Dec 2, 2015 · 5 minutes

“We are committed to protecting the privacy and security of all of our users, including students … We signed the Student Privacy Pledge to reaffirm the commitments we’ve made to schools.”

- Google for Education website

“Google's use of students' browsing history for its own benefit and without authorization from the student or parent runs contrary to the letter and the spirit of the Student Privacy Pledge."

-Petition filed 12/1/2015 by the EFF to the FTC

Google is tracking and spying on America’s schoolchildren for its own benefit. This may not surprise you, it may not appall or even unsettle you. After all, what makes schoolchildren think they deserve special treatment? But, according to a complaint filed yesterday by the Electronic Frontier Foundation with the Federal Trade Commission, the situation has got to stop.

At the heart of the EFF’s complaint is the K-12 School Service Provider Pledge to Safeguard Student Privacy, or Student Privacy Pledge. The EFF alleges that Google is violating the terms of that pledge, which the advertising giant signed onto this spring. The policy group is asking the FTC to compel Google to destroy all student data gathered in violation, and to stop doing so in future. 

According to EFF, the company’s student data policies constitute an unfair and deceptive business practice. Since the Student Privacy Pledge does not allow for third party organizations or parents to sue the company, and since the EFF claims that its own entreaties for Google to alter its practices, over the course of months of conversation with the company, have not yielded meaningful commitments, only an FTC action can hold the company accountable.

“Google promised not to use student data without authorization from students or parents, and they have gone back on that,” said EFF staff attorney and author of the FTC complaint Nate Cardozo, by phone.

The FTC does not comment on active complaints or investigations. A Google spokesperson did “the right thing” by replying to my extensive questions with the following boilerplate statement:

“Our services enable students everywhere to learn and keep their information private and secure. While we appreciate EFF's focus on student privacy, we are confident that these tools comply with both the law and our promises, including the Student Privacy Pledge."

In recent years, Google has entered the education space with a big splash, contracting directly with school districts for the use of its Google Apps for Education (GAFE) – the contract can be viewed here – and also providing Chromebooks for student use. This line of Google’s business has cut into that of established players Microsoft and Apple, respectively, by offering low-cost alternatives. Google is now the perceived market leader in education hardware and software.

Google claims to have signed up 40 million global users of GAFE. For context, there are only 50 million K-12 students in the entire US. The company’s education business is also likely keeping Chromebooks afloat, accounting for 60.3 percent of 2014 Chromebook sales in the US, and an even higher proportion elsewhere.

This is not the first time Google’s education initiative, and the data collection practices stemming from it, have fallen afoul of regulators. A lawsuit in the spring of 2014 alleged that Google was mining student GAFE emails for advertising purposes, and in a pretrail document in that case Google admitted that was true. Chastened, the company pledged to stop doing so, and to remove all advertising from the GAFE suite.

Earlier this year, Google was implicitly scolded by President Obama for not having been among the original batch of signatories to the Student Privacy Pledge, which had included Microsoft and Apple.

Said Obama: “And if you don't join this effort, then we intend to make sure that those schools and those parents know you haven't joined the effort.”

Google signed on to the SPP shortly thereafter.

In contrast to the various laws that protect student data privacy at the national and state level, the SPP is a fairly straightforward document, with few loopholes. The EFF contends that Google is violating the following provisions of the SPP, which state that companies will:

  • “Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.”
  • “Not build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student.”
  • “Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student.”

Since the settling of the litigation cited above, Google does not use student behavior within GAFE to target advertising or build profiles on students. But, since the GAFE do not include such core (and educationally pertinent) Google services as search, Youtube and maps, students who venture outside the GAFE and into the web, while still logged into their school-assigned account, may be subject to tracking, profile building, and data collection.

Chromebooks issued to schools come with only the Chrome browser, and with a default setting that stores student data in the cloud via Sync rather than locally on the machines. Once in Google’s servers this data can be used for non-educational purposes. Futher, the GAFE suite allows school administrators to opt for settings which turn on Sync, store passwords and allow student data to be shared with third party websites – even if parents or students opt out.

This is especially concerning since in many districts that issue Chromebooks and use GAFE, use of these devices and services are mandatory for students.

In short, the EFF is charging that US schoolchildren are only slightly more protected against Google’s privacy incursions than the average user of the company’s products. Where does the policy outfit stand on threats to privacy that Google presents for the rest of us?

“For that, we point to the FTC’s Fair Information Practices Principles which state that if an advertiser or cloud provider wants to collect data they need notify users and provide them with a choice of whether to participate. We think Google fails on both fronts,” Cardozo said.

The complaint against Google may be the first of many such actions that the EFF takes against education service providers, as part of its newly-launched “Spying on Students” initiative. Cardozo said that they are also looking into violations of student privacy by other companies, including Apple, Microsoft and Facebook, and are soliciting tips from concerned parents.

As for Google, it has just pledged to change the default Sync setting on student Chromebooks, which Cardozo characterizes as a small step in the right direction. The company continues to insist that it does everything in its power to protect student privacy, from everyone but itself.