Can the UG take back control?
We’ve become totally dependent on Google
Jeanne Mifsud Bonnici doesn’t even have to think about it. Choosing Google, she says, was a bad decision.
It’s been seven years since the UG traded in its own email service Pegasus Mail for Gmail. Over time, the university added Google Calendar and other parts of the Google Suite for Education. The company’s software was said to be more reliable – an attractive feature after some university-wide mail system malfunctions – and it was also a lot cheaper, saving the university almost 400,000 euros a year. But still, it was a bad decision, says the professor of European technology law and human rights.
‘We do research funded by the EU in the area of security’, Bonnici explains. ‘One of the conditions in the contract was to use tools that were secure. We already knew that Google wasn’t safe.’
Bonnici, who’s part of the Security, Technology & E-privacy research group (STeP), fought vehemently against the switch. She and her colleagues felt the risks outweighed the advantages offered by the Big Tech company. They feared loss of autonomy, lack of privacy and transparency, and potential data leakages. And after Edward Snowden revealed how the NSA tapped Google servers to get data on European governments, how could STeP possibly justify using Google during their research?
We already knew that Google wasn’t safe
They weren’t alone in their objections. Staff members of the faculties of Science and Engineering, Behavioural and Social Sciences and Law in particular objected. Of all FSE staff, 60 percent opposed the decision.
And even though people could submit a request for an exemption, only a handful of researchers were granted one. The fourteen STeP scholars were among them, due to the clear incompatibility between their research and Google.
Gmail has indeed proven to be reliable and handy over time. However, concerns about how safe university data is with Google have cropped up again. First in March, when an investigation commissioned by the UG and the Amsterdam University of Applied Sciences showed that Google might not treat our data as securely as initially thought.
Then again last week, when the Dutch Personal Data Authority (Autoriteit Persoonsgegevens) advised Dutch educational institutions to either drastically renegotiate the terms of the contracts between the institutions and Google or ban the company entirely.
But instead of stepping away, it seems the UG is venturing deeper into the Google universe: just this week the university has started using multi-factor authentication at several faculties, suggesting its employees download a Google app to generate an authentication code.
‘I’m clearly not surprised’, Bonnici says. ‘Considering the examples in recent years of how Big Tech companies dealt with people’s data, the question isn’t if we’ll have a major issue one day, but when.’
‘The problem with Google is fundamental’, agrees Aline Klingenberg, who is both a judge and an expert in data protection and privacy. ‘Google just doesn’t comply with the very basics of the General Data Protection Regulation (GDPR), which sets the guidelines in the European Union.’
The question isn’t if we’ll have a major issue, but when
According to EU rules, there are two essential entities when it comes to dealing with data: the controller and the processor. The controller determines the goal for which personal data is processed and how. The UG controls its staff and students’ data, for example.
The processor is the one who processes data on behalf of the controller, following its instructions. In this case, Google.
Google doesn’t see it that way, though. ‘It considers itself a controller and not a processor. And that entitles it to determine what to do with the data it collects without having to explain much to educational institutions’, says Klingenberg.
It’s not that nobody thought to draft a contract. But those aren’t as clear and binding as they should be, argues Klingenberg. Moreover, Google complies with American laws and the Patriot Act, which enables the US government to access the data of American companies for security purposes.
‘This discrepancy between controller and processor has potentially endless consequences, and leads to unknown threats’, says Klingenberg. ‘We cannot know what Google may do with the data it collects.’ Since the US has no interest in protecting EU citizens, ‘once our data goes to America, it’s basically lost to us’.
There’s also a profound difference between the EU’s approach to data protection and the American one. ‘EU rules are more human rights based, and the GDPR also focuses on making fair economic traffic possible. Big Tech companies are profit driven’, says Klingenberg. That alone should be enough to veer away from the US and not want to rely on Google’s social responsibility.
Loss of autonomy
Jaap-Henk Hoepman, an expert in privacy technologies at the IT Law section, had issues with Google too. But where Bonnici fears Google’s use of data, he points to more practical problems. ‘Imagine if the Netherlands would get its water, gas, and electricity solely from Russia or China. People would be uncomfortable with that.’
That’s the way it is with Google, he says: it provides any online service you might want and everyone depends on it. ‘So people should feel equally uncomfortable.’
What you spend in effort, you gain in freedom
Loss of autonomy is another issue, he says. ‘By outsourcing a service to external companies, we lose control as a university and therefore we lose power over our system.’
This makes us vulnerable in ways that go beyond the fear of data leakage. If Google decides so, it can shut down its services and we might find ourselves unable to work or to access our emails from one day to the next. ‘That possibility is not simply theoretical’, Hoepman says. ‘In 2019 for example, Adobe shut down Photoshop in Venezuela in accordance with the US government sanctions towards the country.’
‘Google sets a wrong example for our students’, says Daan Opheikens, who’s doing a master in computer science, intelligence systems and visualization. ‘These kinds of enterprises have profit as their main interest rather than ethics and respect for individuals or customers.’
The problem is, there is no clear-cut way to get out of the mess the uni has gotten itself into. Renogiating contracts isn’t a permanent solution, Hoepman says. ‘Even if the agreement with Google is improved, universities will still be outsourcing fundamental services to external companies and no real form of autonomy would be reached.’
What can be a solution is self-hosting: the university would then maintain and run software and websites based on private servers, limiting the risk of shutdowns or loss of control.
‘It’s more work to self-host, and more expensive’, says Opheikens. ‘But what you spend in effort, you gain in freedom, which is much more valuable.’
After seven years, Jeanne Bonnici can confirm that ‘one can survive quite well outside the Google world’. Many solutions already exist inside the UG system, at least for staff members, she says.
It seems indispensable, but alternatives are close at hand
‘There is Unishare, which can replace Google Docs; it also offers the possibility to have guest accounts. This way, external researchers can join in collaborative editing. And there’s software like Blue Jeans, which allows you to have secure virtual meetings, or Collaborate, although that’s just for teachers.’
However, Bonnici is realistic. In a world where everyone uses Google, choosing autonomy and transparency comes with a price. ‘At times, it’s not easy to be an outsider, but in the end, it’s just a matter of choice.’
She would be overjoyed if the UG were to take its first steps away from Google. ‘It seems indispensable, but alternatives are close at hand’, she says. Opheikens would also welcome the change. ‘It’s something universities ought to do. It would be difficult, stressful and expensive, but it would definitely be worth it.’