Safe Computing
Home Students Faculty and Staff IT Security Community

Security and Privacy in the M+Google Environment

It is the policy of U-M to take all appropriate and desirable steps to protect the confidentiality, integrity, security, and privacy of both personal and institutional data maintained within the university environment. Under the terms of U-M's agreement with Google, U-M continues to own its own data, so consequently its security and privacy policies continue to apply for members of the U-M campus community using M+Google core services.

Google is a cloud computing service. U-M, like other large institutions, is increasingly moving into the cloud. Find more specifics about U-M's approach to security in the cloud in Cloud Computing and Information Security.

Expand All Questions

Common Questions

Google secures your data and provides for personal privacy. Google has its own very detailed security and privacy overview.

Google is SSAE-16 certified and periodically updates its SSAE report, which describes its security practices. You can read more about these practices in Google's 2011 Security Whitepaper: Google Apps Messaging and Collaboration Products.

Not all security and privacy practices or functionality developed or offered by Google are included in the U-M contract. For example:

  • Although almost all of the information in Good to Know applies to core M+Google services, there are some important differences between Google Apps for a general consumer audience and the enterprise version under contract, such M+Google. U-M account holders using M+Google Apps will not see any advertising.
  • The second recommendation in the video, 5 tips for staying safe on the web – enable 2-step verification for your Google account – is not currently activated in the M+Google environment.

U-M is responsible for all regulatory requirements even when it moves its data into the cloud. While M+Google is appropriate for most communication and collaboration, the sensitivity and regulatory status of information and data must be carefully considered before storing data in the M+Google environment.

Users who work with certain types of regulated data will not have their email or calendars migrated to M+Google. They will have access to M+Google Docs and other collaboration tools, but must always be cognizant of the Proper Use Policy and Sensitive Regulated Data Standard when using those tools.

Faculty, researchers, and staff (including student employees and students conducting research) need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to maintain institutional or research data in M+Google Apps.

The Office of the CIO has issued the following standard that establishes mandatory expectations for complying with statutory and regulatory requirements related to protecting sensitive regulated data:

To assist in making this assessment, faculty and staff can see at a glance whether a specific data type is permissible or not to be maintained in a U-M or external vendor cloud service using the Sensitive Data Guide To IT Services.

Google revised their Terms of Service and Privacy Policy, effective March 1, 2012. These changes do not alter the contractual agreement between the University of Michigan and Google with respect to the Core Services. The new Terms of Service and Privacy Policy do apply to the Additional Services that are made available to users, but there is no interaction between the Core Services and Additional Services. The new Terms of Service state that if a user is signed in Google may combine information that the user provides in one service with information provided in another service. Google is not changing how such information is protected or shared outside of Google. You will be presented with the Terms of Service acceptance page the first time you log in to your new M+Google account. If you do not want to accept the new Terms of Service or Privacy Policy for these Additional Services, please contact 734-764-HELP (4357) and you will be set up with an account that does not have these Additional Services activated.

M+Google Drive is considered a "core service" and is covered by the U-M agreement with Google. This means that it will be covered by the same terms as other M+Google Core Services.

No. U-M continues to own its own data and Google may only process or otherwise use @umich account data as required for the purpose of providing services and performing its obligations under the agreement. The university has rolled out a number of Google-provided services that are divided between "Core Services" and "Additional Services." Only the Core Services fall under the terms of the university's agreement with Google. This is important, because there are certain privacy protections in the Core Services environment that are not found when using the Additional Services. Google's Terms of Service and Privacy Policy, do not alter the agreement between U-M and Google with respect to the Core Services. However, any data or information used within the Additional Services are not protected by U-M's agreement and may be subject to individualized data mining and advertising.

For more information, see Google's FAQ page regarding Security and Privacy.

Per the terms of our agreement (which covers Core Services only), Google may only process or otherwise use M+Google account data as required for the purpose of providing services and performing its obligations under the agreement. This includes processes for preventing spam and ensuring the technical functioning of Google's network (including detecting, preventing or otherwise addressing fraud, security or technical issues). Note that our agreement with Google specifically prohibits advertising within the U-M domain for the Core Services. The university is neither selling data nor profiting from this arrangement.

Per the terms of the M+Google Apps agreement, U-M account holders using Google Apps within the U-M domain will not see advertising when using the Core Services.

Google will store data on its secure servers, which could be located outside the U.S. or within the U.S. accessible to foreign nationals. For this reason, U-M users working with regulated export-controlled data that must be housed in the U.S. and managed by U.S. citizens will not be able to use some M+Google Apps such as email and calendar. Their use of other Google Apps must be in accordance with the Proper Use Policy and the Information Technology Standard Sensitive Regulated Data: Permitted and Restricted Uses.

When you log in to your M+Google account via the web, you will actually log in to U-M's weblogin service. That service will then pass on assurance of your identity and authorization to Google without passing on your password. For details, see Signing In and Out of Your M+Google Account Via the Web (S4389).

When you log in to your M+Google account using a desktop mail client, such as Outlook or Apple Mail, or from a mobile device, you will log in directly to Google. In this case, Google needs to have an encrypted copy of your UMICH password so you can log in. U-M transfers your password to Google in encrypted form over a secure connection for this purpose. For details, see UMICH Password Hub.

Yes, the move to M+Google for email services does not alter the university's rules, obligations, and procedures related to FOIA. For more information visit the Office of the General Counsel's website and the FOIA Office.

It won't. Your M+Google account is managed separately from your personal Google account. However, you will be able to integrate some functions if you choose. For example, you can forward mail and share calendars between accounts.

Users with both med.umich and umich.edu email accounts should NOT forward email from their med.umich to their umich.edu account to ensure that HIPAA data remains in a compliant environment.

More Questions?

Information and Infrastructure Assurance offers introductory answers to frequently asked questions about what categories of sensitive regulated data can or cannot be maintained in cloud computing environments generally and the M+Google environment specifically.

The FAQ will be regularly updated to include new recurring questions asked by U-M faculty and staff. Contact us to submit a question you would like to see answered on this FAQ.

Additional Resources