Slashdot Mirror


Google Calls Out EFF Over Claims That It Snoops On Students With Chromebooks (hothardware.com)

MojoKid writes: The Electronic Frontier Foundation (EFF) caused quite a stir this week when it alleged that Google is using its Chromebook platform, which has made a significant impact in education markets, to snoop on students. The charges were damning, with the EFF claiming that Google was violating its own corporate policies and using students' personally identifiable browsing data/habits to refine its services, in addition to sharing that data with partners. Obviously, Google would take such allegations seriously, and has thus responded to every claim brought forth by the EFF. "While we appreciate the EFF's focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge..." said Jonathan Rochelle, the Director of Google Apps for Education. With respect to Google Apps for Education Core Services (GAFE), Rochelle asserts that all student data stored is "only used to provide the services themselves" and that student data isn't used for advertising purposes, nor are ads served to students. Rochelle also explains that personally identifiable data of students is removed, and only aggregated data of its millions of users is utilized to help improve its services.


  1. Obviously by U2xhc2hkb3QgU3Vja3M · · Score: 1, Informative

    All your data are belong to us.

  2. Re:c'mon, man by Meshach · · Score: 4, Insightful

    nobody believes that. if you HAVE it, you have COLLECTED it and the RETENTION of such data fits YOUR purposes.

    When I send an email my ISP will scan the email for viruses and to make sure it is not spam. How is this any different?

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
  3. Who you gonna believe? by PopeRatzo · · Score: 2, Insightful

    Google, or your own lying eyes?

    Tell you what, the EFF has credibility in the bank with me. Google on the other hand...

    --
    You are welcome on my lawn.
    1. Re:Who you gonna believe? by mrchaotica · · Score: 1

      Plus, the weasel words here are pretty obvious: Google admits to collecting students' personal information, but tries to hide behind "we only use it in aggregate".

      Not to mention, the people at Google should know in more exquisite detail than just about everybody else (except maybe Facebook and the NSA) exactly how incredibly easy it is to dis-aggregate aggregate data.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:Who you gonna believe? by sexconker · · Score: 2

      Wrong.
      What the FCC proposal actually says gives the FCC the power to require the locking down that the EFF was upset about.
      The FCC simply issued a statement after the fact saying "We won't use it to do that, honest."
      Further, the truth of the matter is that the vast majority of commodity hardware is built as a SoC, and the manufacturers involved would sooner lock it all down than lock down only certain parts based on a current interpretation of the rules while leaving other parts open.

    3. Re:Who you gonna believe? by slimjim8094 · · Score: 5, Insightful

      The EFF has credibility with me as well (less than they used to, for similar reasons as PETA), but how can they possibly know what Google is using the data for internally? They don't have enough information to know anything beyond "it's being synced" - which for a feature called "Chrome Sync" seems pretty obvious. The reason it's being synced is also obvious and the blog post states it plainly - most schools don't buy a chromebook per student, they have a cart that's brought where required, and the sync is so that when the student signs in they have their personalization.

      Google has always said "we use aggregate data to make our services better". They say it everywhere. It's how Google works. But they also say "we're not looking at individuals or less-than-anonymized groups of people". And there's no evidence they're doing the latter in addition to the former. I can't figure out on what basis - and with what information - the EFF is making that claim other than "we don't like Google". It sounds like a PR stunt for their new initiative. Really if the EFF *did* know that the data was being used for nefarious purposes, it would mean there was some sort of external leak of user data - which would be much more damaging than the supposed activity they are concerned with.

      As a disclaimer, I do work at Google. I do in fact know what Google does with user data. It's pretty much what it says on the tin, and they are extremely serious about it. Nefarious use of user data is one of the few outright firing offenses, and they will find you.

      So you don't believe me. That's fine, and I'm not surprised. But why do you believe the EFF, which is the party with the less information, in absence of evidence beyond their say-so? That's firmly conspiracy theory territory. Even if they did have a better track record (hard to say, they're not without mistakes), and didn't have any agendas (not true) they simply can't back up their assertions here with any evidence. You're left with an unverifiable claim from someone who can't know, vs unverifiable claim from someone who does know.

      Which is more likely - the EFF made a bullshit accusation with no evidence that they suffer no penalty for and might even help them anyways, or Google making a bald-faced, PR-damaging lie that can be discovered with a simple subpoena?

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    4. Re:Who you gonna believe? by slimjim8094 · · Score: 2

      My argument isn't predicated on me being right about how the data's being used, it's solely that the EFF can only be talking out their nether regions when they say that they do know how it's being used. Indeed, if there is some huge conspiracy that's so secret that not even the engineers working on the systems in question know about it, then it's even less likely that the EFF knows, right?

      Don't bother replying, I'm not trying to convince you and I know I won't succeed. But other people read these comments.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    5. Re:Who you gonna believe? by Tough+Love · · Score: 1

      the weasel words here are pretty obvious: Google admits to collecting students' personal information, but tries to hide behind "we only use it in aggregate".

      What is the minimum size of an aggregate, one might fairly ask.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    6. Re:Who you gonna believe? by AmiMoJo · · Score: 2

      The EFF's point is that the data shouldn't be collected because even if Google is being responsible with it today, tomorrow they might change their policies or sell the data to someone else who then abuses it. We have seen this happen in the past with companies that go bankrupt and then sell off their databases to cover the CEO's golden parachute.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Sounds Familiar by konohitowa · · Score: 2, Informative

    I seem to recall a similar response when accused of collecting WiFi data.

    1. Re:Sounds Familiar by taustin · · Score: 1

      Mindless idiots will love Google anyway.

      Or hate them anyway, even if they cure cancer and end world hunger.

    2. Re:Sounds Familiar by Zero__Kelvin · · Score: 1

      Exactly. I'm not a huge Google fan, nor a big fan of any company for that matter, but I have yet to see any evidence that they are malicious or underhanded.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Sounds Familiar by Solandri · · Score: 5, Informative

      Google self-reported their excessive wifi data collection. Basically a government agency accused them of collecting more wifi data than just SSIDs. Google said, "No, we're only collecting SSIDs. Here, we'll prove it." Then they audited their own records, came back, and said, "Oops, you were right, we accidentally recorded more info than just the SSID."

      Contrast this with, say, Microsoft who still won't say what data Windows 10 is collecting. Or Apple, who commandeered people's iPhones to report location and SSIDs back to them (to accomplish what Google did by paying people to drive company cars around), and still haven't admitted it, brushing it off as an oversight instead of prep for their own mapping program. I'm not sure why Google keeps getting brought up as the quintessential example of a bad guy in these privacy issues, when they've been pretty open about what they do and admit when they make mistakes. Other companies are far worse. The way the EU handled the Google case vs. the Apple case basically tells companies: if you accidentally break the law, it is better to obfuscate and deny it, than to be honest and admit it.

    4. Re:Sounds Familiar by konohitowa · · Score: 1

      Like I said, it sounds familiar. They were accused and denied it, just like this case. Furthermore, after they claimed to have stopped it they continued to fight in court claiming, as they are right now, that what they were/are doing is perfectly legal. The "no laws were broken" defense.

    5. Re:Sounds Familiar by konohitowa · · Score: 1

      Get back to us when they cure cancer and end world hunger. I'll be more than happy to hail them. Until then, that's just a bunch of hyperbolic bullshit.

  5. Re:Tinfoil hats. by FatdogHaiku · · Score: 3, Funny

    I love that every response so far on slashdot is by a conspiracy theorist.

    That, sir, is stereotyping!
    Some of us are just nuts...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  6. Just for balance by Anonymous Coward · · Score: 5, Informative

    Since the awful TFA didn't include a link to Google's post defending itself from EFF's accusations even though it quoted from that source, here's the link to it:
    http://googleforeducation.blogspot.com/2015/12/the-facts-about-student-data-privacy-in.html

    Also here's a link to the Student Privacy Pledge that EFF has accused Google of violating:
    http://studentprivacypledge.org/

    The Student Privacy Pledge will hold school service providers accountable to:

            Not sell student information
            Not behaviorally target advertising
            Use data for authorized education purposes only
            Not change privacy policies without notice and choice
            Enforce strict limits on data retention
            Support parental access to, and correction of errors in, their children’s information
            Provide comprehensive security standards
            Be transparent about collection and use of data.

