The San Francisco-based non-profit Electronic Frontier Foundation (EFF) filed a complaint with the Federal Trade Commission (FTC) alleging that Google collected personal information and internet usage behavior of students using Chromebooks and Google Apps for Education beyond what is allowed for educational purposes, in violation of the Student Privacy Pledge.
EFF says the Privacy Pledge is a legally binding and FTC-enforceable agreement. The organization further argues that Google’s conduct (unauthorized data collection) “constitutes unfair or deceptive acts or practices in violation of Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45).” The organization has asked the FTC to investigate and issue an injunction against the activity, which Google told EFF it would stop.
Below are EFF’s top-level factual allegations against Google:
Google collects, maintains, and uses records of essentially everything that student users of Google for Education do on Google services, while they are logged in to their Google accounts . . . This includes recording students’ browsing behavior on every single Google-operated site students visit regardless of its relation to schoolwork . . . Such data reveals highly personal information about students and is not necessary to deliver educational services.
The “Chrome Sync” feature is enabled by default on all Chromebook devices . . . For a non-educational user of Chrome Sync, the information collected about browsing history and bookmarks, along with information collected through Gmail and other Google applications, is used to create an individualized user profile for targeted advertising. Google asserts that it does not collect information from student users of Google for Education for advertising purposes . . . Google has acknowledged that it collects, maintains, and uses student information via Chrome Sync (in aggregated and anonymized form) for the purpose of improving Google products, similar to how Google uses browsing data collected within its own services
Google’s design choice permits school administrators to enable impermissible collection of student data, even if some parents make an informed choice to turn it off, thereby placing Chrome for Education outside the bounds of the Student Privacy Pledge.
In the same settings page where administrators can choose whether Google can collect a user’s passwords or browsing history, school administrators can also choose whether “websites are allowed to track the user’s [here, students’] physical location.” . . . Sharing a student’s physical location with third parties is unquestionably sharing personal information beyond what is needed for educational purposes . . .
(Emphasis added.)
Taken together, EFF says, these Google data collection activities are “unfair and deceptive” practices under federal law because they violate the Student Privacy Pledge, to which Google is a signatory. The Pledge is a statement that signatories will:
Not sell student information.
Not behaviorally target advertising.
Use data for authorized education purposes only.
Not change privacy policies without notice and choice.
Enforce strict limits on data retention.
Support parental access to, and correction of errors in, their children’s information.
Provide comprehensive security standards.
Be transparent about collection and use of data.
In its request for injunctive and other relief, EFF asks the FTC to order Google to destroy the data, notify parents and students of the prior data collection, and prevent Google from capturing such data and usage behavior in the future:
Order Google to destroy ALL personal student information collected by Google, without student or parent authorization, that is not necessary for educational purposes associated with ALL Google for Education student accounts (browsing history, passwords, tabs, bookmarks, etc.).
Order Google to, prior to destroying any personal student information not necessary for educational purposes, provide all student account holders and, as is reasonably feasible, all parents, notice of Google’s previous collection and use of student personal information in violation of the Student Privacy Pledge.
Enjoin Google from collecting, maintaining, using, or sharing any personal student information not necessary for educational purposes (including in aggregated or anonymized form), without student or parent authorization, as long as it remains a signatory to the Student Privacy Pledge.
Other remedies and relief at the FTC’s discretion.
The FTC can impose fines to varying degrees, but its greatest power is to enjoin or prohibit activities deemed deceptive or unfair. As a practical matter, Google’s exposure in this case is not so much about fines but about its brand reputation and image.
The perception of Google among school administrators, teachers and parents could be tarnished, depending on how widely publicized the case is. Indeed, the data mining allegations could make schools think twice before adopting Chromebooks and Google educational or cloud services. While the latter could have some revenue implications, Google’s reputation and usage with the broader public are unlikely to suffer.
Despite the allegations, it’s not yet clear whether there was willful behavior on Google’s part or whether this was more a failure of internal communications and oversight.
Postscript: Google has now drafted a detailed response to EFF’s complaint. The bottom line is that the company says it hasn’t violated the Student Privacy Pledge, as EFF argues, and that its Chromebooks, software settings and apps are compliant:
While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year. The co-authors of the Student Privacy Pledge, The Future of Privacy Forum and The Software and Information Industry Association have both criticized EFF’s interpretation of the Pledge and their complaint . . .