Open Letter 10/14/19

URGENT

RE: URGENT Child Privacy and Protection Concerns

10/14/19

Open Letter To:

Cape St. Claire Elementary School parents/guardians, administration, staff and community
Anne Arundel County Public Schools parents/guardians, administration, staff and community
Anne Arundel County Board of Education
Maryland State Department of Education
US Department of Education
Maryland State Police, Computer Crimes Unit

As a follow up to a previous open letter regarding administration and policy concerns at our public school, I wanted to break down the privacy and safety concerns that I noticed when adding my child’s G Suite for Education (referred to as “Google & ClassLink” by the school) to our home computer, as requested last week by 2 of his teachers for homework. (Exhibit 1)

I am writing this as an online technology developer with over 20 years’ experience working with national leaders in cyber security and a parent of an 8 year old child at Cape St. Claire Elementary School in Anne Arundel County, Maryland.

After noticing a list of my child’s home YouTube activity in my child’s school issued Google account, I started poking around in all settings and apps that my child has access to within the account and what I found was shocking and appalling. I believe there are major violations of the Child Online Privacy Protection Act as well as violations of Md. Education Code § 4-131, which affect my child, and at least every child in the Anne Arundel County Public School System. I believe there is a data breach on over 171,000 (Exhibit 2) Anne Arundel County Public School System domain users (all students, teachers, staff and administrators with an aacps.org domain email address).

My intention is to inform parents, teachers, staff and administration of the information I have found, the rights they have and to notify the operators, responsible parties and legal enforcement agencies. While I am 100% for using technology in the classroom, the privacy and protection of my child and the children in our community are of utmost importance. The school is responsible for protecting our children. I expect immediate remedies, and an investigation into faulty procedures and policies, in regards to online privacy and protection of minors.

Thank you,
Emily Johnson
Parent at Cape St. Claire Elementary School


Concerns:

  1. A G Suite for Education account  (referred to as Google) was created for my child at Cape St. Claire Elementary School at least a year ago without my knowledge or consent. I found out as I was adding Google & ClassLink last week for homework assignments. I noticed multiple Google docs containing my child’s work from the previous year. 
    1. The major concern here is that someone at the school agreed to the Google Terms on my child’s behalf (or my behalf, since my child is a minor). 
    2. Parents were not informed about the creation of accounts for their children.
    3. Minors were able to use accounts for at least a year without parent’s knowledge.
    4. Parents were not informed of G Suite for Education terms of service or privacy policies.
    5. School did not obtain parental consent for the use of Google services by minors.
      1. Google’s terms are as follows: “G Suite for Education administrators determine which Google services their users can access, and are required to provide or obtain consent for the use of the services by their minor users.”
      2. Google provides a template for schools obtaining consent and informing parents of terms and privacy, which can be found here: https://support.google.com/a/answer/7391849
      3. The terms provided in the G Suite for Education agreement that the school agreed to, in order to use product REQUIRES PARENTAL CONSENT: as you can read here: https://gsuite.google.com/intl/en/terms/education_terms.html
        1. Section 2.5: COPPA and Parental Consent. If Customer allows End Users under the age of 13 to use the Services, Customer consents as required under the Children’s Online Privacy Protection Act to the collection and use of personal information in the Services, described in the G Suite for Education Privacy Notice, from such End Users. Customer will obtain parental consent for the collection and use of personal information in the Additional Products that Customer allows End Users to access before allowing any End Users under the age of 18 to use those services.
  1. The school provides the email address and password for minor’s account and these credentials contain personal information. The usernames contain personally identifiable information and the password is extremely weak. (Exhibit 3)
    1. A major concern with this is unauthorized persons or bots can access, view, edit, add to or share student’s content by way of guessing, overhearing or any other way of discovering the very commonly used and statistically limited details used in the login credentials.
    2. Another major concern is that anyone with access to student files or credentials, which I assume is at least the entire staff at the school, can access the account.
  2. SafeSearch was not turned on for my child’s account and the toggle to turn SafeSearch on and off is accessible and editable by my child within his account. (Exhibit 4) SafeSearch is the filter that helps block violent and sexually explicit content on Google.
    1. I will be very clear about this: If SmartSearch is not turned on, students can potentially find violent and sexually explicit content in search results on Google and YouTube.
    2. Instructions for parents on how to turn on safe search on their child’s account can be found here: https://support.google.com/websearch/answer/510?co=GENIE.Platform%3DAndroid&hl=en
  3. Location (Exhibit 5) and YouTube activity (at the least) (Exhibit 6) is being tracked by default when a device is logged into my child’s account.
    1. Parents were not informed that activity on any computer or other device (regardless of what browser or app is being used) where this account is logged in is being tracked and stored.
    2. Parents have not been informed about what activity is being tracked and stored in school and outside of school, in what ways, by whom, and how this data is used.
    3. Although my child does not have access to email, YouTube activity, at school or home, when a computer is logged in to this account is set up to be emailed to his account on a weekly basis. (Exhibit 7)
    4. There are 8 devices located at Cape St. Claire Elementary School (as shown in location tracking) logged into my child’s G Suite for Education account. (Exhibit 8)
      1. There are 8 devices at the school able to access not only my child’s data, (including all information on his account, location tracking, home search and YouTube activity)  but also activity of anyone using a device where his account is logged in.
      2. Location and Device data including device type, city and state are being tracked every time the account is accessed. (Exhibit 5)
  4. Users have access to and are listed in a directory of over 171,000 users with an aacps.org email address (Exhibit 10). All of my child’s classmates, teachers and administrators are in there. It appears that every single student, teacher, staff member and administrator at AACPS is in the directory. The directory contains each users first and last name, student ID, email address, school, profile picture and many include phone numbers and other personal information. (Exhibit 11)
  5. Student’s Google Drive is set up in a way that allows anyone in the world to add files (including documents, photos, images, videos, etc.) directly to their drive if they have their student id (which is listed in the directory) and a google account. 
    1. As an experiment, with consent from the child’s parents, I looked up the child’s student ID in the directory by searching for their name. I was then able to share an image from my personal Google Drive to the child’s Google Drive by entering their student ID @aacps.org. When I clicked send, I received a notification on my device that showed the child’s first and last name and automatically added them to my contact list. The image appeared almost immediately in the child’s account. I was then able to “comment” on the image within my account and the comment appeared with the image in the child’s account. The parent then was able to comment back from the child’s account in a chat like feed. (Exhibit 12, 13)
  6. My 8 year old child has access to YouTube in his account at school. There is an app link within the account (Exhibit 14). Classmates are watching YouTube videos in class. YouTube Terms of Service state that children under the age of 13 cannot use the product, even with parental consent. 
    1. YouTube Terms of Service are as follows: “You affirm that you are either more than 18 years of age, or an emancipated minor, or possess legal parental or guardian consent, and are fully able and competent to enter into the terms, conditions, obligations, affirmations, representations, and warranties set forth in these Terms of Service, and to abide by and comply with these Terms of Service. In any case, you affirm that you are over the age of 13, as the Service is not intended for children under 13. If you are under 13 years of age, then please do not use the Service. There are lots of other great web sites for you. Talk to your parents about what sites are appropriate for you.” https://www.youtube.com/static?template=terms
    2. My child has access to “Create Channel” where a Channel can be created, videos can be uploaded – and can be shared publicly. There is access to YouTube Analytics – including any public comments made on child’s Channel. (Exhibit  15, 16)

These are my questions:

