EFF sues Google tweet

{{ story.headline }}

{{ story.subheading }}

{{ story.timestamp }}

This piece originally appeared on Raleigh startup Cellbreaker's blog The Breakery, which offers commentary and analysis of common consumer complaints and abuses of cell phone and other service providers.

The Electronic Frontier Foundation (EFF), as part of its Spying on Students campaign, recently filed a Federal Trade Commission (FTC) complaint alleging that Google engaged in unfair and deceptive business practices by violating several components of the Student Privacy Pledge, a voluntary (and legally enforceable) agreement to which Google is a signatory. 
 
This isn’t the first time Google has been accused of deceptive practices: In 2012, the FTC ordered Google to pay a record $22.5 million civil penalty for violating a previous settlement with the FTC and intentionally bypassing default privacy settings to use cookies in the Apple Safari browser. The previous settlement barred Google from making future privacy misrepresentations after the company used deceptive tactics regarding its information-collection practices with Google Buzz. 
 
But, back to the issue at hand: Signatories of the Student Privacy Pledge agree that they will “[n]ot collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.” However, the EFF alleges that Google Apps for Education users, signed into Google accounts, are subject to data collection “on every single Google operated site students visit regardless of its relation to schoolwork.” This would include the student’s entire browsing history, Gmail messages and photos, videos viewed on YouTube, and could even include default password collection for Chrome users. 
 
Chrome Sync, a feature that collects and stores browsing data in the cloud, is enabled by default on all Chromebooks. Even where a parent disables the Chrome Sync feature, school administrators have the ability to override this setting, and even enable sharing of students’ physical locations with third-party websites. 
 
The EFF claims that Google uses student data to improve its own services and for targeted advertising outside of Google Apps for Education services—claims denied by Google Apps for Education Director Jonathan Rochelle
“Students’ personal data in (Google Apps for Education) Services is only used to provide the services themselves, so students can do things like communicate using email and collaborate on assignments using Google Docs. There are no ads in these Core Services, and student data in these services is not used for advertising purposes.” 
Google agreed that it will disable the Chrome Sync feature on school Chromebooks, but reportedly has not yet agreed to destroy previously mined and stored student data, and states that its practices do not violate the Student Privacy Pledge: 
“While we appreciate EFF’s focus on student privacy, we are confident that these tools comply with both the law and our promises, including the Student Privacy Pledge.” 
The Software & Information Industry Association (SIIA), co-founders of the Pledge, say the EFF has it wrong. According to the SIIA, Google collects student information at the school’s direction and “as part of students’ educational experience,” in accordance with the Pledge’s intent, and protects privacy by aggregating and anonymizing the collection information. Otherwise, the SIIA seems to suggest that Google permissibly collects data from students using “general purpose services” and states that “the pledge is intended to allow administrators to make judgments about the use of student information for educational purposes. “ 
 
If true, the EFF allegations seem to run afoul of other privacy protection laws. The Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent before a website operator can collect, use, or disclose any information about children under the age of 13, where the information is for commercial purposes. COPPA usually doesn’t apply to schools, except here, where a school requires a student to use a commercial service. The FTC has specifically noted that, 
“the school’s ability to consent on a parent’s behalf is limited to the educational context – in other words, it applies only when an operator collects personal information from students just for an educational purpose, and for no other commercial purpose. Thus, in addition to the central role schools play in creating an engaging learning environment, they also have a part to play in protecting student privacy.”  
The 41-year-old Family Educational Rights and Privacy Act (FERPA) requires schools that receive federal funding obtain parental consent prior to sharing student information with third parties. Under FERPA, student information includes education records containing personally identifiable information and behavior metadata containing direct or indirect identifiers with third parties. According to the EFF, school districts attempt to get around this rule by labeling contracting software companies as “school officials.” Nevertheless, to permissibly sidestep the parental consent requirement, the contractors must serve a legitimate educational interest, be under the school district’s direct control with regards to the education records being shared, and only use these records for the specific purpose for which they were disclosed. 
 
As is usually the case with federal law, big data and online privacy, limited protections exist and the rest is unclear. The EFF allegations are specific and the defense is rather generic. The outcome, of course, hinges on what information Google does, in fact, collect and how it is used. The specific conduct alleged by the EFF certainly seems in violation of what the Pledge actually says (not what was supposedly intended). Considering the amount of time I spend dissecting Facebook privacy updates, it isn’t a far stretch to imagine confusion amongst the 30 million+ users of Google’s education products. 

Whether Google violated the Pledge or not, it shouldn’t take much technological sophistication to understand what and how information is being collected about your child. Maybe there’s an app for that?