Security: Frequently Asked Questions

MFA adds an additional layer of security by verifying not only that the person knows a password, but that the person also has access to a registered device, like a personal smartphone. UCSB has partnered with Duo Security, a system that makes it easy for you to enable MFA. MFA is an added layer of protection for services that use your UCSBNetid account. Learn how to get started with MFA. 

Google 2-step verification adds an extra layer of security to your Google Workspace Account. 2-step verification drastically reduces the chances of having the personal information in your Google account stolen by someone else. Google 2SV is an added layer of protection for Connect Functional Accounts and Former Employees or Student Accounts. Learn how to enable Google 2SV.

Duo MFA is used with active UCSB Identity accounts. These accounts use a UCSBnetid and password, and typically Campus Single-Sign-On (SSO). 

Current Employees, Students, and Campus Affiliates will use Campus SSO and Duo MFA to log into Google Workspace.

Connect Functional Accounts, and Former Employees, Students, and Campus Affiliates who no longer have an active UCSBnetid will use Google Authentication and 2SV to log into Google Workspace.

Both the nature of email and the public character of the University make email less private than users may anticipate. Do not use Connect to store or transmit sensitive data (as outlined in Electronic Communications Policy). Connect email is not encrypted and should not be used for sensitive communications. Your Connect account is your responsibility: do not share account passwords or access with others, or you may be held responsible for any misuse of your account that occurs as a result. Do not use your campus email for any commercial activity, including publishing your address in association with commercial activities. Unless you are appropriately authorized to do so, please don't use email to give the impression you are representing, giving opinions of, or making statements on behalf of the Campus. Other practices to avoid: sending unsolicited mass mailings without the consent of all addressees, unless authorized on behalf of the campus by an appropriate administrative official; sending chain letters, spam, or harassing email; knowingly forwarding or originating hoaxes, scams, viruses, or other types of fraudulent messages; forging messages or masking the identity of an account intentionally; engaging in practices such as "denial of service attacks" that impede the availability of electronic communications services to other users; or violations of copyright law. If you have questions about whether certain transactions are appropriate for campus email service, please contact policy@ucsb.edu.

The hosting provider does not own UCSB account holders' data. Google does not take a position on whether the data belongs to UCSB or the individual user, but they know it doesn’t belong to them. (For specific questions about UC’s intellectual properties and copyright policies, please refer to UCOP’s Copyright Resources.) Specifically, they won’t share your data with others except as noted in their privacy policies. They will keep your data as long as UCSB requires them to keep it. When asked to delete messages and content, the hosting provider makes reasonable efforts to remove deleted information from our systems within a commercially reasonable amount of time.

Each Connect person account is created using an individual’s name as listed in the UCSB Directory and his or her @ucsb.edu email address. No additional information is shared with the hosting provider. In particular, your UCSBnetID passphrase and information about your account is kept solely on campus servers and is not shared with them.

UCSB’s contracts with Microsoft and Google put in place stronger protective measures around data stored and transmitted in the UCSB implementation of cloud core services (eg, Connect email) than found in consumer-level cloud services. Data stored in our core services are not scanned for the purpose of displaying ads. Data stored in core services are also not accessible by non-core services, including consumer-level Microsoft and Google services and third party sites.

Using Connect core services protects data. An example of this protection would be if you log into your Connect account, then proceed to Google Search to look for something. Ads displaying in the Google Search results screen (a non-core service) will not be influenced by your data in Connect email (a core service). You can use non-core services from your Connect account knowing your data is protected.

Established providers of web-based services have gone to great lengths to protect against threats. They run their data centers using custom hardware running a custom OS and file system. Each of these systems has been optimized for security and performance. They work with external parties to constantly test and enhance security infrastructure to ensure it is impervious to external attackers. And because they control the entire stack running our systems, we are able to quickly respond to any threats or weaknesses that may emerge.

Internally, your data is virtually protected as if it were on its own server. Unauthorized parties cannot access your data. Your competitors cannot access your data, and vice versa. In fact, all user accounts are protected via this virtual lock and key that ensures that one user cannot see another user’s data. This is similar to how customer data is segmented in other shared infrastructures such as online banking applications.

The hosting provider maintains a number of geographically distributed data centers. Their computing clusters are designed with resiliency and redundancy in mind, eliminating single points of failure and minimizing the impact of common equipment failures and environmental risks. Access to our data centers is restricted to authorized personnel.

Your Connect account is managed separately from your personal Gmail account(s), therefore the data and settings from these accounts will remain separate.  Only data that you manually copy between the accounts will be shared (e.g. if you send a personal email to your Connect mail account). 

Whatever account you log into first will be the default account for additional applications in G Suite (Groups, Drive, etc).  If you want to use the same browser to monitor your Connect account and your personal gmail account, be sure to log into your Connect account first.

No, the hosting provider’s scanning and indexing procedures are 100% automated and involve no human interaction. Their automated systems will scan and index some user content in order to provide features that will either directly benefit users or help maintain the safety and security of their systems.

For example:

• Email is scanned to perform spam filtering and virus detection.
• There is no ad-related scanning or processing.
• Some user data, such as documents and email messages, are scanned and indexed so users can privately search for information in their own accounts.

Our hosting providers comply with valid legal processes seeking account information, such as search warrants, court orders, or subpoenas. They attempt to notify users before turning over their data whenever possible and legally permissible.

Our hosting providers comply with valid legal processes seeking account information, such as search warrants, court orders, or subpoenas. They attempt to notify users before turning over their data whenever possible and legally permissible.

Our hosting providers don't share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect their systems. These exceptions include requests by users that the hosting provider's support staff access their email messages in order to diagnose problems; when they are required by law to do so; and when they are compelled to disclose personal information because they reasonably believe it's necessary in order to protect the rights, property or safety of their employees, its users and the public.

No. Google will not display any advertising in your Connect account.