Hi fellows,
I would like to report a very bad situation for students' privacy in the public education system, here in Italy. Many universities, and as far as I know even high schools, are migrating from self-hosted mail servers to proprietary, big-corp's owned email accounts. This without any chance to refuse the creation of this account, because this is created during the subscription to the faculty, and without any privacy agreement.
I can report my personal experience and others I know: Università Politecnica delle Marche (located in Ancona) used to adopt a self-hosted Squirrelmail solution, now it's migrating to Microsoft Hotmail; Università degli studi di Ferrara is using Gmail; Università degli studi di Parma is using Gmail; Università degli studi di Bologna is using Microsoft Hotmail.
In Italy laws are very strict in terms of privacy and I think that since we are talking about a public service this issue is even more serious. What's your opinion about it? Can we move somehow?
Valentino Santori
On Saturday 22. August 2015 10.34.24 Valentino Santori wrote:
Hi fellows,
I would like to report a very bad situation for students' privacy in the public education system, here in Italy. Many universities, and as far as I know even high schools, are migrating from self-hosted mail servers to proprietary, big-corp's owned email accounts. This without any chance to refuse the creation of this account, because this is created during the subscription to the faculty, and without any privacy agreement.
I think such practices are becoming widespread, and it would be interesting to do a survey to see which institutions are doing so.
In higher education, there is a shift towards cloud providers for basic services like e-mail and collaboration, and here in Norway various institutions have apparently already moved to Microsoft Office 365 in some form [1, 2]. Indeed, it would seem that there is a sector-wide plan to adopt Microsoft cloud-hosted products which will probably be formalised by the coordinating organisation, UNINETT, whose Web site is poorly organised and thus not as transparent as one might like (and whose conferences are sponsored by some of the companies whose products they intend to roll out [3]).
Expect Skype-specific infrastructure and principally Office 365, although they claim that they are also looking at other cloud product providers and assessing the legality. I have also seen documents [4] describing the actual strategy as opposed to the publicly-announced strategy.
I can report my personal experience and others I know: Università Politecnica delle Marche (located in Ancona) used to adopt a self-hosted Squirrelmail solution, now it's migrating to Microsoft Hotmail; Università degli studi di Ferrara is using Gmail; Università degli studi di Parma is using Gmail; Università degli studi di Bologna is using Microsoft Hotmail.
Hotmail users will undoubtedly be encouraged to move to Office 365. Meanwhile, the nature of adoption of these cloud services may well involve reassurances that the data won't really be held in the US or outside the country but that some kind of "licensed cloud" will be used instead. Presumably, such a licensed cloud would just be the use of proprietary software on taxpayer-funded infrastructure, maybe in an even more restrictive way than traditional proprietary software because these services are not necessarily software products that are obtained and installed normally. (Remember the Google search appliance and how it was a box you installed in your network?)
In reality I think that institutions will end up using Microsoft's own hosting via what was known as their Live@edu service, which is now part of their Office 365 offering [5]. I know from personal experience that university decision-makers regard Microsoft as a friendly partner who would never hurt their customers, and they appear to regard all the reports of surveillance without any concern at all.
In Italy laws are very strict in terms of privacy and I think that since we are talking about a public service this issue is even more serious. What's your opinion about it? Can we move somehow?
Well, there are laws in Norway about this, too. Hence the remark that the legal situation is supposedly being reviewed. But in practice, various institutions are using the Microsoft cloud products already with only some holding back in order to legitimise the inevitable decision to use them as well [6]. (I note this because this is how the decision-makers work: they use a review of the suitability or legality as a cover for doing what they want anyway, and then they announce that everything was actually fine in the end and that their intended plan has already been carried out. You end up discussing a decision that was taken long ago and probably mostly implemented already.)
There is also a distinction in Norway between students and employees of institutions. Employees, at least in the public sector, are protected by laws that forbid data from being sent off over the Internet to some random place where it isn't safeguarded. (I guess it's the data that is actually protected, but then the employees cannot be pushed out into the cloud for their work-related services because they'd be processing the data in some inappropriate place.) Meanwhile, students appear to be commodities that can be farmed out in the way that is cheapest for the institution.
