google apps

Have Fun Explaining This To Parents As Your School Transitions To Google Apps

While this is likely an isolated incident, it certainly raises questions about what happens to a student's personal information (also known as their thoughts, and portions of the intellectual explorations that make up their life) when it is sent to a large company. In this case, an engineer at Google was allegedly fired for accessing the accounts of minors:

In other cases involving teens of both sexes, Barksdale exhibited a similar pattern of aggressively violating others' privacy, according to our source. He accessed contact lists and chat transcripts, and in one case quoted from an IM that he'd looked up behind the person's back. (He later apologized to one for retrieving the information without her knowledge.) In another incident, Barksdale unblocked himself from a Gtalk buddy list even though the teen in question had taken steps to cut communications with the Google engineer.

So, as schools make decisions to outsource essential services to external companies (aka the cloud), it's worth remembering that there are people working around the clock to keep the cloud running. Most of these people do the right thing all of the time, but for schools rolling these services out (and requiring students to use them as part of their school work) what recourse would you have if your student's privacy was violated? More to the point, how would you know? Is there even any guarantee that you would be told?

At what point does convenience trump the ability to guarantee your students and your parents that you have taken reasonable steps to ensure the privacy and integrity of work done within your school?

Google Apps, and Privacy

I came across another discussion on the use of Google Apps within K12 organizations -- this is a lightly edited version of my reply in that thread:

With Google Apps, the real value for Google isn't in "owning" your content. The value for them is in mining it, and then using that information to hone their business selling ads and working with affiliate advertisers -- and their privacy policy expressly states that your data will be used in this way.

From Google's Privacy Policy, at http://www.google.com/privacypolicy.html


Log information – When you access Google services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.

So, they can track a request for a specific web site to a specific user, and can keep track of what an individual does over time.

Affiliated Google Services on other sites – We offer some of our services on or through other web sites. Personal information that you provide to those sites may be sent to Google in order to deliver the service. We process such information under this Privacy Policy. The affiliated sites through which our services are offered may have different privacy practices and we encourage you to read their privacy policies.

The approximate translation: when using Google Apps, you might get sent to another site, and this site might have a different privacy policy, and this site might share a different set of your private information with us. You may or may not know when this is happening, but it's your responsibility to know when to check for the privacy policy of these sites.

Then, the policy goes on to list why Google is collecting this information:

  • Providing our services, including the display of customized content and advertising;
  • Auditing, research and analysis in order to maintain, protect and improve our services;

I've chosen a very small section of the privacy policy here, but the full policy goes into much more detail, including info about geographical data.

For a sense of what can be inferred from even very rough user data, take a look at the fallout that occurred when AOL released search data from it's userbase. This search data is nowhere near as precise as what Google collects, but it still revealed an astonishing range of information about its users.

So, when schools are using Google Apps, every member of that community is participating in unpaid marketing research. If you are buying Google Apps as part of a service, you are paying to participate in market research.

As a closing thought, I'd like to hear the conversation that ensued if a person walked into the head of school's/principal's office and said the following:

"I'd like to enroll all of our Middle School students in an unpaid marketing research program. They'll never know it's going on, and every facet of their online collaboration will be tracked as part of the study. Oh, and it comes with email."

Selling Out Student Privacy

Over on his blog, Will Richardson has an interesting post on using the power of cloud computing. The comment thread also gets interesting; some responders conflate the idea of cloud computing with the more general notion of web-based tools and Software as a Service, but one of the other issues that gets either overlooked or undervalued is the issue of student and faculty privacy. It's also clear that in some cases, the terms and conditions of these services remain unread or ignored.

I left a version of this post as a comment on the blog, in addition to an earlier comment. As this comment has been caught in the gaping maw of spam prevention for the last 24-36 hours, I figured I'd post it here as well.

One commenter asks whether Google is liable for any data loss.

RE: "Do they (Google) have any liability for lost documents?"

No. See the Terms of Service

Two relevant sections:

"13. Warranty Disclaimer. CUSTOMER UNDERSTANDS AND AGREES THAT EACH SERVICE MAY CONTAIN BUGS, DEFECTS, ERRORS AND OTHER PROBLEMS THAT COULD CAUSE SYSTEM FAILURES. CONSEQUENTLY, THE SERVICE INCLUDING ALL CONTENT, SOFTWARE (INCLUDING ANY UPDATES OR MODIFICATIONS TO THE SOFTWARE), FUNCTIONS, MATERIALS AND INFORMATION MADE AVAILABLE ON OR ACCESSED THROUGH THE SERVICE, AND ANY ACCOMPANYING DOCUMENTATION ARE PROVIDED “AS IS” AND ANY USE THEREOF SHALL BE AT CUSTOMER'S OWN RISK."

and

"15. Limitation of Liability. IN NO EVENT WILL GOOGLE OR ITS LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES, AND INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA, LOST PROFITS, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, HOWEVER CAUSED (INCLUDING BUT NOT LIMITED TO USE, MISUSE, INABILITY TO USE, OR INTERRUPTED USE) AND UNDER ANY THEORY OF LIABILITY, INCLUDING BUT NOT LIMITED TO CONTRACT OR TORT AND WHETHER OR NOT GOOGLE WAS OR SHOULD HAVE BEEN AWARE OR ADVISED OF THE POSSIBILITY OF SUCH DAMAGE REGARDLESS OF WHETHER ANY REMEDY SET FORTH IN THIS AGREEMENT FAILS OF ITS ESSENTIAL PURPOSE; OR FOR ANY CLAIM ALLEGING INJURY RESULTING FROM ERRORS, OMISSIONS, OR OTHER INACCURACIES IN THE SERVICE OR DESTRUCTIVE PROPERTIES OF THE SERVICE."

The convenience of the service is also mentioned.

RE: "As soon as we go to Google Apps, all our students will have a similar conventional email address so all students will be able to use Docs, Calendar, GTalk, Reader, Sites, etc. in a collaborative way."

This type of comprehensive user experience makes an ideal terrain for data mining. One user ID can be tied to chat content, email content, various documents (both created and read) and links followed from all these documents. Additional mining can include looking at groups of students, and student surfing behavior based on time of day. This is advertising gold, and it gives some amazingly useful information about a coveted advertising demographic.

For a cautionary tale on privacy, see this post that goes over the recent Viacom suit against Google, and lays out some of the privacy implications. Imagine that a media company has detected copyright violations coming from within a district. Then, read the article linked above. Substitute "Google Apps for Education" for "youtube." Then, imagine your district's cost savings vaporizing faster than you can say, "I wish we had invested in our own infrastructure" as gaggles of lawyers flood your district. For extra fun, imagine the lawsuit involves students under the age of 13. Considering that you can sign into YouTube with your Google ID, it's conceivable that many students would use their school account for their personal video use.

Seriously, folks. Think long term, just for a second. We don't encourage our students to cut corners. We should have the same expectations for our critical infrastructure. Open source virtualization options exist; these options would deliver some of the same advantages of cloud computing, but without selling out student and faculty privacy as the price of convenience.

Update: My comment has been freed from the moderation queue, and the conversation continues.

Subscribe to RSS - google apps