Privacy advocates at the Electronic Frontier Foundation have again outlined how Google is successfully dumping millions of low-cost Chromebooks on U.S. schools, enabling the mass collection and storage of information on children without the consent of their parents or even the understanding of many school administrators.
Two years after it filed a federal complaint against Google alleging that it was "collecting and data mining school children's personal information, including their Internet searches," the EFF has issued a new status report detailing how Google is still working to erase minor students' privacy "often without their parents notice or consent, and usually without a real choice to opt out."
Educational technology services often collect far more information on kids than is necessary and store this information indefinitely" - EFF
The latest EFF report, written by Frida Alim, Nate Cardozo, Gennie Gebhart, Karen Gullo and Amul Kalia, noted that "the way the educational system treats the privacy of students is undergoing profound changes," due to a massive rollout of low-priced Chromebooks paired with educational services that "are often available for a steeply reduced price, and are sometimes even free."
The privacy groups investigation has "found that educational technology services often collect far more information on kids than is necessary and store this information indefinitely," tying personally identifying information (including names and birthdays) with children's "browsing history, search terms, location data, contact lists, and behavioral information."
The EFF noted that "some programs upload this student data to the cloud automatically and by default. All of this often happens without the awareness or consent of students and their families."
In stark contrast, Apple has emphasized in its education site that it "will never track, share, or sell student information for advertising or marketing purposes" and that the "security, privacy, confidentiality and integrity of student information is always protected." The site also provides a data and privacy overview for schools and privacy guide for parents.
A Chromebook and Google account for every child
Last year, a report cited former IDC analyst Bob O'Donnell as pointing out that "people buy Chromebooks because they're looking for the cheapest device." Now an independent analyst running Technalysis Research, O'Donnell referred to Chromebooks' primary attraction as being cheap enough to attract "price sensitive" buyers.
Many parents of schools rolling out cheap Chromebooks to their children are finding themselves "kept in the dark about what apps their kids were required to use and what data was being collected."
Increasingly, U.S. schools have adopted mandatory polices for grade-school students that assign children Chromebooks and enroll them into cloud services that collect data, without notice and without any alternative options.
Parents have reported to the EFF that schools have mass-enrolled their children into Google email accounts using their full names, posted their photos on social media sites and enrolled them into other services that collect data without any notification.
Additionally, schools commonly assign students passwords that are easy to guess, such as their birthdays or student IDs, and are then often prohibited from changing their passwords, resulting in Chromebook security being worse in practice than Googles "embarrassing" Android.
The report notes that parents commonly "did not receive any information about ed tech use until after the technology had already been implemented and was in active classroom use," and that even in California, where strong student privacy laws exist, no specifics were presented to parents until after the implementation, at which point "the teacher emphasized the Chromebooks value for individualized instruction."
Despite federal protections under the Family Educational Rights and Privacy Act that bar U.S. public schools from sharing student names, ID numbers and birthdays with third parties like Google without written parental consent, parents across the U.S. are finding that Google is routinely collecting lists of student data from schools without any notification or consent.
One parent cited in the report stated that he isn't only concerned about Google collecting data on his seven-year-old daughter in third grade, but also the "long-term ramifications for children who are taught to hand over data to Google without question."
He noted "in the end, Google is an advertising company. They sell ads, they track information on folks. And were not comfortable with our daughter getting forced into that at such an early age, when she doesn't know any better."
Phony privacy policies
The EFF said it "investigated the 152 ed tech services that survey respondents reported were in use in classrooms in their community, and found that their privacy policies were lacking in encryption, data retention, and data sharing policies."
"We're putting all our eggs in one basket that were not in control of. We dont know where this student data is going." - school Chromebook administrator
Beyond weak policies, there's no real evidence that any student data was protected "in practice as well as in policy."
A so-called "Student Privacy Pledge" voluntarily signed by providers "features glaring loopholes in its definitions of what constitutes 'student information' and 'educational service providers," the EFF noted.
In many cases even educators rolling out Chromebooks have a limited understanding what Google and its partners are doing. One school administrator in the report admitted, "were putting all our eggs in one basket that were not in control of. We don't know where this student data is going."
He stated that "we have privacy policies for our website, and for our student academic records, but not so much for students information in regards to what Google is collecting. We can't guarantee what Google is or is not doing with this information. It's all pretty vague, and it's not the kind of thing you want to be vague about."
Lobbying for loopholes
States that have enacted additional student privacy legislation, including California, Colorado, and Connecticut, are also having to defend privacy laws against intense industry efforts to gut those laws.
This week, California Assembly bill A.B. 165 which "attempted to create a carve-out in the California Electronic Communications Privacy Act (CalECPA), one of the strongest digital privacy bills in the nation" was pulled only after public outcry from the EFF and its supporters.
The intense pressure to intentionally weaken privacy protections for children indicates that there is tremendous value in installing spying hardware in schools, clearly greater than the loss-leader hardware Google is working to put in front of grade-school students.
Apple sells hardware, Google sells you
The EFF has outlined a series of steps parents and schools can take to defend their students' privacy, while also noting many challenges, including a lack of transparency and a general indifference to questions that many parents have experienced in trying to find answers.
Two years ago, Google batted down the EFFs complaints in a statement from Jonathan Rochelle, its director of Google Apps for Education, who maintained that the company's policies are in line with current laws and industry standards and that Google was committed to keeping student data private and secure.
However, as noted by parents and school administrators, Google's business model is based on surveillance advertising. It earns nothing from hardware sales of Chromebooks, and even its hardware partners have razor thin margins selling and supporting the devices.
Google's premium-priced Chromebook Pixel was recently discontinued as a product after failing to sell in meaningful quantities, leaving the platform a basic low-end netbook that almost exclusively targets cash-strapped U.S. schools.
Chromebook are not effectively "not a product," as evidenced by the fact that virtually nobody uses them outside of education. Despite not being profitable, they exist to collect information, much the same way as the company's free Google Maps. In both cases, the product is Googles users, and the paying customer is Googles advertisers.
Back in 2014, Apples chief executive Tim Cook outlined the importance of customers data security in an open letter stating "our business model is very straightforward: We sell great products."
Cook added, "we don't build a profile based on your email content or web browsing habits to sell to advertisers. We don't 'monetize' the information you store on your iPhone or in iCloud. And we don't read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple."