RE: URGENT Child Privacy and Protection Concerns
Open Letter To:
Cape St. Claire Elementary School parents/guardians, administration, staff and community
Anne Arundel County Public Schools parents/guardians, administration, staff and community
Anne Arundel County Board of Education
Maryland State Department of Education
US Department of Education
Maryland State Police, Computer Crimes Unit
As a follow-up to a previous open letter regarding administration and policy concerns at our public school, I wanted to break down the privacy and safety concerns that I noticed when adding my child’s G Suite for Education (referred to as “Google & ClassLink” by the school) to our home computer, as requested last week by 2 of his teachers for homework. (Exhibit 1)
I am writing this as an online technology developer with over 20 years’ experience working with national leaders in cyber security and a parent of an 8-year-old child at Cape St. Claire Elementary School in Anne Arundel County, Maryland.
After noticing a list of my child’s home YouTube activity in my child’s school issued Google account, I started poking around in all settings and apps that my child has access to within the account and what I found was shocking and appalling. I believe there are major violations of the Child Online Privacy Protection Act as well as violations of Md. Education Code § 4-131, which affect my child, and at least every child in the Anne Arundel County Public School System. I believe there is a data breach on over 171,000 (Exhibit 2) Anne Arundel County Public School System domain users (all students, teachers, staff and administrators with an aacps.org domain email address).
My intention is to inform parents, teachers, staff and administration of the information I have found, the rights they have and to notify the operators, responsible parties and legal enforcement agencies. While I am 100% for using technology in the classroom, the privacy and protection of my child and the children in our community are of utmost importance. The school is responsible for protecting our children. I expect immediate remedies, and an investigation into faulty procedures and policies, in regards to online privacy and protection of minors.
Parent at Cape St. Claire Elementary School
- A G Suite for Education account (referred to as Google) was created for my child at Cape St. Claire Elementary School at least a year ago without my knowledge or consent. I found out as I was adding Google & ClassLink last week for homework assignments. I noticed multiple Google docs containing my child’s work from the previous year.
- The major concern here is that someone at the school agreed to the Google Terms on my child’s behalf (or my behalf, since my child is a minor).
- Parents were not informed about the creation of accounts for their children.
- Minors were able to use accounts for at least a year without parents’ knowledge.
- Parents were not informed of G Suite for Education terms of service or privacy policies.
- School did not obtain parental consent for the use of Google services by minors.
- Google’s terms are as follows: “G Suite for Education administrators determine which Google services their users can access, and are required to provide or obtain consent for the use of the services by their minor users.”
- Google provides a template for schools obtaining consent and informing parents of terms and privacy, which can be found here: https://support.google.com/a/answer/7391849
- The terms in the G Suite for Education agreement that the school agreed to in order to use the product REQUIRE PARENTAL CONSENT, as you can read here: https://gsuite.google.com/intl/en/terms/education_terms.html
- Section 2.5: COPPA and Parental Consent. If Customer allows End Users under the age of 13 to use the Services, Customer consents as required under the Children’s Online Privacy Protection Act to the collection and use of personal information in the Services, described in the G Suite for Education Privacy Notice, from such End Users. Customer will obtain parental consent for the collection and use of personal information in the Additional Products that Customer allows End Users to access before allowing any End Users under the age of 18 to use those services.
- The school provides the email address and password for minor’s account and these credentials contain personal information. The usernames contain personally identifiable information and the password is extremely weak. (Exhibit 3)
- A major concern with this is that unauthorized persons or bots can access, view, edit, add to or share students’ content by way of guessing, overhearing or any other way of discovering the very commonly used and statistically limited details used in the login credentials.
- Another major concern is that anyone with access to student files or credentials, which I assume is at least the entire staff at the school, can access the account.
- SafeSearch was not turned on for my child’s account and the toggle to turn SafeSearch on and off is accessible and editable by my child within his account. (Exhibit 4) SafeSearch is the filter that helps block violent and sexually explicit content on Google.
- I will be very clear about this: If SafeSearch is not turned on, students can potentially find violent and sexually explicit content in search results on Google and YouTube.
