Common Sense Media Misses the Mark on COPPA

Recently Common Sense Media posted a summary of COPPA, the Children’s Online Privacy Protection Act, and unfortunately the piece had a number of fundamental misunderstandings about this key piece of privacy legislation.

Schools rightfully have a high regard for the information that Common Sense education publishes about student safety and digital citizenship, and are likely to presume that all of the privacy content from the education group is of similar quality. That is not always the case for privacy information. I know Common Sense Media has several very knowledgeable experts on data privacy and it is unfortunate that this expertise does not always seem to be used when editorial information on privacy is published.

First the article refers to COPPA as “a law dealing with how websites….collect data and personal information about kids under the age of 13.” This is incorrect, COPPA deals with information collected from children under the age of 13. (By contrast FERPA covers data directly about a student, maintained by the school or school’s agent).

Second, in listing three things about COPPA, the article states that under COPPA a vendor must “Not use kids’ data for marketing-related purposes.” COPPA says no such thing, in fact COPPA specifically provides mechanisms where parents approve this collection and use-that is kind of the whole point of COPPA.

Lastly the article suggests that “COPPA compliance might depend more on how teachers and students actually use the tool at the classroom level”. There is no basis in the COPPA regulation or FAQ that would give the impression that COPPA compliance is dependent on individual use. Determination is based on if a site is “child directed” or if the vendor has actual knowledge.

Rather that citing any primary sources on COPPA, the article attempts to summarize a very complex point about school consent made in EdWeek’s “COPPA and Schools: The (Other) Federal Student Privacy Law, Explained.”  In doing this it fails and ends up providing misleading information through incomplete summarization.

What Do Schools Really Need to Know About COPPA?

  1. Schools should think of COPPA as a subset of their overall privacy responsibilities.  I would argue that schools should prioritize overall privacy for students of all ages, and compliance with FERPA. There are few cases where paying attention to this would not also aid in the schools’ role in vendors’ COPPA compliance.
  2. There are only a very narrow set of circumstances where a school can provide consent on behalf of the parent (for COPPA) and they are described in the COPPA FAQ as
    • Where the school is contracting for a service solely for the benefit of their students and for the school.
      • In my opinion, contracting means there is a legal and direct relationship between the school and the vendor and would likely not mean cases where the student signs up directly with the vendor and the school has no control and solely for the benefit means among other things, no commercial use
    • The operator has provided the school with all the notices required under COPPA, including a description of the types of personal information collected and  full notice of its collection, use, and disclosure practices. Based on these notices, the school should be able to answer these questions
      • What types of personal information will the operator collect from students?
      • How does the operator use this personal information?
      • What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
      • What are the operator’s data retention and deletion policies for children’s personal information?
      • Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent.
      • Does the operator enable the school to review, prevent further collection and have deleted the personal information collected from their students? If not, the school cannot consent on behalf of the parent.





Google Adds Chrome Sync to gSuite for Education Core Services

Recently Google quietly made a change to include “Chrome Sync” in the list of “Core” tools in gSuite for Education. Chrome Sync provides the ability (when you sign in to Chrome or by default on a Chromebook), to sync Chrome data to your Google Account and to any other supported ChromeOS/browser that is signed in. Synced data includes chrome apps, autofill settings, bookmarks, chrome extensions, browser history, passwords, chrome settings, themes, wallpaper, open tabs and google payment data*

This change should provide official clarity as to how data in Chrome Sync is used, as described in the Education Privacy Notice.

This change also provides an opportunity for District g Suite Admins to remind users that they have the option to add an additional layer of privacy by setting a Chrome Sync passphrase. A sync passphrase encrypts all synced data at rest. If you set a passphrase, you can use Google’s cloud to store and sync your data without letting Google read it.

Users also have the ability to selectively disable syncing of some or all of elements that are synced.

The G Suite Services Summary page now includes the following text:

G Suite for Education” is an edition of G Suite comprised of the G Suite Core Services, excluding Google+ and Google Cloud Search. …. This edition also includes Classroom and Chrome Sync as G Suite Core Services.

  • Classroom” is a web-based service that allows End Users to create and participate in classroom groups. Using Classroom, students can view assignments, submit homework, and receive grades from teachers.
  • Chrome Sync” is a feature that allows End Users to synchronize bookmarks, history, passwords, and other settings across all the devices where they are signed in to Chrome.

And the G Suite for Education Core and Services Admin help page is updated to say:

G Suite Core Services are Gmail (including Inbox by Gmail), Calendar, Chrome Sync, Classroom, Contacts, Drive, Docs, Forms, Groups, Sheets, Sites, Slides, Talk/Hangouts and Vault.

Prior to this change, Google offered this statement, about the use of Chrome Sync data in response to a request for information from Sen. Al Franken.

