Google under fire for data-mining student email messages
by Benjamin Herold for Education Week
As part of a potentially explosive lawsuit making its way through federal court, giant online-services provider Google has acknowledged scanning the contents of millions of email messages sent and received by student users of the company’s Apps for Education tool suite for schools.
In the suit, the Mountain View, Calif.-based company also faces accusations from plaintiffs that it went further, crossing a “creepy line” by using information gleaned from the scans to build “surreptitious” profiles of Apps for Education users that could be used for such purposes as targeted advertising.
The U.S. District Court for the Northern District of California is hearing the complaint, which alleges that the data-mining practices behind Google’s Gmail electronic-messaging service violate federal and state wiretap and privacy laws. Gmail is a key feature of Google Apps for Education, which has 30 million users worldwide and is provided by the company for free to thousands of educational institutions in the United States.
A Google spokeswoman confirmed to Education Week that the company “scans and indexes” the emails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off — even for Apps for Education customers who elect not to receive ads. The company would not say whether those email scans are used to help build profiles of students or other Apps for Education users, but said the results of its data mining are not used to actually target ads to Apps for Education users unless they choose to receive them.
Student-data privacy experts contend that the latter claim is contradicted by Google’s own court filings in the California suit. They describe the case as highly troubling and likely to further inflame rising national concern that protection of children’s private educational information is too lax.
“This should draw the attention of the U.S. Department of Education, the Federal Trade Commission, and state legislatures,” said Khaliah Barnes, a lawyer with the Electronic Privacy Information Center, or EPIC, a Washington-based advocacy group. “Student privacy is under attack.”
In recent months, a broad cross-section of public officials, industry leaders, and advocates has coalesced around the principle that students’ educational data should not be used for commercial purposes.
Regardless of whether the alleged data-mining practices of Google Apps for Education are found to constitute illegal wiretapping, such practices would constitute a direct violation of that principle, advocates say.
These questions about Google Apps for Education also have major implications, observers say, for how the Family Educational Rights and Privacy Act (FERPA) will be interpreted and enforced in the new era of digital technology and “big data” in schools.
The Education Department’s recently issued guidance on student-data privacy appears to deem the alleged practices of Google Apps for Education as violating FERPA. Some experts, however, argue that the federal law is too antiquated to effectively address the complex privacy concerns raised by such high-tech data mining.
The confusion is contributing to a growing wariness of cloud-based education service providers, such as Google, among some K-12 officials.
The 210,000-student Houston Independent School District, for example, recently declined to adopt the popular Google Apps for Education tool suite as part of its high-profile 1-to-1 computing initiative. Chief technology officer Lenny Schad said that decision was due in large part to concerns over how Google would handle student information.
“The landscape of what districts are facing is changing at light speed,” Mr. Schad said. “We have to come together as educational entities and say to vendors that certain privacy protections are non-negotiable, and we won’t do business with you until they are in place.”
In California, a total of nine plaintiffs are accusing Google of violating federal and state law. They hope to turn the case into a class action and are seeking financial compensation for millions of Gmail users, as well as better disclosure by Google of its practices.
U.S. District Judge Lucy H. Koh, whose court is based in San Jose, is expected to determine soon whether to grant the plaintiffs class certification. In September, Judge Koh denied a motion from Google to dismiss the case, Google Inc. Gmail Litigation, 13-md-02430.
Although much of the California litigation is focused on consumer Gmail users, two of the plaintiffs — Robert Fread of the University of Hawaii and Rafael Carrillo of the University of the Pacific in Stockton, Calif. — are students who say they were required to use Gmail accounts when their institutions adopted Google Apps for Education.
Their universities are among the thousands of institutions of higher education and K-12 schools to adopt the “cloud productivity” suite in recent years. (Google could not provide a current number of K-12 users in the United States.)
Proponents say Google Apps for Education contains powerful, easy-to-use free tools that allow users to perform a wide variety of basic digital functions, such as sending email and maintaining a calendar; maintaining cloud-based storage of their information; and collaborating using word-processing, spreadsheet, and other software applications.
Apps for Education is also the foundation for the increasingly popular Chromebook, an inexpensive laptop computer that is now used by 22 percent of school districts in the United States, according to the company.
“I don’t think there’s another product on the market that provides the same level of power to its users, regardless of price,” said Henry C. Thiele, the assistant superintendent for technology and learning for the 6,800-student Maine Township High School District 207 in Illinois.
Mr. Thiele said his district has used Google Apps for Education since 2008. Officials there have always been aware that the company does “back-end processing” of students’ email messages, he said, but the district’s agreement with Google precludes such data from being used to serve ads to students or staff members.
As long as the company abides by those terms, Mr. Thiele said, “I don’t have any problem with it.”
In an emailed statement provided to Education Week, Bram Bout, the director of Google Apps for Education, said that “ads in Gmail are turned off by default for Google Apps for Education and we have no plans to change that in the future.”
A company spokeswoman also noted that email scanning supports such features as virus protection, spelling checks, and Gmail’s “priority inbox,” and said that there is “no processing of information” stored in Google Drive, Docs, or other applications in the product.
But Mr. Carrillo and Mr. Fread say that doesn’t tell the whole story.
Those plaintiffs in the California lawsuit allege that Google treats Google Apps for Education email users virtually the same as it treats consumer Gmail users. That means not only mining students’ email messages for key words and other information, but also using resulting data — including newly created derivative information, or “metadata” — for “secret user profiling” that could serve as the basis for such activities as delivering targeted ads in Google products other than Apps for Education, such as Google Search, Google+, and YouTube.
