Data Breaches and Ostriches
Why would anyone be concerned about personal data used by companies and governmental agencies? It’s all for the collective good…if you have your head in the sand. The *collective good* is only *good* for the hackers and the corporatists.
Three years ago in a Missouri House Education Committee, Representative Margo McNeill wondered why many of us were so worried about personal data retrieval on students. Last year we wrote about evidence of data breaches in private companies and governmental agencies that included a nifty graphic that has since been updated. It’s rather astounding on the number of data breaches that includes educational agencies and governmental agencies which receive student personally private information.
We wrote at that time:
If the ‘bubble’ graphic does not alarm you, perhaps this current information from the Electronic Freedom Frontier will create concern about Google’s grab of student personally private information. From Google’s Student Tracking Isn’t Limited to Chrome Sync:
Many media reports on (as well as at least one response to) the FTC complaint we submitted yesterday about Google’s violation of the Student Privacy Pledge have focused heavily on one issue—Google’s use of Chrome Sync data for non-educational purposes. This is an important part of our complaint, but we want to clarify that Google has other practices which we are just as concerned about, if not more so.
In particular, the primary thrust of our complaint focuses on how Google tracks and builds behavioral profiles on students when they navigate to Google-operated sites outside of Google Apps for Education. We’ve tried to explain this issue in both our complaint and our FAQ, but given its significance we think it’s worth explaining again.
To understand what’s going on, you first have to understand that when it comes to education, Google divides its services into two categories: Google Apps for Education (GAFE), which includes email, Calendar, Talk/Hangouts, Drive, Docs, Sheets, Slides, Sites, Contacts, and the Apps Vault; and everything else, which includes Google Search, Blogger, Bookmarks, Books, Maps, News, Photos, Google+, and YouTube, just to name a few.
Google has promised not to build profiles on students or serve them ads only within Google Apps for Education services. When a student goes to a different Google service, however, and they’re still logged in under their educational account, Google associates their activity on that service with their educational account, and then serves them ads on at least some of those non-GAFE services based on that activity.
In other words, when a student logs into their educational account, and then uses Google News to create a report on current events, or researches history using Google Books, or has a geography lesson using Google Maps, or watches a science video on YouTube, Google tracks that activity and feeds it into an ad profile attached to the student’s educational account—even though Google knows that the person using that account is a student, and the account was created for educational purposes.
This is our biggest complaint about Google’s practices—that despite having promised not to track students, Google is abusing its position of power as a provider of some educational services to profit off of students’ data when they use other Google services—services that Google has arbitrarily decided don’t deserve any protection.
Of course, that’s not to say that Google’s use of Chrome Sync data for non-educational purposes isn’t a problem. While we agree that Chrome Sync is an incredibly useful service, we don’t think students should be guinea pigs in Google’s efforts to improve its products without explicit parental opt-in—even if their data is anonymized and aggregated. The Student Privacy Pledge website clearly says that service providers will “use data for authorized education purposes only”—and anonymized or not, using Chrome Sync data for anything other than the Chrome Sync service itself does not constitute an educational purpose. MEW bolded
While our FTC complaint is focused on Google, rest assured that we’re not limiting our campaign to one company. In the coming weeks and months we intend to continue investigating the practices of other cloud-based education services. And if you’re a parent or teacher with first-hand knowledge of other cloud-based education services, you can help us out by filling out our survey so we can gather more information to decide where to focus next!
We are once again introducing a data privacy bill in the Missouri Legislature which has been successfully blocked the last two years by Google. It is becoming evident with factual information that education is indeed a cash cow for Google and other companies using student data (without your approval) for revenue. Representative Margo McNeill has received an answer to our worst case scenario from three years ago that is currently a reality…we don’t think students should be guinea pigs in Google’s efforts to improve its products without explicit parental opt-in—even if their data is anonymized and aggregated. The Student Privacy Pledge website clearly says that service providers will “use data for authorized education purposes only”—and anonymized or not, using Chrome Sync data for anything other than the Chrome Sync service itself does not constitute an educational purpose.
Take the EFF survey on school issued electronic devices and privacy measures.