Security and Privacy Information for Google Apps

Staying Secure with Google

With UCSB's increasing use of Google’s services, it is important to remember that sensitive information often requires special protection. It is also important to remember that although Google provides enhanced security features and UC’s contract with Google provides assurances regarding the security and privacy of customer information stored on Google’s systems, most security cautions that apply to UC systems apply to Google.

Following are several proactive steps you can take to help maximize security and privacy when using Google.


Google's two-step verification uses a code in addition to your username and password. Each time you log in, Google sends a new code via text or voice message that you will need to enter. This means that to access your account, a hacker would not only need your username and password, but also your phone in order to get in.

(back to top)


(back to top)


Don't use Google to send or store highly sensitive information such as PII or other restricted data. If you must, encrypt it first.

  • Email security: Remember that email is inherently neither private nor secure. This is true for our campus email systems as well as most third-party email providers, including Google. Highly sensitive information should never be sent through email unless it is protected, e.g. by encryption. This includes attachments.
  • Protect our most sensitive information: Highly sensitive information should be stored on UC servers designed for its storage or should be encrypted. Attachments containing highly sensitive information should be encrypted. Google does not encrypt documents, so be sure to encrypt your docs before putting them in Google.
    • And remember to securely delete highly sensitive information when you no longer have a business need to keep it. The less you have to store, the better!
  • Ask your IT staff for assistance or alternatives.
  • Encryption information

(back to top)


With UCSB using Google for email, calendar, docs and sites, among other things, it is increasingly likely that people will use non-UC devices, especially mobile devices, for work. All devices used for work must meet UC and UCSB security requirements. 

(back to top)


It is important to know Google's default settings and sharing options in order to avoid accidents related to over- or under-sharing.

When creating a new document or collection in Google, it will either default to be private to you or inherit the permissions of the collection under which you created it. Click on the “Share” button to review who it is shared with.

  • Click the "Advanced" link in the "Share with Others" box to see who has access. This brings up the "Sharing Settings" box.
  • At the top of the "Who has access" list, it should say, "Specific people can access". This means only the specific people listed below can access the doc. You can change this setting by clicking on the "Change..." link to the right of this setting. Be cautious about opening up access beyond specific, named individuals.
  • You can delete people by clicking the "x" to the right of their entry on the sharing screen.You can add people by name, email, or group (pre-existing groups in Google only) in the "Invite people" box. Be sure you know who is in groups before sharing with them.
  • To the right of the "Invite people" box (once you click on it), there will be a role drop down menu which defaults to "Can edit". Unless you really want someone to be able to edit, change their access level to something else. Access levels are "owner" (there can only be one owner), "edit," "comment," and "view".
  • For documents/collections that others can edit:
    • The default sharing settings allow editors to change permissions, including who has access to documents, their access levels, and where the documents are stored. This can result in documents and collections "disappearing." The following change will help prevent this:
    • Find the line at the bottom of the "Sharing Settings" box that says "Editors will be allowed to add people and change the permissions." Click on "[Change]" and select "Only the owner can change the permissions."
  • It is important to understand that when you move or delete a Google doc or collection, you are moving the ORIGINAL doc/collection, not your own, personal copy. You are moving it for everyone!
    • Only the creator/owner can permanently delete a doc/collection. If something has been moved, the owner can still find it in the "Owned by me" section of their Google Docs/Drive homepage. If the owner is no longer at UCSB, the item(s) may be deleted permanently.
  • Once permanently deleted from the trash, Google Docs and collections cannot be recovered. This is also true for Google Sites, email, and anything else under your Google account that has been permanently deleted for any reason.

A note about Google Sites:
Google Sites is used to display information to others. The default in Google Sites is to share the Site with everyone in the UCSB domain -- this means everyone with an account can find and edit the site. If you want to change this,

  • Click on the Share button
  • Click on "Change..." next to this setting to select a more appropriate option
  • If you want everyone in the UCSB domain to be able to view but not edit the site, uncheck the "Allow anyone within UCSB Connect to edit" checkbox.

(Other resources from UCSC)


Be sure you know who you are sharing your calendar and meeting information with. The default sharing setting at UCSB is that your Google Calendar and meetings on it are visible to everyone in the university.

