Yes, if you use software to work on some sort of information, this software will have access to this information.
Yes, if you use SAAS software, this information will be processed by remote servers.
Yes, if you use proprietary software, you will not know exactly how is this information processed.
And finally, if you have someone who is willing to work as school clerk, given how much do these jobs pay and how interesting they are, this person will likely not understand the complexity of these issues and will be a little bit lazy with their job, so she probably will not present parents with all the relevant information.
Now, every single one of these facts seem obvious; how is combination of these facts warrant an article in one of the biggest newspapers all of a sudden?
And finally, if you have someone who is willing to work as school clerk, given how much do these jobs pay and how interesting they are, this person will likely not understand the complexity of these issues
I think that is naive -- the general population understands perfectly that Google tracks users and uses that information to display ads. The GAFE apps are covered by different terms of service that restrict the collection of information, but Google draws the line in plain English in their GAFE/GAFW copy:
We do not scan for advertising purposes in Gmail or other Google Apps services. Google does not collect or use data in Google Apps services for advertising purposes. The situation is different for our free offerings and the consumer space.
I think the reason why schools go for GAFE is clear and simple: the choice is between having personnel on staff for maintaining servers, computer labs, and troubleshooting students' devices; or outsource it nearly for free to Google.
Which neatly leaves out non-advertising purposes. The statement even admits to collecting data for other purposes in the negative - otherwise the would simply say they "scan ... collect or use" the data at all.
This is just like the word-games the NSA likes to play when they insist they aren't collecting data "under this phone records program".
Both Google (for collecting and aggregating data) and the schools (for giving the data to a 3rd party) should be held liable for anything that happens from this data collection.
Well, presumably Google scans the e-mails for search indexing, for virus detection, and for spam filtering; and collect the e-mails for when the user asks to search or retrieve them.
Exactly! I want to support stronger privacy but this just smells like someone wants one big payout for themselves. IF it were found that Google were sharing student information with anyone, including the government, things might be different (well not the government anymore thanks CISA) but I could understand if they were caught selling the information to others or snooping on their users' emails and using that in a court case (looking at you, Microsoft you can't undo that).
Articles like these hurts privacy because they cause noise where none is deserved and people just get tired of hearing things like this that they ignore legitimate worries like CISA.
>The statement even admits to collecting data for other purposes in the negative - otherwise the would simply say they "scan ... collect or use" the data at all.
OTOH, this is obvious. If you drop an analytics tag on GAFW or you track data for purpose of bug collection, or you are even keeping server access logs, then you are de facto collecting data.
In which case they could say "we collect the following data for the following purposes". By leaving a big vague hole into which unspecified data is poured for unspecified purposes, they are bound to arouse suspicion.
I don't mean to defend Google, but only to sympathize that it could be very difficult for a well meaning actor to come up with a tightly worded TOS the way you are describing.
For example, consider "we collect the following data" - because everything is hosted in GAFE, isn't Google technically collecting your email data? And your calendar data? And your students research papers? The list of "following purposes" could be very long to just even describe the list of features the client is expecting - and may even have to be updated every time a new feature is deployed - imagine you had to go through legal every time you wanted to push a change prod.
To paraphrase 'extraordinary data collection requires an extraordinary privacy policy'.
I would absolutely want every change by Google to jump through lots of hoops. Facebook-style "Move fast and break things" and "Ask for forgiveness instead of permission" is fine when you're allowing people to share photos of their cats, but not when you're managing the education data of nearly every child in the country.
This article is actually far less helpful an overview then the earlier article mentioned at the top "Google is tracking students as it sells more products to schools, privacy advocates warn"[0]. It is really only introducing one new angle to the debate which is interesting enough, but I recommend reading the earlier one first.
It raises the far more interesting point that Google's Apps For Education policies are very granular and services such as Google Search and YouTube are allegedly not covered under the primary agreement - they carry completely different T&C's and may be used for advertising and data harvesting. It is highly likely that students logged in to GMail or Google Docs and doing schoolwork will be doing searches and watching (hopefully) educational videos to learn more about a subject. Those activities may not be covered by the educational use privacy policy.
What percentage of parents know this, even among those that bothered to check the T&C's? Did they notice the exception? What percentage of teachers or school administrators take the initiative and disable all non-core Google Apps For Education services like Google Search (which are enabled by default)? This is the conversation parents and school administrators need to be having.
I don't begrudge a advertising giant like Google from relentlessly collecting and data mining users to manipulate them, that's what ad companies do after all. Savvy users and regulators know this and can take appropriate action to guide the less-technical with safe defaults. I do think the defaults here are not safe from a privacy perspective, and I wonder if the time has come to re-examine whether the non-core services not covered by the educational privacy terms should be disabled by default.
Now, every single one of these facts seem obvious; how is combination of these facts warrant an article in one of the biggest newspapers all of a sudden?