    Here are links to the co-authors of the Student Privacy Pledge stating their objections to the EFF's complaint:
    https://fpf.org/2015/12/01/future-of-privacy-forum-statement-regarding-electronic-frontier-foundation-student-privacy-complaint/

    In response to the allegations made today that Google has violated commitments of the Student Privacy Pledge (SPP), FPF Executive Director Jules Polonetsky issued the following statement:

    We have reviewed the EFF complaint but do not believe it has merit.

    http://blog.siia.net/index.php/2015/12/some-misunderstandings-of-the-student-privacy-pledge/

    The Electronic Frontier Foundation has filed a complaint with the Federal Trade Commission against Google for violation of the K-12 School Service Provider Pledge to Safeguard Student Privacy. The FTC will assess the complaint on its merits and make a judgment one way or the other. But, it is important to point out that the complaint contains some important misunderstandings about the student privacy pledge.

    1. Re:Just for balance by Krishnoid · · Score: 1

      The Electronic Frontier Foundation has filed a complaint with the Federal Trade Commission against Google for violation of the K-12 School Service Provider Pledge to Safeguard Student Privacy.

      The EFF and Google -- both nominally good faith actors with regards to privacy -- are in conflict, and they're taking their issue up with ... the government?

  7. Define a student... by Anonymous Coward · · Score: 1

    If ads are not served to students, how do I tell google that I'm a student?

    Learn something new every day.

    1. Re:Define a student... by ledow · · Score: 1

      Be part of a verified educational institution that is given unlimited-storage Google Apps for Education (identical to Google Apps for Business - go look at the prices) for free.

      The signup for my schools consisted of proving we were a registered school in the UK, and that our domain belonged to us, and some guy checked that our domain was the official school website.

      Now I have an admin interface that lets me create unlimited accounts or unlimited size to assign to registered students, while tracking their every move myself (not that there's anything of interest there that we can't already get from web-filters, network shares, school databases etc.) and being able to poke into their accounts, and report on what files they are using and who they are sharing them with.

      To be honest, if you have one of these accounts, the SCHOOL being the people who can see more of what you do is the concern, not Google. Which is exactly why you shouldn't be using them for non-school purposes anyway. Which is why my EULA states that, quite clearly, for both parents and students alike to be aware.

      And, no, I've never, ever seen a single piece of advertising or even suspect a single piece of advertising is tracking via the Google Apps for Education functionality. They've got the best and most up-to-date data protection documents I've seen (which the UK law REQUIRES from them before we can use them, and which goes far beyond what the UK/EU require). By comparison, Apple barely bother to even publish one for iCloud, etc.

      Big fuss about nothing.

      If you have a school-issued Chromebook, or a Chromebook under Device Management for a school, the school (including the school IT guy) are capable of listening in to anything you do. That's infinitely more worrying than any trend you might trigger on Google Ads from what you searched for, if that's even happening at all.

  8. First party links? by Lunix+Nutcase · · Score: 1

    Can we actually get original links to the EFF and Google blog posts not some third party regurgitator?

    1. Re:First party links? by Lunix+Nutcase · · Score: 1

      Cool thanks. Seems you made your post just as I was making mine.

  9. After PRISM whats left to consider? by AHuxley · · Score: 1

    The wider network is even more secure from other ad services. Data is more anonymized and everyone is more happy with the free happy services given away for free. Learning is a happy time too, with all the advanced branded products and free services offered for free.
    No other marketing communication brand can see the very secure network.

    --
    Domestic spying is now "Benign Information Gathering"
  10. Re:c'mon, man by taustin · · Score: 4, Insightful

    My ISP hasn't built their entire business on collecting as much information as possible and selling it to advertisers.