Meeting privacy settings are at the bottom of each meeting's Event details page. There are three options:

  • Default: the event's privacy setting is the same as the calendar's overall privacy setting. See "Calendar settings," below.
  • Public: makes that event's details available to everyone who can view your calendar, regardless of your regular calendar settings (see below).
  • Private: only you, meeting invitees, and people you have granted 'Make changes to events' or 'Make changes AND manage sharing' privileges to your calendar can see the event and its details.
    • Important privacy note: If you create a private meeting in Google Calendar and invite people, those attendees can change the private meeting to public on their own calendar.This means that people viewing that invitee's calendar will be able to see the meeting details. It's good practice not to put any confidential or personal information in the event title or description of a meeting, even if you make it "private".
  • Additional information about these settings

Calendar settings:
To review your calendar sharing settings, click the down-arrow button next to your calendar's name in the My Calendars list on the left side of the page, then select "Share this Calendar" (or edit settings") under "SHARING".

  • Share this calendar with others should be checked unless you want your calendar to be private to only you and specific individuals you designate (see below).
  • Make this calendar public should be un-checked. Checking this box will make your calendar publicly available and searchable on the Internet.
  • Share this calendar with everyone in the organization UCSB Connect should be checked unless you chose not to share your calendar in step 1.

To share your calendar with specific people:

  • Follow the instructions in "Calendar settings," above, to get to your Share this Calendar page.
  • In the text box under Share with specific people, enter the complete email address of the person you want to share your calendar with.
  • From the drop-down menu, select a permission level, then click Add Person. Once you click "Add Person," the person will receive an email invitation to view your calendar.

    You can grant any of the following levels of access to each individual user when sharing your calendar:
  • Make changes AND manage sharing
    This person has owner rights to this calendar, and can do anything that you (as the owner) can do
  • Make changes to events
    This person can see and change all events, including private ones.
  • See all event details
    This person can view the details of all events except those marked as private.
  • See free/busy information (no details)
    This person can see when your calendar is booked and when it has free time, but will not be able to see the names or details of any of your events

Additional information from Google about sharing your Google Calendar:
Calendar Sharing Options for Google Apps
Share your calendar

(back to top)


Report email spam and phishing directly to Google. This helps put these emails on their radar. You must do this from your email on GWA. If you don't normally access your email via the web, go to and log in with and UCSBnetID password. When your mailbox loads, select the message you'd like to report.

  • For spam, click on the spam button in the toolbar above your message list (the one that looks like a stop sign with an exclamation mark). See Google's instructions for more details about reporting spam.
  • To report phishing, please open the message and click on the little drop-down arrow next to the reply button in the top right corner of the email and select "Report phishing" (you can also report spam this way). See Google's instructions for details and screenshots.

Report Calendar spam to Google: If you receive an unsolicited calendar invitation that you believe to be spam, report it to Google by clicking "Report Spam" on the detail page for the event - click the event title to get to the event detail page. The "Report Spam" link is at the top of the screen to the right of the reply options ("Yes" "Maybe" or "No). Clicking the "Report Spam" link will remove the event, along with any other events on your calendar created by the same organizer.

  • Note: If you already responded to the meeting, you'll need to click the "Add a note or change your response" link at the top left of the event detail page to see the "Report Spam" link.

(back to top)


Last Account Activity - gmail only
Last account activity can help you detect if someone is using your gmail account without your knowledge. It shows information about recent access to your email, including when, from where, and how your mail was accessed. It also lists the IP address that accessed your mail. There is also an option at the bottom of the page to show an alert for unusual activity.

To see your recent email account activity, click on any of your gmail folders, or your inbox, then click the Details link next to the Last account activity line at the bottom of the page. Additional information

Your Recent Activity - entire Google account
The "Recent activity" section of your Account Security page lists security-related actions you’ve taken, such as signing in to your Google Account, changing your password, or adding a recovery email address or phone number. This information is for your entire Google Account, so sign-ins from any Google product (such as Blogger, Gmail, or YouTube) will be listed in this section.

If you notice anything suspicious, e.g. a sign-in from a browser you've never used, or a location you've never been to, you are prompted to change your password to secure your account. If you notice a recovery option change you did not make, be sure to update the recovery option in addition to changing your password. Additional information

Account Activity - entire Google account
Google's "Account Settings" page includes a number of tools to help you manage your google account. Click on "Device activity & notifications" under "Sign-in & security" to see an overview of the recent activity on your Google account. See Google's instructions for additional instructions and details.

  • You can have Google send you a monthly reminder to check your account activity. Just click the box next to "Send me monthly reminders to check my account activity" at the top of your Dashboard.

