General Chat Thread, Article: Is DropBox ok to use? in General
Page 4 of 7, results 46 to 60 of 95
#46 zag
    That's actually the first good explanation I've seen about this.

    I still think the likelihood of Dropbox selling my users' data is remote though. Especially as it's stored most probably in the USA, who you would imagine have similar laws and moral values.

#47 localzuk
    Quote Originally Posted by zag:
    That's actually the first good explanation I've seen about this.

    I still think the likelihood of Dropbox selling my users' data is remote though. Especially as it's stored most probably in the USA, who you would imagine have similar laws and moral values.
    It isn't just about selling etc... though. It's also about protection from, say, hackers etc... The company say they're using encryption but they could simply be lying. If someone managed to circumvent their security and get in and steal your data, in the UK they would be subject to various DPA related crimes. In the USA? Likely not...

#48 GrumbleDook
    Quote Originally Posted by zag:
    What I don't understand is why Dropbox or SkyDrive are any less safe than our VLE, my document shares, USB sticks, hard disks in a server room etc.

    I have all kinds of confidential stuff on my personal Dropbox. But it's protected with a username and password just like our other IT systems.

    Just to explain where I'm coming from, we use SkyDrive every day in a large secondary school. In the future I hope to move all our storage into the cloud, just like I have our email systems, which has already been a great success.
    This could almost be a separate article all on its own.

    A quick summary then ... and this is almost a stand-alone post so trying not to refer back to lots of previous posts.

    1) There is a law in the UK (and equivalent laws within the EU which are compatible with it) called the Data Protection Act. This is a very clear law as to what people can and can't do with data and information belonging to others, and how you let others know you are going to use / handle their data, and it is supported by 8 clear principles.

    What this means : The 8 principles are pretty simple to follow and the key areas of concern with cloud based systems is where the data is stored, how it gets there and how access to it is controlled. This is not about risk management where you can be willing to accept the risk, as the law says you *must* comply with all aspects of it.

    2) When you provide access to, manage or create a tool which may hold such data you have to apply all aspects of the law. This includes remote access to MIS, WebDAV based storage, cloud-based file sync solutions, IdPs, etc. If you have a contract with a system provider (e.g. VLE provider) they have a responsibility to also be within the law, but you ... as the purchaser of the system ... are also responsible for ensuring they are doing so.

    What this means : If you provide a VLE then you are solely responsible for making sure you follow the law. If you buy a product in then you have to be happy that you know the vendor will also follow the law. If there is a breach then you are both at fault. If you don't know what they are doing and it is pointed out that there is the possibility of a problem (even if there hasn't been yet) then you are also at fault. An example would be that CEOP have had to sign an undertaking because their online forms did not transit over https ... they should have checked the creators of the tools did the job properly. You cannot pass the buck by claiming you didn't know any better.

    3) Some systems are aimed at particular groups of people and will have contracts / T&Cs to reflect this. Although the T&Cs will have to operate within the laws of the land, you may be asking them to do more than can be expected to fit in with laws you also have to adhere to.

    What this means : If you sign up for Dropbox it is expected that you know what you are doing, that you know that if you are using it for 'business' use that you are happy it fits within the laws you have to follow and that they are not held responsible for when things go wrong (and so begins a long discussion about whether companies can get away with this!) ... because you should have known better. It also expects that you are signing up for it as an individual and that you are not using it to provide a heap of other stuff to others ... If you want that then you go into a different contract and that is why they have Teams. In short ... as tempting as it is just to click 'I Accept' you really do need to read the T&Cs.

    I know there are some generalisations in the above points but it should give enough of a background.

    Discussion about whether the law is appropriate, will be enforced to the full extent, whether the guidance available (including previous stuff from Becta) covers everything it should do ... these are almost moot points. The law says "do X ... don't do Y!"
    Last edited by GrumbleDook; 20th September 2011 at 02:37 PM. Reason: Some formatting for easier reading

#49 zag
    OK, all makes sense

    Simple question then.....

    Assuming a cloud service doesn't lose/sell/hack our data: do I have to worry about anything?

#50 localzuk
    Quote Originally Posted by zag:
    OK, all makes sense

    Simple question then.....

    Assuming a cloud service doesn't lose/sell/hack our data: do I have to worry about anything?
    Scattergun police raids on data centers taking all the servers and with it your data?

#51 SimpleSi
    Quote Originally Posted by zag:
    Assuming a cloud service doesn't lose/sell/hack our data: do I have to worry about anything?
    Well - they are not going to sell it and I'd be amazed if the Year 7 CAT scores ended up in the Guardian.

    Si

#52 CyberNerd
    Quote Originally Posted by GrumbleDook:
    1) There is a law in the UK (and equivalent laws within the EU which are compatible with it) called the Data Protection Act. This is a very clear law as to what people can and can't do with data and information of belonging to others, how you let others know you are going to use / handle their data and supported by 8 clear principles.

    What this means : The 8 principles are pretty simple to follow and the key areas of concern with cloud based systems is where the data is stored, how it gets there and how access to it is controlled. This is not about risk management where you can be willing to accept the risk, as the law says you *must* comply with all aspects of it.
    This seems contrary to the ICO link you posted earlier in the thread, which actually says that you can store data in 'non-approved' countries by doing a risk assessment, i.e. it is about risk management. Clearly it is easier to 'prove' to a court that you are satisfied if X were Safe Harbour, but the DPA doesn't prohibit use of non-EU, non-Safe Harbour sites. It does seem to be directed more towards the country they are stored in, rather than the company, though.

    Obviously you couldn't assess that dropbox's servers have an adequate level of protection if you don't know what country they are stored in.

    the ICO page says this:

    How do I assess adequacy?

