“Just Google It”

How student privacy is under attack by the world’s largest data harvester.

Photo Credit: PC World

James Connor, Freelancer

According to Google, Chromebooks – their line of laptops sponsoring a custom operating system – are “secure” and “smart.” What happens though, when they’re a little too smart? Google has a history of privacy violations, documented by various organizations including the Electronic Frontier Foundation. These range from supplying police with users’ location history, to recording supposedly private conversations without permission. Evidence seems to point to the fact that these consistent malpractices translate over into Google’s educational products, including the Chromebooks that the Northport – East Northport School District has wholeheartedly embraced.

The Electronic Frontier Foundation (EFF) is a non-profit organization dedicated to fighting for civil rights online. The EFF is committed to securing privacy rights, defending digital freedom of speech, and protecting software and internet users from abuse by corporations. The EFF has a history of standing up to Google on a wide variety of issues, including privacy infringement allegations. Articles dating from 2015 and 2017 outline the dangers that Google devices and software pose to students. In a complaint filed with the Federal Trade Commission (FTC) in 2015, the EFF outlined three major issues that, according to the organization, are in direct violation of the Student Privacy Pledge.

The EFF starts by claiming that when students are logged into educational Google accounts, “personal  information in the form of data about [students’] use of non-educational Google services is collected, maintained, and used by Google for its own benefit.” According to the EFF, this occurs regardless of which web browser a student uses, meaning even students who use browsers designed to protect against data collection are vulnerable to being harvested for personal information. This activity is in direct violation of the Student Privacy Pledge that Google signed, which they use as a promotional tool towards school districts.

Another issue the EFF presented can be seen right now on every student Chromebook in the district. The “Sync” setting option is enabled on all student devices by default and results in the storage of many aspects of student data on Google servers. This data includes Apps, Autofill Data, Bookmarks, Chrome Extensions, Browsing History, Passwords, Browser Settings, Themes, Wallpapers, Open Tabs, and Payment Methods used through Google Pay. In other words, any website a student opens, any form they fill in, any login they enter, and any credit card they use through Google Pay is considered “fair game.” This data is uploaded by default to Google servers to sync to other Google devices. But what this means is that anything done on a student’s Chromebook is systematically recorded, uploaded, and stored on Google servers. The educational devices of students have been turned into data harvesting machines. When asked about these privacy concerns, Northport-East Northport’s Director of Technology, Judy Proscia, referred students to the Google for Education Privacy and Security Center and reminded all students that should they believe their data has been used outside of the School District, they should contact her office at (631) 262 – 7198.

So how does one go about securing a Chromebook from data collection? There are a number of settings that should be turned on or off to protect private data. Sign in to your Chromebook, go to to lower left-hand corner of the screen, click the icon, and hit the settings icon, as shown in Figure 1.

Figure 1

 

Photo Credit: James Connor

 

The first step is to scroll to the section titled “People” and click the setting titled “Sync.” Next, toggle every option to the off position so it looks exactly like Figure 2. Then, click “Manage Synced Data on Google Dashboard” at the bottom of the page. Scroll down and click the “Reset Sync” button. The combination of these steps will stop Google from storing sync data on their servers and then delete any data they did manage to collect already.

Figure 2

 

Photo Credit: James Connor

 

After this has been done, scroll to the Autofill section. Click the “Passwords,” “Payment Methods,” and “Addresses and more” sections each in turn and toggle the save option off. It should appear as it does in Figure 3. This stops Google from collecting and storing personal data like passwords, credit cards, addresses, phone numbers, and emails.

Figure 3

 

Photo Credit: James Connor

Then, scroll to the “Privacy and security” section. This contains many options, some of which are more harmful than others. Below is a list of what each means and what I recommend they be set to:

  • Use a prediction service to help complete searches and URLs typed in the address bar or the app launcher search bar
    • What it does: When enabled, this setting sends whatever you type in the URL bar to Google as you type it. Many people tend not to be comfortable with Google knowing what they’re typing or what websites they’re visiting.
    • Recommended setting: Off
  • Use a web service to help resolve navigation errors
    • What it does: While this can help with “404 errors,” which occur when you mistype a URL or when a website doesn’t exist, it also means that Google will know which website(s) you’re trying to visit every time you making a spelling mistake.
    • Recommended setting: Off.
      • Help improve Chrome security
    • What it does: As Google itself says, when this option is enabled, “Chrome sends URLs of some pages you visit, limited system information, and some page content to Google.” Basically this gives Google the right to record your browsing information, including what websites you’re visiting and what device you’re using. Needless to say, this isn’t ideal for privacy.
    • Recommended setting: Off
  • Send a “Do Not Track” request with your browsing traffic
    • What it does: According to Google, this feature sends a special request to websites to not track or collect your browsing data. It basically tells websites not to record what you do while looking at them.
    • Recommended setting: On
  • Allow sites to check if you have payment methods saved
    • What it does: This gives websites permission to automatically check for stored credit card or payment methods on your Chromebook. However, this presents the same issue as with the Autofill settings: the storage of payment methods. For that reason, it should be switched off.
    • Recommended setting: Off
  • Use a prediction service to load pages more quickly
    • What it does: This setting causes Google to use something called “pre-rendering technology” and looking up IP address. It sends the contents of the page you’re looking at to Google’s servers to download the website for each link on the page that you’re looking at. This means that when you click a link, it will download much faster. However, in terms of privacy, this is bad. As I said, it sends what you’re looking at to Google’s servers.
    • Recommended setting: Off

