In the heart of Silicon Valley, it's no surprise that Mountain View schools are moving full steam ahead adopting new technology in the classroom. Google Chromebooks, iPads, laptops and classroom-based software are now the norm from kindergarten through the end of high school, as school administrators strive to stock schools with a one-to-one ratio of devices to students.
At the Mountain View-Los Altos High School District, all students are required to bring a device -- such as a Chromebook or a laptop -- to school, and students are automatically signed up for a Google account, complete with Gmail and Google Apps for Education, a suite of software programs designed for school work. The district owns 2,500 Chromebooks, many of which are checked out and in use at any given time.
But with the rise of the tech-in-the-schools frenzy, there is a growing concern over student privacy. What kind of student information and tracking data is being collected by companies like Google, and what is it being used for? Google's outreach efforts boast student privacy as a top concern, but the company has not been transparent about its data-mining practices.
Google did not respond to multiple requests for information regarding the company's student privacy policies starting Feb. 1.
In recent years, Google has been the target of several lawsuits claiming privacy rights violations. Four former and current UC Berkeley students filed a suit against Google last month, alleging that the company had intercepted and scanned their emails for commercial purposes and without consent from 2010 to 2014. The students didn't receive advertisements while using the education apps, but the information was collected, analyzed and used by Google to create "user profiles" to enhance the company's ability to deliver ads outside of Google Apps for Education, including Google's search engine, according to the complaint.
Specific details regarding Google's privacy policies with high schools also remain a mystery to parents and students, as school officials from the Mountain View-Los Altos High School District were unable to locate the agreement signed between Google and the district.
The latest national call for Google to come clean on its data-collecting practices comes from Minnesota Sen. Al Franken, who sent a letter to Google CEO Sundar Pichai last month. The letter did not condemn the company, but insisted that too many privacy-related questions remain unanswered and unclear, leading to concerns that the company could be overstepping its boundaries collecting and using data from millions of school-aged children in the country.
Among Franken's questions are what kind of data Google collects when students are signed in to their Google accounts, but are using services outside of Google Apps for Education.
The school-related apps ditch ads and don't collect student data for advertising purposes, according to a blog post by Jonathan Rochelle, director of Google Apps for Education. But when a student remains logged in and ventures outside the limits of the education apps, privacy policies get murky fast. Franken's letter points out a potential "discrepancy" in how Google treats student data from noneducational services like Google's search engine, Google Maps and YouTube.
"I am concerned that this collection of data may enable Google to create detailed profiles of the students and ultimately target advertising to them or use the profiles for non-educational purposes without the students' knowledge," Franken wrote.
Just weeks before the letter, the nonprofit group Electronic Frontier Foundation filed a complaint with the Federal Trade Commission claiming that student data is "collected, maintained and used by Google for its own benefit, unrelated to authorized educational or school purposes." The claim also calls out Google's "Chrome Sync" feature -- which is automatically enabled on Chromebook laptops -- which gives the company access to students' entire browsing history.
Google under fire
Significant controversy over Google's student privacy policies started in 2013, when Robert Fread and Rafael Carrillo filed suit against the company claiming it had broken state and federal wiretapping laws. The suit alleges that the company, unbeknown to millions of students using Google accounts, had been collecting student data for advertising purposes.
The suit states that Google had collected student email data unlawfully by collecting a type of metadata called PHIL -- Probabilistic Hierarchical Inferential Learner -- clusters. This information allows Google to to track specific words or phrases in emails, which the suit claims the company then uses for "multiple undisclosed purposes and for profit."
Amid the controversy that followed the legal action, Google announced in an April 2014 blog post that it would discontinue the practice of "ads scanning" for Gmail accounts linked to Google Apps for Education.
The company had not been forthcoming about its email-scanning policies prior to ditching it entirely. The suit filed by the UC Berkeley students last month contended that Google had intentionally misled the students and denied that email-scanning had taken place on its website, which stated "there is no ad-related scanning or processing in Google Apps for Education ... with ads disabled," and "your school's content is not processed by Google's advertising systems."
