by Cheri Kiesecker
With mounting concerns about school safety, screen addiction, screen time’s known health and brain effects, increase in internet crimes against children, along with hyper focused national attention on data misuse, location tracking, breaches, Gmail data sharing, and data privacy–what about schoolchildren?
As this Google Transparency Project explains, Google is promoting itself via GSuite products and Apps into many classrooms across America (and the globe). What is Google doing with student data? Why is Google allowed to track Location, Voice Activity, Web & App Activity, Device Information, YouTube videos Searched and Watched of K-12 school children? How are these data being used and shared?
What data are being collected and stored (and shared?) via your child’s school issued Google GSuite account? We’ll show you how to start checking.
In August of 2018 Missouri Education Watchdog wrote this article detailing how one Springfield, Missouri family, discovered that their school district’s Google’s GSuite platform was collecting and storing surprising amounts of personal data about students and, apparently even storing information from parents’ and family members’ personal accounts (family members’ passwords to banking, work, shopping, bills). Others reported on this issue here and here.
Missouri Education Watchdog recently followed up with a story highlighting a group of parents and educators asking to stop online advertisements to students. The blog documents many pop ads (some very inappropriate) that students are receiving when logged into their school accounts, including recommendations from YouTube (owned by Google) and Apps available in the Google Play Store.
We wonder, how many parents have seen and agreed to these Terms of Service for your student to use GSuite at school?
—-PARENTS, HAVE YOU EVER SEEN AND AGREED TO THIS NOTICE?
Since reporting on this issue, we have been contacted by parents across the country who have reported similar experiences and many have raised questions on how to check their child’s school issued Google/GSuite account.
None of the parents we have spoken to thus far were shown the Google Terms of Service that their child had to agree to. In fact, many of the students themselves did not see the Terms of Service, either. Presumably, schools are consenting to the Terms of Service for the children, in place of parents, (as parent agent).
Some parents, when asked if their child could NOT use Google GSuite in school, have been told that if their student does not use the GSuite products (i.e., Google Classroom, Google Drive, Google Docs, or Gmail), it will be impossible for them to attend this school. Have other parents been told that their child must agree to use GSuite products as a condition of attending their public school?
How do you check settings in your child’s school issued Google GSuite account?
We are posting instructions below that we have found helpful. Your experience may be different, but we suggest parents click on the Learn More links, and any / all links within the Google Account. Set aside some time–or do it in pieces. You could take days and still find links, more permissions. TAKE NOTES or screen shots (hold down Print Screen and Control on your key board). Interestingly, parents have anecdotally reported that changes they make to their child’s permissions have NOT been saved, have reverted back to allow tracking or syncing, or even back to the original password after they have changed the GSuite password. We would be curious if this is happening to other parents and students. Talk to your school’s IT administrator, share your concerns and findings with others to see if they can replicate.
1.–Log into your child’s school Google GSuite Account. (Schools sometimes refer to these as Google Drive accounts, or Gmail, or Google Docs… but they are all part of the GSuite package.)
2.–Click on the little circle icon at the top right of the screen (might be a photo of your child, or your child’s initials.).
3.–Click Google Account.
4.–Start looking and documenting.
Below is what you might see if you go to Security Check up and then Activity Controls and then also look at Manage Activity. Are these tracking permissions turned ON or are they “Paused”? Notice the fine print such as, “activity may be saved from time to time” even if you have Web and App Activity paused. Maybe that’s why they label it “paused” and not STOPPED or OFF?
YouTube Search History and YouTube Watch History tracking are ON for most students we have spoken to. Ask your school IT admin why this tracking is on. Ask if they will turn this off for ALL students.
YouTube in K-12 schools.
If YouTube Search or Watch is ON for your student, BE SURE to click MANAGE ACTIVITY. You, and Google, and school administration can see every YouTube searched and watched while logged into GSuite.
Question: why does GSuite offer YouTube to k-12 students, without parent consent, when YouTube’s terms of service clearly state that users must be 18 years of age or have parent consent prior to using YouTube.
Even more curious: YouTube Live Chat is apparently available to students.
YouTube Live Chat for students?
This screen shot is from a 12 year old elementary student’s account, when signed into the school issued GSuite account. Who can communicate with an elementary student via YouTube Live Chat? Why is this offered to students?
Speaking of chats.
Can anyone outside of the school send an email to your child’s school gmail account? Can strangers communicate with school children via Google Hangouts? Can, as this report from in Australia suggests, total strangers communicate with and potentially groom children via Google Docs or other chats available via GSuite and Google Apps?
Given that the FBI recently warned that, “EdTech could present unique exploitation opportunities for criminals….and could help child predators identify new targets”, the ability for strangers to potentially contact k-12 children, via school issued GSuite accounts would seem a legitimate security concern.
The FBI warning also mentions using device information to track children:
Inter-connected Networks and Devices
“EdTech connected to networked devices or directly to the Internet could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments.”
Does Google consider a Device/IP address as personal information? Why do devices (regardless of whether it is a Chromebook or Mac, or Windows or cellphone) sync and stay signed-in even after logging out?
When checking Account Activity in the student’s Google Account, even with Location tracking and Device tracking “paused,“ and after logging out of GSuite account after every use, this 13 year old student still had 11 devices “signed-in”, complete with device information and location. (Many of these were home or family personal devices that the student had logged into to complete homework.)
Logging out is not enough?
Students must Remove the Device, after every use, in order to not be signed in. Do schools, parents, teachers, students know this?
Who else has access to your child’s GSuite Account? Check Apps and Third Parties.
Why should Google allow third party access /connections to school children’s shopping habits, social media, etc? Does your child’s GSuite account link to any third party shopping services?
Check if passwords are set to Auto-Save, Auto Sign-In. See what passwords have been saved in your child’s account.
There’s plenty more to look at, but this should get you started. Let us know what you find.
Thanks to the federal student privacy law FERPA being weakened in 2011 and 2008, a student’s personal data can be shared outside of school walls, without parents’ knowledge or consent. The data can be shared and analyzed by government agencies, nonprofits, businesses, researchers, and edtech companies who can further share with third parties, (or even sell student data), or used for advertising to students.
If you are concerned, talk to your school administrator, your legislators. Ask for strong student data privacy, security, transparency laws that allow opt-in consent, enforceable penalties and private right of action, like those passed in Europe (GDPR) and California (CCPA).