> “My voice to text was being stored as well as any search my kids did, and I could say ‘sure my daughter was searching on Google,’ but my phone uses Safari. When I used my texting app on my iPhone, it recorded my voice, as well as typing out the words and saving it on my Google Drive,” said Brette Hay, the Ely’s daughter and a teacher at Pershing Middle School.
If it's possible to get voice recordings out of the iMessage app from a separate app (shouldn't be possible from an iMessage app either) this would be a major security hole and Apple would be pissed at google for doing it.
This is almost certainly a misunderstanding of what's actually going on.
This sounds like someone who doesn’t have an understanding of how the services they’re using are designed to interact with each other. This is a problem, but it’s not specific to Google: it’s difficult, if not impossible, to ensure that your average user actually understands how these services are meant to work. As the user starts to realize how integrated these services really are, it causes a level of confusion and paranoia; humans fear what they don’t understand. This, in turn, causes them to misunderstand how the services truly integrate; they feel helpless and don’t understand just how much control they have over their own data.
Many of these claims are outright false because they’re technologically infeasible and would require the exploitation of security vulnerabilities. Companies like Google are constantly having their apps inspected by hobbyists and professionals alike; there’s no way that’d go unnoticed for any length of time, plus it’s nearly impossible to begin with.
In short: a parent has just discovered the internet. They’re scared, paranoid, and confused. This is, unfortunately, quite normal.
There are legitimate privacy concerns regarding Google’s collection of data, but none of them are raised in this article. It’s a misunderstanding at best and outright propaganda at worst.
Parents complain about auto-sync of passwords, and browser history, past searches and things like that. They would like more control of what's stored/synced by default. It's not as benign as you describe it, especially when it comes to children.
It doesn't auto-sync without your permission; you have to request that the browser save your password. If you want to save passwords locally without syncing, it's trivial to disable. You can additionally encrypt the passwords with a master password so that Google doesn't have access to them.
Auto-syncing of passwords is a core feature of every modern browser. Safari does it, Firefox does it, Vivaldi does it, Edge does it, Opera does it, and, of course, Chrome does it.
Want the school to manage it for you? That's exactly what G Suite is.
Edit: The problem here is ignorance. It's easy to demonstrate that it's possible to control all the data about which this parent is concerned. Sure, there's data they can't easily control, but they make no mention of that. Your interests, demographics, everything else Google infers about you... you can't fully control that, and that's what parents should be worried about--not password syncing.
This suggests their main complaint is about logging into Chrome Sync with the EDU account, where expected behavior would be to store and sync history and passwords. (And if you don't keep separate Chrome profiles, obviously that would include everyone using the computer.)
And then they talk about saving voice recordings and transcriptions from their phone messages... I can only guess they did something like configured WhatsApp to store backups on Drive and forgot they had?
EDU accounts should be treated like work accounts: use them only for EDU- or work-related things. Don't visit your bank's website and save the password to Chrome when logged into syncing to your daughter's school account.
On the other hand, asking students, parents, and faculty to fully understand the Chrome login-and-sync model, and how it differs from website logins, may be asking too much. And it can be hard to tell the difference between Chrome sign-in and Apps sign-in, or to realize that signing out of one won't necessarily sign you out of the other.
I don't understand. What they are describing sounds like Chrome syncing. But you can certainly install Google Drive's sync client without using Chrome/Chrome syncing. Is this a new thing?
Thing is, you shouldn't expect this sort of thing to happen _by default_ Also, kids under 13 have different laws for having data about them in the US, so that's an issue, as well.
I'm pretty sure Google is COPPA compliant and will not let children, without parental consent, sign up for things on their own.
However, GSuite for Education may very well introduce a loophole whereby the onus is put on someone else to get that consent. I'm getting that vibe from this knowledge base article:
>Google is COPPA compliant and will not let children, without parental consent, sign up for things on their own.
How does Google do that? By having a 13 year old agree to Terms and Conditions/EULA (a legal contract), that the child has no legal authority to enter, which states the child obtained legal consent from the parents?
I think it's the parents who are expected to agree to the contract, thereby expressing their consent. Then if a child does it on their own, they are committing fraud against the company, which can then claim to be the victim and deflect all blame.
That’s cute but not at all how contract Law works.
Minors don’t have legal authority to enter into contracts, Google can’t claim (at least it’s not a legal defense) they were defrauded by a minor for agreeing to their contract that expressly states the minor will get their parents consent or permission. The burden is on Google.
Google would be liable for collecting data on the minor in violation of law, notwithstanding any agreement the minor agreed to, because that agreement isn’t legally enforceable.
- Your website or online service is directed to children under 13 and collects personal information from them;
- Your website or online service is directed to a general audience, but you have “actual knowledge” you’re collecting personal information from a child under 13; or
- You run a third-party service like an ad network or plug-in and you’re collecting information from users of a site or service directed to children under 13.
and
Although the Rule doesn’t define the term, the FTC has said that an operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age. For example, an operator who asks for a date of birth on a site’s registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they’re under 13. An operator also may have actual knowledge based on answers to “age identifying” questions like “What grade are you in?” or “What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college.”
Note the "if a user responds with a year that suggests they’re under 13" part. If they don't, that would mean that there's no "actual knowledge" that the data being collected is associated with a child under 13. So "they lied to me" does appear to be a valid defense.
The law only provides if the child answered and acknowledged they are a minor that Google has “actual knowledge” in law that does != google does not have actual knowledge if the minor lied or didn’t answer. It’s simply a matter of the burden of proof, but in either case I think the evidence will be there that Google knew or should have known the user was/is a minor.
COPPA also requires “verifiable” consent of the minor’s parents...is a check box really verifiable consent? How can Even Google claim they verified who checked the consent box?