  11. Re:Tinfoil hats. by Hognoxious · · Score: 1

    Conspiracy theorists? They're all pissing in the same pot, you know.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  12. Re:Good faith all burned up by Zero__Kelvin · · Score: 1

    After all that Google has done? Maybe you could just name one atrocity to get us started?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  13. Re:c'mon, man by Zero__Kelvin · · Score: 5, Insightful

    "When I send an email my ISP will scan the email for viruses and to make sure it is not spam. How is this any different?"

    People, at least here on Slashdot at the present moment, don't have an irrational hatred for your ISP.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  14. I am shocked that there is gambling in this casino by WillAffleckUW · · Score: 1

    (Google hands bribe to regulators)

    Shocked I tell you!

    --
    -- Tigger warning: This post may contain tiggers! --
  15. First be Evil by WillAffleckUW · · Score: 1

    wasn't that Google's motto?

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:First be Evil by beastofburdon · · Score: 1

      No, that's Alphabet's motto, they had to change company names to ditch the "don't be evil" slogan for good.

  16. Re:c'mon, man by WillAffleckUW · · Score: 1

    you're confusing data - which they say they don't collect - with metadata, which has the meaning of the data they collect, stored.

    It's easy to say you're not collecting data, when you're actually storing the metadata after you process the data.

    The end result is the same.

    --
    -- Tigger warning: This post may contain tiggers! --
  17. rebuild identity by bigtreeman · · Score: 1

    The more de-identified data aggregated the easier to rebuild identity.
    Data mining is all about finding a needle in a haystack,
    extracting coherency from apparent chaos.

    --
    Go well
  18. Re:c'mon, man by farble1670 · · Score: 2

    more Google FUD. please link to the evidence that google has sold your personal data, or has lost it in a breach.

    google doesn't sell your data. they collect it and use it to serve you ads. it's google that decides which ads to point at you, not the advertiser. and i don't need an auditor to prove that to me since it's common sense. data is google's most (only?) valuable asset. they aren't going to sell it off, and they will darn sure safeguard it for the same reason. they like money. they want to keep getting money. pretty simple.

  19. Re:c'mon, man by farble1670 · · Score: 1

    My ISP hasn't built their entire business on collecting as much information as possible and selling it to advertisers.

    any company that has the ability to collect personal data is doing so. phone, TV, PC, or any other smart device that can phone home does phone home. whether they are utilizing it to the extent google does is another question, but every one of them aspires to grab a piece of google's pie.

    don't mistake business incompetence for altruism.

  20. Re:Good faith all burned up by s.petry · · Score: 1

    I get that reading is hard, and harder when it's legal stuff but you should give it a try sometime. You have to work for this one, but links are already posted in this thread.

    To my IANAL eye the EFF claims could be valid. Google's response avoids or ignores the allegations and tosses out a few red herrings for people to chew on. I have not tested the EFF's claims but I'm guessing that they have more than speculation backing their complaint. The Google response is carefully worded, leaving lots of maneuvering room if they are found to be in violation.

    Google is not some altruistic company parading around in a halo. At the same time, they are not as evil as another IIT company that comes to mind. (At least that we know of). Given that there have been prior incidents I'll wait for the evidence to play out on this one.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  21. Re:Good faith all burned up by sexconker · · Score: 1

    Yuuuuuuuuuup!
    The Google doth protest too much.

  22. Re:c'mon, man by Anonymous Coward · · Score: 1

    how do you know?

  23. Google vs. The EFF? by RobotRunAmok · · Score: 1

    The Big Evil vs. Pomposity, Inc.? Just too good...

    In the meantime, while I'm waiting for the corn to finish popping, here's a link detailing how to install Linux on said chromebook http://www.digitaltrends.com/c...

  24. Privacy Pledge! by ememisya · · Score: 1

    Google pinky swears that it will only use the data for improving its services. As long as that's the case we can all rest assured.

  25. Re:Good faith all burned up by HiThere · · Score: 1

    There's also the lamentable ease with which anonymized data has been repeatedly de-anonymized.