Obvious or not, will this combination of circumstances result in what can widely be perceived as improper? Is that not worth note, just because your insight to the mechanisms means you understand the state of affairs?
What I find far more... something than FERPA being described as "an obscure law," is how brazen and obvious Google is about breaking it.
If Google is a "School Official," their FERPA obligations do not stop at any point short of/when operating in that capacity.
Further, the idea that they can somehow "switch hats," and somehow maintain discrete sets of both FERPA and non-FERPA behaviors is at best naive, and at worst a conspiracy to commit various felonies.
The money shot of the article: EPIC didn't have standing when they filed their lawsuit, not that they were wrong with regard to laws being broken. With that, I hope entire school districts of parents with school age children file suit.
The judicial branch's abuse of "standing" to refuse to hear cases is one of the great injustices in USA.
This was a huge deal in the USA PATRIOT domestic spying cases, where courts refused to hear lawsuits about spying, because plaintiffs couldn't prove they were being spied on before they won the right to collect evidence, because it was illegal for libraries/banks/IT companies disclose the spying!
I completely agree. In civil suits it may make sense, but when someone brings up a possible violation of federal law by another party, they shouldn't have to be harmed directly, they're helping prevent their fellow citizens from being harmed by someone or something breaking established law.
Most privacy-related school laws are "obscure" from the point of view of mainstream press.
The average American does not care to the level of granularity needed to even raise the question of whether Google (a company many people trust with their private email accounts) is a trustworthy steward of private student information.
As a parent with a child entering Kindergarten this upcoming school year, and as an avid privacy and free software advocate, I'm not looking forward to the types of discussions that I'm likely going to have to have with our schools. The reality is that these aren't systems that are easy to roll back---it costs a lot of time and money to implement, and then you have vendor lockin.
So while I can hope for a receptive district, action is probably going to be more difficult. My hope is that they haven't ddone anything too disagreeable yet.
Does anyone else have any personal experiences working with their schools?
If it's the school's, then I would just say no. It's theirs, they can do whatever they want with it. How about giving your chid a real general-purpose computer instead, running completely free software:
Just as Google et al. are trying to get kids conditioned to their ecosystems at a young age by pushing their product, those who advocate against them should do the same.
I registered my kid with whoisGuard toddler. It was a pretty good experience. They take care of paperwork, pta meetings and bake sales. Unfortunately, i didnt know about it until my daughter was in 2nd grade which meant she was registered for a full year. 4th graders spam her with offers for writing papers. One kid said he was getting PS4 and she could play it if she loaned him her mobile for a second so he could text his mom to get the right one, but he ran up the data plan.
I'm as adverse to reinterpretations like this as anyone but what might be more interesting or actionable would be evidence of what data Google are collecting and how Google are using this data.
How is that gonna work? You can't just sniff the traffic between Google and the students(SSL & stuff), and I very much doubt that Google itself will let you take a look in their datacenter.
You most definitely can sniff traffic between Google and students, this is widespread and completely normal behaviour at schools and also on many corporate networks. School computers have a MITM certificate installed which allows decryption and re-encryption, usually for the purpose of content filtering and malware detection.
My point is the insinuation that Google or other tech-ed companies are inappropritely classified as "school officials" which the allows them access to data to profit from is made. It's all speculative what-if without any substantive reporting. No where in the article is a comment "Google declined our requests for information" or "Google declined to comment". The closest thing is a general quote from an EPIC associate about tech-ed companies being hush about how they use their data.
Speculative what-if without any substantive reporting is the entire crux of the argument concerning Google as a steward of student information, including the original EFF complaint [https://www.eff.org/document/ftc-complaint-google-education]. The entire argument is one giant "what-if" scenario; Google is not the first major company to offer both private and commercial services (Microsoft and Oracle, for example, have both made decades of business on providing services to third-parties with competing interests and acting as a trusted steward of those parties' data).
Fortunately, the FTC is empowered to do the "old-fashion sleuthing" if they find the accusation has merit on its face.
That's fine but I'd expect if the issue is to be treated with any urgency we would have some sense of the problem. If parties are acting sensibly with data and self regulating then the urgency is quite less than top priority. Does it need to be addressed, yes but perhaps parties would spend some time to get it right before rushing to create privacy disclosures that will only add to the confusion.
Disclosing partner and vendor data usage to parents is likely a tricky issue for schools. My guess is the current loophole is more about laziness and lack of mature regulation than any insidious plan by Google to capture data about our kids so they can show more relevant ads.
Yes, if you use SAAS software, this information will be processed by remote servers.
Yes, if you use proprietary software, you will not know exactly how is this information processed.
And finally, if you have someone who is willing to work as school clerk, given how much do these jobs pay and how interesting they are, this person will likely not understand the complexity of these issues and will be a little bit lazy with their job, so she probably will not present parents with all the relevant information.
Now, every single one of these facts seem obvious; how is combination of these facts warrant an article in one of the biggest newspapers all of a sudden?