Ask Slashdot: Explaining Cloud Privacy Risks To K-12 Teachers?

hyperorbiter writes "With the advent of Google Apps for Education, there has been a massive uptake by the K12 schools I deal with on signing students up with their own Google powered email address under the school domain. In addition, the students' work when using Google Apps is stored offshore and out of our control — with no explicit comeback if TOS are breached by Google. It seems to me that the school cannot with integrity maintain it has control over the data and its use. I have expressed a concern that it is unethical to use these services without informing the students' parents of what is at stake e.g. the students are getting a digital footprint from the age of seven and are unaware of the implications this may have later in life. The response has often been that I'm over-reacting and that the benefits of the services far outweigh the concerns, so rather than risk knee jerk reactions by parents (a valid concern) and thereby hampering 'education', it's better to not bring this stuff up. My immediate issue isn't so much about the use of the cloud services now, but the ethics over lack of disclosure in the parental consent process. Does anyone have ideas about defining the parameters of 'informed consent' where we inform of risks without bringing about paranoia? (Google Apps is just an example here, I think it applies to many cloud services.)"

What *are* the implications?

[Dputiger]

This question needs a bit more detail. What *are* the implications of using these Google services? Is Google using the same boilerplate contract? Does it sweep emails for words and phrases to show advertising? Is it collecting anonymous data?

I think you probably need some school-specific clauses to address the particular privacy and safeguards but you haven't articulated any specific examples of areas where you think Google is falling short or why this might become a problem. Kids are going to have digital footprints as children. I might not like that very much, and as a parent I may try to limit it, but you can't stop it.

Re:What *are* the implications?

[Dputiger]

"Send you child to a different school, speak with the school board, whatever it takes; you the parent have complete control..."

You're assuming a level of income and engagement that only exists at the high level. 1). The parents have to be educated on these issues *specifically*. 2). The parents need to have the money to make the changes you suggest.

You can't just change school districts. Generally, you're assigned a school based on where you live. Sending your kid to a different school means paying a penalty, at minimum, or paying for private school, where tuition can approach college-level. Can you afford to lay out $8,000 - $12,000 a year for your kid to go to a different school, while still paying property taxes to support the local ones? Keep in mind, you have to handle transportation to and from the school as well, which again, assumes you're rich enough to do so .

Of course there's home schooling -- provided, again, that you're rich enough to be able to afford not to work or have a spouse who can support your family on a single income. And it's a lot harder to be as engaged as a parent if you're the only one earning an income, leaving the house at 7 AM, and getting home 12 hours later to young kids who still need dinner made and homework checked.

All of *this* assumes that the school district itself properly understands the programs in question well enough to communicate them and that the programs are administered appropriately.

Re:What *are* the implications?

[hairyfeet]

Dude I've found what the meat of the matter is and its MUCH deeper than that...folks don't understand how the Internet WORKS, and THAT is a serious problem!

I work with ordinary folks 6 days a week and you'd be shocked how many truly believe the net is this big ball of blackness where things just disappear,never to be seen again, that these websites only know they are there when they are there, its a serious problem man. i had a customer just the other day set him up a Yahoo Chat (Boy MSFT shot themselves in the foot by killing Live Messenger, been a LOT of folks jumping ship lately) and he was shocked! shocked i tell you! That Yahoo had names showing up under his friends that he hadn't spoken to in like half a decade. he honestly thought that once he had stopped talking to people that was it, that just went poof and it was like it never existed.

So I think even before we talk about this specific case we really need to figure out how to explain how this thing we call the net REALLY works, because frankly its this misconception that the corps are using to gather all this info and data on us. Folks just don't understand that once something reaches the net it NEVER goes away, delete means nothing, its ALWAYS on a server somewhere.

Re:What *are* the implications?

