[HN Gopher] Dutch schools must stop using Google's email and clo...
___________________________________________________________________
Dutch schools must stop using Google's email and cloud due to privacy concerns

Author : starsep
Score  : 79 points
Date   : 2022-07-21 19:48 UTC (3 hours ago)

(HTM) web link (tutanota.com)
(TXT) w3m dump (tutanota.com)

gidorah wrote:
I am a UK college governor, and have brought up the GDPR issues that have come up with Google and Microsoft recently.

Whilst I do get some nonsensical response, that big tech have great security, it does feel really painful that there is basically no alternative. I really want there to be, but there just isn't a viable alternative.

avianlyric wrote:
Well good news! Our wonderful government has great plans to scrap GDPR and all the silly European bureaucracy slowing down business, and replace it with... checks notes ...better British bureaucracy that will cost just as much, while eradicating our rights to privacy...

It's a Brexit benefit or something.

ChuckNorris89 wrote:
_> I really want there to be, but there just isn't a viable alternative._

There isn't? My Eastern European highschool had self hosted email since as far as I can remember hosted on some pentium PCs.

The issue isn't that there's no alternative, the issue is that, schools are unable or unwilling to bother doing things themselves and instead just go with Apple, Google, Microsoft, because it's easy and almost free.

yazzku wrote:

ls15 wrote:
> but there just isn't a viable alternative.

Why can't the state build a data center and host some Matrix, Nextcloud and Moodle instances? To me that would seem like tax money being used as intended by the taxpayer.

jeffbee wrote:
This kind of response always baffles me. Choose any of the common questions people have about cloud data privacy and ask the same question about Nextcloud. For example: when I delete a file does the cloud really delete it? Now read the Nextcloud source code. All it does is unlink files, and it doesn't even do that properly because it doesn't handle errors and races. Also, it poops your private data all over the filesystem while creating thumbnails and previews. So the answer is no, absolutely not even a single iota of effort has been expended making sure deleted data is really deleted, and inside administrators will have complete and total, unaudited access to it.

Switching from a cloud run by professionals to a self-hosted Nextcloud would be a massive downgrade in information privacy.

nisa wrote:
...and yet they win big government contracts and nextcloud is the official cloud storage solution for a lot of german universities. Same for matrix - good idea on paper but implementation is not there at the moment - still they won some pretty big government contracts for Bundeswehr (military) chat and health chat.

IMHO Europe should just do something like create an https://www.inria.fr/en for writing sane software that acknowledges and handles the complexities of governance. Can't imagine that paying tons of grad students good money to design and hack something in Ocaml/Haskell that actually works is more expensive than the status quo.

cmroanirgo wrote:
The thing is, there's no guarantee that google nor microsoft nor apple do anything more. With products like nextcloud, at least you can see exactly what's going on.

We already know google, microsoft and apple have unfettered access to your data too. With self hosting, at least I have a chance of knowing when my data's being monitored & I can choose increasingly severe security around that system. The big players can only offer promises with little to no way for us to verify the truth of any one of their statements.
So, unless the big players offer e2ee as a default, it's best to assume the worst from them. With nextcloud it's far less necessary if you're rolling your own (but it supports a form of encryption anyhow)

jeffbee wrote:
> at least I have a chance of knowing when my data's being monitored

C'mon really. The whole central point of this euro scaremongering is that Google will turn over your data to intelligence agencies when U.S. court orders it to do so. Now imagine that for whatever fanciful and obviously highly unlikely reason the C.I.A. wants your PDFs. You are claiming this will be visible to you, that you will be able to defend yourself against hardware supply chain attacks, attacks on the media you downloaded to install CrapNux on your servers, attacks against your NextCloud auto-updates, attacks against the whole rest of your software supply chain, social engineering attacks against your sysadmins, attacks against your hard disk drive waste stream, and all the rest of it? And you will be able to achieve this on the budget of a Dutch primary school?

Look, I think it _would_ be cool if nation-sized bureaucracies had the doctrines and practices that allowed them to be _actually safer_ than the cloud, but as it stands they do not.

pelasaco wrote:
It is just the pure old European protectionism, lobbyism and etc.

To read something like that makes me cringe:

"Based on the statements by the Dutch and German privacy watchdogs, schools and universities in the Netherlands and in Germany may not use Google's email or cloud services.

Instead, it is recommendable to use a European email service such as Tutanota." (Tutanota blog)

Sure Tutawhat? Probably the whole infrastructure is already compromised, software full of vulnerabilities and who can guarantee that they won't sell my data? People bash at google and microsoft, and have no idea how hard it is to get a software and infrastructure to operate in the same level.

For Schools in Germany, the issue "American authorities can access data stored in the European cloud without the German government having control over this." is much smaller than the issue "provide a solution that work with different platforms, different browsers, resolutions and languages". Every other solution provider failed miserably other than AWS and Google, in providing collaboration and email tool by affordable price. We saw it over and over again during the pandemics.

twiss wrote:
Just because you happen not to have heard of them doesn't mean that they're likely to sell your data. It may be hard to imagine, but people living in Europe may trust these services more than Google and Microsoft, and may not appreciate those companies giving away their services for free in exchange for mining our data and showing us ads :)

nisa wrote:
It's the law (GDPR) and there is no agreement about data sharing with the USA that is good enough to fulfill the demands. So this is actually a good thing in my opinion.

Unfortunately you are spot on with everything else - been involved in the education sector during the lockdowns I've seen it first hand how a lot of taxpayer money went to either small companies that over-promised and under-delivered with bad code and bad ops / coding practices all over the place - not just a single company it's just a recurring pattern - additionally big consultancy firms grab even more tax money - some projects are good, at least I saw a little bit more professionalism but not enough imho - but other projects are even worse than those from the small companies...
one big problem is that for almost everything there is a public tendering procedure and there lobbyism or just plain incompetence often win contracts - additionally even with competent administration the best bid often doesn't win because it's too expensive but the lowest bidder delivers so much shit that the budget explodes anyway. Also been involved in one project that led to me resigning because in the contract everything was spelled out very careful and competent from the administration side and the place where I worked just ignored everything - they got lots of money for implementing a process that was secure and scalable and a good idea or let's say at least not directly a non-starter on paper but none of this existed and nothing was worked on internally - not sure if this ever materialized I guess they were able to bullshit their way out without problems.

However there are also a lot of European companies that deliver good quality ops/software but they are mostly not interested in education.

lizardactivist wrote:

jacquesm wrote:
Please don't.

Check the guidelines regarding accusing people of being shills.

If you have strong evidence someone is a shill then mail hn@ycombinator.com

ASalazarMX wrote:
Tutanota is a peer of ProtonMail in the secure email department: https://nordvpn.com/blog/tutanota/

jacquesm wrote:
Great. Now let them get rid of the Microsoft requirement, because that's at least as bad if not worse.

contravariant wrote:
Could you elaborate? What microsoft requirement?

jacquesm wrote:
Highschools demand students buy a Windows laptop, preferably some overpriced piece of crap with a few applications pre-installed from their 'preferred partner' who also happens to be a Microsoft representative.

It's way beyond despicable but I'm too tired to fight it so I've caved in and bought a Windows laptop for one of my kids to use for highschool. It disgusts me that Microsoft manages to extract a tax on every kid in highschool and that schools allow themselves to be used as a part of the marketing and sales arm of a multinational company.

twiss wrote:
I went to a Dutch high school that used Google Accounts for email, and they once caught some students "cheating" on a group project (i.e. collaborating in larger groups than they were meant to collaborate in, I guess) via email. This made me suspect that the admins could read our school email (which people also used to talk about various other stuff, which I guess was unwise). I don't know if that was actually how they found out, but it made me very conscious of email privacy (or lack thereof).

