Your email may be less secure in the hands of a local sysadmin than with a company like Google, which has a valuable reputation to defend and sophisticated systems in place to guard your data.
A legitimate reason to not use Google is their history of less than perfect customer service; they excel in technology, not in customer service.
I've never bought this argument. It is mathematically unsound. Systems behind my firewall, touched by one or two people, and with fewer hackers trying to break in are exposed to fewer threats. Many people want to break into gmail, because it's gmail. Many fewer people care about breaking into one university. There's no wire over which to transmit information. The more access points there are and the more hackers there are who can reach the systems, the greater the probability that one of those hackers will succeed.
Google's sophisticated systems have already been compromised by unsophisticated hackers in China.
A house with 5 doors is less secure than a house with 1 door. A house with no windows is more secure than a house with windows.
I completely agree. My university required you to change your password every 90 days. Not such a bad idea; however, they compare your new password against all previous passwords to make sure they are significantly different (e.g. you can't change your password from abcdefg to abcdeff). I'm assuming this means they save your passwords in clear text somewhere. Not exactly the type of people I'd trust with sensitive information.
EDIT: meastham makes a good point and he/she could definitely be right about generating hashes of all slight variations of each password. In response to what fname said, I'm wondering if there are any security concerns about being able to find similarities in hashes for similar passwords.
That doesn't mean that they're storing your passwords in the clear. They could simply be keeping hashes of your old passwords around and checking simple variations of the new password you're trying to use.
If I understand what you're suggesting, it is that they generate a list of slight variations to the new password, hash it, then compare it to the old password, right?
I think many people are misunderstanding what you're saying, i.e., they think you're saying that similarities between hashes correspond to similarities between passwords.
In the Windows/AD world, this is not true. AD will never store a current or previous password in clear-text. AD will, however, compare the password hashes before it will accept the new password when this type of setting is enabled.
EDITed to add: There's some logic to detect how close a new password is to an old one. Mainly, it's looking for consistencies between the 2.
Why are you assuming that? You can compare hashes ("does the encrypted version of what they entered as a new password equal any of the encrypted previous passwords").
If by hash you mean a one-way hashing system, then he did say significantly different and not just different. You couldn't do that with any common one-way hash.
You're correct, I didn't understand what he meant by significantly different until you pointed it out, because I have never encountered a system that didn't allow me to have a "similar password". However, I have encountered ones where my new password could not contain previous passwords, so unless they are hashing each component of my password and comparing, this probably does indicate clear-text storage.
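The approach suggested in the replies above (keep only hashes of old passwords, then hash simple variations of the new password and compare), as an added example that is not part of the original thread. The function names, the one-character-edit rule, the use of PBKDF2 and the lowered iteration count are assumptions chosen for illustration, not a description of any specific system.

```python
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
ITERATIONS = 100  # assumption: lowered so the demo runs quickly; real values are far higher


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_entry(password: str) -> tuple[bytes, bytes]:
    """Return the (salt, hash) pair that is stored; the password itself is discarded."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def variations(password: str):
    """Yield the password and every string one character edit away from it."""
    yield password
    for i in range(len(password) + 1):
        for c in ALPHABET:
            yield password[:i] + c + password[i:]          # insertion
        if i < len(password):
            yield password[:i] + password[i + 1:]          # deletion
            for c in ALPHABET:
                yield password[:i] + c + password[i + 1:]  # substitution


def too_similar(new_password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if new_password is within one edit of any password in the history."""
    for candidate in variations(new_password):
        for salt, stored in history:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                return True
    return False


# Constructed sample data: two previous passwords, kept only as salted hashes.
HISTORY = [make_entry("abcdefg"), make_entry("Winter2019!")]

if __name__ == "__main__":
    for attempt in ("abcdeff", "abcdefg1", "correct horse"):
        print(attempt, "rejected" if too_similar(attempt, HISTORY) else "accepted")
```

Because every history entry has its own salt, each candidate has to be hashed once per entry, so the cost of the check grows with password length, alphabet size and history depth.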
That article is fairly info-lite, even after visiting the source article (linked from OP). So "members of the faculty were concerned that it wouldn’t keep their correspondence private enough" but they don't say why they feel that way or suggest there's any actual evidence of lax security. The Google Buzz thing is a red herring since UCD weren't using that anyway, and as an apps administrator you can say which services your users are allowed to use.
I do have an interest in this: I'm about to move a campus to Gmail. I have no evidence it's less secure than the Exchange/Postfix systems it will be replacing, and I suspect in many ways it is more secure. I would welcome evidence to the contrary but the OP doesn't have any. This sounds like a bunch of people who don't understand "hacking" making loud about how the cloud just has to be less secure than their in-house systems.
Part of it may be the association of Google with web search--people may think that if Google is processing email, it can become part of search results.
My employer uses a hosted Exchange service, and I've not heard anyone raise a peep about privacy concerns. I suspect, however, that if we decided to move to Google Mail, people would raise the same sort of concerns.
Well, my current strategy is to migrate users when we give them new PCs this summer, then only tell them about the change later. Much later. Initially they'll be using Outlook to access email; they can use the web interface later if they want to. Why would they be interested in which email backend we're using? The trouble with asking them, or informing them in a way which suggests I want their opinion, is that it very quickly just becomes a beauty contest, where I have sound technical and financial reasons to make the move.
Actually the problem is too much privacy. University staff have access to your email without any problem if you store it on their system. However, on Google's system, they can't access it at all. They probably don't like this very much.
There are privacy issues, certainly, but as with the recent Yale rejection of Google Apps, I'd suggest we're not getting the full picture in this article.
Keep in mind that, as with any IT department in a large organization, there are vested interests to protect and outsourcing infrastructure can often be seen as a threat.
Holding up privacy as the showstopper is a bit of a straw man. I could easily list a bunch of reasons why keeping mail service local has major downsides and security concerns.
I'm not assuming that the IT dept in question had covert motives in this, just noting that we certainly aren't getting all the information in this situation.
After having to endure my university's switch to Live@Edu (Outlook Webaccess in cloud) I can only envy those that would be so lucky to have Gmail for their uni email service.
Yes! My university uses Live, or whatever it's called this year and it sucks in a majestic fashion. Different versions open in different browsers, the mobile site just doesn't work at all, there's an enormous redirection song and dance when logging in. Loads of basic usability flaws. Want to archive an email and create a new folder at the same time? Not possible. Oh and it's down far too often.
The only reason I don't pump it through my Gmail account is the level of crap that gets sent on mailing lists.
I feel your pain! My university's transfer to Live@Edu has been anything but easy and I just forward my email to GMail from the university's email. I long for the day when the backend of email is completely transparent.
As a UC Davis student, I can say it's a much better change than what we had before (and my on-campus work switched to Gmail from OWA as well). Definitely will hate to see it go...
I have this thought in my mind that Google is looking at and using my email for its own purposes. I have a Google Apps account for my business (free).
While I understand they do use my information for advertising purposes, is that the extent of it? Am I just misguided? I don't really think there is anything to worry about, but I don't trust them. Should I?