Go Directly to Page Content
Go Directly to Site Search
Go Directly to Site Navigation
ITS Safe Computing

Security and Privacy in the M+Google Environment

M+Google is a cloud computing service that provides a large selection of collaboration tools to U-M users. Find more specifics about U-M's approach to security in the cloud in Cloud Computing and Information Security.

For information about Google's data security and privacy, see

U-M owns its own data, and Google may process or otherwise use UMICH account data only as required for the purposes of providing services and performing its obligations under the agreement. This includes processes for preventing spam and ensuring the technical functioning of Google's network (including detecting, preventing or otherwise addressing fraud, security or technical issues).

Core Services vs. Additional Services

M+Google Core Services are covered by the university's Google Apps for Education agreement with Google and provide a secure environment for maintaining or sharing the university's sensitive unregulated data, as well as some kinds of sensitive regulated data. M+Google Additional Services are not covered by this agreement. To learn which M+Google Services are Core Services and which are Additional, see the M+Google List of Services.

The distinction is important because the Core Services have certain privacy protections that are not found when using the Additional Services, which are not protected by U-M's agreement and may be subject to individualized data mining and advertising.

Almost all of the information found in Google Safety Center applies to M+Google Core services. However, there are some important differences between Google Apps for a general consumer audience and M+Google, the enterprise version under contract with U-M. For example, account holders using M+Google Core services will not see any advertising. In addition, two-step verification is not currently available in the M+Google environment.

Google's Privacy Policy and Terms of Service do not affect the contractual agreement between the University of Michigan and Google with respect to the Core Services, but they do apply to the Additional Services. The Terms of Service state that if a user is signed in to one of the Additional (non-Core) services, Google may combine information that the user provides in one non-Core service with information provided in another non-Core service. New users will be presented with the Terms of Service acceptance page the first time they log in to their M+Google account. If you do not want to accept the Terms of Service, which apply just to Additional Services, please contact the ITS Service Center to be set up with an account that does not have Additional Services activated.

Sensitive University Data and M+Google

U-M is responsible for all regulatory requirements, whether it stores its data locally or in the cloud. While M+Google is appropriate for most communication and collaboration, the sensitivity and regulatory status of information and data must be carefully considered before storing data in the M+Google environment.

Faculty, students, researchers, and staff need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to maintain institutional or research data in M+Google Apps. You can see at a glance whether it is is permissible or not to store or share a specific data type in a U-M or external vendor cloud services using the Sensitive Data Guide To IT Services.

Users who work with certain types of regulated data do not receive M+Google Mail and Calendar. They do have access to M+Google Drive and other collaboration tools, but must always be cognizant of the Proper Use Policy and guidelines for implementing it and Sensitive Regulated Data Standard when using those tools.

Users with both med.umich.edu and umich.edu email accounts may not forward email from their med.umich.edu to their umich.edu account to ensure that HIPAA data remains in a compliant environment.

Google stores data on its secure servers, which may be located outside the U.S. or within the U.S. and accessible to foreign nationals. For this reason, U-M users working with regulated export-controlled data that must be housed in the U.S. and managed by U.S. citizens may not use some M+Google Apps, such as Mail and Calendar. Their use of other Google Apps must be in accordance with the Proper Use Policy and guidelines for implementing it and the Information Technology Standard Sensitive Regulated Data: Permitted and Restricted Uses.

University Policy and M+Google

Under the terms of U-M's agreement with Google, U-M continues to own its own data, so consequently its security and privacy policies continue to apply for members of the U-M campus community using M+Google Core Services. For example, information in M+Google is subject to the same university rules, obligations, and procedures related to FOIA as is university information stored elsewhere. For more about FOIA, visit the Office of the Vice President & General Counsel's website and the FOIA Office.)

Use of M+Google is also subject to the university's General Information Technology Policies and Student Information Technology Policies.

Passwords and M+Google

When you log in to your M+Google account via the web, you log in using U-M's Weblogin service. That service will then pass on assurance of your identity and authorization to Google without passing on your password. For details, see Signing In and Out of Your M+Google Account Via the Web (S4389).

When you log in to your M+Google account using a desktop mail client, such as Outlook or Apple Mail, or from a mobile device, such as a smartphone, you log in directly to Google. In this case, Google needs to have an encrypted copy of your UMICH password so you can log in. U-M transfers your password to Google in encrypted form over a secure connection for this purpose. For details, see UMICH Password Hub.