or if that risk can be reduced to an acceptable level by certain measures or precautions (controls), then it would be sensible to make them available to the community. IT Services is asking for help from interested faculty in the process of evaluating whether one or more of these “Consumer” applications can be made available to the College community, and if so, what the value of a particular app is as a teaching tool versus the risk of making that application available without the full confidentiality protections. The decision to make any or none of these apps available will ultimately lie with the Technology Planning and Policy Committee (TPPC), and all the information we gather and the actions we recommend will be presented to that group at their December 2013 meeting. The implementation of any decision to offer these apps will be targeted for the beginning of the Spring Term. IT Services believes that some of these applications are valuable tools for teaching and learning and should be made available. Some, however, pose more risk than others, and it is around these apps that the discussion should focus.

One of the early steps we took in this evaluation was to look at what peer Higher Ed institutions that participate in the Google Apps for Education program are doing with the “Consumer” Apps. We looked for institutions that had specific Google Apps web pages, and found 30 good examples. Of those we found that 18, or roughly 2/3rds, do not offer any apps beyond the “Core” apps that have the contractual protections of confidential data. In this group are UC Berkeley, Fresno State, Reed College, Michigan State, Harvard, Yale and Vassar. Here are a few examples of these sites: http://huit.harvard.edu/services/web-collaboration/collaboration-services/google-apps-harvard, http://googleapps.msu.edu/. One university in this group, USC, recommended that users who wished to use any Google apps beyond the Core offering should use their personal Gmail account. There are also institutions that do offer the “Consumer” Apps within their Google Apps for Education offering, but limit the number available, and only one institution offered all the apps that are available. A few, such as Brown, Wellesley, Oregon State and RIT, offer a group of the “Consumer” Apps to their communities without any warning of the risks and responsibilities of using the apps (example: http://oregonstate.edu/main/online-services/google-apps-for-osu, http://google.ncsu.edu/); others permit access to a group of “Consumer” apps, but also post information about the risks and what precautions to take (example: http://googleapps.simmons.edu/core-and-consumer-apps); one, Brandeis (https://sites.google.com/a/brandeis.edu/googleapps/consumer-applications), permits access to the “Consumer” Apps, but only after an opt-in process where each user who wishes to use the apps agrees to a statement of their responsibility to protect confidential and private information. A record is made of that agreement.

This latter method is what is called a “control” that reduces risk. Both IT Services and College Counsel favor this approach if it is decided to make some of these “Consumer” Google apps available to the Saint Mary’s Community. We have been in touch with members of the Brandeis IT department, discovered how this process works, and we can implement such a control here.

In preparation for the discussion about the issues around making Google “Consumer” apps available to the College community, the TLT group went through the full palette of “Consumer” apps that Google offers us, came up with a list of possible apps that make sense to offer, and gave them a rough rating as to risk and value. It should be noted that there are many in the suite that are targeted at groups other than education (such as advertising and marketing), and are not obviously very relevant to teaching and learning.

Preliminary list of low-risk Google Consumer Apps recommended by the TLT group to be opened to the SMC community:

3D Warehouse
Google Bookmarks
Google Chrome Sync
Google Finance
Google in Your Language
Google Map Maker
Google Maps
Google News
Google Public Data

 

Consumer Apps that the group thinks should be turned on, but that are higher risk or have other issues and need further investigation:

| App | Risk | Value | Control Possible? | Note |
|---|---|---|---|---|
| Blogger | Med/High | Med/High | Yes | 1 |
| Google Wallet | Very High | Low | No | 2 |
| Google+ | High | High | Yes | 3 |
| Picasa | Medium | Medium | Yes | 4 |
| YouTube | Med/High | High | Yes | 5 |

Notes:

  1. Risk can be lowered if it is limited to the SMC domain. We know it is possible for the blogger to enter an ACL.
    1. Information needed: Can all blogs be limited to the SMC domain?
  2. Transaction information – the user enters credit card info, which may be saved – a user name/password breach can expose this information.
    1. Information needed: Can these expansion charges be paid another way?
  3. Risk can be lowered if it is limited to the SMC domain.
    1. Information needed: Can the extent of this app and sharing etc. be limited to the SMC domain?
  4. Risk can be lowered if it is limited to the SMC domain.
    1. Information needed: Can the extent of this app and sharing etc. be limited to the SMC domain?
  5. Risk can be lowered if the viewing of any material uploaded is limited to the SMC domain. Otherwise, non-SMC accounts should be used for uploading.
    1. Information needed: Can videos uploaded within the SMC Google domain be restricted for viewing to members of the community only?

 

 