- Instructions for parents on how to turn on safe search on their child’s account can be found here: https://support.google.com/websearch/answer/510?co=GENIE.Platform%3DAndroid&hl=en
- Location (Exhibit 5) and YouTube activity (at the least) (Exhibit 6) are being tracked by default when a device is logged into my child’s account.
- Parents were not informed that activity on any computer or other device (regardless of what browser or app is being used) where this account is logged in is being tracked and stored.
- Parents have not been informed about what activity is being tracked and stored in school and outside of school, in what ways, by whom, and how this data is used.
- Although my child does not have access to email, YouTube activity at school or at home, whenever a computer is logged in to this account, is set up to be emailed to his account on a weekly basis. (Exhibit 7)
- There are 8 devices located at Cape St. Claire Elementary School (as shown in location tracking) logged into my child’s G Suite for Education account. (Exhibit 8)
- There are 8 devices at the school able to access not only my child’s data (including all information on his account, location tracking, home search and YouTube activity) but also activity of anyone using a device where his account is logged in.
- Location and Device data including device type, city and state are being tracked every time the account is accessed. (Exhibit 5)
- Users have access to and are listed in a directory of over 171,000 users with an aacps.org email address (Exhibit 10). All of my child’s classmates, teachers and administrators are in there. It appears that every single student, teacher, staff member and administrator at AACPS is in the directory. The directory contains each user’s first and last name, student ID, email address, school, profile picture and many include phone numbers and other personal information. (Exhibit 11)
- Students’ Google Drive is set up in a way that allows anyone in the world to add files (including documents, photos, images, videos, etc.) directly to their drive if they have their student ID (which is listed in the directory) and a Google account.
- As an experiment, with consent from the child’s parents, I looked up the child’s student ID in the directory by searching for their name. I was then able to share an image from my personal Google Drive to the child’s Google Drive by entering their student ID @aacps.org. When I clicked send, I received a notification on my device that showed the child’s first and last name and automatically added them to my contact list. The image appeared almost immediately in the child’s account. I was then able to “comment” on the image within my account and the comment appeared with the image in the child’s account. The parent then was able to comment back from the child’s account in a chat-like feed. (Exhibit 12, 13)
- My 8 year old child has access to YouTube in his account at school. There is an app link within the account (Exhibit 14). Classmates are watching YouTube videos in class. YouTube Terms of Service state that children under the age of 13 cannot use the product, even with parental consent.
- YouTube Terms of Service are as follows: “You affirm that you are either more than 18 years of age, or an emancipated minor, or possess legal parental or guardian consent, and are fully able and competent to enter into the terms, conditions, obligations, affirmations, representations, and warranties set forth in these Terms of Service, and to abide by and comply with these Terms of Service. In any case, you affirm that you are over the age of 13, as the Service is not intended for children under 13. If you are under 13 years of age, then please do not use the Service. There are lots of other great web sites for you. Talk to your parents about what sites are appropriate for you.” https://www.youtube.com/static?template=terms
- My child has access to “Create Channel” where a Channel can be created, videos can be uploaded – and can be shared publicly. There is access to YouTube Analytics – including any public comments made on child’s Channel. (Exhibit 15, 16)
These are my questions:
- How do you inform parents and get consent regarding online accounts created for minor children at the school? Is this policy school specific, county, state or federal?
- Who sets up the online accounts created for minor children at the school? Is this policy school specific, county, state or federal?
- Do the administration, school staff and whoever sets up online accounts created for minor children receive training on privacy and security specific to that product? Specifically, “G Suite for Education.” Is this policy school specific, county, state or federal?
- What are the school’s policies regarding setting up online accounts for minor children at the school?
- What are the school’s policies regarding security of minor’s online credentials?
- Are students required to use “G Suite for Education”? Is this policy school specific, county, state or federal?
- Are students required to have access to a computer and internet access outside of school to complete homework, quizzes, writing assignments or other graded schoolwork? Is this policy school specific, county, state or federal? If not, how are parents being informed that this is optional and what alternatives are offered?
- What is the school’s policy on allowing YouTube access at school?
- What is the county and state policy on allowing YouTube access to children under the age of 13?
- Why is YouTube accessible by minors on their “G Suite for Education” product on school Chromebooks in the school?
- Who agreed to the YouTube Terms of Service on behalf of minors? Is this policy school specific or county?