(back to top)


Be sure to sign out of your Google account when you're finished, especially when using a public computer. Just click on your username/icon at the top right corner of the screen and select "Sign out." If you're using a public or shared computer, to be extra thorough you can also clear the browser's cache, cookies and history. Then, completely close the browser.

(back to top)


Google privacy and security tips:

Privacy settings for Google+: Like all other Google Consumer Apps, Google+ (G+) is not covered by UC's agreement with Google. The default G+ settings makes your G+ information public, so information you put into G+ is visible to others outside of UCSB. See Google's instructions on how to change your settings. See UCSB main Google page for additional information about Google Consumer Apps.

(back to top)

Secure Transmission

UCSB's Google domain is configured to access all data using encrypted transmissions. This means that when you access your gmail or Google Apps via Google's web applications with your Google account, your email and docs are transmitted securely. This is true for the mobile email client, too. Google also requires encryption for third party email clients (e.g. Thunderbird, Apple Mail, etc.) to access your email data. Google does not offer encryption on the Start Page service at this time.


Google Privacy Policy and Terms of Service

The University of California has a contract with Google that provides assurances regarding the security and privacy of customer information stored on Google’s systems. UC's contract with Google takes precedence if there is a conflict with Google's posted terms or policies. For more information about how to protect your own privacy using Google Apps., please visit: Privacy Tools

See also:

(back to top)

Google Security & Privacy Mythbusters

MYTH: My email is less secure with Google than with the old UCSB-managed email.


  • While it is true that UCSB-run email lived on UCSB-managed servers, Google undergoes significant independent audits and certifications of their security practices
  • Google has better spam and virus filtering than UCSB could provide
  • Google is constantly developing new security-related features for its services
  • Google gives you the ability to check for suspicious activity on your account, such as locations (e.g. cities) from which your account has been accessed
  • Google supports optional two-factor authentication for added account security
  • Google's data is replicated in multiple data centers for redundancy and consistent availability
  • UC’s contract with Google also provides assurances regarding the security and privacy of customer information stored on Google’s systems.


MYTH: Google accesses people’s email for marketing purposes.

FACT: Google Apps for Education is ad-free for students, faculty, and staff. This means that your email is not processed by Google's advertising systems.


MYTH: Everything I create in Google Docs is available online to the whole world.

FACT: Google Apps for Education’s default is to set everything you create in Google Docs to “private”. This means that unless you actively grant someone access to something you created in Google Docs with your UCSB Google account, only you can access it.

Google Sites, on the other hand, defaults to allowing access to everyone at UCSB.

See above for information on changing sharing settings in Google Docs and Sites.


MYTH: Anything I create or put up on Google Docs becomes the property of Google.

FACT: UC’s contract with Google ensures that UC (its students, faculty, and staff) are the sole owners of their data.


MYTH: If Google receives a subpoena or search warrant for my email or files, I will never know about it.

FACT: UC’s contract with Google includes a requirement that Google notify UC if it receives a court order for UC-owned data. The one exception is if the court order includes a “gag request” that prohibits them from notifying the University. Even in this case, Google has agreed to ask the agency issuing a gag order subpoena or warrant if they can notify UC.

(back to top)

Google Security-Related Articles

  • Google's Security and Privacy Main Page
  • Google Apps for Education: Security & Privacy
  • Stay Safe Online by Google - Tips and advice for staying more secure on the web.
  • Reset cookie functionality on Google Apps
    • Administrators can invalidate a user’s active connection to Google Apps services from the Google Apps control panel. More specifically, administrators can reset a user’s sign-in cookies to help prevent unauthorized access to their account. This will log out that user from all current web browser sessions and require new authentication the next time that user tries to access Google Apps. Combined with the existing ability for administrators to reset user passwords, this new feature to reset users’ sign-in cookies improves security in the cloud in case of device theft or loss.
  • Security First: Google Apps and Google App Engine complete SSAE-16 audit
    • “This year the SAS70 Type II audit has evolved into the SSAE 16 Type II attestation and its international counterpart, ISAE 3402 Type II. We’re happy to announce that Google is one of the first major cloud providers to be certified for compliance to these new audit standards....Together with the SAS 70 Type II (covering dates prior to June 15th, 2011), these third party audits provide additional assurance to customers that their data is well protected.”
    • 2012 Security audit
  • Google Apps Security Whitepaper

(back to top)