Users who have Chrome Sync enabled (whether on a Chromebook or using the Chrome
browser) will have additional information about their browser settings stored in their Google Account, including browsing history, any saved apps, extensions, bookmarks, and passwords. ….. If any of this data is associated with a student’s GAFE account — which is the case when a student is logged into a Chromebook with Chrome Sync enabled with their GAFE account — we consider this data to be the student’s personal information and do not use it to target ads.

Google stated that it “collects, maintains, and uses information via Chrome Sync (in aggregated and anonymized form) for the purpose of improving Google products”. For context, this is comparable to similar language and use by Apple who states that …

“We may collect and store details of how you use our services, including search queries. This information may be used to improve the relevancy of results provided by our services”

And with Microsoft’s Cortana service, which states that

“Microsoft uses your voice data to improve Cortana’s understanding of how you speak to keep improving Cortana’s recognition and responses, and to improve other Microsoft products and services that use speech recognition and intent understanding”


*Google payment data is a non-core service, only available to users 13 and older. Schools are required to get parental permission if this is enabled for users 13-18.


Testing – New Google Search “Personal” Tab absent in gSuite for Education

This weekend Google rolled out a change to search to add a “personal” tab described by cmswire as…

“results come directly from your Google accounts. According to reports, personal ads may also appear in these results. The tab can be found under the ‘More’ option on the search page and surfaces everything related to a keyword in email messages, calendar events and photos.”

Recently I’ve been testing the differences between Consumer Google Accounts and gSuite for Education accounts, so I thought it would be good to check if this feature was rolled out to gSuite users.

Short answer, it is currently not. 

Google features often appear the consumer version first and move to gSuite but Google has to announced any plans to move the feature into gSuite for Education.

Here is my consumer gmail account, with the “personal” tab highlighted and the “more” menu shows videos, shopping, books and flights

consumer google search

Here is my gSuite for Education account, with  videos highlighted, no “personal” tab and the drop down only shows books and flights

gSuiteGoogle search

Tracking Google and Microsoft Adoption in Higher ED

Earlier this month, New York Times columnist Natasha Singer wrote How Google Took Over the Classroom, a detailed look at the rise of Google in primary and secondary education. (Also worth a listen is the NPR interview on All Sides with Ann Fisher).

The article did not address Google at the post-secondary level, but Joshua Kim of Inside Higher ED asked “I’ve been looking for recent data on the Google vs. Microsoft enterprise e-mail battle – but I can’t find anything recent. Can you help?”

Challenge Accepted.

I have a history (or a mild obsession) of tracking edtech. Back in 2010 and for a few years after, Forbes blogger Eric Lai and I tracked the growth of the iPad in K12, Higher Ed and the enterprise. I have been tracking the growth of Google Apps (now gSuite) and Office 365 in K12 and to a lesser extent Higher Ed since 2014.

Back in December, I posted a domain / DNS analysis of adoption in K12 for O365 and gSuite, so I thought it would be a good time to update the numbers for Higher ED.

The methodology is the same as I used for K12 districts, a scan of DNS records, looking for specific known markers in MX, TXT and other records. However, for Higher Ed the data is likely more accurate given that the root domains are well know (.EDU)

For this analysis, I pulled the US based listing from a list of EDU domains on GitHub. The list included only the root EDU domain, and individual colleges or campuses (sub-domains) may run different email systems than what is used on the primary domain but this approach of  using a large data set provides an overview of the adoption of Google and Microsoft email systems.

I scanned the DNS records of 2,276 US EDU domains and got the following results for domains that had DNS MX records that indicated they were routing mail directly through Google or Microsoft servers. The Google numbers are lower than I had expected.

Google MX Records  18.31%
Microsoft MX Records  40.84%


One result worth noting was that 30.96% of the sites returned DNS markers that were indicative of a domain that had started the process of verifying domain ownership with Google . Take together with the 18.31% of domains that are actively routing mail through Google, this would strongly indicate that  12.65% of root EDU domains had either started or were using Google and are now not using Google for mail. 


Google’s Response to gSuite Admins in Phishing Incident

[Updated: as Doug Levin notes, Google was warned about the potential of this problem in 2011]

On May 3rd, a small percentage (~.1%) of Google users were hit with a sophisticated phishing attack (it used at least 13 different application “clientIds”) . The phishing took the form of a link that directed users to an application  claiming to be “Google Docs” and routed users to Google’s login/permission pages (Oauth2) to grant access to gmail and contact scopes.

For districts using gSuite for Euducation, it was impressive to see how quickly the EDU user community jumped on this issue. AmplifiedIT crowd-sourced the collection of clientIds and posted remediation steps. Google shut down the applications within an hour and Admins of impacted domains received an email similar to the one below late on the evening of 5/4/17.


Dear G Suite Administrator,

On Wednesday, May 3, we identified, investigated, and resolved an email phishing campaign . This issue was addressed within approximately one hour from when Google became aware of it. Please note that we have already taken action to protect all users, and no further action is necessary. To assist you in understanding what happened and better educating your users on email security, we are sharing details on how the campaign worked and how we addressed it.

What happened:

The affected users received an email that appeared to be from a contact offering to share a Google doc. Clicking the link in the attacker’s email directed the user to the attacker’s application, which falsely claimed to be Google Docs and asked for access to the user’s account. If the user authorized the application, it accessed the user’s contacts for the purpose of sending the same message to those contacts. This access only retrieved contacts and sent the message onward—customer data such as the contents of emails and documents were not exposed.

Upon detecting this issue, we immediately responded with a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems.

We have taken the following steps to protect your users:

  • Disabled the offending Google Accounts that generated the phishing link
  • Revoked any access that the affected users authorized to the attacker
  • Disabled the malicious projects and apps that sought access

In addition, Google is taking multiple actions to combat this type of attack in the future such as updating our policies and enforcement on OAuth applications, updating our email filters to help prevent campaigns like this one, and augmenting the monitoring of suspiciously behaving third-party apps that request consent from our users.

As a general precautionary measure, you may choose to take the following actions regularly for your users:

We thank you for your continued business and support. If you have any questions, please let us know by contacting Google Support and referencing the issue number [removed].


The G Suite Team



Reporting of 3rd Party Authentications in Google Apps for Education


Unlike Federation technologies like SAML, CAS or Shibboleth that are centrally controlled and must be established by the identity provider, social sign-ons such as Open ID Connect in Google Apps for Education are initiated by the end user. This means that while an institution has a high degree of awareness and control over 3rd party systems that authenticate via SAML, there is much less control or visibility into social sign-ons such as “Login with Google” for Google Apps for Education (GSuite) institutions.

There are several commercially available tools that will report on this data, and this can also be done via the free command line tool GAM with the  domain report which includes much more than just 3rd party authentications.

For anyone looking for a simple way of auditing 3rd party authentications, this Google Apps script, which needs to be run by an account with google administrator privileges, produces a report of all of the 3rd party tools (websites, apps, extensions) that the users in the domain have granted authentication to (e.g. via a “login with Google” button). The report lists the total number of users in the domain that have authenticated to that tool, the tool name and the tool id.

To run the report:

  • Login to an account with Google Admin rights and create a new folder.
  • Get the Folder ID (the long GUID in the URL).
  • From Google Drive, create an new Google Apps script and  paste in the code below, replacing  with the folder ID.
  • From the Resources> advanced services menu, enable the Admin Reports API.
  • From the   Resources> Developer Console menu, enable  the Admin SDK API.
  • Run the Script (or use the “current project’s trigger” menu to run the script on a set schedule)
function createAppReport() {
  var today = new Date();
  var oneWeekAgo = new Date(today.getTime() - 7 * 24 * 60 * 60 * 1000);
  var timezone = Session.getTimeZone();
  var date = Utilities.formatDate(oneWeekAgo, timezone, 'yyyy-MM-dd');
  var rows = [];
  var parameters = [
    var pageToken, page;
   // var ss = SpreadsheetApp.getActiveSpreadsheet();
   // var sheet = ss.getSheets()[0];
   // sheet.clear();
//create a new spreadsheet
  var my_ss = "3rd Party Apps_" + oneWeekAgo;
  var files = DriveApp.getFilesByName(my_ss);
  var file = !files.hasNext() ? SpreadsheetApp.create(my_ss) :;
  var ss = SpreadsheetApp.openById(file.getId());
  } catch (e){;} 
  var sheet = ss.getActiveSheet();
    var response = AdminReports.CustomerUsageReports.get(date, {
     parameters: parameters.join(','),
     pageToken: pageToken
  var activities = response.usageReports[0].parameters[0].msgValue;
      for (i = 0; i < activities.length; i++) {
          var activity = activities[i];
             var row = [
     // Append the headers.
    var headers = ['num_users', 'client_name', 'Login client_id', 'Date'];
     // Append the results.
    sheet.getRange(2, 1, rows.length, headers.length).setValues(rows);
// Sorts the sheet by the first column, descending
    sheet.sort(1, false);
//Moves the file into the Reports folder
  var fileID= ss.getId();
function fileMove(fileID) {
  var file = DriveApp.getFileById(fileID);
  var folder= DriveApp.getFolderById('REPLACE FOLDER ID HERE');
  // Remove the file from all parent folders
  var parents = file.getParents();
  while (parents.hasNext()) {
    var parent =;

Describing the Privacy of Complex Things is Complex… so is testing black box behavior of same, both could do better.

Recently the Mississippi Attorney General sued Google, revisiting some of the same claims that the EFF made in late 2015, alleging that Google is mining student data in violation of agreements and the student privacy pledge.

