Student Privacy by Practice - Not by Policy

by Matrix8967

Hello 2600 readership.

I'm a systems administrator at a large (for the region) school district.  I've been in K-12 for about ten years.  I left my high school saying: "I'll never go back, even if they paid me!"  Then my school said they'd pay me, and I went back immediately.  I've changed districts a few times, but I've noticed an alarming trend that's already overtaken K-12: Google, and its lust for your student's data.

To lay the land of the K-12 environment: K-12 has been rife with old, dilapidated, and abandoned software.  Companies will develop "curriculum" for students in things such as Flash, Shockwave, or Java and sell it to schools for mind-boggling premiums.  The next step is to hold the schools for ransom for upgrades, where one of two things happens:

1.)  K-12 decision makers won't understand paying for software twice, and ride the old version.  As a real example of this: I learned to type in elementary school, and when I began work as an intern in high school, I was tasked with installing the same software...

2.)  The district begrudgingly pays for the upgrades, and experiences all the joys of "vendor lock-in."  For example: Three year contracts on testing data aggregation, where the test is only administered every two years...

This software ecosystem created a tinderbox for our friendly neighborhood data aggregation company.  Google makes its Google Apps For Education suite (GAFE, formerly GSuite) available for free to all K-12 schools.  This goes hand-in-hand with its literal truckloads of Chromebooks that are being dropped off at schools each year.  Districts are buying these in warehouse quantities trying to go 1:1.  In a modern classroom, students will walk in and pick up a Chromebook, log in with personally identifiable information, and browse the web with the world's largest advertising agency at the helm.

Google has done some fancy footwork to side-step data collection regulations.  GAFE splits its products into "Core Services" and "Additional Services."  Core Services are things like Google Sheets, Google Docs, etc.  Google's Core Services End User License Agreement (EULA) says:

"User personal information collected in the Core Services is used only to provide the Core Services.  Google does not serve ads in the Core Services or use personal information collected in the Core Services for advertising purposes."

However, this is where "Additional Services" comes in.  GAFE Additional Services are things like Google Maps and YouTube.  Google's Additional Services EULA says:

"We also use this information to offer users tailored content...  We may combine personal information from one service with information, including personal information, from other Google services...  Google may serve ads to G Suite for Education users in the Additional Services."

Google's PR department came out in full swing after case studies from the EFF started to ask invasive questions concerning Google's privacy policies.  Google's PR privacy site states:

"For G Suite users in Primary/Secondary (K-12) schools, Google does not use any user personal information (or any information associated with a Google Account) to target ads."

We know that Google would never lie in order to turn a profit, so let's take them at their word for this and ask: "What does Google do with all the student data once the students graduate and move to their own personal Gmail accounts?"  It'd take nearly no time at all to marry two sets of data about students, especially if they use the same devices to create a personal Gmail account.

Compounding issues: There's a huge lack of opt-out policies, since this is handled on a district-to-district basis.  Assuming a district has an opt-out policy in place, if the whole classroom is using GSuite, it singles out the kid who isn't complying.  Special arrangements will need to be made for the privacy-conscious student, which can also cause issues.  (I'm sure each of us can think of a time when being different from the majority ended with an upsetting exchange.)

I've looked at removing the personally identifiable information from student logins in our district, but Google has a fix for that too.  In Google Classroom, teachers are able to fill in any blanks it has on children's Google Profiles in order to get their digital classroom up to date.  There are also the legal questions surrounding Children's Online Privacy Protection Act (COPPA) violations of IT staff (us) signing up kids under 13 to use GAFE services.  Google says that its products can be used in compliance with COPPA, which is not very reassuring.

So, what can be done?  Thankfully for public schools, the school board has to answer to the taxpayers and voters.  Attending school board meetings and asking for more information about opt-outs and alternatives could yield positive results.  In my opinion, Pi Tops are the best alternative to Chromebooks since they encourage discovery and come with a great set of STEM curriculum.  They're similarly priced and easier to repair/upgrade, which saves money in the long term.  When presented with a viable alternative, the administration and decision makers will be more open-eared, since you're offering solutions, not just problems.  (These do have Alexa capability, so that also warrants some strict policies.)

Another viable alternative is flashing GalliumOS onto the existing Chromebooks, which can be a fun learning experience for the students.  It's also very satisfying to turn the tools of your enemies against them.

I don't believe in an abstinence-only approach to software.  I think privacy by practice, instead of privacy by policy, can set a positive example for students.
