Close this Advertisement

Privacy | Features

Google's Apps for Education and the New Privacy Policy

  • By Dian Schaffhauser
  • 02/15/12

In late January when Google announced that it was replacing 60 different privacy policies across its multiple sites and services with a single one, you might have thought Congress had taken up SOPA and PIPA again. That's how loud the outrage was from much of the social galaxy, as reflected in this Gizmodo headline: "Google's Broken Promise: The End of 'Don't Be Evil.'" Other observers, such as Forbes "privacy pragmatist" Kashmir Hill, questioned what the big deal was; after all, she wrote, Google wasn't changing much other than how it targets ads to users and creates new innovative services: "Using information from Gmail to suggest more appropriate YouTube videos or reminding an Android smartphone user that they have a Google calendar appointment in a half hour on the other side of town doesn’t strike me as the work of Lucifer."

But what has been ignored in these discussions is the impact that could be felt by schools that have signed up for Google Apps for Education. Will the new privacy policy affect the agreements Google has with K-12 schools? According to Google, the short answer is no, but with a nuance.

The Basics of the Privacy Policy
If you haven't bothered to read through the new privacy policy, which takes effect on March 1, 2012, here are the basics.

Google said that the goal of a single privacy policy is to make it "simpler and more readable." Rather than having to work through dozens of different policies, users only have to understand a single one. The company insisted that its privacy principles haven't changed: "We'll never sell your personal information or share it without your permission," it stated in an email delivered to Google account holders.

At the same time Google has rewritten its terms of service, which explain the legal terms referred to in the policy and lay out how it will treat the material, such as YouTube videos, submitted by users.

Besides legal clarity the company said it hopes to use the new policy in order to "create one beautifully simple, intuitive user experience across Google." If, for example, you've been sending emails in Gmail to your spouse about fuel efficiency and different types of engines, watching YouTube videos about how to negotiate with car salesmen, and you're logged in and search on "Jaguar," Google wants the ability to deliver search results focused more on the car and less on the animal. Likewise the company wants to be able to show you ads about car dealerships and not include ads about a safari in Africa.

Behind the scenes, the data accumulated through your use of Picasa, Google Plus, Mobile, and Alerts will finally be put to some better use than keeping the storage experts on the data center staff gainfully employed. "I think it's exciting because we're going to be able to improve the services that we already offer our users," company spokesman Tim Drinan noted. "Because of all the information they've already provided, we'll now be able to connect it more consistently."

Note, however, that the privacy policy doesn't affect anonymous public users. If all you do is perform searches and view YouTube clips, but you never post videos and you never send a Gmail message--or anything else that requires you to log in--you won't be enjoying that newly enhanced user experience. You'll have the same experience you've always had--for better or worse.

The biggest misconception the company is battling right now is the concept of "opting out" of Google's new privacy policy, which doesn't make sense, according to Drinan. "No company lets you opt out of their privacy policy or terms of service and continue to use their service," he said. "By going to the New York Times Web site, by reading an article, you agree to their privacy policy. If you download a new version of iTunes, you must accept the new terms of service in order to install it. There's never any option to remain under some previous version of that document."

Getting Outside the Box (of Google Apps for Education)
Ironically, Google Apps for Education already exploits data on the backside to deliver tighter integration on the front end, similar to what the new privacy policy aspires to enable on the consumer side. Data interacts between Calendar and Docs or between Calendar and Gmail, for example. "That's why a lot of our users enjoy the product," noted Drinan.

When a school signs up for Apps for Education, a free service, what it's really getting is the core productivity suite: Gmail, Calendar, Docs, Sites, Video Search, and Groups.

The contract Google has with a school district gives the administrator the power to make any or all of those applications available to users through their school accounts. "They choose exactly what they're going to turn on," Drinan said. And in those cases the contract supersedes the privacy policy. In other words, the agreement the school has with Google takes precedence over the new privacy policy.

According to a statement sent to Apps for Education customers by Google's Vice President of Enterprise, Amit Singh, Google will continue maintaining its enterprise customers' data "in compliance with the confidentiality and security obligations provided to their domain. The new privacy policy does not change our contractual agreements."

The nuance is this, however: If the institution were to decide to turn on additional services outside of that core suite, such as YouTube, Blogger, or Google Plus, those products would fall under the privacy policy and would be affected by the change.

"When you've enabled a consumer product like YouTube, you're saying these accounts will be used like consumer accounts when they're using consumer products," Drinan said. "The agreement covers the core productivity suite. If [something else is] enabled, it falls under the privacy policy."

Most schools tend to keep the official services to email and documents. Likewise, they don't expose their users to Google advertising. That's an additional control that Google makes available specifically in Google Apps for Education.

The Question about FERPA
Still, schools are in a wait-and-see attitude regarding the latest change. Steve McDonald, Rhode Island School of Design's general counsel, said FERPA as it relates to Google's new use of data is the big area of concern for him. The Family Educational Rights and Privacy Act protects the privacy of student records by giving parents certain rights regarding their children's education records, rights that transfer to the student when he or she reaches the age of 18.