The title of this post is my TL|DR summary of an excellent post by Bill Fitzgerald, the Privacy Initiative Director at Common Sense Media. It raises  an important point, which is that it is important that the vendors that provide EDTech services be accurate, transparent and comprehensible, about what is happening with use data, it is equally important to hold those that criticise, advocate, lobby, and enforce privacy to similar standards.

Based on the information currently available, the Mississippi AG lawsuit does not appear to meet this standard.

1.The lawsuit lacks specific evidence of any actual evidence of data mining. This was pointed out in the ED Week article about this by Benjamin Herold , where he says

“The Mississippi attorney general’s office, meanwhile, has provided only limited information about how it determined that Google is tracking students, using their data to build profiles, and targeting them with ads. Officials “tested” …[but] declined to provide any details about the nature of those tests, citing their ongoing investigation. The lawsuit itself contains no information demonstrating that any of Google’s allegedly deceptive practices actually occur.” 

This is also born out in the FAQ which says:

Q: What information is Google collecting?
A: It is unclear at this time exactly what information Google is collecting from its GSFE users. Through this lawsuit, the Attorney General seeks to uncover exactly what information Google is accessing and collecting. The lawsuit also seeks information as to how Google is using that data.

2.The allegations about Chrome Sync are both technically incorrect and refers to functionality (sync passwords, browser history, bookmarks etc.) that is similar to functionality that exists in nearly every modern browser/operating system. For reference see both Google’s response to Sen. Franken and the Chrome help page for adding a “trust no one” passphrase that prevents Google from reading sync data (see ) the descriptions of what does not work if this is done make it very clear what it is used for.

3. The references to non-core services ignore the clear statements that Google makes to schools (in the terms and in the admin console) that schools are responsible for obtaining parental approval for all users under 18 prior to enabling a non-core service . One question that has not been answered in Mississippi is if the student accounts the AG used had YouTube enabled for students, and if so, did the school obtain the parental permission.

4.On the claim that the Google policies are complex and in places contradictory. I’d point folks to the EDU privacy notice  which is a short (<1200 word), easy to read document that summarizes the policies provides answers to that would lead one to believe the Miss. lawsuit got the facts wrong and very clearly addresses the concern about multiple conflicting polices by saying…

“Where there are terms that differ, as with the limitations on advertising in G Suite for Education, the G Suite for Education agreement (as amended) takes precedence, followed by this Privacy Notice and then the Google Privacy Policy.”

As far as them being complex, yes, that is a fair point, because it is a complex system and yes there are areas for improvement, but one very clear area I’d point to is where the word “privacy” links to depending on consumer or GSuite accounts.


5.In a video clip of an interview with journalist Anna Wolfe, Hood make the claim that his office looked at “some other class action lawsuits that Google settled where they were in fact mining data of children”. No details were provided, but I cannot identify what “Class action settlements” he was referring to. The most likely one (Matera v. Google) appears to have been modified so that it does not include Google Apps for Education. The settlement document says

“Subsequently, on October 17, 2016, Plaintiff Matera filed an Amended Complaint (ECF No. 58), …… eliminating allegations pertaining to Google Apps”

6. As long as we are on the subject of court settlements and prior bad acts, it is worth remembering that a federal court shut down AG Hood’s abuse of authority in a prior case against Google after a series of Pulitzer prize winning articles on how the influence of lobbyists can sway congressional leaders and state attorneys general.

Some privacy and transparency areas that Google could improve on include:

  1. Disabling all non-core Google services by default for newly created GSuite for Education domains.
  2. Specifically clarifying what takes precedence for schools the ADmin notice that it is the schools responsibility to get permission from parents for students under 18 (and therefore under 13) to use services such as YouTube, Google + etc..) or the terms corresponding language that prohibits the use by under 13 in these services 9e.g. YouTube, Google + and the Google Chrome Store).
  3. Requiring developers to post links to terms and privacy policies in their listing in the Chrome Apps Store, and conspicuously displaying the link.
    • Require the same for Apps found apps discovered through Google Drive’s “connect more apps” feature.
    • Require the same for 3rd Party “google add-ons” for sheets, docs and forms. This last is particularly important as the user interface presents access to these 3rd party services from a menu within a document or spreadsheet. This has the potential to  create confusion over what is a Google product. Also since these services are listed with a tool (Google Drive) that is provided by the school it may create the impression that these tools are recommended, vetted, sanctioned or approved by the district.
    • This is shown below-the Drive App Pear deck has a link to policies, the Docs Add-on EasyBib does not.

  4. Clarifying the behavior of data collection for GSuite EDU users that are:
    1. Logged into GSuite but have YouTube disabled by the Admin
    2. Logged into GSuite but have YouTube enabled by the Admin

An example that raises this question is the network traffic when a non-logged in user searches YouTube and traffic appears to be going to google search services.