John Scullen, IT official at Australia’s Griffith University, noted in 2013 that analytics is a key motivator for these types of cloud-based deals. “If you’re able to get a whole university’s email on your system, there’s a wealth of information to mine. They use it in a kind of aggregated way—I suspect there’s no identification of personal information—but the bigger the data set, the more you can derive from it.”
Chris Jay Hoffnagle, director of the Berkeley Center for Law & Technology’s information privacy programs and senior fellow to the Samuelson Law, Technology & Public Policy Clinic, sees serious problems with academe’s rapid adoption of these agreements. Writing in 2013, he noted that outsourcing email and other key services to commercial cloud providers “has raised some anxiety about privacy and autonomy in communications.” He went on to question whether universities and Berkeley in particular “really look before we leaped? Did we really consider the special context of higher education, one that requires us to protect both students and faculty from outside meddling and university-specific security risks? Before deciding to outsource, we have to be sure that there are service providers that understand our obligations, norms, and the academic context.” Google and other companies “may be far less likely to be familiar with our specific duties, norms, and protocols, or to have in place procedures to implement them. Outsource providers may be motivated to provide services that they can develop and serve ‘at scale’ and that do not require special protocols.”
“Universities have historically experienced periodic pressures to limit research, publication, teaching, and speech,” Hoofnagle reminded his readers. “Without communications confidentiality, integrity, and availability, the quality of our freedom and the role we play in society suffers. And thus the decision to entrust the valuable thoughts of our community to outsiders requires some careful consideration.”
Hoofnagle reported that at Berkeley, negotiations with Google were taken without adequate due diligence. “Google treated Berkeley IT professionals like ordinary consumers—it presented take-it-or–leave-it contracts. Google was resistant to, though it eventually accepted, assuming obligations under FERPA, a critical concession for colleges and universities. Google also used a gag clause in its negotiations with schools. This made it difficult for our IT professionals to learn from other campuses about the nuances of outsourcing to Google. As a result, much of what we know about how other campuses protected the privacy of their students and faculty is rumor that cannot be invoked, as it implicitly violates the gag clause.” This is something that is not in keeping with the general ethos of academe.
In another co-authored paper, Hoofnagle and colleagues noted that “meeting the aspiration for increased privacy challenging because the online marketplace is optimized to maximize collection of data….If present trends continue, we will soon find ourselves in a world where ultra-large tracking platforms will have data about almost all online and offline consumer transactional behavior. Consumers will find themselves subject to these platforms’ power to collect and use that data, and with little recourse or say about that collection and use.”
Speaking to Against the Grain, Hoofnagle notes that “there are a few bright spots here: the constant profiling is being driven by venture funding. Companies are in a ‘collect it all and see if anything is worth something later’ model. Google is on its own trajectory, but the hundreds of companies with faith-based revenue models will be squeezed when the current VC exuberance fades a bit. Also, there are alternatives to some services. For instance, client-based (software on your computer) is far more privacy protective than cloud services. Personally, I also think that the desktop software is more reliable and available (i.e., you don’t need an internet connection to use Microsoft Word). The downside here is that Google is in education so that it can familiarize children with its stripped down, rather simple services. Once used to Google, Microsoft Word and alternatives will look like Photoshop—impossible to use and too complex.”
“In the US,” Hoffnagle explains, “everything depends on Europe. We’re already seeing this in consumer protection, where categorical rules on certain types of practices (such as the use of the work ‘free’ are causing US companies to change their marketing. If the Europeans pass a strong data protection regulation, it will have a reverse preemption effect on the US, with multinationals extending Europeans’ rights to US users. Finally, Google was very good in its early days in using the ‘charm offensive’. Schools were scrambling to make deals with Google because the company was hip and good-natured. We now have a much better picture of Google as a corporate citizen. It is a bit like the evolution of Microsoft…no one remembers, but Microsoft was the hip company that people moved to Seattle for in the 1990s. Within a few years, people were talking about the company as if they were the Borg.”
“Google followed a divide and conquer strategy that prevented schools from realizing the privacy issues. Some have been solved. Others will have greater traction as a result of FPF’s Student Privacy Pledge. When these contracts get renegotiated, there will be better understanding among university counsel. The deal is a bit implicit, but we’re beginning to understand it better. It goes like this: We give you this service with a price tag of zero. We will give you no technical support, so you will have to have FTEs to support your faculty and students (so the price is not zero…). We can look at your work for our own purposes, and we do this without really telling you what those purposes are and whether they change over time.”
“This is a scary deal,” Hoffnagle admits, “for anyone who is a professional—doctors, lawyers, anyone with intellectual property, etc. When you use desktop software, the data stays on the desktop, and is not subject to secondary uses. In the cloud, you are basically trusting a third party with incentive conflicts to use the information fairly. You cannot audit this third party. And in the case of Google, as the Gmail scanning litigation showed, they were willing to obfuscate and go to the court to seal documents to prevent people from learning about how they inspect email.”
What can we do at this point as individuals and institutions? Hoffnagle advises, “One general rule is that applications that you pay for are typically better for privacy. This is because the incentive conflict issue is better addressed—when you pay a company for a product, they are less likely to make you the product. So, I am a big fan of Apple, because their products are less tied to turning its own customers into targets for advertising. I also think it is important to realize that privacy-invasive services are privacy invasive because the designers made them that way. It is almost always an affirmative choice to build in massive data collection and surveillance. So many services we use today could be implemented in a more privacy-friendly manner with little or no effect on performance.”