Sorry for the long response! Can we do anything about it? If laws and regulations about privacy and competition were upheld, maybe we could, but I haven't seen much evidence of that going on in recent times.
Paul
[1] Just searching for "Office 365" on this page listing single sign-on integration indicates how much it has been used: https://www.feide.no/tilgjengelige-tjenester
[2] 70% of students and employees in the sector have Office 365 access according to this: http://www.usit.uio.no/prosjekter/o365/
[3] Conference sponsors: https://www.uninett.no/uninett-konferansen-2015/sponsorer
[4] http://slashdot.org/submission/2683909/end-of-the-line-for-linux-in-norways-educational-system
[5] https://en.wikipedia.org/wiki/Live%40edu
[6] A document indicating how University of Oslo decision-makers really want to take advantage of Microsoft bundling deals to use Office 365 while at the same time making the necessary noises about privacy and legal requirements: http://www.usit.uio.no/prosjekter/o365/mandat/office365-saksnotat-i-rektoratet-190315.pdf
On 22 August 2015 10:34:24 CEST, Valentino Santori vfvs@riseup.net wrote:
Hi fellows,
I would like to report a very bad situation for students' privacy in the public education system, here in Italy. Many universities, and as far as I know even high schools, are migrating from self-hosted mail servers to proprietary, big-corp's owned email accounts. This without any chance to refuse the creation of this account, because this is created during the subscription to the faculty, and without any privacy agreement.
I can report my personal experience and others I know: Università Politecnica delle Marche (located in Ancona) used to adopt a self-hosted Squirrelmail solution, now it's migrating to Microsoft Hotmail; Università degli studi di Ferrara is using Gmail; Università degli studi di Parma is using Gmail; Università degli studi di Bologna is using Microsoft Hotmail.
In Italy laws are very strict in terms of privacy and I think that since we are talking about a public service this issue is even more serious. What's your opinion about it? Can we move somehow?
Valentino Santori
I'll try to give you some of the motivations that often bring such institutions to make the choice to externalize some services, core ones too, such as e-mail.
Apart from reasons connected to historic factors, open contract and partnership, side interpretation of reports (cf. Pesaro municipality some days ago), there are two main reasons a PA may take such a decision: cuts to ordinary funds (FFO) and cuts to staff employees.
Those two factors, in the short period, bring an IT manager to realize that he can no longer supervise time-consuming tasks like administration of servers needed to operate common site services (web, e-mail, shared archives, etc.) because no one can nowadays assure him the needed financial resources to maintain such services year by year and moreover very probably he/she is alone in administering those services because all his/her colleagues have retired and haven't been replaced (due to the stop of the turnover).
The solution: externalisation! The leitmotif of the PA in Italy today :-(
So, even though there are laws that prevent you from doing it, there are others that, in a sense, force you to do so.
Andrea
-- Sent with free software from my mobile: freeyourandroid.org . Please, excuse my brevity.
On Saturday 22. August 2015 15.20.58 Andrea Di Dato wrote:
I'll try to give you some of the motivations that often bring such institutions to make the choice to externalize some services, core ones too, such as e-mail.
Apart from reasons connected to historic factors, open contract and partnership, side interpretation of reports (cf. Pesaro municipality some days ago), there are two main reasons a PA may take such a decision: cuts to ordinary funds (FFO) and cuts to staff employees.
This is admittedly true, and even in countries where there hasn't exactly been a shortage of money to spend on essential services, it is often the case that budgets are frozen or cut. Municipalities are often forced to take on the responsibility for additional services and are then blamed by central government for letting people down.
Those two factors, in the short period, bring an IT manager to realize that he can no longer supervise time-consuming tasks like administration of servers needed to operate common site services (web, e-mail, shared archives, etc.) because no one can nowadays assure him the needed financial resources to maintain such services year by year and moreover very probably he/she is alone in administering those services because all his/her colleagues have retired and haven't been replaced (due to the stop of the turnover).