Under FERPA, said McDonald, a school can outsource the processing of education records, which may include email, since that's frequently from or to a student. But that outsourcing can only happen if the service provider is subject to the same terms the school is subject to. That's why the standard agreement for Apps for Education explicitly states that Google will be considered a "school official and will comply with FERPA" for the purposes of being able to work with education records.

Under the agreement, Google can use the student data for email; the company can scan it for spam or viruses. What they can't do, said McDonald, is data mine the information.

When McDonald was negotiating the agreement with Google for Google Apps for Education for his school, he put the question: "Are you going to data mine it?" Their reply: "Oh, we're not serving ads--don't worry about it.'" His response to Google: "We understand that; but are you data mining it and correlating it through cookies that aren't part of that, because that would be the same problem. You'd be using our data for your own benefit. Under FERPA you can't do that."

Several months ago, prior to the latest privacy policy change, Google came back to schools and told them that if they turned on additional apps outside of the core suite, those apps weren't subject to the agreements. "They were subject to the standard consumer terms of service," McDonald said. Among those terms was one that said compliance obligations--including FERPA--were the burden of the school, not Google.

"Which would suggest to me," he added, "that they do plan to get in and data mine all that stuff. That would be a problem. If we're providing the information, that's a problem."

What McDonald said he fears is that a student will log into a school account and access non-core services that don't fall under the Apps for Education agreement, and then Google will use that as a backdoor route to also reach in and look at the FERPA-protected data as well.

"It may be they're doing that. It may not be they're doing that," he said. "I just haven't seen a definitive answer on that."

Privacy Choices
If there's anything the cacophonous coverage of the new privacy policy may accomplish, it could be to help more users recognize that they do have choices regarding their privacy while using Google's services--choices they've always had, according to the company.

First, users can remain logged in but use many of the existing privacy controls built into the services. For example, said Drinan, "You can view your search history at google.com/history if you have an account. You can delete individual items you've searched for or your entire history, or you can pause the collection of your search history temporarily or permanently. The same thing is true with YouTube video history. A preferences manager lets you turn off ad personalization entirely or edit the interests that you receive ads about. You can have your Google Chats off the record. You can use incognito mode in Chrome. There are many, many tools already available for privacy."

Second, users can set up multiple accounts. "If you never want your jaguar videos associated with your jaguar searches, just create a separate account to use with your YouTube videos," Drinan said.

Third, users can stick with the services that are public--YouTube, search, Google maps. "You don't have to be signed in to use them," Drinan said.

Ultimately, the company asserted, privacy isn't a policy; it's a practice, and the more intuitive that practice, the more likely it is users will participate in setting their own levels of privacy comfort.

"It boils down to, do users actually have control over their privacy and information? The answer is yes," Drinan said. "Do they have less under the new policy? No. Because we're not collecting any new information, and we're not sharing the information with anybody new. We're only taking the information you've shared with us and connecting it better to serve you."

Some observers still aren't persuaded. Getting students to dig into Google services to configure privacy settings will probably never be easy. Also, it may be that users don't want Google to better target their unique needs. "They said, 'Hey, this is great, because we can tell you're going to be late for a meeting based on your location and your calendar and your traffic in your area.' They thought that was a good thing," McDonald said. "It seemed kind of scary to me."

Comments

Tue, Apr 24, 2012 Lane USA

Honestly, I kind of disagree with Zed and Randy on this, IT technology should not come at the expense of being vague or blurring the lines of engineering ethics. GAFE and google is honestly too vague when they merged this privacy policies, so I cannot recommend google for education or unless make amends to promise no "data mining". Google has cross a line when it comes to balancing the general public good and what advertisers want.

Thu, Apr 5, 2012 Randy

I completely agree with Zed. As a teacher for the past 13 years I have watched school and district IT Departments move from being education facilitators to being education roadblocks. Technology is moving forward faster than they can keep up, and they've adopted the mantra of "NO" rather than doing their jobs and finding a way to provide access to the content we need to effectively teach. GAFE is a great workaround for these roadblocks, and it has IT Departments scared because they realize their kingdoms are wearing away. I'm a user and admin for our GAFE installation and we've moved farther forward using GAFE in the past two years than our IT people could have work for us in 10 years. Honestly, give me classrooms and labs filled with laptops that only have a browser on them and an internet pipe hooked up to them (filtered, of course). Do away with all the Microsoft nonsense and the resulting requirement to have a legion of IT people who only server the purpose of keeping the MS machine running. Google laptops that only take you to a google desktop and GAFE. We can do EVERYTHING we need to using those simple tools, and we can instantly cut 50% or more of our IT staff and have the remaining ones send their time installing and maintaining basic hardware (CPS's and monitors.) As with any rice bowl, however, the entrenched IT departments of the world will only be reduced kicking and screaming......and also making ridiculous "what if" arguments like the ones above. As I said up front - IT has become the problem, not the solution.

