Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an "extreme action" designed to get the attention of both its users and Google.
The ill-conceived move has generated attention, all right, mostly in the form of widespread complaints from those affected, as well as criticism from outside network professionals.
From a lengthy Oxford blog post attempting to explain the decision:
Over the past few weeks there has been a marked increase in phishing activity against our users. ... We are keen to see that compromises and associated spam runs do not adversely impact the University's "reputation" with external email services such as Hotmail and GMail. We have had problems in the past in which Hotmail have rejected all mail from us over a period of many days, owing to too high a proportion of the mail from us being marked as spam. Such incidents can cause major disruption to legitimate University business. ...
Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action. While this wouldn't be effective for users on other networks, in the middle of the working day a substantial proportion of users would be on our network and actively reading email. A temporary block would get users' attention and, we hoped, serve to moderate the "chain reaction."
They apparently got more than they had bargained for.
It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services. This was taken into account along with changes to the threats and balance of risks over the course of the afternoon, and after around two and a half hours, the restrictions on access to Google Docs were removed.
Oxford's "extreme action" was too extreme, according to the overwhelming majority of those commenting on the university's blog post and in other forums.
"To me, it seems like a knee-jerk reaction whose legitimate effects may be less than fully positive. And may, in fact, be worse, since limiting access from on-campus could provide a false sense of security to IT staff," says Drew Perry, a security analyst at Murray State University. "Instead of a half-successful technical response, effort should be placed on information security awareness. Teach your users to identify phishing attempts themselves and not respond. Now, I fully understand how daunting a task that is, but it's the only way to truly protect your user base."
"I was disappointed to see this action being taken," says one commenter on the blog post. "It seemed like a point score against Google rather than a serious attempt to improve security."
"Aren't you guys closing the wrong door?" asks another commenter. "If the spam problem is volume, why not implement an email quota for your users? 100 emails a day? Come on guys, if a university of your prestige can't deal with that, who can?"
"The response seemed disproportionate to the perceived risk," says the director of network services at a New England college who asked to remain anonymous. "They were worried about being used as a spam platform and subsequently being blacklisted -- not having student/medical/financial info pilfered. Email rate/quantity limiting might have been a better response.
"Hopefully this got some media traction somewhere," he adds. "Google's inaction on this long-standing issue is regrettable."
The Oxford blog post also called out Google:
"We will also be pressuring Google that they need to be far more responsive, if not proactive, regarding abuse of their services for criminal activities. Google's persistent failures to put a halt to criminal abuse of their systems in a timely manner is having severe consequences for us, and for many other institutions."
I've asked Google for comment.
(Update: A Google spokesperson replies: "Google actively works to protect our users from phishing attempts. Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes. Users can report phishing pages using this form or directly through Gmail.")
Welcome regulars and passersby. Here are a few more recent buzzblog items. And, if you’d like to receive Buzzblog via e-mail newsletter, here’s where to sign up. You can follow me on Twitter here and on Google+ here.