What Peeple Tells Us About Privacy

2 min read

The latest Internet furor du jour is over an app called Peeple. This post is not going to get into the details or problems with the app, as other people have already done a great job with that.

In brief, the app allows anyone with a Facebook account to rate anyone else. No consent is needed, or asked. All a person needs to rate another person is their phone number.

As seen in the links above (and in a growing angry mob on Twitter), people are pointing out many of the obvious weaknesses in this concept.

The reason many people are justifiably furious about Peeple is that it allows strangers to rate us, and makes that rating visible as a judgment we potentially need to account for in our lives. However, what Peeple aims to do - in a visible and public way - is a small subset of the ways we are rated and categorized every day by data brokers, marketers, human resources software, credit ratings agencies, and other "data driven" processes. These judgments - anonymous, silent, and invisible - affect us unpredictably, and when they do, we often don't know about it until much later, if at all.

While Peeple is likely just a really bad idea brought to life by people with more money and time than sense, I'm still holding out hope that Peeple is a large scale trolling experiment designed to highlight the need for increased personal privacy protections.

Some Tips For Vendors When Looking At Your Privacy Policies

4 min read

This post is the result of many conversations over the last several years with Jeff Graham. It highlights some things that we have seen in our work on privacy and open educational resources. This post focuses on privacy, but the general lesson - that bad markup gets in the way of good content - holds true in both the OER and the privacy space.

When looking at privacy policies and terms of service, the most important element is the content of the policy. However, these policies are generally delivered over the web, so it's also important to look at how the pages containing them perform on the web. Vendors should ensure that their policies are as accessible as possible to as many people as possible, with as few barriers as possible.

Toward that end, here are four things that vendors should be doing to test the technical performance of their policies.

  • View the source. In a web browser, use the "view source" option. Does the text of your policy appear in the "main content" area of your page, or some semantic equivalent? Are you using h1-h6 tags appropriately? These are simple things to fix or do right.
  • Google your privacy policy and terms of service, and see what comes up. First, use the string "privacy policy OR terms of service [your_product_name]". See what comes up. Then, use the more focused "privacy policy OR terms of service site:yoursite.com" - in this search, be sure to omit the initial "www" so that your search picks up any subdomains.
  • Use an automated tool (like PhantomJS) to capture screenshots of your policies. If PhantomJS has issues grabbing a screenshot of your page, it's a sign that you have issues with the markup on your page.
  • Use a screenreader to read your page. Listen to how - or whether - it works. Where we have observed a page failing to behave in a screenreader, it's frequently due to faulty markup, or to the page being loaded dynamically via JavaScript.
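
The first check above - whether the policy text lives inside semantic markup, with appropriate headings - can be sketched with Python's standard library. This is a minimal illustration rather than a full audit; the sample page and the class name are invented for the example:

```python
from html.parser import HTMLParser

HEADINGS = {"h1", "h2", "h3", "h4", "h5", "h6"}

class PolicyAudit(HTMLParser):
    """Rough check: is the policy text inside <main>, and are headings used?"""
    def __init__(self):
        super().__init__()
        self.in_main = 0          # depth of open <main> elements
        self.headings = []        # heading tags encountered, in order
        self.main_text_chars = 0  # readable characters found inside <main>

    def handle_starttag(self, tag, attrs):
        if tag == "main":
            self.in_main += 1
        if tag in HEADINGS:
            self.headings.append(tag)

    def handle_endtag(self, tag):
        if tag == "main" and self.in_main:
            self.in_main -= 1

    def handle_data(self, data):
        if self.in_main:
            self.main_text_chars += len(data.strip())

# A toy policy page with its text in the right place.
page = """<html><body><main><h1>Privacy Policy</h1>
<p>We collect the following data...</p></main></body></html>"""

audit = PolicyAudit()
audit.feed(page)
print(audit.headings)         # which heading levels appear
print(audit.main_text_chars)  # how much readable text sits in <main>
```

A page that buries its policy in scripts, or outside any semantic container, would report zero readable characters in the main content area - exactly the failure mode described above.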

To people working on the web or in software development, these checks probably sound rudimentary - and they are. They are the technical equivalent of being able to tie your shoes, or walking and chewing gum at the same time.

In our research and analysis of privacy policies, we have seen the following issues repeated in many places; some of these issues are present on the sites of large companies. Also worth noting: this is a short list, highlighting only the most basic issues.

  • Pages where the policies are all wrapped in a form tag. For readers unfamiliar with HTML, the form tag is used to create forms that collect data.
  • Pages where, according to the markup, the policies are part of the footer.
  • Pages where, according to character count, the actual policies only account for 3% of the content on the page, with the other 97% being markup and scripts.
  • Sites where Google couldn't pick up the text of the policy and was only able to index the script that is supposed to load it.
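
The character-count issue above is straightforward to measure. Here is a rough sketch, using only Python's standard library, of computing what fraction of a page's characters are readable text rather than markup and scripts. The sample page is invented for illustration:

```python
from html.parser import HTMLParser

class TextExtractor(HTMLParser):
    """Collect the visible text on a page, ignoring scripts and styles."""
    def __init__(self):
        super().__init__()
        self.skip = 0   # depth of open <script>/<style> elements
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.text.append(data)

def content_ratio(page: str) -> float:
    """Fraction of the page's characters that are readable text."""
    extractor = TextExtractor()
    extractor.feed(page)
    visible = "".join(extractor.text)
    return len(visible.strip()) / len(page)

page = "<html><head><script>var x = 1;</script></head>" \
       "<body><p>Our privacy policy.</p></body></html>"
print(round(content_ratio(page), 2))
```

On the pages described above, this ratio came out around 0.03 - the policy itself was a rounding error next to the markup and scripts delivering it.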

We are not going to be naming names or pointing fingers, at least not yet, and hopefully never. These issues are easy to fix, and require skills a technically savvy middle schooler already has. Vendors can and should be doing these reviews on their own. The fix for these issues is simple: use standard HTML for your policies.

We hear a lot of talk in the privacy world about how privacy concerns could stifle innovation - that's a separate conversation that will almost certainly be the topic of a different post, but it's also relevant here. When the people claiming to be the innovators have basic, demonstrable problems mastering HTML, it doesn't speak well to their ability to solve more complex issues. Let's walk before we run.

MySchoolBucks, or Getting Lunch with a Side of Targeted Advertising

6 min read

MySchoolBucks.com is an application that is part of services offered by Heartland Payment Systems, Inc, a company in New Jersey. MySchoolBucks processes payments from parents for school lunches.

Before we proceed any further, we must highlight one thing here: this post IS NOT about the federal, state, or local school lunch programs. This post addresses a vendor that has inserted itself between students, schools, and lunches.

The premise of MySchoolBucks is pretty simple. Parents put money into an account on the site. Accounts are tied to a card used by the student to pay for lunch, and the system keeps track of how much money families have in their accounts.

To make this system work, MySchoolBucks collects a parent name, the name of any children enrolled in school, and the school they attend. Parents add money to their MySchoolBucks account via credit card, so MySchoolBucks also processes credit card payments.

However, reading the Privacy Policy of MySchoolBucks shows some oddities that have nothing to do with supporting parents, students, or schools with lunch. It's also worth noting that MySchoolBucks has a "feature" I have never seen before on any other policy: after six or seven minutes, the privacy policy page automatically redirects you to the home page. It's almost like the company doesn't want you to read their privacy policy at all.

But, for those of us who persevere, we discover some oddness in this policy.

In the opening "Glossary" section, MySchoolBucks defines a Business Partner as follows:

"Business Partners" means, collectively, third parties with whom we conduct business, such as merchants, marketers or other companies.

Then, in Section 4, MySchoolBucks states:

We (or our Vendors on our behalf) may share your Personal Information ... with relevant Business Partners to facilitate a direct relationship with you.

So, business partners include marketers, and marketers can be given personal information. As noted above, the personal information collected in this application includes parent name, child's name, and the child's school.

Taking a look back at the glossary, we get this definition of non-identifying information:

"Non-Identifying Information" means information that alone cannot identify you, including data from Cookies, Pixel Tags and Web Beacons, and Device Data. Non-Identifying Information may be derived from Personal Information.

This definition omits the fact that many of these elements can be used, in combination, to identify you. Thousands of web sites collect this information, which means there is a large dataset of what this vendor inaccurately calls "non-identifying information."

Further down in the policy, MySchoolBucks states that they share "non-identifying information" pretty freely.

We may disclose Non-Identifiable Information which does not include Protected Data:

  • with Business Partners for their own analysis and research; or
  • to facilitate targeted content and advertisements.

Because Heartland Payment Systems shares what they misleadingly call "non-identifying information" with marketers and third-party ad servers with no prohibitions on how it can be used, this "non-identifying" data can be combined with other datasets, and then tied to your precise identity.

Accordingly, the claim of "non-identifying" data is probably accurate from a very narrow legal perspective, but it does not represent the reality of what is possible when data from multiple datasets are combined and mined.
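
To make the re-identification point above concrete, here is a minimal sketch of how two datasets that each look harmless on their own can be joined on a shared "non-identifying" key like a device ID. All names, IDs, and records below are invented for the example:

```python
# Two datasets that each look harmless in isolation.
# A payment app's "non-identifying" usage log:
lunch_app_log = [
    {"device_id": "d-4821", "school": "Lincoln Elementary", "pages": 14},
]
# An ad network's log, where the same device is tied to an identity:
ad_network_log = [
    {"device_id": "d-4821", "facebook_id": "fb-100233", "name": "J. Smith"},
]

def reidentify(anonymous_rows, identified_rows, key="device_id"):
    """Join 'non-identifying' rows to identified rows on a shared key."""
    lookup = {row[key]: row for row in identified_rows}
    return [
        {**row, **lookup[row[key]]}
        for row in anonymous_rows
        if row[key] in lookup
    ]

merged = reidentify(lunch_app_log, ad_network_log)
print(merged[0]["name"], merged[0]["school"])
```

One shared key is all it takes: the "non-identifying" lunch data now carries a name, a Facebook ID, and a school.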

MySchoolBucks also supports login via Facebook, which creates additional problems:

You may register to use our Services using your existing Facebook account. If you opt to use your Facebook account to register to use our Services, you authorize Heartland to collect, store, and use, in accordance with this Privacy Policy, any and all information that you agreed that Facebook, Inc. ("Facebook") could provide to Heartland or Heartland's third party authentication agent through Facebook's Application Programming Interface ("API"). Such information may include, without limitation, your first and last name, Facebook username, unique Facebook identifier and access token, and e-mail address.

The inclusion of the unique Facebook identifier, combined with a device ID (which is likely collected as part of the "non-identifying information") would be sufficient to tie a precise identity to many occasions where a person clicked a "like" link, or shared a link on Facebook. If someone could explain why this information is needed to pay for a 2nd grader's lunch, I'm all ears.

There are other issues with the privacy policy and terms of service of MySchoolBucks, but getting into the deep weeds of every single issue with the policies obscures the larger point: paying for a kid's lunch at school shouldn't expose the student or parent to targeted advertising.

MySchoolBucks and Portland Public Schools

The MySchoolBucks.com site came to my attention a couple weeks ago when I was reviewing back to school emails for my child. My local school district uses this service. I attempted to find any information about this site on the district web site - in particular, any contract that would give more information on how student and parent data use was limited - but found nothing.

To be clear: the lack of information and disclosure from Portland Public Schools is unnecessary, and fosters mistrust.

Portland Public Schools could take three immediate steps to address these issues:

  • List out the district and school level vendors that have been designated school officials. Link to the privacy policies and terms of service of these companies, and upload the text of any additional contracts in place between these vendors and Portland Public Schools.
  • List out vendors used within schools where the vendor has not been designated a school official. Link to the privacy policy and terms of service of these companies. This list would require input and feedback from schools, as they would need to collect information about the software used within each school to support teaching and learning.
  • Document the process and criteria used to select technology vendors for district wide services. Right now, the decision making process is completely opaque to the point where it's impossible to know if there even is a process.

The distinction between vendors who have been declared school officials and vendors that require parental consent is key, as the rules around data use and sharing differ based on the status of the vendor. The lack of any documentation around contracts is also problematic. Contracts are public documents, and these purchases are made with public dollars.

It's worth noting that this is information that should be on the Portland Public Schools web site already. At the very least, parents shouldn't need to wonder who is processing their children's information. I understand that there are numerous details competing for attention within the district, but at some point, excuses need to stop, and be replaced with results. The current level of awareness and attention to student privacy issues within Portland Public Schools is problematic, at best. The communications about these issues have been factually inaccurate, which raises the question: how can we trust Portland Public Schools to get the complicated issues right when they appear to be missing the basics?


Facebook, Privacy, Summit Public Charters, Adaptive Learning, Getting Into Education, and Doing Things Well

7 min read

One of the things that I look for within schools is how solid a job they do telling their students and families about their rights under FERPA. One crude indicator is whether or not a school, district, or charter chain contains any information about FERPA on their web site. So, when I read that Facebook was partnering with Summit Public Charter Schools, I headed over to the Summit web site to check out how they notified students and parents of their rights under FERPA. Summit is a signatory of the Student Privacy Pledge and a key part of what they do involves tracking student progress via technology, so they would certainly have some solid documentation on student and parent rights.

Well, not so much.

It must be noted that there are other ways besides a web site to inform students and parents of their FERPA rights, but given the emphasis on technology and how easy it is to put FERPA information on the web, its absence is an odd oversight. I'm also assuming that, because Summit clearly defines itself as a public charter school, it is required to comply with FERPA. If I'm missing anything in these assumptions, please let me know.

But, returning to the Facebook/Summit partnership, the news coverage has been pretty bland. In fairness, it's hard to do detailed coverage of a press release. Two examples do a pretty good job illustrating the range of coverage: The Verge really committed to a longform expanded version of Facebook's press release, and the NY Times ran a shorter summary.

The coverage of the partnership consistently included two elements, and never mentioned a third. The two elements that received attention included speculation that Facebook was "just getting in" to the education market, and privacy concerns with Facebook having student data. The element that received no notice at all is the open question of whether the app would be any good. We'll discuss all of these elements in the rest of the post.

The first oversight we need to dispense with is that Facebook is "just getting in" to education. Facebook's origins are rooted in elite universities. The earliest versions of the application only allowed membership from people enrolled in selected universities - Ivy League schools, and a small number of other universities.

Also, let's tell the students interacting on these course pages on Facebook - or these schools hosting school pages on Facebook - or these PTAs on Facebook - that Facebook is "just getting in" to education. To be clear, Facebook has no need to build a learning platform to get data on students or teachers. Between Instagram and Facebook, and Facebook logins on other services, they have plenty. It's also worth noting that, in the past, Facebook founder Mark Zuckerberg has seemed to misunderstand COPPA while wanting to work around it.

Facebook - the platform - is arguably the largest adaptive platform in existence. However, the adaptiveness of Facebook isn't rooted in matching people with what they want to see. It makes sure that content favored by advertisers, marketers, self-promoters, and other Facebook customers gets placed before users, while maintaining the illusion that Facebook is responding directly to people's needs and desires. The brilliance of the adaptiveness currently on display within Facebook is that, while your feed is riddled with content that people have paid to put there, it still feels "personalized". Facebook would say that they are anticipating and responding to your interests, but that's a difficult case to make with a straight face when people pay for the visibility of their content. The adaptiveness of Facebook rests on the illusion that users select the content of their feeds, when the reality is more akin to a dating service that matches ads to eyeballs.

Looking specifically at how this adaptiveness has fared in the past raises additional questions.

Facebook's algorithms and policies fail Native communities.

Facebook's algorithms and policies fail transgender people.

Facebook's algorithms and policies selectively censor political speech.

Facebook's algorithms and policies allow racism to flourish.

Facebook's algorithms and policies ruined Christmas (for real - maybe a slight overstatement, but I'm not making this up).

Facebook allowed advertisers to take a woman's picture and present it to her husband as part of a dating ad.

Facebook's algorithms and policies can't distinguish art.

Facebook's algorithms and policies experiment with human emotions, without consent.

I could continue - we haven't even talked about how Facebook simplified government surveillance, but you get the point: the algorithms and policies used by Facebook tilt heavily toward the status quo, and really miss some of the nuance and details that make the world a richer place. In an educational system, it's not difficult to see how similar algorithmic bias would fail to consider the full range of strengths and abilities of all the students within their systems. Facebook, like education, has a bad track record at meeting the needs of those who are defined as outside the mainstream.

In educational technology, we have heard many promises about technologies that will "disrupt" the status quo - the reality is that many of these technologies don't deliver more than a new UI on top of old systems.

There Is An Easy Solution Here

Fortunately, none of these problems are insurmountable. If Facebook released the algorithms to its learning platform under an open source license, no one would need to guess how they worked - interested parties could see for themselves. Facebook has done this with many projects in the past. Open sourcing their algorithms could potentially be an actual disruption in the adaptive learning marketplace. This would eliminate questions about how the adaptive recommendations work, and would allow a larger adoption of the work that Facebook and Summit are doing together. This wouldn't preclude Facebook or Summit from building a product on top of this work; it would just provide more choices and more options based on work that is already funded and getting done.

It's also worth highlighting that, while there will be many people who will say that Facebook has bad intentions in doing this work, that's not what I'm saying here. While I don't know any of the people doing work on the Facebook project, I know a lot of people doing similar work, and we all wake up wanting to build systems that help kids. In this post, I hope that I have made it very clear that I'd love to see a system that returned control of learning to the learner. Done right, adaptive learning could get us there - but "doing adaptive right" requires that we give control to the learner to define their goals, and to critique the systems that are put in place to help learners achieve. Sometimes, the systems around us provide needed support, and sometimes they provide mindless constraints. Adaptive learning needs to work both ways.

Open sourcing the algorithms would provide all of us - learners, teachers, developers, parents, and other people in the decision making process - more insight into and control over choosing what matters. Done right, that could be a very powerful thing.

How Spotify Creates Needless Barriers To Deleting an Account

2 min read

Spotify recently updated their terms of service. While their terms were never especially good (and the use of Facebook login exacerbated the situation), the updated terms appear to claim access to contact lists and location information.

This is not necessary to play music. I've used Spotify since the early days (back from the dark ages when you could actually create an account without Facebook), but these updated terms are too much. I headed over to Spotify to cancel, and found a great example of how a company shows that it has no respect for its users. The account cancellation process at Spotify is foolishly, unnecessarily complicated. To demonstrate this, I made a video of the process, and how it stalls out.

As shown in the video, you need to submit a form explaining that you want to cancel your account. This triggers two emails: first, a confirmation saying that Spotify is working on your request. Then, several hours later, Spotify sends a second email outlining the process that needs to be followed to actually delete your account. This second email ended up in my spam folder; the first one came through with no problem. If I were cynical, I might almost think that Spotify was messing with the headers of their emails to trigger spam filters. But no company hates its users that much (I hope).

It also appears that Spotify has taken steps over time to make the account cancellation process more complicated. Earlier versions of the process - while still not good - at least had fewer steps.

FERPA, Video Surveillance, and Law Enforcement Units

4 min read

In this post, we will take a look at what is potentially a large loophole in FERPA that has some obvious implications for school to prison pipeline issues.

However, I need to open with an enormous caveat: the FERPA brochure referenced in this post is from 2007, and it is possible that these regulations have been updated over the last eight years. I searched for updated versions, and asked other people if they knew of any more recent clarifications, and the closest thing I found from the Department of Education was this doc written after the Virginia Tech shooting. However, the fact that I didn't find anything more recent doesn't mean that additional clarification doesn't exist. If anyone reading this post knows of more recent information on the use of surveillance cameras in schools, and how they are viewed under FERPA, please let me know either via email (bill at funnymonkey dot com) or on Twitter.

As the title of the 2007 brochure from the Department of Education indicates, the Department of Education is offering guidance on how to balance privacy of students with the security of schools, while complying with FERPA. The brochure highlights the role of "law enforcement units" - people or offices within the school who have been designated as having official responsibilities for enforcing laws, or communicating with law enforcement. FERPA specifically exempts records created or maintained by law enforcement units from protection under FERPA.

Under FERPA, investigative reports and other records created and maintained by these "law enforcement units" are not considered "education records" subject to FERPA. Accordingly, schools may disclose information from law enforcement unit records to anyone, including outside law enforcement authorities, without parental consent. See 34 CFR § 99.8.

As stated in FERPA, and highlighted here in this brochure, data collected or maintained by law enforcement units is not considered an educational record. Therefore, both parental and student rights over these records are limited.

The Department continues to offer the following advice (emphasis added):

Schools are increasingly using security cameras as a tool to monitor and improve student safety. Images of students captured on security videotapes that are maintained by the school's law enforcement unit are not considered education records under FERPA. Accordingly, these videotapes may be shared with parents of students whose images are on the video and with outside law enforcement authorities, as appropriate. Schools that do not have a designated law enforcement unit might consider designating an employee to serve as the "law enforcement unit" in order to maintain the security camera and determine the appropriate circumstances in which the school would disclose recorded images.

According to how FERPA is written, and based on the Department's own advice, schools appear to be encouraged to classify specific employees as "law enforcement units" to collect and manage data inside the school that is not protected by the specific law designed to protect data collected inside schools. This detail is odd on its own, but given that the stated purpose of this exemption is to stovepipe data sharing with law enforcement, this recommendation is highly problematic. Given that this FERPA brochure specifically addresses surveillance camera data, it remains an open question how this would affect the use of body cameras in schools.

In this Iowa school district, where it appears that principals and assistant principals will be wearing body cams to record interactions with students, it's unclear whether the data from the cameras is considered an educational record or not. However, in Houston, where all school resource officers will wear body cameras, it seems pretty clear that the officers - and all data collected via their body cams - are part of law enforcement units, and that the data collected by police within these schools will not be protected under FERPA.

We want kids to be treated as learners, not as the objects of surveillance. Creating a special class of employee and a special class of data that is collected inside yet handled outside the educational system seems destructive, and against the interests of learners. Mistakes are viewed differently by education and law enforcement. The broad exemptions granted under the auspices of a law enforcement unit provide ample opportunity for even well intentioned adults to make decisions that have long lasting negative repercussions for kids. The school to prison pipeline is real, and loopholes created by law enforcement units are part of the problem.

The Most Important Thing I Have Ever Written About Privacy Policies and Terms of Service

1 min read

Privacy Policies and Terms of Service need to be shorter. 

OER, or Making the World Better by Doing What You Are Already Doing

5 min read

Some of my teacher friends are in the midst of planning for next year. This planning work often involves creating new curriculum, tweaking old lessons or activities, or curating and organizing learning materials. For teachers who stay in the classroom for multiple years, it's an iterative process that's never done - there's always an improvement to make, a resource to be added, an approach to be modified. The toolkit - and the specific curricular elements within that toolkit - constantly morph over time. It's the place where the teacher/author/creator/specialist can shine.

As an OER advocate, this is also the place that has enormous untapped potential. Teachers constantly create material - some of it new, some of it remixed - and as this material gets used in classrooms, teachers are in an ideal position to make specific, targeted improvements based on what worked and what didn't. So, if you are a teacher and want to tap into the OER world, these steps will get you there.

At a high level, these steps are things that most teachers are already doing. By making some subtle shifts in emphasis, however, we can improve our planning process, and contribute focused, class-tested OER for others to use and adapt. The process plays out over the course of the academic year. With some minor tweaks to our planning process, we can make future planning easier, and create some quality OER in the process.

Initial Planning

This is the phase where scope and sequence is developed, and materials are prepared and mapped to the scope and sequence. In many classes, "materials" include textbooks, primary source texts, vocabulary, projects, field trips, and/or classroom activities. In this planning phase, two elements are essential:

  • Whenever possible, put materials online in an accessible format. Google Docs works well, as do most blogging platforms like Wordpress or Known. When you put your materials online in a format that makes future editing easy, you eliminate barriers to adapting/modifying the content in the future.
  • Document all sources thoroughly - when we are planning, it's easy to focus on the plan and shortchange the sources. By documenting the sources (akin to a list of works consulted) we give ourselves a road map to recreate or verify our material if needed. This is valuable over time - while we might remember our sources two weeks out, we will certainly forget some of them after a few months.

Additionally, when you are storing the work you create during your planning, be sure to put it in a space you control. Even if your district has a Google docs account, use your personal account.


During the Year

As you and your students work through the material, flag elements that worked well, and elements that didn't. Time permitting, write up why you think things succeeded or failed. Do this periodically throughout the year - not daily, but every two to three weeks.

Clean Up and Organize

During school vacation times, edit/revise/clean up the lessons that worked. The goal is to get them approaching a state where they make sense for other people (aka, someone who isn't you). This doesn't need to be comprehensive - it's more of a triage: minor copyediting, and identifying the activities that were more successful than others.

Planning and Maintenance

The planning and maintenance generally happens during longer breaks in the leadup to the new school year. The clean up and organizational work makes this easier (although, really, every step in this process makes the other steps progressively easier, and the benefits multiply over time, leaving teachers free to work more creatively on content and pedagogical approach).

During the planning and organizational periods, the more successful lessons get an additional layer of polish. Additionally, the licensing of any source materials can be checked, and the list of resources used can be double-checked and verified. Once the resource has been reviewed and cleaned up, you can select an appropriate license to use when you share the resource. The goal here is not to make any resource perfect, but to make it comprehensible to people who aren't you. At the end of the planning and maintenance phase, you will have accomplished two main things:

  • The most successful lessons from the course will be cleaned up, modified to incorporate changes based on classroom experience, and in a format where they can be shared and reused in other classes; and
  • You will have built the next version of your course, and benefitted from the work you have done in the past.

Over time, as you clean and share more material, you will have a larger and more polished body of teaching material to work with. Ideally, as people incorporate your material (and you incorporate theirs) you will develop a trusted group of colleagues. As additional years pass, the body of openly licensed and classroom-tested material will increase - and as more people add their best lessons, the size and variety of the teaching materials will grow.

Build For Reuse, or Formats Matter

Earlier in the post, I mentioned formats. In this context, when I say "format" I mean "file format", or the way in which the information is stored. For example, pdf, docx, pptx, and odt are all file formats (used by Acrobat, Word, PowerPoint, and LibreOffice, respectively). The format you choose has implications for how your work is reused. PDFs are convenient for distribution, but horrible for reuse. The same goes for PowerPoint files, and even some videos. This is why an option like Google Docs or a simple blog is often the best choice for individuals, or even moderately large groups. Google Docs and blogging software are both pretty straightforward to use, and are familiar to people with a broad range of technical expertise. Most importantly, both tools make it easy to share content - this simplifies the process of one person reusing and modifying content shared by another.

Being Tracked While Learning About Being Tracked

1 min read

It's really good to see Laura Poitras's film on the Art of Dissent over on the New York Times. The film is amazing; earlier this spring, Kashmir Hill had a great writeup on their work, and more.

Two things struck me while visiting the NY Times to watch the film: first, the number of trackers that loaded on the page. Second, the film is preceded by an ad from IBM extolling the virtues of big data in policing.

Just for kicks, I took a screencast of the experience. You can see the trackers stacking up in the lower right hand corner of the screen. The ad plays while the trackers stack up.
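For readers who want to see this for themselves, a very rough proxy for "trackers on a page" is the set of third-party hosts that a page loads scripts from. Real tracker-detection tools (browser extensions, devtools) are far more sophisticated, but the sketch below, using only the Python standard library, shows the basic idea; the class and function names are my own:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptHostCollector(HTMLParser):
    """Collect the hostnames of all external <script src=...> tags."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src", "")
            host = urlparse(src).netloc
            if host:
                self.hosts.add(host)

def third_party_script_hosts(html: str, first_party: str) -> set:
    """Return external script hosts that don't belong to the first-party domain."""
    collector = ScriptHostCollector()
    collector.feed(html)
    return {h for h in collector.hosts if not h.endswith(first_party)}
```

Feeding this the saved HTML of a news article and its own domain as `first_party` gives a crude count of the outside companies whose code runs when you read the page.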

So, the process of watching a film about dissent in the age of mass surveillance means exposing data to a range of corporate trackers, and watching an ad extolling the virtues of mass surveillance.

Where The Sidewalk Ends: Wading Through Google's Terms of Service for Education

11 min read

Google Apps for Education has been very popular in K12 and higher ed. The service is free, and Google makes some carefully phrased claims about how Apps for Edu does not show ads to users within the core suite of Apps. These claims are often repeated with less nuance by consultants who have been certified to train schools and districts on using Google Apps. Unfortunately, as is often the case, the reality doesn't live up to the sound bite. In this post, we will examine the loopholes that permit data collected from students with Google Apps accounts to be used for non-educational purposes.

Five main issues complicate absolute claims about what Google does or doesn't do with data collected from people within Google Apps for Edu.

We'll get into more detail in this post, but the tl;dr version runs like this:

Google defines a narrow set of applications as "core" Apps for Edu services. These services are exempt from having ads displayed alongside user content, and from having their data used for "Ads purposes". However, apps outside the core services - like YouTube, Blogger, and Picasa - are not covered by the terms of service that restrict ads. The same is true for integrations of third party apps that can be enabled within the Google Apps admin interface, and then accessed by end users. So, when a person in a Google Apps for Edu environment watches a video on YouTube, writes or reads a post on Blogger, or accesses any third party app enabled via Google Apps, their information is no longer covered under the Google Apps for Education terms.

To put it another way: as soon as a person with a Google Apps for Education account strays outside the opaque and narrowly defined "safe zone" everything they do can be collected, stored, and mined.

So, the next time you hear someone say, "Google apps doesn't use data for advertising" ask them to explain what happens to student data when a student starts in Google apps, and then goes to Blogger, or YouTube, or connects to any third party integration.


Google has been making a concerted effort to improve its privacy practices in education. In early 2014, it came to light that Google was data mining email in education products. This was followed up a few months later by the announcement that Google would no longer display ads in core Google Apps, and would no longer scan emails in Apps for EDU.

This shifted practice appears to be the origin of the claim that "Google doesn't collect any data on students." This post by Tracy Mitrano gives a more detailed overview and background.

There's A Hole In The Bucket

In an earlier post last week, I explored some basic issues with even finding the Google Apps for Edu terms of service. In that post, I also outlined some quick and easy fixes for some of the more basic problems.

One of the problems identified in the earlier post has been fixed in the last week: the link to the page that outlines the core services now actually points to the correct location. The list of apps covered under the core Apps for Edu terms includes Gmail, Calendar, Drive, Hangouts, Sites, Contacts, Groups, and Google Apps Vault.

The list of additional services not included and covered under Edu terms includes Blogger, YouTube, Maps, Custom Search, Picasa, and Web History.

So, if a school using Google Apps for Edu wanted to do a unit on digital citizenship and time management and use Web History as a teaching tool, the only way to do that would be to throw student data into Google's normal terms of service, where student data could be mined and sold.

Additionally, while Google's specific terms for edu state that search data would not be scanned for "Ads purposes," it looks like searches via any custom search appliance would be scanned and mined. I'd love to get clarification from within Google on how data in custom searches is handled.

When the administrator of a Google Apps for Education instance enables non-core services covered by different terms of service, it's not particularly clear to admins that different terms apply.

When end users access these services, they do it under the umbrella of their Google Apps account. From an end user perspective, it doesn't make sense that these services would be under different terms, and the login process does nothing to highlight that users are entering a different part of Google's corner of the web, governed by different rules. We go into additional detail on how this works later in this post.

Integration with Third Party Apps

The issues outlined above for non-Core apps are worse for third party integrations available through the Marketplace.

Third party integrations are enabled by admins within the Google Apps Admin console. Once these apps are enabled, users within the Google Apps domain can access these additional software packages. "Integration" usually starts with single sign on and a common identity between the Google Apps domain and the third party vendor, but it can also cover sharing contacts and other data. It's not always clear to Google Apps admins that they are creating an environment where learner data flows to third party vendors. Additionally, when a learner or teacher accesses an app that has been enabled via Google Apps, it feels like part of a unified experience. Because the integration is clean, it implies that the same rules are in place. It's a great user experience, but it's a data privacy nightmare.

However, every time a learner accesses a third party app via their Apps for Edu account, their data flows to the third party vendor, and is governed by the terms set by that vendor. Google's rules no longer apply.

Let's Talk About "Ads Purposes"

In their education-specific terms of service, Google makes the following statement about data and ads:

Claim of no ads

1.4 Ads. Google does not serve Ads in the Services or use Customer Data for Ads purposes.

This statement sounds pretty good. Google doesn't serve ads.

However, it's worth remembering that not serving ads is not the same as not processing or mining data. You can mine data, and derive benefit from what you learn in the process, without serving ads. It's also unclear what exactly "Ads purposes" means - the phrase is vague to the point of meaninglessness. Google could improve this individual issue in two ways. First, they could define exactly what they mean when they say "Ads purposes." Second, they could define exactly how they process data collected within the core Apps for Edu suite, and how they use that data.

In section 2.2, Google buries a reference to Non-Google Apps Products in the Compliance section (emphasis added):

Non-Google Apps terms

2.2 Compliance. Customer will use the Services in accordance with the Acceptable Use Policy. Google may make new applications, features or functionality for the Services available from time to time, the use of which may be contingent upon Customer's agreement to additional terms. In addition, Google will make other Non-Google Apps Products (beyond the Services) available to Customer and its End Users in accordance with the Non-Google Apps Product Terms and the applicable product-specific Google terms of service. If Customer does not desire to enable any of the Non-Google Apps Products, Customer can enable or disable them at any time through the Admin Console.

By burying the concept of Non-Google Apps Products, Google makes this element of the Apps for Education terms unnecessarily complicated.

In section 16 of the terms, Google lists out nearly fifty separate definitions, including this one:

Link from section 16

"Non-Google Apps Product Terms" means the terms found at the following URL: http://www.google.com/apps/intl/en/terms/additional_services.html, or such other URL as Google may provide from time to time.

So, for those playing along at home, Google starts with an absolute statement in section 1. They undercut that statement in section 2. They then provide the link to the actual terms in section 16, but the link is buried within nearly 50 other definitions.

When we follow the link to the Non-Google Apps Product Terms, the first point finally spells out the condition that allows user data from within Google Apps for Education to leak into more permissive terms of service:

Not covered. At all.

Not Subject to Google Apps Agreement. The Additional Services are not governed by the Google Apps Agreement, but are governed only by the applicable service-specific Google terms of service.

After knitting together related clauses from three different sections of the terms of service, and following a link to a completely separate set of terms, we finally see that the terms make a clear distinction between core Apps for Education, and everything else. However, because all of these apps appear in the Admin Panel of Google Apps for Edu, and in many cases the person administering Google Apps is not the person in charge of vetting terms for Google Apps, this difference is, at best, unclear.

So What Does All This Mean, Again?

We've covered a fair amount of ground in this post, and gotten deep into the weeds of Google's policies. As the policies are written, the one clear absolute is that ads will not be displayed alongside user content.

It's not entirely clear, however, what Google does do with any data collected from the core apps within Google Apps for Education.

It is also clear that as soon as a student or teacher leaves the narrowly defined limits of core Google apps, their data is up for grabs to be used for advertising, or any other purpose defined in Google's general terms of service. Unless a Google Apps for Education account is configured in an incredibly locked down way, it's hard to see how learners can avoid - or even know - where their information is going, and the terms under which it is being used.

But the clear takeaway: as soon as a learner strays outside the core Google Apps offerings, their data can be used for a range of non-educational purposes.

Suggested Improvements

There are a range of ways that Google's terms for education could be improved. The suggestions here are the tip of the iceberg, and ONLY address the issues that make it difficult to understand exactly what Google is doing. Once Google has improved the readability and transparency of their terms, we could go into more detail on specific ways that the terms can be improved to protect student privacy.

To improve some of the issues listed here, Google should:

  • Explain exactly how learner data will be scanned within the core Apps for Edu suite;
  • Extend the education terms of service to cover all other Google apps that aren't currently part of the Core apps suite. If there are applications that Google owns where this is not possible, they should be removed from the free offering list and treated like any other third party integration;
  • For third party integrations and Google products that use different terms of service, add a step into the process for Google Apps domain admins that highlights and explains that all end users will be sending data to a third party, to be covered under different terms;
  • On a regular basis (every three to six months?), email an apps report to the purchaser of the domain and all domain admins summarizing the enabled apps, and flagging which ones fall outside Google's core Apps for Education. This way, unused apps could be pruned, and in the case of staff turnover, the existing setup could be reviewed. This would also give domain admins the chance to review the privacy policies and terms of enabled apps within the domain.

There are a host of other things that could be done that include editing the terms of service for clarity. However, the issues highlighted in this post provide some easy starting points.