In my work at a large school district I spend much of my time testing education technology products to make sure that they are safe, secure and private. I read a lot of privacy policies and regularly push back on vendors to hold them accountable for what their policies say and their products do. In recent years privacy advocacy groups have played an important role in keeping the conversation about the importance of student data privacy in the public eye, but sometimes it is also necessary to apply the same “critical thinking” to the claims of both sides.
On December 1st, the Electronic Frontier Foundation (EFF) submitted a complaint* to the Federal Trade Commission (FTC) alleging (https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade) that Google had violated assurances that it made when signing the Student Privacy Pledge (http://studentprivacypledge.org/). As an advocacy group the EFF has been a strong voice for privacy for all, including students, and has provided information to teachers on a balanced approach to copyright (https://www.teachingcopyright.org/) and produced important privacy-enhancing technologies (HTTPS Everywhere, Privacy Badger, Let's Encrypt).
The EFF complaint raises three allegations, but for this discussion the first and third are best considered together. They are that…
- When students are logged in to their Google for Education accounts (GAfE), student personal information in the form of data about their use of non-educational Google services is collected, maintained, and used by Google for its own benefit, unrelated to authorized educational or school purposes.
- Google Collects Student Personal Information Through Changeable Administrative Settings In Chrome and Google Apps for Education Accounts
Regardless of IF the privacy pledge just covers education tools (as the creators of the pledge have indicated, and is the case with SOPIPA, widely regarded as the best of the current crop of student privacy laws), I think it is important to ask who's responsible (and accountable) for the decision to enable or disable a service outside of the “core” Google Apps for Education tools. For me it is not Google, it is the school. That is our job, and our responsibility. When I log into the Google Admin Console, it is very clear what is and is not part of Google Apps, as shown in this image from Google’s help section.
And even more clear when I drill down into a specific service (Chrome Sync), which is the one that is the 2nd of the 3 complaints.
This concept, that the school has “direct control”, in this case the ability to turn on and off services, seems to be fundamental to the idea of outsourcing specific technical functions to Google, as a “school official”. So in the absence of a solid assurance from Google that an “additional Google service” is not collecting, using or sharing data for purposes other than providing a service to a user, schools should turn off (or not turn on) the tool, OR get parent permission before turning it on, as some schools do for a variety of “web 2.0” tools. So let’s see if we can focus on what is needed, which is…
- Making sure the people in schools that have the responsibility for this, have the training (and the backing from school leadership) to do this, and
- Making sure that vendors (all vendors, not just the ones the media, legislators, advocacy groups and competitors fixate on) provide accurate, clear information about what information is collected, used and shared (not just if it is used for ads). Senator Franken’s letter (http://techcrunch.com/2016/01/13/sen-franken-raises-questions-regarding-googles-student-data-collecting/) to Google is a good example of questions some school leaders may have, and that should be asked of ANY EdTech vendor.