Australian unis in mass Microsoft email migration

Microsoft is in the midst of a mass transition of students off its Live@edu email service which will see millions of Australian users migrated to Office 365.

In June 2012, Microsoft announced the launch of Office 365 for Education and the retiring of Live@edu services. The migration project has rolled out around universities and colleges the world over in recent months, with the bulk of activity in Australian institutions reserved for this month.

The University of Technology Sydney, Curtin University, Victoria University, Flinders University, Sydney University, the University of Wollongong and the University of NSW have either recently undergone or are preparing for the Office 365 upgrade.

The free Live@edu service offered Outlook Live, Office Web Apps, Windows Live Messenger and SkyDrive storage and was used by a large number of universities and TAFEs across Australia for student and staff accounts.

There are three flavours of Office 365 for Education, one which remains free and two that are paid subscriptions. The free product offers Exchange Online, Lync Online, SharePoint Online and Office Web Apps. The migration from LIve@Edu to Office365 aims to tempt users of the former to consider paid upgrades.

After the upgrade is complete, users are left with two accounts: one to access Office 365 services and another, personal, Windows Live account to access SkyDrive and Messenger. 

Mass migration

The migration process is expected to affect around 22 million students across 130 countries and 10,000 institutions and last until September 2013.

Microsoft would not disclose how many users would migrate in Australia. 

Since 2009, tertiary institutions in Australia have been offered free email hosting for staff and students from either Microsoft Live@Edu or Google Gmail. 

Almost five million students have enrolled in Australia's 40+ universities between then and halfway through 2012.

Seven universities surveyed by iTnews had a combined 873,000 users on the Live@edu service, suggesting the migration impacts email accounts numbering in the millions, given the majority of local universities have opted for Microsoft email.

Microsoft has previously promised the upgrade process would be painless and require little effort on the part of the end-user IT teams.

Where is the data going?

When signing up with Live@edu, university CIOs were given a choice of hosting the service in either the United States or Singapore. Despite its huge scale in Australia and network of 100 such facilities across the globe, Microsoft is yet to host solutions within Australian territory and has not indicated plans to do so.

Peter James, director of IT infrastructure and operations at The University of Technology Sydney, told iTnews the university picked the US to store its data due to percieved similarities between US and Australian privacy law.

UTS has around 280,000 Live@edu accounts, predominantly alumni, with 35,000 of those active students. UTS went through the Office 365 upgrade two weeks ago, choosing to move the data over a weekend.

The university also has its own on-premise data centre, where it stores backups and copies of all Live@edu emails sent between UTS students and staff.

James told iTnews the offshore location of the university’s email data centre was of little concern. 

“Where the data is hosted doesn’t really make much difference because for us, over 60 percent of people were forwarding their email elsewhere anyway,” he said. 

“There are privacy issues, but the American privacy laws are much the same as ours. I know everybody goes on about the Patriot Act, but we’ve got to remember that if our Federal Government and Police say they want to see our email we have to give it to them, and in America it’s roughly the same.”

The University of Wollongong, which has around 60,000 Live@edu accounts, is currently in the midst of its upgrade and has also chosen to host in the United States.

Most other universities surveyed by iTnews opted for the Singapore solution.

Victoria University has 170,000 accounts on Office 365 as of last Friday, with the data stored in Singapore.

Its acting director for information technology operations Zoran Sugarevski told iTnews the institution had a five-year explicit requirement not to host data in the US.

“For us, the decision is around the retention and storage of our students’ data, and the Singapore proposal and contract offered by Microsoft was better aligned to Australian law,” he said. 

The university does not store any of the data locally as the cost of 170,000 accounts would be prohibitive. Sugarevski said it ensured the safety of offshore data by undertaking regular, six-monthly risk assessments of all companies contracted to supply services to the university. 

“We have around five to six different systems in the cloud, and we’ve gone through around three or four iterations with Microsoft over the years,” he said.

“Our criteria is around making risk assessment of the organisations; their policies, procedures and practices in the way of managing and securing data, and how they apply archival and destruction processes. 

“As long as they’ve got the right policies, practices and procedures, we’re not too concerned.”

Sydney University also stores its data in Microsoft’s Singapore data centre. Its students account for around 50,000 Live@edu accounts, which will move across to Office 365 on July 26. Sydney University doesn’t store any of the email data on-site.

A spokesperson for the university said there were some “mild” concerns with the data being hosted offshore, but said “the benefits of the service outweigh the risk.”

The University of NSW, with 210,000 Office 365 accounts as of its upgrade on July 8, was not given a choice as to where its student and stafff data now resides.

None of the UNSW email data is backed up on-site, nor does the university consider the data’s offshore location in Singapore an issue. 

“We do not have specific concerns about storing student email offshore,” said UNSW chief technology officer Denise Black.

“It is not mandatory for our students to use the Microsoft email service, they can direct their email to an email provider of choice, which may be onshore or offshore.”

Flinders University has around 46,000 total and 18,000 Office 365 student and alumni accounts. It completed its upgrade last week.

When it first signed on to Live@edu, it chose Singapore as its data centre owing to concerns with the US Patriot Act. The University's IT team was satisfied with Microsoft’s “very strong” security and privacy policies. 

Curtin University’s 57,000 active users will move over to Office 365 as of July 31. Curtin relies solely on Microsoft’s Singapore data centre for email, opting not to store any of the data in its own facilities.

Curtin University CIO Chris Rasmussen told iTnews any concerns around the location and storage of data had been addressed when the university first signed on to Live@edu.

Read on for privacy implications....

Look to the Privacy Act

Universities need to keep in mind two key pieces of legislation when hosting emails containing personal information offshore, according to Malcolm Burrows, practice director of Brisbane-based privacy law firm Dundas Lawyers.

The first is the Australian Privacy Act, which is due to be updated in March 2014. The second is the United States Patriot Act's Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.

“Australian organisations storing information in the cloud are still subject to regulation by the Privacy Act and in particular must comply with National Privacy Principals,” Burrows said. “NPP 9 deals with transborder data flows and requires an organisation to consider the destination country to have similar privacy laws or to obtain consent.

“The first threshold question is whether personal information is being sent offshore which may subsequently be accessed because of the broad powers contained in the Patriot Act.”

The Patriot Act accommodates for nation-wide search warrants for emails, and because of the breadth of the Act’s powers, there is risk of inadvertent disclosure of all content in and attached to emails, Burrows said.

“Law enforcement agents do not have to physically visit the ISP, and prosecutors and judges have no control over determining whether a warrant may be obtained,” Burrows said. 

"Whilst the right to obtain and subsequently use information appears limited, as with the disclosure of any information there is a risk that there may be further inadvertent disclosure."

Burrows said while the Patriot Act was not designed to allow for malicious objectives, the broad powers for foreign intelligence gathering and the granting of warrants meant emails may not be as secure as the senders and receivers think. 

“The use of emails to send and receive information ... is subject to the whims of the United States government,” Burrows said.

“The information sent and received could be subject to a foreign intelligence investigation for the sole reason that such information could be of benefit to the United States. This could lead to further implications, if information accessed by the United States is, for example, used by researchers in patents.” 

Additionally, the new incoming Australian privacy law will require all organisations to notify affected parties if there is a likelihood their data will be held offshore and where it might be held - a new requirement.

James Moore, partner at law firm HWL Ebsworth with a speciality in data privacy, told iTnews at the time of the collection of personal information such as at enrolment, universities will be required under the new Act to make a disclosure.

“When somebody enrols in a university, that university will know that it’s likely that personal information will at some point get into the university’s systems and perhaps be sent in an email, to the extent that the student’s data will be accessed through Office 365,” he said.

“It’s very likely that if the university is signed up to such a service, some information about each student or academic will ultimately be sent to America or Singapore.

"So at the time the university collects the personal information, it would become a requirement under the Act to actually make a disclosure that they use Microsoft products and as a result the information is likely to be held on a server in the US or Singapore.”

Moore said data in offshore systems is subject to the laws of the country it resides in and to Australian privacy law. 

“Where [personal] information is sent offshore, the organisation is responsible for making sure that it is dealt with in accordance with Australian privacy principles, and if it is dealt with inconsistently the organisation in Australia is actually in breach,” Moore said. 

He said many organisations were currently wrestling with how they would deal with the new requirement around location of data ahead of its inclusion in the new privacy laws.