Finally, scroll to the ‘Site Settings’ option under ‘Privacy and security’. Clicking it will give you a variety of settings to mess with. Here again are my recommended settings and what they mean:

  • Cookies
    • Recommended Settings:
      • Allow sites to save and read cookie data: On
      • Keep local data only until you quit your browser: On
      • Block third-party cookies: On
    • What this does: When these options are set as such, this still allows cookies to be used, but limits the information sites can know because of them. Cookies are pieces of information stored locally on your machine. Among other things, they’re used to maintain logins, provide personalized pages, and keep data consistent across a website. However, they can also be used to track you across the Internet by acting as personal identifiers. Their contents are read by different sites to know where you’ve been and tailor your experience and advertisements through them. That’s why the second option is set to “On.” It keeps Cookies only as long as your browser is open. Once you close it, those personal identifiers are gone. This is also why third-party cookies are blocked. Otherwise, web services like Google Analytics could add cookies to your device and track you across the web.
  • Location
      • Recommended Settings:
        • My recommendation would be to toggle until it says “Blocked.” Unfortunately, you can’t change this setting due to district restrictions, which are discussed later on in the article.
      • What this does: Having location enabled allows sites to know where you are physically. Essentially, sites will know your home address, where you work, where you go to school, and other places considered personal information. All because of the site you’re visiting.
  • Camera
      • Recommended Settings:
        • Toggle until it says “Blocked”
      • What this does: This gives websites the ability to access your camera. Unless you’re using Google Hangouts, this should probably be blocked so you don’t accidentally give sites permission to record you.
  • Microphone
      • Recommended Settings:
        • Toggle until it says “Blocked”
      • What this does: For the same reasons the camera should be blocked, this should too.
  • Protected Content
    • Recommended Settings:
      • Toggle the second one regarding unique identifiers to “Off”
    • What this does: Protected Content is defined as music or videos that are protected by copyright. Whether or not you allow this to be played is up to you. However, the second option is much more important. To automatically ensure that you’re allowed to watch the copyrighted material, by default, Google uses unique identifiers stored on your Chromebook used to know who you are. This means that they are able to identify who you are anywhere on the Internet, simply by looking at your unique identifiers. They can also learn what you watch and what you listen to. More personal information that you submit to Google.

Google has made quite a habit of collecting data from Chromebooks through default options, despite the use of such machines for education. 

The final issue brought up in the the EFF’s complaint to the FTC is that no matter how privacy-conscious a student may be, district administrators still have the ability to toggle options on and off at their own discretion. Northport-East Northport School District officials are no exception, having permanently set various settings across the board. Regarding privacy, the most significant of these are “Safe Browsing” and “Automatically send diagnostic and usage data to Google,” both of which are permanently enabled. The “Safe Browsing” option sends URLs of some of the pages you visit to Google’s servers, in the name of “security.” However, as mentioned earlier, this means that Google knows what websites you visit on your Chromebook. The other option- “Automatically send diagnostic and usage data to Google”- allows Google to collect all sorts of data from you and your device. According to Google, this includes, but is not limited to, battery life, how long you use certain apps, and the stability of your connections.

As you go through these settings, you may ask yourself, “Am I being paranoid? Am I playing this up too much?” If you want to know for yourself, visit takeout.google.com and follow the instructions. This website allows you to export and download all of the data that Google has on you. I did it and, despite my privacy savvy settings, I found that Google had still managed to collect a wealth of data on me from various different sources including my phone and my personal laptop, all through my school-assigned Google account. After sifting through the data, I discovered that they knew, among other things:

  1. My home router’s IP address
  2. The school router’s IP address
  3. My android device model
  4. My YouTube search history
  5. My Drive download history

This was collected before I became fully of aware of the privacy issues and changed the settings. I’ve elected to show some of this data to you in Figure 4, with a few redactions of personal information and unique identifiers.

Figure 4

 

Photo Credit: James Connor

 

Some of this data is from when I was 13 years old. They were about 8 months away from violating COPPA, a law specifically designed to protect children under 13 years of age from data collection. Imagine the information they would have had if I hadn’t started securing my privacy online. Google is known to collect data on students, as demonstrated through both my research and that of the Electronic Frontier Foundation. This data collection machine is being fueled by school districts like the Northport-East Northport District who continue to create Google accounts on behalf of students, supply Google devices to students, and require the use of Google apps by students. By no means is this saying that the district should completely cease using Google products. They have amazing potential for engaging 21st century learners in the classroom. However, we as a district, as a community, and as a nation need to exercise more caution before accepting Google into our lives. We must also learn how to better control our own privacy. Google provides a great possibility for education, but also a very real threat of misuse. These are the steps both students and parents can take to better take control of their privacy. Despite individual efforts, nothing will replace a more serious initiative by the Northport-East Northport School District towards the protection of student privacy.