Now I work at ProtonMail, so go figure.

dekhn wrote:
That admins can read the emails in their managed accounts is working as intended. School accounts aren't for privacy, period.

twiss wrote:
Maybe, but it should be disclosed, at least, and students reminded to only use these accounts for school-related stuff, then. And even then, I'm not sure that there should be no privacy in school accounts - what if you want to complain about a teacher? What if that teacher happens to be an admin and retaliates? Sure, there may be cases where having some oversight is good, but it's not necessarily clear-cut.

digitallyfree wrote:
Even if it was personal email/social media I've seen school computers continually log to disk a low-framerate screen capture of the student's screen. They could also watch it in realtime. My school also had keyloggers installed and while admin insisted that they would not use any captured usernames and passwords they certainly had the capacity to do so.

I think there was some news in the past where some schools took this even further with webcam and mic access, though I didn't experience this.
On a school or work computer that you don't control assume someone is watching behind your shoulder at all times, and reading every word you type. Whether if that's the case or not.

twiss wrote:
Yeah, that's also terrible. But this was an email account that we could access from our personal computers (they didn't give us a laptop) so at the time I didn't realize that they would be able to read it. IMO, it would have been good if Google had shown some warning or so, that that's the case.

inopinatus wrote:
I have worked for a MSP supplying internet access and groupware to institutions, and can tell you that the business and technical requirements for schools are almost indistinguishable from those of prisons.

agentdrtran wrote:
If you're on a paid plan it's pretty trivial for superadmins to read your mail. It's logged, but they can.

jeffbee wrote:
Yeah of course, gsuite administrators can access everything, and because gsuite admins are just modern-day instances of bofh-type obnoxious IT guys, there's no way you'll convince them to give up those powers.

[deleted]

ASalazarMX wrote:
I don't know about Google for Education, but the business flavor doesn't let you spy the email of your users, at least I haven't found it. There are ways that allow you to copy every email to an "audit" address, if you're persistent enough, but good luck managing that mess and liability.

There's the option of quarantining emails that have specific keywords. That's the likely way to catch students discussing cheating, attachments and all.

agentdrtran wrote:
You can view full email content in the investigation tool, use the APIs to download their mail via MBOX and read it there, or if you're feeling bold, just add yourself as a delegate to their inbox.
nickdothutton wrote:
Shortly after the height of the Merkel/NSA hacking scandal, when EU member states were most upset that US spying had been disclosed to their electorate (making EU politicians look weak in front of the voter). The EU kicked off an internal project to try and build a gmail replacement. Their plan was that customer number 1 would be all the educational establishments on the continent. They even got as far as checking out buildings to lease from paper manufacturers, to turn into data centres. Eventually that project went away, but I don't think we've seen the last of it yet.

tmp_anon_22 wrote:
That they tried to build their own data centers is a red flag. Not because it's a bad idea, but I think you need to establish product-market fit for a software product before laying down serious hardware.

waych wrote:
Agreed, but that isn't a good way to spend a lot of taxpayer money.

jeroenhd wrote:
It's the weekly "USA is not GDPR compliant" thread, brought to you by an ad from a company you've never heard of!

Nobody is going to care about the Google ban until someone gets fined. And then when someone gets fined, there will be an outcry because schools are funded with public money and think about the children etcetera etcetera. It's all so tiresome.

hourago wrote:
https://european-alternatives.eu/category/email-providers

https://european-alternatives.eu/category/cloud-computing-pl...

It should be easy to replace most of the services.

moffkalast wrote:
Honestly I half wish we had some kind of supergiant company on this side of the pond too, despite the drawbacks that brings at least it would guarantee some sense of digital stability.

I've had my gmail account for probably more than a decade now and have never had to worry about it going amiss, meanwhile I look at this list of barely legit sounding names (aside from Proton) and wonder if any of these will be still around in a few years.
___________________________________________________________________
(page generated 2022-07-21 23:01 UTC)