[matria]

When my children were in school, granted this was some years ago, in the first and second grades (this is at age 7 or 8, mind you) they had weekly visits from a psychologist. The children were instructed to not tell their parents about these visits, or show their parents the worksheets and other materials they were given. One of my children was disturbed by the outright instructions to disobey parents if the child didn't want to do something, like take a bath or go to bed at a specified time, and told me about the whole thing. I had to take it to the school board to keep that child from being disciplined by the school (in-house detention during lunch and recess periods), and even then he was exposed to harassment and humiliation in front of his classmates, being called a "snitch", a "traitor" and a "mamma's boy". So on the one hand children were being taught to ignore and disobey their parents, exercising their "rights" to self-expression, yet on the other hand when this same child did not want to engage in a certain sporting activity he was threatened with suspension for not obeying the teacher. The ironic thing is that I happened to meet that school psychologist some time later, and he confided to me that he does not at all agree with what he was teaching, but it was his job to teach what he was told to teach: that children had the right to do what they pleased, not what they were told to do - at least by their parents.

Data May Be *Safer* Overseas

[BuildMonkey]

What gives you the idea that data is safer stored within the US? In reality, I think it is less likely to fall into the 'wrong hands' (someone who wants to embarrass or blackmail your child later in life) stored overseas.

First, make sure *you* understand the implications

[93+Escort+Wagon]

If you can't articulate what the implications are of using Google Apps for Education, then at least one of the following is true.

1) You don't actually have sufficient understanding of the situation
2) You're the wrong person to attempt being the spokesperson for the "opposition"

You need to be able to articulate your specific concerns regarding use of the service - not just make hand waving statements. If its bad that students have a "digital footprint" from age seven, explain *why*. And, even then, be aware that others may not share your concern (or may have adopted a fatalistic attitude about the situation).

Just how would you explain the risks?

[aegl]

We already have groups of people afraid of wifi, vaccines, and a host of other things that are non-issues. They are also disproportionately afraid that their child will be abducted (by strangers, or even by aliens).

Pretty much whatever you say will either be misunderstood by some subgroup, or deliberately misconstrued by another - and then a school faces the problem of providing a special exception* for some group of students that have been opted out.

* Note that I'm generally in favour of special exceptions in schools because children do have different learning styles and paces - but this would be a crazy addition

Re:Just how would you explain the risks?

[rubycodez]

non-issue? people die and are sickened from vaccines (allergic reactions, bad batch of not totally deactivated virus, etc.)....but that's ok with you until your child flops over dead, right?

Re:Just how would you explain the risks?

[SuricouRaven]

The number of lives lost as a result of vaccine reactions is far, far less than the number of lives saved by the elimination of what would otherwise be endemic and often fatal diseases. Overall, the vaccines are saver. People just percieve them as dangerous because their danger is obvious, while all the times their child *didn't* get polio are not so easily apparant.

HOW do you teach the implications?

[Frobnicator]

Obviously there are valid issues. The question is not IF we should teach them, but HOW.

Right now there are few ways to articulate the risk. There is the vague handwaving education of "bad guys will steal it".

Even when doing this professionally it is difficult to fully understand what the risks are, who exactly the "bad guys" includes, the kind of stuff they want to take, and the reasons they want it. The bad guys may include governments, vandals, corporate espionage, advertisers, news agencies, and more. The stuff they want may include not just credit card numbers, but also patterns of what you like, where you go, and who you are with. That stupid-looking photo may be cute today, but it may destroy your bid for public office two decades later. The fact that your facebook friends have some overlap with a suspected terrorist may put you on a watch list. Knowing the bad guys, and knowing the data they are looking for, is hard.

Then you have the difficulty of explaining it clearly. It is hard enough to explain to a teenager that their quick goofy photos (or much worse, sexting) might, twenty years from now, prevent them from getting their dreams fulfilled. Sometimes it is easier to point out that public stupidity can prevent them from getting a job in three years, but even that seems difficult to teach.

Since that wasn't quite asked, here's the evolved question:

HOW do you teach K12 students about the risks in the digital world?

Re:HOW do you teach the implications?