At the same time, Hoofnagle sees Google Scholar as an example of “an area where Google has made a substantial contribution to better research. I’m in the process of writing a book now and the combination of HathiTrust and Google Book Search has greatly deepened my research. My book is about the Federal Trade Commission. There is obvious literature on the FTC, but Hathi and Google make it possible for me to view any material published that merely mentions the FTC. This has allowed me to find some works overlooked by other scholars. I think there are other knock on effects of this as well. For instance, Google’s h-index calculation seems to be more liberal than Scopus, and this is resulting in researcher having greater indexes. A greater scope of material counts for citation, and this also helps find non-traditional material that is sometimes of high quality.”
What’s Academe to Do?
Cornell’s Mitrano sees good and bad in the types of Big Deals being offered by Google and Microsoft. “There is no question that cloud services are the technology of the foreseeable future. There is nothing wrong with a commercial cloud service. It is not in and of itself the problem. The problem lies in the contract formation and in the trust that any one college or university, or higher education as a sector, has in the vendor. I do believe that given the highly complex nature of Internet businesses, government, the FTC in particular, would do well to keep an eye on, if not formally open an investigation of, those companies that have established a pattern of practices that compromise higher education and its missions. Google stands out as an example.”
What can we do now? “First and foremost,” Mitrano advises, “it is imperative that academic institutions closely read the terms and conditions and privacy policies presented to them by commercial vendors—and know that they can and should demand the highest bar of protection for students. My research suggests that issues of user profiling run deep in the technological architecture of some vendors, particularly those that have tried to retrofit consumer technology for commercial purposes. Google is an advertising company; it is no wonder that it has been a notoriously difficult company with which to contract for higher education and continuously under suspicion for misuse of education records protected by FERPA, student data generally and institutional information as well. In a word, it remains quite likely that they continue to profile students—which is a violation of FERPA because it is use of protected data for their commercial purposes. Heaven, and Google, only knows what they do with institutional data, especially given their mission (to organize the world’s information) in contrast to the mission of higher education.”
“One step in the right direction by industry,” Mitrano continues, “is the recent Student Privacy Pledge, though I would advocate that it needs to be extended to higher education. Yet even with the pledge, questions remain. For example, Google pledges not to use/disclose student information for behavioral targeted of ads; however, in looking at their Google Apps for Education Agreement, several loopholes exist.
But is it too late? Mitrano sees hope: “In answer to your question, please see Internet2’s Net+ that does precisely that of which you ask: Bargain on behalf of higher education collectively for technological services. Traditionally in service to research 1 universities, of which Minnesota would be one, Internet2 does have the inherent limitation of helping that subsection of higher education; it would be great if another organization, for example, EDUCAUSE, which has a wider population under its bigger tent, could use the I2 model and help smaller institutions, especially liberal arts colleges. Let’s hope that, when John O’Brien takes the reins of EDUCAUSE in July, that this idea will be among those that breathe fresh air into the organization for the benefit of higher education overall.”
We Need a New Map
In the important 2011 book, Pervasive Information Architecture: Designing Cross-Channel User Experiences, Andrea Resmini and Luca Rosati note the difficulty in even defining the complicated mesh of the cultural, economic, political, and technical threads that are the woof and weave of the web that is our current environment.
We’re creating multichannel, cross-platform, transmedia, physicodigital user experiences that tear down the walls between categories. We can call it ubiquitous computing, the Internet of Object, Web Cubed, or the Intertwingularity. We can talk about smark things, sensor Webs, product-service systems, and collaborative consumption. But none of these labels begins to describe the extraordinary diversity of the ambient, pervasive, mobile, social, real-time mashups unfolding before our very eyes. No word or phrase can possibly bind together the 21st century success stories of iTunes, Nike+, Netflix, Redbox, Zipcar, iRobot, Freecycle and CouchSurfing with the emergent phenomena of augmented reality, urban informatices, and plants that tweet. But as we wander blindly in this landscape of vernacular chaos, one thing is clear: We need a new map. (p. xi, Morgan Kaufmann, 2011)
Mitrano sees potential hope for academe—and everyone else—coming from across the sea: “When it comes to the tailoring of search results, we have seen from recent news that this topic deserves close scrutiny. Currently, the European Commission is deciding if they will move forward with charges against Google for abusing its dominance in the European search market for among other potential violations, favoring its own products and services above those if its competitors. Until Google comes clean with its (mis)use of data and information in enterprise services, such as Google Scholar, I remain pessimistic in the use of any of their services. Even for Google Scholar.”
Yet academe isn’t the only area of serious concern. A 2013 Fordham Law School study on “Privacy and Cloud Computing in Public Schools” found that “95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.” The study also found that “districts frequently surrender control of student information when using cloud services: Fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.” All this despite what many assume FERPA, PPRA, COPPA, and other specific federal protections of student data would require.
Europe has drawn a line in the sand, declaring in court that individuals possess a “right to be forgotten.” Although this path has no parallel in American case law, it does provide a ray of light for the open discussion of the role of technology, information, companies, and individuals in this swiftly evolving global transformation. We all want to lower institutional costs, increase our productivity, and maximize organizational efficiency and innovation. However, we are starting to see that there is a high cost to be considered when offered something for nothing. The stakes are indeed high. However, this is one journey for which a commercial GPS won’t lead us to a satisfactory end. We need a new map.
Nancy K. Herther is librarian for American Studies, Anthropology, Asian American Studies & Sociology at the University of Minnesota Libraries, Twin Cities campus. email@example.com