The Electric Educator: security

Thursday, May 4, 2017

How to protect your Google Account


This past week a massive phishing scam impacted millions of Google users. You may have seen this email. Clicking "open" gave a hacker access to your address book and email, allowing them to send the same email to everyone in your address book.

Google Docs phishing scam


While annoying, this attack wasn't terribly malicious. The hacker did NOT get your password - they just sent out a LOT of emails.

This issue is a good reminder that we need to be vigilant when working on the web.

How can you protect your Google Account?


1. Think before you click - the original email looks nothing like a normal Google Drive email. That should have been the first clue.
Real vs. fake Google Docs sharing notification

Bonus tip: If you share a file with someone via Google Drive, I strongly encourage you to write a short note explaining why you are sharing the file. This will help your recipient verify that you are the one sharing this file with them. 

2. Don't just click "allow." For most of us, this is a familiar screen, but don't just click "allow." Make sure you know who you are giving your account information to. In the Docs phishing scam, clicking the "open" button prompted the user to give access to an app called "Google Docs." This is suspicious because you don't have to give Docs permission before you can view a file.
3. Periodically review your connected apps. Single sign on with your Google account is awesome. But over time you can have dozens of services accessing your data, even ones that you aren't using any more. If any of these services are compromised, you could be at risk (this recently happened with my account). Remove any apps or extensions that you no longer use.

To review the services that are connected to your Google Account, click here.

Review apps connected to your Google account
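The connected-apps review from step 3, written out as a short script; this is an added example, not part of the original post. It flags an app whose name imitates a Google product (as the phishing app did), one that can reach mail or contacts, or one that has gone unused. The record layout, the product-name list, the 90-day threshold and the sample data are assumptions made for the illustration.

```python
import unicodedata
from datetime import date

# Scopes matching what the phishing app obtained: mail and address book.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "read, send and delete all mail",
    "https://www.googleapis.com/auth/contacts": "read and change contacts",
}
# Names a third-party app should never present on a consent screen (assumed list).
PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}
STALE_AFTER_DAYS = 90  # assumed review threshold


def normalize(name):
    """Fold case, Unicode look-alike forms and extra spaces before comparing."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def review_grant(grant, today):
    """Return the reasons this connected app deserves a closer look."""
    reasons = []
    if normalize(grant["name"]) in PRODUCT_NAMES:
        reasons.append("name imitates a Google product")
    for scope in grant["scopes"]:
        if scope in SENSITIVE_SCOPES:
            reasons.append("can " + SENSITIVE_SCOPES[scope])
    idle = (today - grant["last_used"]).days
    if idle > STALE_AFTER_DAYS:
        reasons.append(f"unused for {idle} days")
    return reasons


def audit(grants, today):
    """Return (app name, reasons) for every grant with at least one finding."""
    findings = []
    for grant in grants:
        reasons = review_grant(grant, today)
        if reasons:
            findings.append((grant["name"], reasons))
    return findings


# Constructed sample data: three apps connected to one account.
SAMPLE_GRANTS = [
    {"name": "Google Docs",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"],
     "last_used": date(2017, 5, 3)},
    {"name": "Quiz Maker",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"],
     "last_used": date(2016, 9, 1)},
    {"name": "Gradebook Sync",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"],
     "last_used": date(2017, 5, 1)},
]

if __name__ == "__main__":
    for app, reasons in audit(SAMPLE_GRANTS, date(2017, 5, 4)):
        print(f"{app}: " + "; ".join(reasons))
```
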

Issues like the Google Docs phishing scam are bound to happen. It will happen again. Make sure you learn how to secure your personal information and follow appropriate security practices. What are these practices? Check out the series of posts that I wrote on data security for teachers:

Friday, April 7, 2017

Enable Drive Archiving for Google Vault

Drive Archiving for Google Vault

Google Vault is an e-discovery and archiving tool included with G Suite for Education. Schools can use Google Vault to comply with state and federal data retention regulations (Freedom of Information Act), monitor student activity, and retrieve lost or destroyed user data.

If you are not familiar with the initial setup and configuration of Google Vault, watch my comprehensive overview available here.

As of March 2017, Google Drive is now fully supported by Google Vault. Retention of Drive data adds an additional layer of data security and protection, especially in cases where someone attempts to destroy important information.
Source: https://goo.gl/W3wIpO

Support for Drive retention is NOT enabled by default. Follow these steps to ensure that Drive data is included in your retention policy.


1. Visit Google Vault (ediscovery.google.com) and select "retention".

2. You will see Mail, Drive, and Groups listed as supported services. Drive must have a retention policy applied to it before it will begin archiving data.
Your retention policy can be indefinite, or a set period of time. Most school districts have a board-issued retention policy (3, 5, or 7 years is common). Check with your legal team to determine the appropriate retention period.

3. You must also indicate how you want to calculate your retention period - from date of creation or date of modification. This is a very important setting. Most districts will want to use the "last modified" option.

4. One final option must be selected - what to do with files that are past the retention period. 

For the majority of schools, "expunge what has been deleted" is the best choice. This setting will not impact the files within a user's Drive account, only the files they have deleted.

The second option can be very disruptive as it will remove any file that is older than your retention period, even if it was not deleted. This option should only be used in very specific circumstances as it could result in the deletion of important documents. 
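To see how the settings in steps 3 and 4 interact, here is a simplified model of the choices as this post describes them. It is an added example, not Google's implementation and not part of the original post. The function names, the status labels ("live", "retained", "purged") and the sample files are assumptions.

```python
from datetime import date, timedelta


def vault_decision(doc, today, years, basis, expire_action):
    """Model what happens to one Drive file under a retention rule.

    basis:         "created" or "modified" (start of the retention clock)
    expire_action: "deleted_only" (expunge what has been deleted) or
                   "all" (remove anything past the retention period)
    Returns "live", "retained" (user deleted it, still archived) or "purged".
    """
    expired = today > doc[basis] + timedelta(days=365 * years)
    if not expired:
        return "retained" if doc["deleted"] else "live"
    if expire_action == "all" or doc["deleted"]:
        return "purged"
    return "live"


def simulate(docs, today, years, basis, expire_action):
    """Apply one retention rule to every file; returns {name: status}."""
    return {d["name"]: vault_decision(d, today, years, basis, expire_action)
            for d in docs}


# Constructed sample files for a district with a 5-year policy.
TODAY = date(2017, 4, 7)
DOCS = [
    {"name": "Curriculum map", "created": date(2010, 8, 15),
     "modified": date(2017, 3, 20), "deleted": False},
    {"name": "Old field trip form", "created": date(2010, 9, 1),
     "modified": date(2010, 9, 10), "deleted": True},
    {"name": "Incident notes", "created": date(2016, 11, 2),
     "modified": date(2016, 11, 2), "deleted": True},
    {"name": "Board policy PDF", "created": date(2011, 1, 10),
     "modified": date(2011, 1, 10), "deleted": False},
]

if __name__ == "__main__":
    for basis, action in [("modified", "deleted_only"),
                          ("created", "all"),
                          ("modified", "all")]:
        print(basis, action, simulate(DOCS, TODAY, 5, basis, action))
```

With "last modified" and "expunge what has been deleted", the recently deleted incident notes stay archived and both live files survive. With "created" and the second option, the curriculum map that was edited last month is removed.
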

Questions about setting up and configuring Google Vault? Leave me a comment; happy to help! 

Sunday, September 25, 2016

Does your Chromebook have a Virus?



No. The answer is no. But there are a LOT of people who would like you to think it does! 

It all starts when you end up on a sketchy website and are immediately greeted with a very scary looking warning that indicates your system has been infected, locked, disabled, etc. You are warned against turning off or restarting the computer (to prevent "data loss") and are urged to call a number or visit a website and complete some sort of form.



The scary part is that you usually can't get the warning message to go away. Clicking "okay" just brings it back again. This can cause some people to think that they do actually have a virus. 

If you are on a Chromebook, I am 100% sure that you do NOT have a virus, because there are NO known viruses for ChromeOS. This is the result of ChromeOS "verified boot" which ensures that the ChromeOS operating system can't be modified from the official release from Google.

Furthermore, any warning that indicates your disk drive, memory, or storage has been compromised can't be true because data is not locally stored on a Chromebook (for the most part anyway!).  

The message that you are receiving is a "Phishing" attack that is designed to make you nervous enough about this "virus" that you provide personal information to someone in order to get them to help you remove the "virus". Some scams will provide you with a tech support phone number (don't call it!) or suggest that you visit a certain website and enter your personal information (don't do it!).

What should you do? Here are the steps you can take:

1. Prevent more warnings - ChromeOS usually provides a small check box on pop-up notifications to "prevent this page from creating additional dialogs." Click this box and press okay. You won't see any more warnings from this site.

2. Re-trace your steps - How did you end up on the phishing website? Usually there are two options:

  • You clicked on a link from an email or social media post. If this is the case, notify the person that sent it to you so that they don't continue passing it on. No other action required.
  • You recently installed a new Chrome Extension. Sadly, there are some Chrome Extensions that are designed to take people to websites with phishing scams. Google does its best to review and prevent such rogue extensions, but it happens. If this is your situation, you will need to uninstall the extension by visiting chrome://extensions/ and deleting the extension that is causing trouble. If you aren't sure which one it is, disable them all and turn them on one at a time until the problem occurs again. 
3. Powerwash - this step is only necessary if the recommendations above didn't work. Powerwashing restores your Chromebook to factory default settings, eliminating any issues you are having. Because all of your data is stored "in the cloud" (except your download folder) you don't have to worry about backing up data prior to powerwashing your Chromebook. To powerwash your Chromebook visit Chrome settings and look for the powerwash button (at the very bottom). 

If you are really in bad shape and can't even get to the settings menu due to constant pop-up notifications, you can powerwash your device from the login screen. Turn off your Chromebook (hold down the power button) and restart. When you get to the sign-in screen, press Ctrl + Alt + Shift + to initiate the Powerwash process. 

Here are the important things to remember from this situation: 

1. Your Chromebook does NOT have a virus. 
2. Do NOT provide any personal information (credit cards, phone number, etc) to someone to "fix" this issue. 

If you or your students have experienced an issue like this please leave a comment and let us know how it happened and what steps you took to eliminate the issue. Hopefully we can put together a collection of bad extensions to avoid.


Wednesday, December 2, 2015

Is Google violating student privacy rules?

On December 1, 2015, the Electronic Frontier Foundation (EFF) announced that it was filing a formal complaint against Google with the Federal Trade Commission (FTC). The EFF is focusing on "Chrome Sync" which collects and stores user information. The fact that Chrome Sync is enabled by default on Chromebooks used in K-12 classrooms was the primary concern cited in the EFF complaint. The EFF claims that such data collection practices violate the Student Privacy Pledge of which Google is a signatory.

Google has not replied to the complaint, other than to say that they do not believe that their data collection practices violate the Student Privacy Pledge. It is not my responsibility to defend Google and their business practices. What I am interested in exploring is the increasingly cloudy area of data collection, mining, and use by large technology companies (Facebook, Google, Apple, Twitter, etc.).

There have been dozens of lawsuits related to the collection and use of user data:

It would be fairly simple to conclude that "data collection / tracking / mining is bad and should be stopped". If only it was that easy. The services we have come to rely on are made better through the collection and use of personal information: 
  • If Facebook didn't know who your friends were, your stream would be chaos. 
  • If Siri didn't know what "home" or "call my wife" meant, she would be useless. 
  • If my Chrome preferences aren't saved and synced to all of my devices, I wouldn't like it as much. 
There is a delicate balance at play here between the collection of personal information and the use and application of that information. Furthermore, the majority of the web-based services we use are free. The "cost" of use is your data. If Facebook, Google, and Pinterest aren't able to collect and mine information on their users, they would be out of business.

So where does all this leave us? These companies have our information, and have the potential to misuse that information. How can we balance the personal nature of these products with privacy, safety and security? What is the responsibility of individuals in securing their information? As educators, how can we protect our students while educating them, and their parents, about the importance of digital citizenship?

I believe that individuals must carefully consider their own tolerance and concerns related to personal information that is collected by technology companies. I have four reasonable requirements for the companies that I allow to collect my personal information: 

1. Tell me what you are doing
I expect that technology companies will tell me when personally identifiable information is being collected. Not every time, but at least the first time. It is the responsibility of the user to be aware of these notices and take action as appropriate (see expectations 2, 3, and 4 below).

2. Let me review and adjust my settings at any time
I expect the ability, at my discretion, to review and adjust settings related to the collection of my personal information. These settings should be easily found and adjusted, not hidden under layers of configuration.

3. Let me review collected data and delete it at my discretion
If I change my mind, I expect to be able to remove collected data - permanently. 

4. Protect my data
I expect companies that store my personal information will protect it with industry standard security protocols. I also expect that these organizations will not sell or make personally identifiable information available to others without my consent. 

This is what I expect from Google, Apple, Microsoft, Facebook, Twitter, etc. 

In exchange for the services that I use and rely on, I understand that my data will be used to serve targeted advertisements and offers. That's the deal. If I don't like it, I can stop using the service.

Saturday, April 11, 2015

Understanding Google Vault for Education


As of January 2015, Google Vault (formerly Postini) was made available to all Google Apps for Education customers. Formerly a paid service, Vault is now FREE for Educational institutions.

Google Vault is an e-discovery and archiving tool designed to help you retain district data. For public institutions, state and federal regulations require the retention of information for a set period of time that varies by state. Vault will make you compliant with these regulations. Vault currently fully supports Gmail and Hangouts with partial support of Google Drive data.

During the 2015 Indiana Google Education summit I led a breakout session focused on the appropriate setup of Vault as well as using Google Vault to comply with Freedom of Information requests (FOIA), internal investigations (i.e. cyberbullying) or recovery of lost data.

The presentation below was captured using a Swivl camera. It's a long session, but you can skip to the parts that pertain to you by selecting any of the slides; the video will automatically jump to that point in the recording.

I have also embedded the original slide deck as well.



Tuesday, October 7, 2014

Data Security for Teachers: Know Your Data!

The first step in protecting your data and privacy is to know what data has been collected and is known about you. Most **good** data companies will give you full access to the data and information they have collected about you and that you are storing with them.

Google does a nice job of giving you access to the data it has gathered about you and that you have connected to your Gmail or Google Apps account.

To view your Google data, click on your profile picture in the top right corner of a Google service (Gmail works well) and select "account."

There is a wealth of information here, including all of the personal information that is connected to your account. Here you can change your display name, contact information, profile picture and more.

In the "security" tab you can change your password and view account permissions. I highly recommend that you take a few minutes to go through the "secure your account" section which will:

  • Display your account recovery email address and phone number. 
  • Display your login activity by location to ensure that only you are accessing your account. 
  • Display apps and devices that are connected to your account. It is a good idea to remove any devices or services you are no longer using. 
Once you have completed this security audit, I recommend that you click on the "data tools" tab and select "view account data". This page displays all of the data associated with your Google account by product. You can see how many emails you've sent, how many appointments are on your calendar, etc. Sign up for a monthly summary of this data by clicking the check box at the top of the screen. Each month, quickly review the email to ensure that no unauthorized devices or services are accessing your account and that there is no suspicious activity going on.

The final step is to periodically (monthly) create a backup of your Google account data. Just find the "download your data" box and create a new archive (note: this is the Google Takeout service). You can leave it on the web, or download a copy to your computer (it may be large depending on how much you use your Google Account! My backup was 20gb!)

Once you know the data, devices, and services that are connected to your account, you can monitor, clean up, and manage that data to minimize the risk of unwanted intrusion or misuse of your information. 

Sunday, October 5, 2014

Data Security for Teachers - Setting Up Chrome Profiles



Google Chrome has become the browser of choice for the majority of computer users. Chrome is a great browser. One of the best features is the ability to "sign-in" to the browser and sync your settings, bookmarks, apps, extensions, and more across all of your devices that are running the Chrome browser. Here are all of the things that you can sync through Chrome:
Chrome Sync Settings: Chrome Menu --> Settings --> Advanced Sync Settings
Chrome Sync is incredibly useful, but also has the potential to cause a few issues.

If you log in to Chrome using your school provided Google Apps for Education account, all of your data will be connected to this managed account. Need to check your bank account during your planning period? Your bank username/password is now saved to your school account. Casually browsing the web in the evening on your laptop? Your "off the clock" browsing history is now saved to your school account. 


First of all, just because your bank password or personal browsing history is saved into your school GAFE account doesn't mean that your administrator or IT Director is sitting around sifting through your data. It is very safe and secure. The only way someone would be able to access this data would be to log into YOUR account by obtaining your password or resetting your existing password. 

The bigger issue/concern about your private/personal information ending up in your school account would be a FOIA (freedom of information request) that would force your school to search for information on a person or topic. 

To avoid this risk, you should set up multiple profiles in Chrome to keep your personal and professional data separate. This is also a good idea to do for each member of your family (if you have a shared computer). With multiple profiles, each person can have their own bookmarks, settings, apps, and extensions.

Watch the video below for instructions on setting up multiple Chrome profiles. The steps are the same regardless of whether you are using a Mac or PC. 

Monday, September 29, 2014

Data Security for Teachers - The Basics

As we put more and more data into "the cloud," keeping your data safe, secure, and away from prying eyes is more important than ever! For teachers, this is especially true. Classroom teachers are using tools like Google Apps for Education, iCloud, Moodle, Office365, Chromebooks, iPads at an ever increasing rate. All of the data created and stored in these services and devices should be protected and safeguarded.

There are [at least] three "bad things" that can happen to your personal data stored "in the cloud:"

1. You get "hacked"
The term hacking is a very broad term that basically means someone without permission has accessed your account or information without your consent. Once someone gains access to your account they can:
  • Send email through your email account (most likely scenario)
  • Delete/copy/move data
  • Search for personal information (bank accounts, passwords for other services, credit card information, etc)
  • Lock you out of your own account by changing your password. 
2. You get "locked"
If your accounts get "locked", you lose access to the data and services you rely on; bad news. An account will get locked for several reasons: 
  • Suspicious activity like sending LOTS of email or performing repetitive actions much quicker than a normal human. This typically happens if you get hacked, but sometimes accounts can be locked if you deviate from your normal activity (like when your bank cancels your CC when you travel out of state/country without notifying them). 
  • Too many failed password attempts
3. Accidental Destruction
It sounds funny, but there are ways that you can delete, corrupt, deactivate, cancel or otherwise mess up important data and information. Always good to have a backup!

Common Sense Tips to Keep your Data Safe: 



1. Choose a secure password. 

You know this, but do you actually know what "secure" means?
  • Your password should be at least 8 letters. (lots of debate on this, but I wouldn't go less than 8)
  • Your password should contain uppercase letters, lowercase letters, a number, and a symbol.
  • Avoid dictionary words
  • Avoid using personal information as your password such as your birthday, address, or phone number. 
Teacher Tip: Use the "license plate rule" to create your password. Create a password that would fit on a license plate (8 characters). Shorten words and add special characters to make your "license plate" password more secure.
Secure Password Examples (please don't use these!!)
  • English Teacher → Eng-tcHr
  • I Love Chemistry → i<3chemm
  • Math Teachers → Y=mx+bee

2. Backup Your Data Regularly

Again, common sense here, but backing up important data is a good idea. As we have moved away from data stored on our computers, we've also become less concerned with backing up our information. Many people believe that if their data is "in the cloud" they don't have to back it up.

While cloud-based products have improved the redundancy of our data, if your account is hacked, locked, or you experience accidental destruction, you will be very glad that you kept a backup of your data.

There are two ways you can "backup" your information:

"Share" your information with a secondary account. 
If you are using Google products, many of them allow you to share your documents, calendars, sites, etc with other people. A great way to safeguard your data is by sharing important information with a second email account that you own. For example, if your school uses Google Apps for Education, share all of your Google Drive files with your personal Gmail account. This doesn't "mix" or combine the data, it simply provides access to a second account which can be removed at any time.

Download a Copy of your Data Periodically
It's never a bad idea to download a backup copy of important information, even if it is "in the cloud." Keep in mind that in a cloud based environment, you are not worried about hard-drive failure; you are worried about losing access to your account.

Saving a backup file will vary depending on the service you are using. Dropbox, Google Drive and iCloud allow you to download copies of your information.

You can also consider third party solutions such as Backupify, Spanning, or Mover to help you backup, migrate, and copy your cloud data.

Google Takeout - a FREE service for Gmail/Google Apps users
Teacher Tip: If you are a Google Apps/Gmail user, take advantage of Google Takeout to generate a backup of your data across [most] of Google's services. With a single click you can backup your email, contacts, calendars, documents, and more!

If you've made it to this point in this post, hopefully you are thinking "wow, I knew all of that; can't believe I just read that entire article." If so, GREAT! The tips listed here are basic, common sense things that most of us don't do. 



Friday, December 30, 2011

Back Up Your Google Docs!

I know that cloud-based applications were supposed to eliminate the need to back up your files. Call me paranoid, but I have begun to back up my Google Docs account.

In the event that someone hacks into my account, causing it to be locked by Google, I could lose access to some very important documents and information. To mitigate this risk, I have begun saving a copy of my documents on a semi-regular basis. Here's how to do it.