The suit notes 11 other universities that use Google's core education services -- including Gmail -- where the school's privacy policies assure students that their emails and other personal data would not be used for advertising purposes. Universities on the list include UC Santa Cruz, Yale and Harvard. An excerpt from UC Santa Cruz's security information goes so far as to call it a "myth" that Google accesses student emails for marketing purpose.
Google officials argued that the company was transparent all along about the email-scanning practice. One example of where the practice was supposedly confirmed was buried in the "frequently asked questions" section of the privacy policies on the University of Alaska website, which was unearthed in a court declaration by Google lawyer Kyle C. Wong months after the 2013 lawsuit was filed.
The policy states "software does scan your mail and compile keywords for advertising. For example, if the software looks at 100 emails and identifies the word 'Doritos' or 'camping' 50 times, (Google) will use that data for advertising on their other sites."
The Berkeley student lawsuit slammed Google's blog post that revealed the email-scanning practice, calling it fraught with "vague, flowery and self-serving language" that still leaves an open question as to whether Google, in some way or another, is still collecting student data for advertising purposes. Nothing in the blog post explains what will happen with the already-collected email data, either.
"That carefully-crafted post ... was incomprehensible, at least on some of the relevant points," the lawsuit states.
Historically, state and federal laws haven't done much to protect student privacy information, according to Khaliah Barnes, associate director of Electronic Privacy Information Center in Washington, D.C. The federal Family Educational Rights and Privacy Act, or FERPA, protects student education records maintained by the schools, and gives parents the right to fix inaccurate or misleading student information.
Barnes said FERPA plays an important role, but federal laws need to go beyond just authorizing what companies can and cannot do with student information: they need to impose a hard limit on data collection so it remains strictly for purposes of education.
"A more privacy-protected stance is to limit the collection of data to what is absolutely necessary," Barnes said. "If you have a company gobbling up all types of information and stores that information indefinitely, there is a high possibility it will be used for other purposes."
Barnes created a "Student Privacy Bill of Rights," which includes a comprehensive list of protections that students ought to have when school districts share student data with outside, third-party companies. The framework calls for schools and companies to make public the types of data they collect, the purposes it is used for, and what security practices are in place -- all of which would lead to big improvements in transparency for companies like Google, Barnes said.
"(Google) has been opaque about the level of information they are collecting," she said.
The Internet security issue has also risen in significance. Schools can store anything from health and financial information of students to Social Security numbers -- all of which could be compromised as districts continue to move information to the cloud. Barnes said the education world is increasingly becoming a hub for valuable and useful information, prompting a need for greater accountability.
"Parents and students should be able to hold companies and districts accountable," Barnes said.
Are Mountain View schools any different?
In August, Mountain View-Los Altos High School District officials announced that all students will automatically be hooked up with a personal Google account order to take advantage Google Apps for Education, with the goal of better integrating technology in the classroom.
Amid the embrace of new technology, however, it's not clear what privacy terms the district has agreed to. When the Voice requested any agreements between Google and the district on the use of Google Apps for Education, Associate Superintendent Mike Mathiesen said the IT department was unable to find any relevant documents. The former IT director who signed the district up for Google's services didn't leave much documentation behind when he left the district, Mathiesen said.
The Mountain View Whisman School District has been signing up students and staff with Google accounts since 2009, according to Jon Aker, the district's technology director. When asked about terms of the agreement, Aker cited the company's general terms and conditions for using Google Apps for Education.
Most school districts rely on cloud services from outside companies, but few can pinpoint what student information is being collected and retained. A 2013 study by Fordham University professor Joel Reidenberg found that the use of cloud services by school districts has generally been "poorly understood, non-transparent and weakly governed," and that a sizable number of districts have "rampant gaps in their contract documentation, including missing privacy policies."
