[HN Gopher] Dutch schools must stop using Google's email and clo...
___________________________________________________________________
Dutch schools must stop using Google's email and cloud due to
privacy concerns
Author : starsep
Score : 79 points
Date : 2022-07-21 19:48 UTC (3 hours ago)
(HTM) web link (tutanota.com)
(TXT) w3m dump (tutanota.com)
| gidorah wrote:
| I am a UK college governor, and have bought up the GDPR issues
| that have come up with Google and Microsoft recently.
|
| Whilst I do get some nonsensical response, that big tech have
| great security, it does feel really lainful that there is
| basically no alternative. I really want there to be, but there
| just isn't a viable alternative.
| avianlyric wrote:
| Well good news! Our wonderful government has great plans to
| scrap GDPR and all the silly European bureaucracy slowing down
| business, and replace it with... checks notes ...better British
| bureaucracy that will cost just as much, while eradicating our
| rights to privacy...
|
| It's a Brexit benefit or something.
| ChuckNorris89 wrote:
| _> I really want there to be, but there just isn't a viable
| alternative._
|
| There isn't? My Eastern European highschool had self hosted
| email since as far as I can remember hosted on some pentium
| PCs.
|
| The issue isn't that there's no alternative, the issue is that,
| schools are unable or unwilling to bother doing things
| themselves and instead just go with Apple, Google, Microsoft,
| because it's easy and almost free.
| yazzku wrote:
| ls15 wrote:
| > but there just isn't a viable alternative.
|
| Why can't the state build a data center and host some Matrix,
| Nextcloud and Moodle instances? To me that would seem like tax
| money being used as intended by the taxpayer.
| jeffbee wrote:
| This kind of response always baffles me. Choose any of the
| common questions people have about cloud data privacy and ask
| the same question about Nextcloud. For example: when I delete
| a file does the cloud really delete it? Now read the
| Nextcloud source code. All it does is unlink files, and it
| doesn't even do that properly because it doesn't handle
| errors and races. Also, it poops your private data all over
| the filesystem while creating thumbnails and previews. So the
| answer is no, absolutely not even a single iota of effort has
| been expended making sure deleted data is really deleted, and
| inside administrators will have complete and total, unaudited
| access to it.
|
| Switching from a cloud run by professionals to a self-hosted
| Nextcloud would be a massive downgrade in information
| privacy.
| nisa wrote:
| ...and yet they win big government contracts and nextcloud
| is the official cloud storage solution for a lot of german
| universities. Same for matrix - good idea on paper but
| implementation is not there at the moment - still they won
| some pretty big government contracts for Bundeswehr
| (military) chat and health chat.
|
| IMHO Europe should just do something like create an
| https://www.inria.fr/en for writing sane software that
| acknowledges and handles the complexities of governance.
| Can't image that paying tons of grad students good money to
| design and hack something in Ocaml/Haskell that actually
| works is more expensive than the status quo.
| cmroanirgo wrote:
| The thing is, there's no gaurantee that google nor
| microsoft nor apple do anything more. With products like
| nextcloud, at least you can see exactly what's going on.
|
| We already know google, microsoft and apple have unfettered
| access to your data too. With self hosting, at least I have
| a chance of knowing when my data's being monitored & I can
| choose increasingly severe security around that system. The
| big players can only offer promises with little to no way
| for us to verify the truth of any one of their statements.
|
| So, unless the big players offer e2ee as a default, it's
| best to assume the worst from them. With nextcloud it's far
| less necessary if you're rolling your own (but it supports
| a form of encryption anyhow)
| jeffbee wrote:
| > at least I have a chance of knowing when my data's
| being monitored
|
| C'mon really. The whole central point of this euro
| scaremongering is that Google will turn over your data to
| intelligence agencies when U.S. court orders it to do so.
| Now imagine that for whatever fanciful and obviously
| highly unlikely reason the C.I.A. wants your PDFs. You
| are claiming this will be visible to you, that you will
| be able to defend yourself against hardware supply chain
| attacks, attacks on the media you downloaded to install
| CrapNux on your servers, attacks against your NextCloud
| auto-updates, attacks against the whole rest of your
| software supply chain, social engineering attacks against
| your sysadmins, attacks against your hard disk drive
| waste stream, and all the rest of it? And you will be
| able to achieve this on the budget on a Dutch primary
| school?