    You will need to be satisfied that in the particular circumstances there is an adequate level of protection. For UK personal data the Act sets out the factors you should take into account to make this decision. These relate to:

    the nature of the personal data being transferred;
    how the data will be used and for how long; and
    the laws and practices of the country you are transferring it to.
    This means doing a risk assessment. You must decide whether there is enough protection for individuals, in all the circumstances of the transfer. This is known as an assessment of adequacy. To assess adequacy you should look at:

    the extent to which the country has adopted data protection standards in its law;
    whether there is a way to make sure the standards are achieved in practice; and
    whether there is an effective procedure for individuals to enforce their rights or get compensation if things go wrong.


#53 GrumbleDook
    I had hoped that not referring back to previous posts would have worked ... I didn't quite put enough information in it. I should have repeated that this is in reference to Dropbox and Safe Harbor.

    The countries which have been assessed and shown to have an adequate level of protection are covered within the same page. The US is not in the list, but:
    Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the “Safe Harbor” scheme is adequately protected. When a US company signs up to the Safe Harbor arrangement, they agree to:

    follow seven principles of information handling; and
    be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes.

    Certain types of companies cannot sign up to Safe Harbor. View a list of the companies signed up to the Safe Harbor arrangement on the US Department of Commerce website.
    The example you have given (assessment of adequacy) is an assessment of whether they comply with the law. This differs from a risk assessment, where there is a risk that they might not comply with the law yet you are happy to accept this. Apologies if I didn't explain that bit fully. In the US a company is deemed adequate if they have signed up and been certified under Safe Harbor (remembering to check what they have agreed to within that agreement ... as they may not be covered for everything you want). Although it is a voluntary scheme and some sections are restricted from being part of it (and covered under other acts and regulations to do with finance and telecommunications), a company who has not signed up to it (never mind the woolliness of the T&Cs) gives no guarantee of adequacy.

    Paraphrasing from a conversation with a DP expert who worked on the Becta advice ...
    If you go down the route of trusting to a contract which has the terms to dictate adequacy then you take the responsibility on yourself as you can only deal with them for breach of contract and not breach of law. At that point the school itself cannot guarantee the law is being complied with. The school has a responsibility to ensure all who process the data comply with the law ... (I forget the exact section of the act but part of principles 7 & 8) and if this cannot be guaranteed then the school is in breach. The example given to me (and pretty relevant) is if you have an insecure online form you don't have to lose data to be in breach ... the fact that it is possible means you have not done your job right. This is pretty relevant right now since this is what CEOP got collared for recently and had to sign an undertaking.

    I have probably mangled the explanation a bit now ... (might have to clean it up tomorrow when awake) but I'm just trying to point out the difference between accepting risk and assessing adequacy. Drawing the line on how you then firm that up is looking like a grey area, but all the advice I have had so far (Becta, ICO, Cabinet Office) has been that for the US they have to have signed Safe Harbor for the relevant data uses you want. Since Dropbox can't even guarantee they are using US data centres, and they have a history of security problems, I don't think it would be beyond the realms of acceptance to say it is doubtful whether we could say they are taking the right measures to allow users / schools to regard them as adequate. Especially since they will not respond to questions on their forums about it and have yet to respond to 5 requests that I am aware of asking them this question (3 from me and 2 from teachers looking at the same issue). We can only work with hard facts at this point ...

    Sleep calls ... out tomorrow so I'll look at any response tomorrow night.


#54 CyberNerd
    That does make sense to me, although it does seem like a minefield, even without taking into account what actually constitutes private data!
    I've already given SLT advice against using Dropbox, although we use a Google Apps domain. I believe that I've made the correct decisions so far with regards to Google and Dropbox. And MS's track record for complying with the law (assessment of adequacy) kind of put them out of the frame anyway, regardless of where their data sits.

#55 znova
    Just to add my two penn'orth - I did a fair amount of research on the DPA and US Safe Harbor, and I have a BIG issue with Safe Harbor - unlike the DPA, it is NOT legally enforceable. So if anyone wanted to be picky, your data stored in a data centre in the US is pretty vulnerable. GrumbleDook is correct in saying that you do not need to store data in the EU PROVIDED you can ensure it will receive the same level of protection. But if Safe Harbor isn't legally enforceable and a trigger-happy US government can raid data centres at any time, the US for me isn't really an option.

    The other point which came up during discussions on this issue in my uni course: what happens to the data which crosses country boundaries? That data will have to be encrypted to the level of the lowest common denominator between the countries it crosses during the transfer. If I remember correctly, one of our lecturers (from the States) was travelling to the States with an encrypted memory stick, but the encryption was higher than the US government permits and he could have been tried under some obscure weapons law (can't remember which one though).

    To be honest, it is a maze. I was thinking about all the cloud-centred software schools use (mymaths springs to mind) and we really don't have a clue where these companies really store the data...

#56 SimpleSi
    Quote Originally Posted by znova:
    I was thinking about all the cloud-centred software schools use (mymaths springs to mind) and we really don't have a clue where these companies really store the data...
    So let's stop worrying about it then.
    Si

#57
    Re. "trumping", I posted an angle on that last Dec. Re: SkyDrive, I thought MS explicitly said data stored there could end up anywhere in the world (unlike Live@edu, which is, and Office365 SharePoint, which is supposed to be, EU)? Have they changed that?

#58 SlimBUK
    I use SugarSync, but not for any sensitive information. (Sorry if it's already been mentioned, I've not read the whole thread.)

#59 zag
    Well, I'm going to continue to use Dropbox as my main storage area.

    Will take my chances I think! It's just too convenient.


#60 localzuk
    Quote Originally Posted by zag:
    Well, I'm going to continue to use Dropbox as my main storage area.

    Will take my chances I think! It's just too convenient.
    I'll continue storing all my money in a big box outside my door. It's just too convenient...