"The lack of transparency for the agreements themselves and for the kinds of student data at stake in the agreements makes effective public oversight of school districts' privacy practices extremely difficult -- if not impossible," the study states.
The agreement that customers sign to use Google Apps for Education includes a section on privacy that governs what information the company collects from students. The terms state that no ads will be shown while students are using core services -- including Gmail, Google Classroom, Google docs and other apps -- and personal information associated with the student Google account will not be used to for advertising purposes. But many of the privacy concerns brought up in by Franken and mentioned in the Berkeley lawsuit remain unaddressed.
The high school district's Mathiesen said Google Apps for Education has been a great resource for the district, but it can be a hard sell to families worried about whether the company can be trusted collecting and storing student information. Going forward, he said, the district will be vigilant in protecting student information.
"We're going to be sensitive about who we enter in agreements with, protect student data and be cautious about what software has access to it," Mathiesen said.
While federal laws may be lagging behind new education technology, state laws are catching up. The California Legislature passed the Student Online Personal Information Protection Act (SOPIPA), effective Jan. 1 this year, which goes much further than FERPA to protect student data. It prevents companies from collecting data for targeted advertising or any other non-school- related purpose.
"SOPIPA is a vendor responsibility," Fitzgerald said. "It puts the onus on vendors to improve their practice."
JR Starrett, a senior director for Common Sense Media, called SOPIPA a "brand standard" that has served as the basic template for 22 states looking to pass similar laws. He said there's a growing commitment by school administrators to avoid turning schools into marketplaces for companies, and some educational app creators have embraced the new legislation, publicly stating that their products are SOPIPA-compliant.
"Over the past six years you've seen activists and policymakers find that FERPA had some holes on it," Starrett said. "States really haven't waited for the federal policymakers and have taken action themselves."
Outside of legislation, Google voluntarily signed on to the Student Privacy Pledge last year. The pledge, which has over 230 signatories, calls on companies to collect student data only for educational and school purposes, and publish clear and transparent student privacy practices that are easy to understand. Starrett said the pledge incorporates several aspects of SOPIPA and has been overwhelming supported by industry leaders, but does little to actually force companies to follow the restrictions.
"It's a self-governing pledge that is toothless," Starrett said.
The crux of the Electronic Frontier Foundation complaint against Google, which was sent to the Federal Trade Commission in December, was that Google's data collection practices flies in the face of the Student Privacy Pledge. While Starrett called the pledge mostly powerless, the complaint claims that the pledge is enforceable by the FTC, and that having Google remain as a signatory amounts to an "unfair or deceptive act ... and is thus subject to enforcement."
The consequences of data mining
Google's educational services are increasingly popular in schools across the country, in part because it can be a boon in the classroom while costing school districts nothing. Barnes said the free services provided by Google and other companies are attractive when there are few resources to go around, but the cost-free aspect of the service should raise some flags.
"If it's free, why is it available? Is it because of the data collection?" Barnes said.
As schools continue to adopt new technology in the classroom, Barnes said, she is concerned that it may have a chilling effect on student speech if their information is tracked by outside companies like Google. It could stifle intellectual and academic freedom, she said, knowing that anything students type can be used against them.
Mathiesen took a different approach, and said Google's opaque privacy policies could be used as an opportunity to teach students about the importance of good digital citizenship, and the idea that they leave a digital footprint everywhere they go online. Included in that, he said, is that students need to start separating personal email accounts from work and school emails, and be mindful of what they store on the Google drive.
"You're going to be using this email (account) when you apply for college. What do you want your professional and academic email to say?" Mathiesen said.
Rather than live with the idea that companies are going to extensively track student data, Barnes said, school district officials ought to put their foot down and carefully evaluate and vet deals that allow the data collection in the first place.
"There needs to be a way for the schools to have and use innovative technology in the classroom without sacrificing a student's privacy," Barnes said.