|
| Look, I think it _would_ be cool if nation-sized
| bureaucracies had the doctrines and practices that
| allowed them to be _actually safer_ than the cloud, but
| as it stands they do not.
| pelasaco wrote:
| It is just the pure old European protectionism, lobbyism and etc.
|
| To read something like that makes me cringe:
|
| "Based on the statements by the Dutch and German privacy
| watchdogs, schools and universities in the Netherlands and in
| Germany my not use Google's email or cloud services.
|
| Instead, it is recommendable to use a European email service such
| as Tutanota." (Tutanota blog)
|
| Sure Tutawhat? Probably the whole infrastructure is already
| compromised, software full of vulnerabilities and who can
| guarantee that they won't sell my data? People bash at google and
| microsoft, and have no idea how hard is to get a software and
| infrastructure to operate in the same level.
|
| For Schools in Germany, the issue "American authorities can
| access data stored in the European cloud without the German
| government having control over this." is much smaller than the
| issue "provide a solution that work with different platforms,
| different browsers, resolutions and languages". Every other
| solution provider failed miserable other than AWS and Google, in
| providing collaboration and email tool by affordable price. We
| saw it over and over again during the pandemics.
| twiss wrote:
| Just because you happen not to have heard of them doesn't mean
| that they're likely to sell your data. It may be hard to
| imagine, but people living in Europe may trust these services
| more than Google and Microsoft, and may not appreciate those
| companies giving away their services for free in exchange for
| mining our data and showing us ads :)
| nisa wrote:
| It's the law (GDPR) and there is no agreement about data
| sharing with the USA that is good enough to fulfill the
| demands. So this is actually a good thing in my opinion.
|
| Unfortunately you are spot on with everything else - been
| involved in the education sector during the lockdowns I've seen
| it first hand how a lot of taxpayer money went to either small
| companies that over-promised and under-delivered with bad code
| and bad ops / coding practices all over the place - not just a
| single company it's just a recurring pattern - additionally big
| consultancy firms grab even more tax money - some projects are
| good, at least I saw a little bit more professionalism but not
| enough imho - but other projects are even worse than those from
| the small companies...
|
| one big problem is that for almost everything there is a public
| tendering procedure and there lobbyism or just plain
| incompetence often win contracts - additionally even with
| competent administration the best bid often doesn't win because
| it's too expensive but the lowest bidder delivers so much shit
| that the budget explodes anyway. Also been involved in one
| project that let to me resigning because in the contract
| everything was spelled out very careful and competent from the
| administration side and the place where I worked just ignored
| everything - they got lot's of money for implementing a process
| that was secure and scalable and a good idea or let's say at
| least not directly a non-starter on paper but none of this
| existed and nothing was worked on internally - not sure if this
| ever materialized I guess they were able to bullshit their way
| out without problems.
|
| However there are also a lot of European companies that deliver
| good quality ops/software but they are mostly not interested in
| education.
| lizardactivist wrote:
| jacquesm wrote:
| Please don't.
|
| Check the guidelines regarding accusing people of being
| shills.
|
| If you have strong evidence someone is a shill then mail
| hn@ycombinator.com
| ASalazarMX wrote:
| Tutanota is a peer of ProtonMail in the secure email
| department: https://nordvpn.com/blog/tutanota/
| jacquesm wrote:
| Great. Now let them get rid of the Microsoft requirement, because
| that's at least as bad if not worse.
| contravariant wrote:
| Could you elaborate? What microsoft requirement?
| jacquesm wrote:
| Highschools demand students buy a Windows laptop, preferably
| some overpriced piece of crap with a few applications pre-
| installed from their 'preferred partner' who also happens to
| be a Microsoft representative.
|
| It's way beyond despicable but I'm too tired to fight it so
| I've caved in and bought a Windows laptop for one of my kids
| to use for highschool. It disgusts me that Microsoft manages
| to extract a tax on every kid in highschool and that schools
| allow themselves to be used as a part of the marketing and
| sales arm of a multinational company.
| twiss wrote:
| I went to a Dutch high school that used Google Accounts for
| email, and they once caught some students "cheating" on a group
| project (i.e. collaborating in larger groups than they were meant
| to collaborate in, I guess) via email. This made me suspect that
| the admins could read our school email (which people also used to
| talk about various other stuff, which I guess was unwise). I
| don't know if that was actually how they found out, but it made
| me very conscious of email privacy (or lack thereof).
