In a new filing with the FTC, the Electronic Frontier Foundation (EFF) alleges that Google is tracking students’ internet usage through its Google Apps for Education program. The problem is that Google signed the Student Privacy Pledge — it’s the old logo, so does the signature still count? — stating it wouldn’t use students’ personal information for “bad” purposes.

EFF Google FTC Complaint

The EFF says that Google didn’t keep its promise:

While Google does not use student data for targeted advertising within a subset of Google sites, EFF found that Google’s “Sync” feature for the Chrome browser is enabled by default on Chromebooks sold to schools. This allows Google to track, store on its servers, and data mine for non-advertising purposes, records of every Internet site students visit, every search term they use, the results they click on, videos they look for and watch on YouTube, and their saved passwords. Google doesn’t first obtain permission from students or their parents and since some schools require students to use Chromebooks, many parents are unable to prevent Google’s data collection.

Obviously, if this is true, Google has some “‘splainin’ to do.”

The EFF alleges that Google’s privacy violations occur in three instances:

  1. When students are logged into their Google accounts;
  2. Having Chrome Sync on by default on Chromebooks; and
  3. Through Administrative settings in GAFE and Chrome.

The issues the EFF addresses in this complaint are similar to issues some businesses have regarding Google’s data collection practices. And the three allegations are definitely ones to check and monitor if you’re concerned about sharing information.

The EFF isn’t seeking monetary relief. Rather, EFF wants the FTC to investigate Google’s conduct, stop the company from using student personal information for its own purposes, and order the company to destroy all information it has collected that’s not for educational purposes. I don’t know the feasibility of the destruction portion, but I’m sure Google can figure that out.

Personally, provided Google isn’t tagging my information by IP address — certainly an easily identifiable marker — I’m not opposed to sharing with Google how I use its products or the internet specifically. And I suspect many folks feel the same way. However, I am concerned when Google, or anyone else, begins sharing my information with third parties.

What’s your opinion on this matter? Is the EFF “fighting the good fight” here? Or is this something we should waste time discussing and investigating? Let me know in the comments.


EFF updated its position on Google Sync and student tracking:

Google has promised not to build profiles on students or serve them ads only within Google Apps for Education services. When a student goes to a different Google service, however, and they’re still logged in under their educational account, Google associates their activity on that service with their educational account, and then serves them ads on at least some of those non-GAFE services based on that activity.

In other words, when a student logs into their educational account, and then uses Google News to create a report on current events, or researches history using Google Books, or has a geography lesson using Google Maps, or watches a science video on YouTube, Google tracks that activity and feeds it into an ad profile attached to the student’s educational account—even though Google knows that the person using that account is a student, and the account was created for educational purposes.

This is our biggest complaint about Google’s practices—that despite having promised not to track students, Google is abusing its position of power as a provider of some educational services to profit off of students’ data when they use other Google services—services that Google has arbitrarily decided don’t deserve any protection.

This post was updated to add EFF’s clarification.

Jeff Taylor

I'm just an ordinary guy living an extraordinary life. I'm also an attorney and I blog about Android for lawyers. You can follow me on Twitter, LinkedIn, YouTube, or Google+.


Paul McGuire (@pdmcguirelaw) · December 1, 2015 at 10:16 pm

The thing is, sync as a feature is not about tracking but about making the experience the same between different chromebooks. So assuming students are allowed to have individual accounts then it is helpful because they can keep the same records when they finish one school year on one set of chromebooks and move on to a separate set elsewhere. All of this information is linked to the user’s Google account so I don’t see what the big deal is.

    Jeff Taylor · December 2, 2015 at 6:35 am

    Good point, and I agree. But, the Privacy Pledge has specific ways signatories agree to use or not use the data collected. Specifically, EFF is focused on the pledge to “Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.”

    The complaint alleges that Google’s use of the data exceeded the specific “educational/school purposes”:

    Google not only collects and stores the vast array of student data described above, but uses it for its own purposes such as improving Google products and serving targeted advertising (within non-Education Google services)

    If true, this use would theoretically fall outside of the pledge’s purview. EFF alleges that this, and the two other actions, amount to a deceptive trade practice as defined in 15 U.S.C. § 45(a)(1).

    EFF does a decent job of outlining the ways Google Sync “injures” a student, and how the administration, not the school or parents, controls Google’s ability to collect the information:

    Google’s violations of the Student Privacy Pledge cannot be reasonably avoided by students and their parents. Google collects student personal information when students are logged in to their Google for Education accounts. And even if Chrome Sync can be turned off at the device (Chromebook) level, it and other settings are controllable by school administrators, enabling Google’s collection and sharing of personal student information.

    Lastly, Google’s collection and sharing of personal student information in violation of the Student Privacy Pledge does not enable Google to provide a benefit to users that outweighs the unfair act. Google already does not create advertising profiles to monetize personal student information like it does for its standard free Gmail services, so stopping future collection would not necessitate a significant price increase for schools that currently partner with Google for Education or those that want to in the future.

    Perhaps Google’s best counter-argument is that its tracking/collection methods were used to improve services. The Pledge exempts those activities; “Nothing in this pledge is intended to prohibit the use of student personal information for purposes of adaptive learning or customized education.”

David M. Pellow · December 2, 2015 at 7:46 am

New York State Education Law Section 2-d requires schools to state in their agreements with “third party contractors” that receive individually identifiable student data what the purpose is for sharing that data, and states that the data may not be used for any other purpose.

First problem: virtually all school districts in New York State using GAFE are not in compliance with 2-d because the only “agreement” they have with Google is the online terms they “accepted,” and (surprise!) Google has not modified those terms to comply with Section 2-d since it was adopted.

Next problem: If a school district defined the purpose for which it was sharing data, it would presumably say something about efficiency in fulfilling its education mission, and not say anything about helping improve Google’s search algorithms. By letting Google define the purpose as “improving” its services, I think the schools and the vendor are ignoring the intent and the letter of Section 2-d.

Third problem: I don’t think the Pledge, even if adhered to, brings school districts into compliance with Section 2-d because it is not an “agreement” between the vendor and the school district. I haven’t yet located any online terms, from Google or other cloud service vendors, that incorporates the Pledge into an enforceable contract.

We are waiting for regulations in New York State, and a new version of FERPA is on the horizon. It will be interesting to see if either one squarely addresses the interface of public education and Big Data.

David M. Pellow
School Attorney
Madison-Oneida BOCES
Verona, New York

    Jeff Taylor · December 2, 2015 at 8:24 am

    Good point, though I will note that Google will enter into business service agreements with companies and schools to expressly address the “agreement” problem. Second, arguably, the terms of service are “agreements” — although I appreciate the “sharing” disclosure and the needed update — that both parties are accepting. This could alleviate some of the issues.

Let's discuss this (you can use Markdown in your comment)

%d bloggers like this: