Reasonable student privacy


I came across this report from the EFF (Electronic Frontier Foundation) claiming that companies with an online presence are “spying” on children. Google was singled out. This caught my attention as I have been a fan of both the EFF and Google so I have been trying to understand just what is going on.

Spying is a strange choice of words, but I assume it was selected because it attracts attention. The accusation concerns the collection of user data without appropriate disclosure. This is a touchy subject for me. I have been upset that the FCC has eliminated expectations that ISPs not collect and sell user data so it was of great concern that Google be accused of doing something similar within its program for K12 schools. This should not be happening.

Close reading of the EFF announcement did not provide the detail I needed. The EFF “spying” piece reported data collected from educators, parents, and students establishing according to EFF that there was a lack of awareness or acceptance that limited possible safe guards. For example, if parents were aware of issues and wanted their children not be involved this was difficult because it would make more work for administrators and educators wanting to have all members of a class involved in the same project. These issues make some sense, but the issue is not really Google’s fault.

There were still vague references in the recent EFF statement that seemed to place blame on the companies providing services. I eventually located a better source. Several years ago EFF filed a complaint with the FTC (Federal Trade Commission) identifying the ways in which Google had violated the provisions of the Student Privacy Pledge. The privacy pledge is a set of provisions a panel established and offered to online companies as a way to document commitment to the provisions. The EFF claims this commitment establishes a legal commitment.

I have excerpted and included below the three major violations the EFF claims in the complaint to the FTC.

Google is violating the Student Privacy Pledge in three ways.

First, when students are logged in to their Google for Education accounts, student personal information in the form of data about their use of non-educational Google services is collected, maintained, and used by Google for its own benefit, unrelated to authorized educational or school purposes.

Second, the “Chrome Sync” feature of Google’s Chrome browser is turned on by default on all Google Chromebook laptops –including those sold to schools as part of Google for Education –thereby enabling Google to collect and use students’ entire browsing history and other data for its own benefit, unrelated to authorized educational or school purposes.

And third, Google for Education’s Administrative settings, which enable a school administrator to control settings for all program Chromebooks, allow administrators to choose settings that share student personal information with Google and third-party websites in violation of the Student Privacy Pledge.

My interpretation and comments
Google does not differentiate what students do as school work and what they might do for personal reasons while connected to their accounts at school or elsewhere. This means Google collects data on:
  • browsing behavior on every single Google-operated site students use,
  • stores what students have searched for on the Internet and the results they click on, and
  • the videos they search for and watch on YouTube.

Even when Google aggregates and anonymizes the student personal information it collects, as the company does for Google for Education core services, Google still uses the data for its own benefit, unrelated to authorized educational or school purposes.

If chrome-synch is enabled, Google collects a student’s entire browsing history and chrome-synch comes enabled on all chrome books or may be enabled by school personnel.

Students could also use other equipment outside of the school setting to complete course assignments and the settings associated with this equipment may allow student data to be collected.

I have tried to summarize and convey concerns accurately, but I do encourage you to read the legal complaint yourself.

If I understand the concerns I am left wondering:

  • What is reasonable to expect, and
  • What do we expect for free?

I suppose Google could add some type of permission priorities that would allow the system to use parent permissions to trump any priorities set by the school. First, there would be the issue of getting parents to input their wishes. This would not be easy. There is also the what do you expect for free issue. What should users expect of Google to safe guard against educators over-riding parental wishes should there be a purposeful or accidental contradiction in what educators and parents want. I must admit to some sympathy for educators who have a couple students whose parents do not agree with assignments for the rest of the class.

The issue of whether the chrome-synch default is set to off or on for Chromebooks could be something Google could address. I am guessing Google does not control this as devices as chromebooks are mainly now provided by other companies and these companies do not sell only to educational institutions. The chromebook providers assume certain benefits of having synch engaged and do not want to explain the advantages and disadvantages to all users many of whom are looking for a simple device and do not want to mess with settings. This would seem to imply that checking the settings would be pushed to schools and there is then the EFF concern that schools may not make the necessary adjustment  (or may even switch the synch feature on for chrome on other devices).

Finally, there is the issue of what students might do on their own at school or at home. Yes, students might do things they should not or they might fail to take precautions that have been recommended to them and their parents. Mixing work and personal interests is certainly something I do all of the time. Expecting Google to somehow control for such behavior seems unrealistic. The risk could be diminished by using only school provided equipment under school supervision, but this seems both unrealistic and contrary to hoping students will work in multiple settings. If EFF wanted to take a strict position on this issue, they would come out against BYOD programs (bring your own device) which would make the issues described here even more difficult for Google and schools.

I am a fan of the EFF. I think identifying some of these concerns is worth doing. However, expecting Google to remedy these issues is unrealistic for multiple reasons some of which would be very difficult to address issues assuming the lack of cooperation from schools, parents, and students. If EFF had discovered that Google was selling student data to third parties, I would be concerned. Google would then be using its free services in a way that clearly was contrary to what it had promised. If parents and educators are concerned about students viewing ads on sites not controlled by Goggle, I would propose that the solution is to stick with Google apps.