|
| Now I work at ProtonMail, so go figure.
| dekhn wrote:
| That admins can read the emails in their managed accounts is
| working as intended. School accounts aren't for privacy,
| period.
| twiss wrote:
| Maybe, but it should be disclosed, at least, and students
| reminded to only use these accounts for school-related stuff,
| then. And even then, I'm not sure that there should be no
| privacy in school accounts - what if you want to complain
| about a teacher? What if that teacher happens to be an admin
| and retaliates? Sure, there may be cases where having some
| oversight is good, but it's not necessarily clear-cut.
| digitallyfree wrote:
| Even if it was personal email/social media I've see school
| computers continually log to disk a low-framerate screen
| capture of the student's screen. They could also watch it in
| realtime. My school also had keyloggers installed and while
| admin insisted that they would not use any captured usernames
| and passwords they certainly had the capacity to do so.
|
| I think there was some news in the past where some schools took
| this even further with webcam and mic access, though I didn't
| experience this.
|
| On a school or work computer that you don't control assume
| someone is watching behind your shoulder at all times, and
| reading every word you type. Whether if that's the case or not.
| twiss wrote:
| Yeah, that's also terrible. But this was an email account
| that we could access from our personal computers (they didn't
| give us a laptop) so at the time I didn't realize that they
| would be able to read it. IMO, it would have been good if
| Google had shown some warning or so, that that's the case.
| inopinatus wrote:
| I have worked for a MSP supplying internet access and
| groupware to institutions, and can tell you that the business
| and technical requirements for schools are almost
| indistinguishable from those of prisons.
| agentdrtran wrote:
| If your're on a paid plan it's pretty trivial for superadmins
| to read your mail. It's logged, but they can.
| jeffbee wrote:
| Yeah of course, gsuite administrators can access everything,
| and because gsuite admins are just modern-day instances of
| bofh-type obnoxious IT guys, there's no way you'll convince
| them to give up those powers.
| [deleted]
| ASalazarMX wrote:
| I don't know about Google for Education, but the business
| flavor doesn't let you spy the email of your users, at least
| I haven't found it. There are ways that allow you to copy
| every email to an "audit" address, if you're persistent
| enough, but good luck managing that mess and liability.
|
| There's the option of quarantining emails that have specific
| keywords. That's the likely way to catch students discussing
| cheating, attachments and all.
| agentdrtran wrote:
| You can view full email content in the investigation tool,
| use the APIs to download their mail via MBOX and read it
| there, or if you're feeling bold, just add yourself as a
| delegate to their inbox.
| nickdothutton wrote:
| Shortly after the height of the Merkel/NSA hacking scandal, when
| EU member states were most upset that US spying had been
| disclosed to their electorate (making EU politicians look weak in
| front of the voter). The EU kicked off an internal project to try
| and build a gmail replacement. Their plan was that customer
| number 1 would be all the educational establishments on the
| continent. They even got as far as checking out buildings to
| lease from paper manufacturers, to turn into data centres.
| Eventually that project went away, but I don't think we've seen
| the last of it yet.
| tmp_anon_22 wrote:
| That they tried to build their own data centers is a red flag.
| Not because its a bad idea, but I think you need to establish
| product-market fit for a software product before laying down
| serious hardware.
| waych wrote:
| Agreed, but that isn't a good way to spend a lot of taxpayer
| money.
| jeroenhd wrote:
| It's the weekly "USA is not GDPR compliant" thread, brought to
| you by an ad from a company you've never heard of!
|
| Nobody is going to care about the Google ban until someone gets
| fined. And then when someone gets fined, there will be an outcry
| because schools are funded with public money and think about the
| children etcetera etcetera. It's all so tiresome.
| hourago wrote:
| https://european-alternatives.eu/category/email-providers
|
| https://european-alternatives.eu/category/cloud-computing-pl...
|
| It should be easy to replace most of the services.
| moffkalast wrote:
| Honestly I half wish we had some kind of supergiant company on
| this side of the pond too, despite the drawbacks that brings at
| least it would guarantee some sense of digital stability.
|
| I've had my gmail account for probably more than a decade now
| and have never had to worry about it going amiss, meanwhile I
| look at this list of barely legit sounding names (aside from
| Proton) and wonder if any of these will be still around in a
| few years.
___________________________________________________________________
(page generated 2022-07-21 23:01 UTC)