- After you were informed on October 8th about students having access to YouTube on their accounts and students watching videos during the school day, what steps have you taken to investigate or remove access? Please list the date and time of steps you have taken.
- Who is responsible for monitoring online activity by minors in the school?
- What are all of the online websites or online services that my child has access to in school?
- What are all of the websites or online services that you have given my child’s personal information to, including but not limited to his first and last name?
- What websites or online services does my child have a username and password for that were created by staff or administration within the school or the county school system while he has been enrolled in AACPS system? What are those urls, usernames and passwords?
- What are the terms of service, privacy policies and other disclosures of every website and online service that my child has accessed or has access to?
- Who oversees online security and privacy for the school?
- Who oversees online security and privacy for the county?
- Does the school participate in E-Rate or any other discount agreements for internet service, Chromebook purchase, software purchase or any other purchase related to students’ use of online services within the school? If so, what are those programs, who are the vendors and what are the terms of the agreements? Also, who oversees this?
- Is the Principal of Cape St. Claire Elementary School, the school itself or any other persons receiving any financial benefit or other kickback from purchasing Chromebooks, using any websites or online products, especially Google products or Microsoft Products?
- Is the Principal of Cape St. Claire Elementary School, the school itself or any other persons receiving any financial benefit or other kickback from collecting data of minors?
- Are there any individuals, organizations or businesses directly in charge of cyber security and privacy for the school or the county? If so, who are they and what is the best way to contact them?
- Are you aware that the settings on students’ G Suite for Education accounts for YouTube activity on any computer or device, in or out of school, where a student’s account is logged in is being tracked by Google and is accessible by anyone with access to student files?
- Where are the email notifications that are being sent to my child’s account being collected and/or stored?
- Why is the toggle to turn on/off “SafeSearch” accessible and editable by students in their G Suite for Education accounts?
- The Anne Arundel County Public School Parent Handbook states: “Anne Arundel County Public Schools has implemented a content-filtering system to ensure that students access information consistent with the goals of our instructional program. The filtering system is effective in blocking access to inappropriate content such as pornography, violence, and terrorist sites.” What is the content-filtering system this is referring to at Cape St. Claire Elementary School?
Resources that should have been given to parents along with request for consent:
Resources to share with parents and guardians
In addition to the template notice above, we recommend that schools share the resources listed below with parents and guardians as part of getting their consent:
- Our G Suite for Education Privacy Notice describes how Google products and services collect and use information when used with G Suite for Education accounts.
- Information about the legal commitments Google makes for G Suite for Education Core and Additional Services is available in our Help Center.
- Information about how Google’s products work to protect privacy is available in our Product Privacy Guide and at privacy.google.com. Note that Google does not use any user personal information (or any information associated with a G Suite for Education Account) to target ads for G Suite for Education users in primary and secondary (K–12) schools, and any statements about ads on those pages are overridden by this restriction from our Privacy Notice.
- Information about Google’s compliance with international legal obligations on data protection can be seen in the Data Processing Amendment to G Suite and/or Complementary Product Agreement, which describes extensive measures for data security that Google and its customers have agreed.
- Answers to many top questions about privacy and security appear on our Google for Education Privacy and Security Center.
- Parents can visit myaccount.google.com while signed in to their child’s G Suite for Education account to view and manage the personal information and settings of the account.
|Name|Title or affiliation|
|---|---|
|Maryland State Board of Education||
|James Dale Cornelius|Chief Information Officer, Department of Information Technology, Maryland State Department of Education|
|George Arlotto|Superintendent, Anne Arundel County Public Schools|
|Terry Gilleland|President, Anne Arundel County Public School Board|
|Michelle Corkadel|Vice President, Anne Arundel County Public School Board|
|Rita Alvi|Student Member, AACPS Board|
|Candace Antwine|AACPS Board|
|Melissa Ellis|AACPS Board|
|Eric Grannon|AACPS Board|
|Julie Hummer|AACPS Board|
|Robert Leib|AACPS Board|
|Dana Shallheim|AACPS Board|
|Greg Barlow|Chief Technology Officer, AACPS|
|Lt. Matthew Kail|Computer Crimes Unit, Maryland State Police|
|Brian Frosh|Maryland Attorney General|
|Kristina Poist|CSCES PTO President|