[number11]

"Who gives a rip about little Johnny's 5th grade book report".
No company, not even Google themself, is going to dig through Johnny's school papers and test reports, because privacy violations would be financially devastating, as would the legal ramifications if it were found out

Who, exactly, would prosecute them if it is found that they have looked at the school papers of some kid in another country? Or made use of them in any way they wished? Hell, the TOS probably let them do that no matter where the kid is.

Not to speak of which, the secret police have a very long view. No, they're unlikely to be interested in a 12-year-old, but maybe they're interested in the kids parents or relatives. Anything in there that might be useful for blackmail? To target someone for kidnapping? And down the road, if that 12-year-old becomes the country's leader, you don't think that it would be valuable for the secret police to have all his school work since he was a child? I'd think that would be very useful, especially if that country has something the US wants, or perhaps is not on good terms with the US (either now, or 30 years from now).

Without knowing the writer's location, how can they state for sure that the data is stored off-shore, and if the writer was in the US, wouldn't having it off shore be better?

The reasonable explanation is that the writer is not in the US. And we have made it clear that such people have no rights in the eyes of the US.

For a US citizen, having it offshore might be better. There's a lot of potential failure points, either way.

Re:HOW do you teach the implications?

[tsa]

The MegaUpload case shows that it doesn't matter where the data resides. If the US wants it or wants it gone they will take it no matter what.

Re:HOW do you teach the implications?

[Runaway1956]

" it is difficult to fully understand what the risks are, who exactly the "bad guys" includes, "

To complicate things yet further, the identity of the good guys and bad guys aren't cast in stone for all eternity. Life happens, and sometimes good guys go bad, and sometimes bad guys go good. The fact that you were trustworthy a year ago doesn't necessarily mean that you are trustworthy today.

So basically...

[sunking2]

You have this belief of a boogieman in the closet, but have nothing that actually backs it up. But because you think you are so smart you can't possibly imagine that your beliefs aren't true and you are over reacting you expect us to back you up as surely everyone with half a brain must believe what you do.

It's not paranoia.

[fustakrakich]

In the cloud, or any other computer network, you have no privacy. What is there to explain, other than you voted for this?

what *are* the risks?

[stenvar]

I have expressed a concern that it is unethical to use these services without informing the students' parents of what is at stake e.g. the students are getting a digital footprint from the age of seven and are unaware of the implications this may have later in life.

And what precisely are the implications and risks according to you?

but the ethics over lack of disclosure in the parental consent process

What precisely do you think isn't being disclosed?

Express your specific concerns in writing...

[Bearhouse]

It is an interesting point...
Sugget you do some research, (look into the big G's T&Cs), and write down exactly what you think the issue may be.
Try and be balanced, then fire it off to yor boss.
Your duty is then done, and your ass covered.

Paranoia is a problem? Why?

[BenEnglishAtHome]

Does anyone have ideas about defining the parameters of 'informed consent' where we inform of risks without bringing about paranoia?

Why is "bringing about paranoia" a problem? Where security is concerned, I generally consider paranoia to be a good default reaction to any situation until I understand it well enough to relax.

Explain the situation well and allow the parents and others to be as paranoid as they consider prudent. Don't try to manipulate them into being more or less paranoid just because you or the system think they should adopt a different mindset. You provide facts then it's their choice to make.

If, OTOH, you're excessively concerned about and wish to avoid creating paranoia you'll hamstring your efforts to be intellectually honest and technically accurate when you "define the parameters of informed consent."

Easy to explain:

[Hartree]

It's easy to explain cloud privacy issues. We'll do it in terms of purses and wallets as those are common items of value that people understand can contain very private information:

Someone is doing the digital equivalent of asking you to keep your purse (or wallet) securely and have it available at all times for you. They won't try to steal the money or credit cards, etc in it (or whatever else of value if you choose to store it). Yes, there may be a security breach, but it's less likely than you dropping or forgetting your purse or wallet.

On the other hand, it means that if you put them in your purse (or wallet) they know how many birth control pills or condoms you kept in it and by when you used them what part of your menstrual cycle you're on or when you had a hot date that turned into an all night.