  1. How do you inform parents and get consent regarding online accounts created for minor children at the school? Is this policy school specific, county, state or federal?
  2. Who sets up the online accounts created for minor children at the school? Is this policy school specific, county, state or federal?
  3. Does the administration, school staff and whomever sets up online accounts created for minor children receive training on privacy and security specific to that product? Specifically, “G Suite for Education.” Is this policy school specific, county, state or federal?
  4. What are the school’s policies regarding setting up online accounts for minor children at the school?
  5. What are the school’s policies regarding security of minor’s online credentials?
  6. Are students required to use “G Suite for Education”? Is this policy school specific, county, state or federal?
  7. Are students required to have access to a computer and internet access outside of school to complete homework, quizzes, writing assignments or other graded schoolwork? Is this policy school specific, county, state or federal? If not, how are parents being informed that this is optional and what alternatives are offered?
  8. What is the school’s policy on allowing YouTube access at school? 
  9. What is the county and state policy on allowing YouTube access to children under the age of 13?
  10. Why is YouTube accessible by minors on their “G Suite for Education” product on school Chromebooks in the school?
  11. Who agreed to the YouTube Terms of Service on behalf of minors? Is this policy school specific or county?
  12. After you were informed on October 8th about students having access to YouTube on their accounts and students watching videos during the school day what steps have you taken to investigate or remove access? Please list the date and time of steps you have taken.
  13. Who is responsible for monitoring online activity by minors in the school? 
  14. What are all of the online websites or online services that my child has access to in school?
  15. What are all of the websites or online services that you have given my child’s personal information to, including but not limited to his first and last name?
  16. What websites or online services does my child have a username and password for that were created by staff or administration within the school or the county school system while he has been enrolled in AACPS system? What are those urls, usernames and passwords?
  17. What are the terms of service, privacy policies and other disclosures of every website and online service that my child has accessed or has access to?
  18. Who oversees online security and privacy for the school? 
  19. Who oversees online security and privacy for the county?
  20. Does the school participate in E-Rate or any other discount agreements for internet service, chromebook purchase, software purchase or any other purchase related to students use of online services within the school? If so, what are those programs, who are the vendors and what are the terms of the agreements? Also, who oversees this?
  21. Is the Principal of Cape St. Claire Elementary School, the school itself or any other persons receiving any financial benefit or other kickback from purchasing Chromebooks, using any websites or online products, especially Google products or Microsoft Products?
  22. Is the Principal of Cape St. Claire Elementary School, the school itself or any other persons receiving any financial benefit or other kickback from collecting data of minors?
  23. Are there any individuals, organizations or businesses directly in charge of cyber security and privacy for the school or the county? If so, who are they and what is the best way to contact them?
  24. Are you aware that the settings on students G Suite for Education accounts for YouTube activity on any computer or device, in or out of school, where a student’s account is logged in is being tracked by Google and is accessible by anyone with access to student files?
  25. Where are the email notifications that are being sent to my child’s account being collected and/or stored?
  26. Why is the toggle to turn on/off “SafeSearch” is accessible and editable by students in their G Suite for Education accounts?
  27. The Anne Arundel County Public School Parent Handbook states: “Anne Arundel County Public Schools has implemented a content-filtering system to ensure that students access information consistent with the goals of our instructional program. The filtering system is effective in blocking access to inappropriate content such as pornography, violence, and terrorist sites.” What is the content-filtering system this is referring to at Cape St. Claire Elementary School?



Resources that should have been given to parents along with request for consent:

https://support.google.com/a/answer/7391849

https://support.google.com/a/answer/6356509

Resources to share with parents and guardians

In addition to the template notice above, we recommend that schools share the resources listed below with parents and guardians as part of getting their consent:

CC:
Larry Hogan
Governor, Maryland
Maryland State Board of Education
James Dale CorneliusChief Information Officer, Department of Information Technology, Maryland State Department of Education
George ArlottoSuperintendent, Anne Arundel County Public Schools
Terry GillelandPresident, Anne Arundel County Public School Board
Michelle CorkadelVice President, Anne Arundel County Public School Board
Rita AlviStudent Member, AACPS Board
Candace AntwineAACPS Board
Melissa EllisAACPS Board
Eric GrannonAACPS Board
Julie HummerAACPS Board
Robert LeibAACPS Board
Dana ShallheimAACPS Board
Greg BarlowChief Technology Officer, AACPS
Lt. Matthew KailComputer Crimes Unit, Maryland State Police
Brian FroshMaryland Attorney General
Kristina PoistCSCES PTO President