General Chat Thread, Article: Is DropBox ok to use?
29th February 2012, 04:08 PM #76
Does the new Dropbox safe harbour certification now make Dropbox something we can now recommend to staff, or is there still an issue with data leaving the EU?
29th February 2012, 04:55 PM #77
I'm sure GD will find one
or is there still an issue with data leaving the EU
[Comment of whole thread]
(It's non-issues like this that make me despair of modern society!)
Do a risk assessment - count the possible data breaches - count the possible damage - do the maths
29th February 2012, 04:58 PM #78
Apologies for not putting an update on for this after Daniel's post ... I have been trying to follow it up to try and cover the other queries about The Patriot Act too. I'll stick up a longer article shortly but the summary is as follows.
Dropbox have now agreed and certified to the US-EU Safe Harbor Agreement, and have put in their entry what they comprehensively cover, process, store, etc ... and this does indeed meet the requirements under the DPA for transfer of data outside of the European Economic Area. The issue that surrounds them being a US company and under The Patriot Act has to be a judgement by the school (as they would for any other service such as Google, Microsoft, Apple, Box, etc) as to whether they believe this is a risk (that a law enforcement agency may seize the data), but understand that we have a similar section in our DPA to cover our companies operating overseas. I have requested an update from the ICO as to whether this needs to be considered a risk and so far, again there is no quotable response, but the points raised previously stand.
If the issue was the lack of Safe Harbor Agreement then that has now been met, if the issue is with it being outside of the EU then we know that DropBox use Amazon servers in San Francisco and if the issue is one of The Patriot Act then it is a judgement call as to whether you believe that it is or isn't correct that a law enforcement agency from another country can seize data, in the same manner we have equivalent laws to seize data in the UK and this already applies to many services already used within schools (and there has been no issue so far or significant legal challenge).
For me ... it is no longer a risk assessment about whether they are a risk as to whether there could be a problem (i.e. break the law but no harm, no foul) but now simply a case of they *can* follow the law ... but, as with all such firms, you are making an assessment about whether they will and there is nothing to indicate that they won't.
2 Thanks to GrumbleDook:
elsiegee40 (1st March 2012), steele_uk (1st March 2012)
29th February 2012, 06:48 PM #79
TBH the Patriot Act is the last of our worries; the US government can already close you down and have you extradited to the States without presenting any evidence to a British court. The fact they might be able to seize my data sort of pales into insignificance given that I could face an indeterminate sentence in a US prison if one of my users so much as looked at some copyrighted material.
Originally Posted by GrumbleDook
29th February 2012, 07:15 PM #80
For some organisations it is an issue and the proposed changes to the EU data laws which are likely to deal with these concerns might make some consider it as an issue too, until it is resolved.
Originally Posted by CyberNerd
Whilst some may make light of it, the law is there for a reason.
25th April 2012, 09:41 AM #81
So what are people's thoughts on this now?
We are just rolling out the Skydrive desktop app to all staff. I need to be able to give them some guidelines on its usage.
I've heard all the arguments and to be honest I am pretty happy with them saving files to their Skydrive accounts. They have already been using live@edu email in the same way for a year now with no problems so far.
25th April 2012, 11:08 AM #82
I've just installed the Skydrive app on my laptop to see what it's all about.
I'm still not really sure about it, or any 'cloud' based storage, that will potentially have student confidential data saved to it. It's a MS app after all, and it's Windows Live based, which to my mind, makes it a target for hacking, password-publishing and all the rest of it. One of the reasons I gave for retaining our Exchange server and not migrating to Live@Edu.
I'm firmly of the opinion that, if we used Live@Edu or Skydrive or Dropbox here, someone, somewhere here would store something confidential, their account would get hacked amongst thousands of others and it would all end in tears........and I'm too short-time for that.
25th April 2012, 11:32 AM #83
We've been on Live@edu for a while now for email and had all those conversations before moving. Now we are on it, I really do wonder what the fuss was all about.
Originally Posted by Earthling
Touch wood, we have not had a single incidence of hacking or any kind of data loss since we started using it.
Storing files in the cloud is just another step along that path I think. But I do have the same reservations as everyone else about the security. So far though I have not seen any evidence of this happening on live@edu.
Last edited by zag; 25th April 2012 at 11:34 AM.
25th April 2012, 11:54 AM #84
Originally Posted by zag
I think I'm being realistic when I think that it WILL happen sooner or later. Hotmail was always being hacked every couple of years and I'm sure Windows Live will be just as much a target, if (maybe) a bit harder to crack. But hey, if it works for you, good luck. I have other reasons for not wanting to go Live@Edu, too. That's just one of them.
25th April 2012, 02:26 PM #85
Thanks, as you can probably tell I'm trying to convince myself here as well
25th April 2012, 05:32 PM #86
If it is now just an issue of password security, how is a pupil giving out their password for Dropbox or Live@EDU any worse than giving out their password for the school domain (if you have some form of remote access to your internal servers set up)? In fact in this scenario, if users are compromised on your network then the possibilities for some Heath Robinson remote access solution being hacked are worse, as your INTERNAL network and servers could be compromised.
My point is surely from an IT security point of view having fewer "vectors" into your internal network is preferable. Cloud storage is one way of allowing sharing between home and school without opening up your network.
Google and Microsoft should be tailoring their products to allow lock downs on sharing files with users outside your organisation and the online editing/viewing features should be used to facilitate the disabling of download permissions entirely (of course copy and paste and screenshot is a loophole) so files could not be downloaded from a secure folder and then distributed.
Another idea is that the web application detects when you are sending e-mail to an external domain and pops up a reminder of your responsibilities under the DPA and gives you an "are you sure" message.
Just basic e-mail has allowed the worst kind of DPA infringements in history but we don't all block hotmail and gmail in schools.
25th April 2012, 05:34 PM #87
What I'm basically saying is PLEASE CAN WE HAVE GROUP POLICY (like functionality) FOR LIVE@EDU/GOOGLE APPS!!!!
25th April 2012, 05:38 PM #88
The main reason you don't want people getting into your servers is so they can't get a hold of all the sweet gooey data inside them - sure, them being trashed is annoying but the data is key - if all that data is now external you still have the issues but little control of the system. In short, you're protecting your internal network by removing many/all targets of value from it, moving the problem, not solving it.
Originally Posted by Alis_Klar
25th April 2012, 06:55 PM #89
The key, from a managerial point of view, is that you move it to being someone else's problem.
Originally Posted by SYNACK
Provided you jump through the correct hoops, you get the bonus of deniability to boot.
If MS servers get cracked and data leaked, we've done all we need to from ICO point of view - we checked their safe harbour status and it is reasonable to assume that they have more technical security knowledge to secure their servers than I do. If my servers get cracked and data leaked, I'm in a whole heap load more trouble and could be criminally liable.
25th April 2012, 07:38 PM #90
Sorry, but that is wrong. What you are doing is sharing the responsibility and giving yourself the option of taking someone else to court *after* you have been hung, drawn and quartered first (though the knives will probably be well and truly blunt before they get to a school after having gone through the hosting provider but the risk is still there). You cannot completely devolve legal responsibilities on data protection and safeguarding, and it is the school's legal responsibility to appropriately choose the right partners to work with. This is one of several reasons why the large scale frameworks sorted out by LAs, RBCs and central Govt go through so many legal hoops ... to save schools having to do the same amount of investigation because it has already been done and deemed as appropriate as possible.
Originally Posted by CyberNerd