What’s the system/mechanism that doesn’t “allow” them to do it on their own. A legal disclaimer? That isn’t sufficient, You can’t contract around the law. In other words a minor can’t enter a contract, therefore, I can’t contract with a minor and include a provision that says the minor isn’t a minor and if they are then they got parental consent.
Google is the master of information. It would strike me if any company knew or should have known a user signing up for their service is a minor it should be them. Google literally makes it available to minors to agree to these contracts, so when you say google doesn’t allow them to...what do you really mean?
It’s clever of Google to tie verification to the parents credit card...of course in practice, in no way does that serve as actual verification a minor has consent of the parent to sign up for the Google service (I think we saw this is in enough cases with minors making in app purchases with parents credit card thru the App Store) but surely it places the parent in an unenviable position to make a claim Google unlawfully collected information on their child without parental consent even when true.
Snark aside, it is difficult to comply with the law and Google (amount others) is exposing themselves to potential liability by engaging in the collection of user data for users under the age of 13. Google is in a particularly difficult position because facts/evidence would show they knew or should know users are under 13 in many (not all instances) even when the users lie.
But you are wrong it’s not impossible to verify users age, and Google doesn’t have to delete user accounts...they can simply stop collecting user data of minors 13 and younger ;)
Edit: another loosely related example (dealing with age verification) is Girls Gone Wild where they paid underage girls to reveal themselves on camera, those minors signed the GGW contracts and provided fake IDs...yet GGW was liable.
Hard to have no snark. You've provided zero useful input on how to deal with this, and expensive lawyers with more school than you disagree that what is done now is not sufficient.
What helpful input have you added? Why do you think other lawyers have “more school” than me?
As you acknowledge Google is paying some expensive in-house and outside counsel, I disagree with you that they wouldn’t agree with me. I’m sure in an attempt to minimize legal risks and potential liability they would have offered the exact solutions I have, but executives (as they often do) ignore counsel, thinking they know better, and expose themselves to the legal risks in order to collect data on children 13 and under to monetize them.
Anyway if you can show me your input, or support any of your claims (show me a lawyer with “more school” than me, or a lawyer who disagrees) that would be at least something more than trolling.
> you shouldn't expect this sort of thing to happen _by default_
When I have chrome; it always asks me if I want to save passwords....
To one extent, this is a hard lesson to the parents; Check the security settings on any computer you are using; Check the "features" of every app you install.
To another end, it's a good lesson for the parents and children that school and work supplies are for school and work.
To yet another end, those passwords, if auto generated, are likely much more secure than other ways of storing passwords.
They must have signed into Chrome, but Chrome will explicitly tell the user if their data will be accessible to the GSuite administrator[0] so this is likely on them for not fully reading this popup or forgetting about it.
Being accessible to the G Suite administrator is understandable, but this is saying that anyone with an account on the school's G Suite plan could see the passwords for any other user.
This has to be something where the admins changed some default setting to change the default security on everything in G Suite, so that all other school accounts could have access to it.
Maybe someone intended to set it up so that all google sheets and docs were shared among everyone on the plan, but didn't realize the change they made applied to other things that got synced to G Suite, like Chrome sync passwords?
From my reading of it, they are saying that all passwords saved in the browser (potentially all users of the home PC or mobile phone) get associated with the google account but not that all users of the school system can see each others passwords.
Exactly. It’s been part of the standard HIG for both Microsoft and Apple not to use “OK” and “Cancel” and instead use more descriptive turns like “Allow Syncing”/“Don’t Allow Syncing” for a decade.
Yes, that is the pop-up and upon reading it, it is pretty clear to me that you want to start a new chrome profile to proceed (or else your home passwords will get sync'd to the controlled account). The trouble is that this is not clear to people who have never signed-in to Chrome.
I wonder if some of this is cause by not logging out from everything? You can probably log out of gmail, but not the chrome browser and not realize it. And the browser will still record everything. Or the opposite.
I am a bit curious about some of the claims about sync on iPhone. I don't have one, but is it even possible for another app to reach the internals of Safari? I would think that is locked down. Or are they logged into their google account in the browser? As for google getting the voice and text from a messaging app, how would that be possible unless its an actual google app?
The academic Google Drive does some weird stuff. I let my daughter access her school's G-Suite on my work laptop once last year. For weeks afterwards whenever I tried to surf to certain websites I would automatically get redirected to the school's web logon page. Which tells me that at the very least some Google software was tracking my web usage.
I basically had to do a full reinstall of the browser to stop it. It wasn't a case where she didn't log out.
So it set a cookie that indicated that on Google properties it should redirect you to the right place to log in, not take you to the main Google login?
I mean maybe it's not as clear as it should be, and maybe it should remove that cookie if you log out (ehhh...), and it should probably be easier to get rid of all of that... but we're hardly talking the conspiracy of the decade here.
Weird since my child is in this school district. They also don't mention much about the fact that every child (as far as I know) has a Chromebook provided, so I doubt this would be a common thing where kids are logging into Google Drive on another PC at home.
A lot of school districts allow the chromebooks to go home with the kids and there are ways to manage DNS filtering and chrome app management for those chromebooks. It is very attractive for cash strapped school districts or for eRate projects (every 5 years). G Suite is used by a lot of schools and a lot of teachers do the G Suite educational certifications as well.
that was not even google drive, but her myactivity page..
she logged into google when using the app. the stuff is in her account, and she looked at it. and then it was a local fox story.
If it's possible to get voice recordings out of the iMessage app from a separate app (shouldn't be possible from an iMessage app either) this would be a major security hole and Apple would be pissed at google for doing it.
This is almost certainly a misunderstanding of what's actually going on.