Now, extend that to your son or daughter that will have records on them from the time they enter grade school until, well... forever.

(In some ways it's not a big deal, but in some ways it is, and that rather graphic example gets across the level of info that can be mined from long term records.)

Re:Yup

[ShanghaiBill]

>The response has often been that I'm over-reacting

Because you are.

Allowing children under 13 to disclose identifying information online, without parental consent, is not only a bad idea, it is illegal. Read up on the Children's Online Privacy Protection Act. If these kids are using their real names, their photographs, or their email addresses online without written parental consent, then the school may find themselves in legal trouble. COPPA lays out some pretty specific rules, so if you are using the internet with kids under 13, you need to be familiar with that law.

Re:First, make sure *you* understand the implicati

[Frobnicator]

If you can't articulate what the implications are then at least one of the following is true.

1) You don't actually have sufficient understanding of the situation 2) You're the wrong person to attempt being the spokesperson for the "opposition"

I very much agree with this. Unlike the IT worker in the headline I can articulate many of those implications. Unfortunately getting it through a child's view is difficult. Even communicating it to an ADULT is difficult.

We see these things on /. all the time:
* Goofy pictures as a teen, but as 47 year old fired from executive job due to bad public response.
* Seemingly innocent banter about being insane, Texas teenager in jail.
* Picture of children in a bathtub, ten years in prison for child porn.
* "Why would I want to live there?" to your friends, fired from Microsoft.
* Sexting images go public, lives ruined.

And those are the EASY cases.

On their surface none of them seem like threatening issues. I post pictures of myself, friends and, family. I publicly chat with friends. I hope that they never come back and bite me, but in this world even the smallest innocent thing can be taken out of context and destroy lives.

How exactly do you communicate rational responses (not just fear) for these actual risks that we read about daily without sounding crazy?

Re:First, make sure *you* understand the implicati

[LordLimecat]

You also need to be able to explain why "their cloud" is less secure than "your cloud". The data / work is being stored on servers somewhere, and if students can access it there is ALWAYS the chance for some misconfiguration or breach that exposes their information. So with that understanding, you need to justify why storing stuff in house would be more secure than with google-- and the truth is, a lot of the time, its not.

Re:Yup

[ShanghaiBill]

And where did you get that any of this was being done without the parent's permission?

From the summary.

Re:First, make sure *you* understand the implicati

[SuricouRaven]

Don't forget the bit about posting comments insulting religious or political views, and then potential employers not hireing you over it. The annoying thing is it can't be proven: If an employer looks you up and finds you've been insulting his religion, he isn't going to give that as the reason in your rejection letter - you'll just get a generic form rejection saying 'your application has not been successful on this occasion.' It probably happens all the time.

Re:Yup

[recoiledsnake]

>The response has often been that I'm over-reacting

Because you are.

No he isn't.

See http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats

in at least four cases, Barksdale spied on minors' Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he'd befriended, Barksdale tapped into call logs from Google Voice, Google's Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid's account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.

In other cases involving teens of both sexes, Barksdale exhibited a similar pattern of aggressively violating others' privacy, according to our source. He accessed contact lists and chat transcripts, and in one case quoted from an IM that he'd looked up behind the person's back. (He later apologized to one for retrieving the information without her knowledge.) In another incident, Barksdale unblocked himself from a Gtalk buddy list even though the teen in question had taken steps to cut communications with the Google engineer.

Re:Paranoia is a problem? Why?

[spasm]

'Why is "bringing about paranoia" a problem?'

Seriously. I do research with human subjects. If I don't have at least some people choose to decline participation at the point of informed consent, then I assume my consent isn't good enough - participating in any given research project is *always* not a good choice for at least one person.

Then again, you have the interesting situation that formal school-based education is not the correct solution for every single human; using google apps (or whatever cloud-based system a school is considering) is not the correct situation for every child, yet in both cases the benefits to society (shared childhood experience, guaranteed minimum education level; cheaper infrastructure) may wildly outweigh the relatively minor risks for the individuals.