The solution: externalisation! The leitmotif of the PA in Italy today :-(
Or indeed everywhere. And all the time, people are asking, "Why are you paying to run these things when there are companies offering services to run those things for nothing?" Nobody asks why they cost nothing.
So, even though there are laws that prevent you from doing it, there are others that, in a sense, force you to do so.
Indeed. There is another factor I can think of, unrelated to general financial and societal pressures: the idea that universities are institutions whose role it is to make money and to create businesses that make money. This does intersect with the external pressures because it sounds appealing that by making money, the institution "pays its own way", meaning that the government or public budgets can reduce their financial support.
What this leads to is the idea that industry-centred research is the top priority (along with increased demands for people to publish academic papers and to file patents on discoveries), with the teaching of students becoming a source of costs that must be reduced or eliminated. Perversely, one would think that administrative costs would be subject to severe reductions, but apparently, the administrators need the latest and greatest toys. Consequently, a large proportion of people in such institutions are being squeezed by this corruption of those institutions' purposes.
(I don't have a problem with rewarding and encouraging research, but doing so in a way that would monopolise it is just wrong. And if those pursuing such an agenda had any honesty, they would be running a private company funding its own research through its own revenues, except that then those people wouldn't be able to finance their schemes from the public purse.)
So, I suppose the last three paragraphs merely add the consequences of greed to the motivations for doing this as well.
Paul
On Sat, Aug 22, 2015 at 03:20:58PM +0200, Andrea Di Dato wrote:
Those two factors, in the short period, bring an IT manager to realize that he can no longer supervise time-consuming tasks like administration of servers needed to operate common site services (web, e-mail, shared archives, etc.) because no one can nowadays assure him the needed financial resources to maintain such services year by year and moreover very probably he/she is alone in administering those services because all his/her colleagues have retired and haven't been replaced (due to the stop of the turnover).
The solution: externalisation! The leitmotif of the PA in Italy today :-(
So, since they don't have money to pay for the service they pay with meat (the students).
The solution is not offering those services. University worked a long time without email. If they don't have the resources to offer it nowadays, they could go back to offering learning resources, not networking resources.
If they can't keep an email server any more they can send email to whatever address the student provides, allowing the option of not having an email address, and concentrate on off-line teaching.
If they want to offer an email account and can keep their email server, fine. But if they pretend to offer an email account and end up forcing users to subscribe to external services, they are imposing an obligation on users in exchange for a service that the users could get for free if they wanted, so they're doing a net disservice. How negative must be the cost of offering gmail to compensate?
Politicians will never stop cutting funding while people keep pretending they're doing the same with less funding while in fact simply lying with straight faces. If one cuts funds one can expect fewer/worse services offered. As long as the decision comes from a democratically elected government one can only do politics about it. Society can choose to have more services for more taxes or less for less (but should choose to ensure basic rights). But pretending to offer the same at half the cost is most often dishonest. Once in a blue moon you find a clever administrator who achieves cost reductions offering the same as before, but most often they simply overstate the services and understate the costs.
The background problem is most people think having a google, MS, twitter or facebook account is "normal" so one can impose it on anyone because most people already have it anyway, and too few people care. Nobody cares what is moral or legal, just what looks like "common sense". Part of the problem is people don't realise the costs of the service they use and how they pay with their rights. Some may be aware and choose to give something (rights/privacy/etc.) away for the service. Most don't understand what they're using is costly, because computers are black magic, and magic is gratis, right?
:(
I hope this does not sound against Andrea. Thanks for explaining, Andrea. It's obvious that explaining how something works does not mean you like how it works.
Yes, it's bad and I fear it's widespread.
I think I once heard Universitat Politecnica de Catalunya students have gmail accounts (that look like UPC mail, but it's handled by Google). It's hearsay, I don't know the exact situation now, or whether it's optional, or how are they informed or how do they consent if at all.
What I know is that last year I tried to enter a course in a private university in Barcelona (Blanquerna-la Salle) intended to make engineers, etc. high school teachers for "technical" subjects/studies. They opened each student an account in two virtual campus servers (presumably in the University) but required a gmail account for each student, and a teacher also required students to have a twitter account and a facebook account to do an exercise, because "one can't be a technology teacher if one isn't in facebook and twitter". I was there only a few days, so I don't know what else.
But the impression I got was that the thoughtlessness in the requirements (both from teachers, staff and students) was even more frightening than the requirements themselves. Students were complaining that they needed to check three different accounts and two websites to be aware of schedule changes, assignments or readings or so on, and felt this was too much trouble, but I was the only one complaining of the fact that they had to be customers of arbitrary companies or accept third party terms of use in order to complete a master.
Good luck out there.
* Valentino Santori:
I would like to report a very bad situation for students' privacy in the public education system, here in Italy. Many universities, and as far as I know even high schools, are migrating from self-hosted mail servers to proprietary, big-corp's owned email accounts. This without any chance to refuse the creation of this account, because this is created during the subscription to the faculty, and without any privacy agreement.
There is a privacy agreement, the question is whether you like it.
From a privacy perspective, the move from self-hosted mail service to an external managed service might not be a regression. Few universities can afford the required resources to run secure mail servers and detect compromised user accounts. It's a complex trade-off.
I also don't think this has to do much with free software, so it's probably off-topic for this list.
On Sunday 23. August 2015 12.57.14 Florian Weimer wrote:
- Valentino Santori:
I would like to report a very bad situation for students' privacy in the public education system, here in Italy. Many universities, and as far as I know even high schools, are migrating from self-hosted mail servers to proprietary, big-corp's owned email accounts. This without any chance to refuse the creation of this account, because this is created during the subscription to the faculty, and without any privacy agreement.
There is a privacy agreement, the question is whether you like it.
It's more than whether there is a privacy agreement, though. As others have noted, it's also about whose terms of service you have to agree to, and even whether someone effectively signs you up for those terms without your knowledge. Should a student have to enter into contracts with random (and typically foreign) companies?
From a privacy perspective, the move from self-hosted mail service to an external managed service might not be a regression. Few universities can afford the required resources to run secure mail servers and detect compromised user accounts. It's a complex trade-off.
Although this is true - while following up to earlier messages I noticed that my most recent academic employer had experienced yet another unintentional disclosure of personal information - many larger organisations do apparently have substantial expertise in the appropriate areas.
It appears that smaller organisations often take advantage of providers of services across their sector. This does also raise concerns about how data is handled and protected, and whether security incidents are reported or acknowledged.
I also don't think this has to do much with free software, so it's probably off-topic for this list.
On the contrary, if we were all comfortable with people signing us up for agreements without our knowledge, we'd probably all be happy to use proprietary software with the zoo of exotic contractual animals it tends to cultivate.
And also, the use of Free Software is directly impacted by this cloud-pushing agenda, meaning that the viability of Free Software is affected since, just as it is when people decide to spend large sums on proprietary software, beneficial investment is withheld from improving Free Software that competes with those cloud products. Also, some cloud-related products do not support Free Software operating systems, affecting Free Software once again.
Paul
* Paul Boddie:
On Sunday 23. August 2015 12.57.14 Florian Weimer wrote:
- Valentino Santori:
I would like to report a very bad situation for students' privacy in the public education system, here in Italy. Many universities, and as far as I know even high schools, are migrating from self-hosted mail servers to proprietary, big-corp's owned email accounts. This without any chance to refuse the creation of this account, because this is created during the subscription to the faculty, and without any privacy agreement.
There is a privacy agreement, the question is whether you like it.
It's more than whether there is a privacy agreement, though. As others have noted, it's also about whose terms of service you have to agree to, and even whether someone effectively signs you up for those terms without your knowledge. Should a student have to enter into contracts with random (and typically foreign) companies?
I'm sure universities have subcontracted some of the services they provide basically since their inception. With proper terms, there is nothing wrong with that, especially if it helps to bring down costs of secondary services, freeing up resources for core service offerings.
