Gmail Prohibited in Austrian Public Agencies

"We of course must examine each service on an individual basis and determine whether or not it is suitable for the cloud and what providers would meet our requirements," said Roland Ledinger, ICT officer of the federal government, in an interview with futurezone. "Putting personal or sensitive information on servers operated by companies like Google and Microsoft is unthinkable at the moment," said Ledinger.

Forwarding to Gmail prohibited
The federal government goes even farther. It prohibits its employees from forwarding e-mails from their work accounts to Gmail addresses. This is prevented by technical means, assured Ledinger. "With e-mails, 98 percent of their content is entirely irrelevant. But when two of every hundred e-mails contains sensitive, personal information, this clearly violates the principles of data protection," Ledinger told futurezone.

Especially Google has been trying for years to convince institutions like universities, government agencies and municipal administrations to use its services, such as e-mail infrastructure and web-based office programs. The most convincing arguments are flexible access and especially cost savings. It was the latter argument that finally convinced the University of Salzburg to

Six-figure savings for University of Salzburg
"With over 18,000 students, the university can save a low six-figure amount every year, and use this money for other investments," said Florin-Cezar Guma, head of IT at the University of Salzburg, in an interview with futurezone. The savings come from the elimination of redundant mail servers, antivirus solutions, storage and backup systems, and all the associated licenses.

"In terms of efficiency, there is no way that a local system could ever keep up. With Google, we use three major data centers that are at different locations around the world. They are of course a better solution for handling the two peak periods that occur every year during registration than designing a local system with enough excess capacity to handle these two peaks, and then operating this entire infrastructure the whole year," explained Guma. But they would be interested in a European or Austrian alternative to the US companies.

"Messages are not scanned"
The skepticism of "some students" with regards to the storage of personal data and e-mails at Google was eliminated with information events and by taking individual criticisms into account. Unlike the publicly available Gmail system, the Google mail system that has been implemented in Salzburg is a closed cloud solution. Unlike with Gmail, Google apparently does not scan the messages for advertising customers, and the user password stays on the university servers, at least for the desktop version.

But if students use the Google services on smartphones or tablets, Guma explained that there is no way to prevent the password from being transmitted to Google when they log in. But students are informed of this fact every time they log in, before they log in. "Transparency and self-responsibility are absolutely crucial here," said Guma.

No 100 percent guarantee
That a contract with a provider is not a 100 percent guarantee that data will not be accessed by unauthorized persons is clear to the responsible administrators at the University of Salzburg, however. "For this reason, test results and grades are no longer sent directly to the student`s inbox, but can only be accessed on the university web site by means of a link," noted Guma. Research groups are asked to not share sensitive results online or using collaboration tools from Google or other providers.

That the US cloud providers are facing headwind in their own country was shown by a recent warning from the US president`s National Security Council. The National Security Telecommunications Advisory Committee (NSTAC) came to the conclusion in a report (PDF file) that the existing offers do not yet meet the requirements for access priority, reliability, interoperability and security. For this reason, government agencies and authorities should not yet start using cloud services.

A position paper on cloud computing in public administration prepared by the Austrian federal government and the city of Vienna came to a similar conclusion, and said that the risks must be assessed carefully before such services are used. In addition to data protection, which experts note

"Austrian legal system at risk"
Ledinger provided an example to show why availability is as important as data protection in some respects. Since 2004, the federal law gazettes in the Austrian Legal Information System (RIS) have no longer been printed, but only provided in digital form. "Because data protection is not relevant for legal gazettes, you could think that these documents are predestined for the cloud. But: If the RIS were to go offline and become unavailable for five days, that would put the Austrian legal system at risk," said Ledinger.

This means that the US companies only have good chances of being considered for cloud services for non-critical data. Ledinger said that cloud services from companies like Google and Microsoft are definitely an option for open data initiatives, where publicly available data unrelated to any individual are provided.

Mehr zum Thema

• “Wenn Amazon offline geht, gehen wir mit”
• Wild Wild Cloud: Datenschutzkontrolle unmöglich
• EU will einheitliche Regeln für Cloud-Dienste