The plaintiffs allege that Google has employed such practices since around 2010, when it began using a new technology, known as Content Onebox, that allows the company to intercept and scan emails before they reach their intended recipients, rather than after messages are delivered to users’ inboxes, regardless of whether ads are turned off.
Mr. Fread and Mr. Carrillo say that neither they nor any other users of Google Apps for Education consented to such practices. They are seeking financial damages amounting to $100 for each day of violation for every individual who sent or received an email message using Google Apps for Education during a two-year period beginning in May 2011.
Although the allegations by the plaintiffs are explosive, it’s the sworn declarations of Google representatives in response to their claims that have truly raised the eyebrows of observers and privacy experts.
In November, Kyle C. Wong, a lawyer representing Google, also argued in a formal declaration submitted to the court in opposition to the plaintiffs’ motion for class certification that the company’s data-mining practices are widely known and that the plaintiffs’ complaints that the scanning and processing of their emails was done secretly are thus invalid. Mr. Wong cited extensive media coverage about Google’s data mining of Gmail consumer users’ messages, as well as the disclosures made by numerous universities to their students about how Google Apps for Education functions.
Mr. Wong’s inclusion of the following reference to the disclosure provided to students at the University of Alaska particularly caught the attention of privacy advocates:
The University of Alaska (“UA”) has a “Google Mail FAQs,” which asks, “I hear that Google reads my email. Is this true?” The answer states, “They do not ‘read’ your email per se. For use in targeted advertising on their other sites, if your email is not encrypted, software (not a person) does scan your email and compile keywords for advertising. For example, if the software looks at 100 emails and identifies the word ‘Doritos’ or ‘camping’ 50 times, they will use that data for advertising on their other sites.”
“The fact that Google put this in their declaration means we take it as true,” said Ms. Barnes of the privacy watchdog group EPIC. “Google’s sworn court statements reveal that the company has violated student trust by using students’ education records for profit.”
Indefinite digital profiles
To illustrate the potential harm of Google’s alleged data-mining practices, Bradley S. Shear, a social-media and digital-privacy lawyer based in Bethesda, Md., posed a hypothetical situation in which a teacher using Google Apps for Education emails a parent with information related to a child’s disability status or mental health.
If the full range of allegations in the California suit is true, Mr. Shear said, the contents of such an email could be used by Google to build a digital-user profile that might follow that student indefinitely.
“Who knows what the hell Google is doing with that information, and who knows what problems it could cause for that child in the future,” he said. “Years ago, it might have been put in a filing cabinet, but it wouldn’t be tagged to the child forever.”
Mr. Shear said he saw “major FERPA violations” in Google’s activities and suggested that the Education Department should investigate the company. The Federal Trade Commission, which is responsible for monitoring deceptive business practices, should also take note, he said.
The Family Educational Rights and Privacy Act was enacted in 1974 to protect the privacy of children’s educational records and to prevent unwarranted disclosure.
Last month, the Education Department issued guidance to schools and districts for how to interpret and apply the law in the new age of cloud-based educational services, massive collection of digital data, and increased outsourcing to ed-tech vendors.
One of the scenarios detailed in the guidance appears to closely describe the alleged data-mining practices of Google Apps for Education:
EXAMPLE 4: A district contracts under the school official exception with a provider for basic productivity applications to help educate students: email, calendaring, web-search, and document-collaboration software. The district sets up the user accounts, using basic enrollment information (name, grade, etc.) from student records. Under FERPA, the provider may not use data about individual student preferences gleaned from scanning student content to target ads to individual students for clothing or toys, because using the data for these purposes was not authorized by the district and does not constitute a legitimate educational interest as specified in the district’s annual notification of FERPA rights.
If a student, parent, or educator complains about a vendor potentially violating FERPA or other federal statutes, the department has the authority to investigate those claims and issue written findings back to the school in question and to the public.
Education Department spokeswoman Dorie Nolt said the department would be concerned if a vendor were using personally identifiable information from students’ educational records to target them with ads, but she would not comment on whether the department believes the alleged data-mining practices of Google Apps for Education violate federal law.
Joel R. Reidenberg, a law professor at Fordham University and the author of a much-discussed recent study of districts’ contracts with cloud-service providers such as Google, says that’s an open question, in part because the 40-year-old FERPA does not adequately define what constitutes an educational record in an era in which a previously unthinkable amount of digital data about students proliferates.
“The data-mining and data-processing activities involved in Google Apps for Education are very problematic for student privacy,” Mr. Reidenberg said. “But the complexity of these arrangements exceeds what FERPA is really capable of addressing.”
Greater scrutiny ahead
Some of Mr. Reidenberg’s recent work has been funded by Microsoft, the Redmond, Wash.-based computer and software corporation that has been competing with Google for business and challenging the younger company’s privacy policies and practices for years.
In an interview with Education Week, Cameron Evans, Microsoft’s chief technology officer for education, called on Google to be more transparent.
“If they’re not doing anything wrong, they need to step up and say it and explain to people in unambiguous terms how they capture and use [students’] data,” he said.
Mr. Bout of Google, in his statement to Education Week, said the company is “committed to protecting the privacy and security of our users — and that includes students — to make sure their information is safe, secure, and always available to them.”
Of course, the problem extends far beyond Google, Mr. Evans said. A growing number of companies rely on “freemium” business models in which they provide technology services to schools in exchange for access to an increasingly comprehensive body of information about students — including “ambient” data about where they are located, what devices they are using, with whom they are interacting, and more.
As consumers grow savvier, lawsuits such as the one in California will become more frequent, Mr. Evans predicted, and pressure to modernize state and federal data-privacy laws will grow more intense.
This is a reprint of an article that originally appeared at Education Week.