    MAYBE they actually did it this time. Perhaps. I guess. But there have been so many failures, often apparently without malice on the part of the anonymizing agent, that I find it difficult to believe.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  26. Re:c'mon, man by HiThere · · Score: 1

    FWIW, I haven't yet seen evidence that Google sells consumer data. I'll admit they might, but their business model revolves around being the keeper of the data and acting as a man in the middle whenever anyone wants to use the data. I.e., they sell access to the individuals, not who the individuals are. Once they sell who the people are they lose their monopoly.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  27. Trust by manu0601 · · Score: 1

    In a nutshell, they collect personal data but ask us to trust them to never misbehave with it.

  28. Re:c'mon, man by Col.+Klink+(retired) · · Score: 1

    And they DON'T serve ads on school accounts.

    --

    -- Don't Tase me, bro!

  29. title grammar by mattwarden · · Score: 1

    "Ambiguous pronouns lack a clear antecedent, while vague pronouns lack an antecedent altogether. Remember that antecedent refers to the noun or pronoun that a pronoun refers to (ante meaning “before” in Latin). In the following sentence, the pronoun is bolded: Fred visited Bob after *his* graduation.

    Not just being a nazi. I had to read the title 3 times to understand it.

  30. GGG by tehlinux · · Score: 1

    Good Guy Google, knows most students hadn't heard about the claims. Draws more attention to them.

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
  31. Re:Good faith all burned up by Aighearach · · Score: 1

    I get that reading is hard, but they're not actually accused of anything nefarious.

    In other words, when a student logs into their educational account, and then uses Google News to create a report on current events, or researches history using Google Books, or has a geography lesson using Google Maps, or watches a science video on YouTube, Google tracks that activity...

    That is from the EFF response to the Google defense.

    It turns out the accusation is not the accusation it appears to be at first. The accusation is simply that a Chromebook can be used to connect to the internet. That is the whole accusation.

  32. Re:c'mon, man by Carewolf · · Score: 1

    nobody believes that. if you HAVE it, you have COLLECTED it and the RETENTION of such data fits YOUR purposes.

    When I send an email my ISP will scan the email for viruses and to make sure it is not spam. How is this any different?

    Your ISP presumably doesn't collect data from your emails and sell that on, or use it to advertise to you.

  33. Re:The real crime here is by Rob+Lister · · Score: 1

    No crime in a Chromebook. I bought one for my father to replace his Win7 laptop. It does everything he needs a computer to do; email, banking, writing, accounting, surfing, etc. And so, I no longer spend my Saturday mornings teamviewing into his computer to fix everything that [he/M$/a myriad of others] broke in the last week. For him it has been both a relief and a joy. For me I have to find an excuse to otherwise call and chat.

  34. Re:c'mon, man by phorm · · Score: 1

    No, but in all honesty Google - while collecting more data - seems to be doing a better job of being upfront about said collection and policing how it's used than the ISPs I've seen that do so, especially when it comes to nasty stuff like mobile carrier supercookie insertion etc.

  35. Re:c'mon, man by martin-boundary · · Score: 1

    No, you're being disingenuous. There's a world of difference between an organization keeping tons of data in a random hodgepodge of logs and temporary files with incomplete and missing data mixed, and effectively no ability to datamine except by painstaking manual ad hoc methods, against an organization that purposely builds state of the art data retrieval systems and AI algorithms to maximize the information gain from every collected tidbit.

    It's the difference between some company keeping a basement full of old paperwork and other junk they just don't know what to do with, and a stasi-like multi-billion dollar spying bureaucracy that has up to date files on every citizen, dead or alive. In both cases they can find out if you paid off that bill in August 2011, but in the first case it takes three days for an underpaid intern to open thousands of folders and flip pages for that one piece of data, and in the other it takes a button press and you not only get the exact information, but you also get a two hundred page dossier with the names of your neighbours, children's teacher, the brand of food your cat eats and how many years you've been secretly gay.

    It's the difference between some company for whom the data is not related to the business model, and some company for whom the data IS the business model.

    ISP != Google