Privacy & Security

Google Acknowledges Data Mining Student Users Outside Apps for Education

By Benjamin Herold — February 17, 2016 5 min read
  • Save to favorites
  • Print

Online-services giant Google has acknowledged that it collects and data-mines for some commercial purposes a wide range of personal information on student users who log in through its popular Apps for Education service, then venture to the company’s search engine and other products.

What kinds of student-data-privacy concerns are raised by that revelation, included in a letter from Google to U.S. Senator Al Franken last week?

Depends who you ask.

“This is the first time that Google has admitted that it is in fact spying on children in schools,” said Joel Reidenberg, a law professor and privacy expert at Fordham and Princeton universities, in an interview. “They are appropriating [students’] educational login to be able to track students when they use the [account] for non-Apps for Education purposes.”

Industry representatives, on the other hand, argued that Google is doing nothing wrong, the company should be applauded for its increased transparency, and that it appears to be making a good-faith effort to navigate tricky technical waters faced by many large technology companies who provide both commercial and educational products and services.

“I think they’re within their right to improve their products by using student information,” said Brendan Desetti, the director of education policy for the Software & Information Industry Association, a Washington-based trade group.

A Google spokesperson did not immediately respond to a request for further comment.

Google Scrutinized on Student-Data-Privacy

The new information about Google’s practices is the latest in a stream of controversies surrounding the Mountain View, Calif.-based company’s handling of student information. In 2014, the company found itself in hot water after Education Week reported that it had acknowledged “scanning and indexing” student email messages sent using Google Apps for Education, or GAFE. Google officials say the company has since stopped that practice.

But in December, privacy-advocacy group the Electronic Frontier Foundation filed a complaint against Google with the Federal Trade Commission, alleging in part that the company was using information collected from GAFE users who venture to other Google services in ways that violate the volunteer Student Privacy Pledge. That complaint prompted Franken last month to demand answers.

Google’s response to the senator’s request was sent on February 12 and signed by Susan Molinari, the company’s vice president for public policy and government relations in the America’s. It includes the following description of what types of information the company collects from student users who venture outside of Apps for Education to use the company’s other services:

If a school permits access to one of Google’s additional services outside the GAFE core
services, such as Google Maps, Google collects the information described in our Privacy Policy. The information we collect in these services is similar to that collected from any other Google user, and includes: Information the user gives us, including personal information like name, email address, or telephone number. Device information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Log information, including user entries like maps queries, the network’s IP address, and device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of the request and referral URL.

If any of that information is associated with a student’s Apps for Education account, according to the letter, some additional protection for that student kicks in—namely, that Google will not use the information to target ads to that child.

In describing how the company does use such information when it is collected, however, Google’s letter does reference other commercial purposes:

Google may use the data from additional services outside of the GAFE core services for the purposes described in our Privacy Policy, which include, for example, product improvement and product development. We make further commitments for GAFE users in our GAFE Privacy Notice, including a commitment not to use personal information from K-12 GAFE users to target ads. In other respects, the additional services outside of the GAFE core services work for students just as they do for any other user.

Privacy advocates and industry representatives are likely to interpret such uses of those data in different ways, said Desetti of the Software & Information Industry Association.

“I think it really comes down to what we mean by ‘commercial purposes,’” he said. “Ultimately, it will be the FTC who really makes that determination.”

Also a challenge: regulating what happens when students jump back and forth between an educational service and a commercial product.

State and federal laws and the voluntary Student Privacy Pledge now signed by Google and more than 200 other companies cover only that information collected within an educational service, said Brenda Leong, senior counsel and director of operations with the Future of Privacy Forum, a Washington think tank with industry ties that is the prime mover behind the pledge.

“We feel that Google’s actions and response are consistent with observing those requirements,” Leong said in an interview.

A ‘Thorough’ Response From Google

Among the other issues Google’s letter addresses:

  • What kind of information is collected on students within Apps for Education and how it used (personal, device, and login information, but only to provide those educational services).
  • Whether Google has ever used personal information to target ads to students (still unclear)
  • Whether it is possible for the company to require parent to opt-in to the types of data collection described above (the company puts the burden on schools).
  • Whether Google shares or sells student information (only under exceptional circumstances commonly cited by most companies).

In a statement, Senator Franken called the company’s response “thorough,” but said there are issues he hopes to further clarify.

“I’m still concerned about what Google does with the information it collects and processes from students who are browsing outside websites—like YouTube—while logged into Google’s education service,” Franken said. “I’m also still interested in whether or not Google can provide parents and students with stronger privacy protections.”

The company’s letter stressed that it is up to schools to grant access to students to venture outside of GAFE and to secure parental consent for allowing them to do so.

Reidenberg, the Fordham privacy professor, took particular issue with that stance.

“Number one, school administrators are generally not informed that this is what Google does,” he said. “Second, we have very strong public policies trying to get schoolchildren online for educational purposes and Internet research. If administrators follow those [policies], and kids are logged into Apps for Education, this is letting Google spy on them.”

Photo: The Google sign at the company’s headquarters in Mountain View, Calif.--Marcio Jose Sanchez/AP-File

See also:

A version of this news article first appeared in the Digital Education blog.