Fri, Mar 9, 2012 Lance Texas

How is it shielding our children, if administrators and parents aren't aware their privacy is being invaded? Maybe Eric Schmidt is right, we should not have an EXPECTATION OF PRIVACY if we are on the Internet.

Wed, Mar 7, 2012 CATE

Bill, It would be nice if schools followed GAFE, but my sons had a GAFE account that uses their first and last name as a login. Nice. And Zed, you can merrily go about your way when the violations of FERPA or CIPA are brought against a district because administration and IT personnel will take the fall. Do you really think Google has your best interests at heart...think again. Necessary for students future? I think they would survive and thrive quite nicely without Google's influence and control.

Fri, Feb 17, 2012

Just as a note on "person" as mentioned by "concerned". Person is a legal term which doesn't mean individual human being. Companies and boats can be persons. Black people and woman haven't always had that priviledge.

Thu, Feb 16, 2012 Concerned

Google does not meet the legal requirements for being a "school official" as their contracts attempt to claim. When this news breaks, Google will be out of the University data mining business. Please spread this information far and wide. A recent opinion issued by the United States Department of Education confirms that Google can not be considered a “school official.” In response to the question: What is the definition of "school official", and what organizations or private companies are entitled to such a designation by a State university? The  Department  of  Education  responded  on  Feburary  9,  2012  as  follows:   As  shown  on  the  part  titled  'Defining  "Legitimate  Educational  Interests"'  of  the  "Forum  Guide  to   Protecting  the  Privacy  of  Student  Information"  http://nces.ed.gov/pubs2004/privacy/section_4b.asp,  a   school  officials  is  generally  defined  as: - a person employed by the agency or school in an administrative, counseling, supervisory, academic, student support services, or research position, or a support person to these positions; or - a person employed by or under contract to the agency or school to perform a special task. Please note that the term refers to 'a person' and not an organization. Family Policy Compliance Office U.S. Department of Education 400 Maryland Avenue, SW Washington, D.C. 20202-4605 February 9, 2012 Email from US Department of Education (emphasis added) MORE!!! Additional Federal guidelines show that Google represents the type of institution which the United States Secretary of Education specifically defined as not being permitted the designation of a “school official”, as stated in the Code of Federal Regulations (“CFR”) interpreting FERPA: The requirement (34 CFR 99.31a) serves to ensure that the ‘school officials’ exception does not expand into a general exception to the consent requirement in FERPA that would allow disclosure any time a vendor or other outside party wants access to education records to provide a product or service to schools, parents, and students. As explained in the preceding paragraphs and in the NPRM, 73 FR 15578-15579, the statutory basis for expanding the ‘school officials’ exception to outside service providers is that they are ‘acting for’ the agency or institution, not selling products and services. 74814 Federal Register/Vol. 73. No. 237/Dec 2008.

Thu, Feb 16, 2012 Bill Kansas

Privacy has changed a lot with the advent of technology and it doesn't appear to be slowing down. This trend is obviously going to continue and other companies are going to follow Google's example. That said, this should be used as an opportunity to teach students about privacy and their rights. Additionally, the work around is simple. If you use GAFE, don't use the student's real name when creating his/her account. Google would not be able to identify the individual student so any information collected would be anonymous. The student would be able to take advantage of GAFE's new features and teachers could talk to students about the features, options, and privacy issues that they bring up. Also, correct me if I am wrong, but FERPA allows for parents to authorize the release of their child's educational records. Having the parent sign a release for the use of GAFE, as well as agreeing to the GAFE Terms and Conditions, would protect the School/District. Please, let's not be naive about reality. Most students 6th grade and up probably have Google accounts that they use personally. Some without their parents' consent. This is technology in action today. I don't feel the burden of FERPA compliance should be left up to companies like Google. Google is offering a great service free of charge which is just an extension of their existing service. All this FERPA compliance issue is going to do is force Google to drop GAFE or start charging for it. Both options are severely bad for public education. As educators, we need to focus more on educating our students about these changes rather than shielding them constantly.

Thu, Feb 16, 2012 Zed Ohio

While I'm happy to see discussion - and these details are good to know - most teachers who use technology see FERPA and CIPA as the excuse IT-Departments hide behind to prevent moving into the 21st Century. I've often seen gross misrepresentation of both used to scare school boards and superintendents from using tools that are extremely useful, inexpensive (my district saved close to $100,000 a year by moving to GAFE), and necessary for students' future careers.

Wed, Feb 15, 2012 Cate

I am really glad to see other IT personnel posting questions and concerns on this issue. I have always had a questions about how student data would be protected, used, stored, mined or otherwise in Apps for Education. This is why I chose not to participate. Seems very scary to me, when our department, district will be the ones who have to answer to violations, not Google.

Add your Comment

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

White Papers:

  • Dallas County School District Overcomes Coverage Gaps with MOTOTRBO Digital Radios PDF screen shot

    Dallas County School District needed to quickly resolve their radio coverage gaps throughout the county for more efficient transportation communication and to ensure student safety. Download this whitepaper to see how this district has found their solution with improved coverage area, clear audio and private communications, in addition to improved efficiency and student safety. Read more...

all white papers