Although this is true - while following up to earlier messages I noticed that my most recent academic employer had experienced yet another unintentional disclosure of personal information - many larger organisations do apparently have substantial expertise in the appropriate areas.
This does not match my experience with university IT infrastructure. Experience, yes, but adequate resources? Hardly.
I also don't think this has to do much with free software, so it's probably off-topic for this list.
On the contrary, if we were all comfortable with people signing us up for agreements without our knowledge, we'd probably all be happy to use proprietary software with the zoo of exotic contractual animals it tends to cultivate.
Seems rather speculative to me.
A lot of free software aficionados are also happy Gmail users, and have agreed to terms that are, on paper, extremely far-reaching and obnoxious.
And also, the use of Free Software is directly impacted by this cloud-pushing agenda, meaning that the viability of Free Software is affected since, just as it is when people decide to spend large sums on proprietary software, beneficial investment is withheld from improving Free Software that competes with those cloud products.
That's a separate discussion, but I fail to see how it relates to privacy. And as far as I can tell, the FSF (US) does not consider a healthy community of developers a primary goal, the priority is end user freedom. The GPL v3 even contains an explicit permission to use cloud providers to run proprietary, GPL-derived software.
↪ 2015-08-23 Sun 14:39, Florian Weimer fw@deneb.enyo.de:
user freedom. The GPL v3 even contains an explicit permission to use cloud providers to run proprietary, GPL-derived software.
There's no such explicit permission in the GPL. What are you referring to?
* Hugo Roy:
↪ 2015-08-23 Sun 14:39, Florian Weimer fw@deneb.enyo.de:
user freedom. The GPL v3 even contains an explicit permission to use cloud providers to run proprietary, GPL-derived software.
There's no such explicit permission in the GPL.
There is this clause:
“ You may convey covered works to others for the sole purpose of having them […] provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus […] running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. ”
[Replying to list explicitly...]
On Sunday 23. August 2015 14.39.40 Florian Weimer wrote:
Seems rather speculative to me.
A lot of free software aficionados are also happy Gmail users, and have agreed to terms that are, on paper, extremely far-reaching and obnoxious.
Yes, but they agreed to those terms as an individual choosing a mail service: it wasn't part of them signing up to do something else.
And also, the use of Free Software is directly impacted by this cloud-pushing agenda, meaning that the viability of Free Software is affected since, just as it is when people decide to spend large sums on proprietary software, beneficial investment is withheld from improving Free Software that competes with those cloud products.
That's a separate discussion, but I fail to see how it relates to privacy.
You claimed that the original topic, or at least its focus on privacy, had nothing to do with Free Software and wasn't worthy of discussion on this list. I was only noting that the phenomenon observed (that happens to raise privacy issues) does have an impact on Free Software. Is that not worth discussing either?
And as far as I can tell, the FSF (US) does not consider a healthy community of developers a primary goal, the priority is end user freedom.
And is using proprietary cloud services with potentially unacceptable terms that you may not even have had a reasonable chance to disagree with good or bad for user freedom?
The GPL v3 even contains an explicit permission to use cloud providers to run proprietary, GPL-derived software.
And the part of GPLv3 that says this is...?
Paul
On 22.08.2015 at 10:34, Valentino Santori wrote: ...
I can report my personal experience and others I know: Università Politecnica delle Marche (located in Ancona) used to adopt a self-hosted Squirrelmail solution, now it's migrating to Microsoft Hotmail; Università degli studi di Ferrara is using Gmail; Università degli studi di Parma is using Gmail; Università degli studi di Bologna is using Microsoft Hotmail.
Bern University in Switzerland also unfortunately migrated from a well-functioning Unix mail system to Microsoft Exchange a few years ago. I tried very hard (as an employee at the time) to find out how and why this happened, but nobody would tell me and nobody I knew cared one way or the other. Of course it suited users of Microsoft Outlook and also many more people started using the Outlook Calendar in a browser.
Best, Theo