What’s Stored in your School Google Drive Account? You Might be Surprised.

Reposted with permission from Missouri Education Watchdog.

Don't Be Evil

If you or your child have a Google account through school, you are going to want to read this.

WATCH THIS FOX 5 NEWS CLIP from Springfield, MO. It shows one teacher logging into her school-issued Google Drive account, where her personal information, including 139 passwords and audio of voice-to-text messages and Siri searches, was stored, allegedly unencrypted.

While many have questioned Google’s invasion of the classroom and how Google Apps for Education (now called G-Suite) collects and uses student or teacher information, few have really gotten much in the way of answers. What is reportedly happening with Springfield, Missouri Public Schools’ use of Google Drive offers a rare glimpse into Google’s potential to collect data. School-issued student Google accounts connect to Google Drive, which can allow devices to Auto-Sync and to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user. For students in SPS this could include digital data from non-school related accounts. This July 17, 2018 Fox 5 KRBK news story explains how one family discovered this practice and reported it to the school district.

“The Elys claim that the SPS Google Drive, given to all SPS employees and students, automatically begins to store information from any device the drive is accessed on. This includes browser history, but also personal information such as files and passwords. They add that even if you log out of the drive, it stays running and recording in the background.

After bringing their concerns forward this past May, they say that despite the evidence presented, no serious action has been taken on behalf of the district.

“They have a lot of evidence and have had it since December, and we have not heard one word from any of them,” said Dianne Ely.

With more searching, the Elys have now found even more sensitive information that’s been stored to their daughter’s Google Drive, including 139 passwords to both her and her husband’s different accounts and also voice recordings of both her and her children.

“My voice to text was being stored as well as any search my kids did, and I could say ‘sure my daughter was searching on Google,’ but my phone uses Safari. When I used my texting app on my iPhone, it recorded my voice, as well as typing out the words and saving it on my Google Drive,” said Brette Hay, the Elys’ daughter and a teacher at Pershing Middle School.

The Elys hope with this new evidence, not only will parents, employees and students take action to check what private information of their own could be stored on the drive, but that the school district will also take the appropriate steps to make their Google Drive safe.” [Emphasis added]

Parents want to know: Why is Auto-Syncing of devices and Auto-Saving of passwords allowed on any school-issued Google account?

Google changed its Google Drive syncing in September 2017. This new policy raises several questions:

  • How does this Google change affect privacy and security and access to school-issued Google Drive accounts? Does it allow cross device tracking?
  • Are students, parents, and school employees (who are often required to use the school-issued Google Drive) informed that their devices could be automatically synced, and remain synced even when they log out? Are users informed of what information, including personal passwords, could be stored on their school-issued Google Drive?
  • Since district administrators can set permissions, do districts have the ability to disable the Google Auto-Sync and Auto-Save function?

Each state has consumer protection laws and state privacy laws that may prohibit the collection or reporting of individuals’ biometric information such as facial or voice recognition. There are also several federal privacy laws, highlighted below, that apply specifically to student information.

PPRA  The law requires that schools obtain written consent from parents before minor students are required to participate in any U.S. Department of Education funded survey, analysis, or evaluation that reveals information concerning the eight protected areas.

FERPA    34 CFR § 99.3 defines an education record as “The term education record means those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution.  Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record.” However, FERPA allows schools to disclose covered information in education records, without consent, in certain situations.

The auto-syncing capability of Google Drive raises additional concerns for schools using this technology:

  • If personal devices are synced and passwords stored, and if a student’s personally identifiable information (PII) is collected, does the district’s or Google’s access to student Google Accounts meet the requirements of federal and state laws? Should the district be required to obtain informed written parental consent prior to this PII data being aggregated on the Google Drive?
  • Has covered information stored on the Google Drive ever been accessed by anyone other than the student, parent, or school official?
  • Is posting a student’s ID on each school device, and generating a uniform password for all students, in compliance with best practices and FERPA? (See Dr. Ely’s May testimony for an example of this practice.)
  • If parents feel their student’s personally identifiable information has been disclosed improperly, they can file a FERPA complaint.

COPPA  “The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.”

  • If personal information of children under the age of 13, such as their browsing history or location was collected when they were online (including when they accessed non-educational websites outside of school, while not actively logged into their synced Google Drive) and if the information from this synced device was stored on the school-issued Google Drive, along with saved passwords, who has access to this information? Is informed parental consent required?
  • Can this personal information in the Google Drive ever be accessed by anyone other than the student and their parent?

HIPAA  “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.”

While information contained in a student’s education record is generally not covered by HIPAA, it is generally covered by FERPA.  This leads to a larger set of questions when Auto-syncing devices and storing  information in a school-issued Google Drive:

  • Is a student’s personal information stored in a school-issued Google Drive considered part of a student’s education record? What if the personal information was obtained outside of school, without the student’s or parent’s knowledge?
  • Does HIPAA apply if information stored on a school-issued Google Drive, is personal information about someone other than a student?
    • Is access to your family’s health record, as part of a student’s educational record, both FERPA and HIPAA compliant if you did not knowingly supply the information to the school?
    • Is audio of a parent discussing personal medical information considered part of a student’s education record?
    • If a relative or friend is a medical professional and you used his/her computer to log into your Google Drive, and now the device is synced, are the auto-saved passwords and medical information on this personal computer part of the student’s education record?
  • In general, is Google Drive HIPAA compliant? If passwords are exposed, do the district and Google follow the necessary steps to ensure Google HIPAA compliance?

Best Practices

In the Fox 5 news story, the School District claims that they followed best practices and there is no breach within the SPS system.  In response to these allegations, SPS stated:

“We believe that our data systems remain safe and secure. In reviewing the concerns brought forward, no data breach has been identified within the SPS system, nor are we aware of any personal information on our servers beyond the appropriate staff and student information provided to the district. We want to assure our community that SPS will always support any investigation into allegations, such as these, in order to address concerns. SPS is committed to doing all that is necessary to keep our staff and students safe and secure. This is true for both facility and cyber security. We work with third-party vendors to regularly monitor and evaluate our procedures and information systems. We implement ongoing updates to our best practices and information systems to maintain and strengthen, wherever appropriate. Our IT Department continues to review best practices in the industry, refining and enhancing district procedures on a regular basis, while also strictly adhering to the manufacturer’s terms of use for any software or other product. We know that ongoing training is essential to protecting the security of each individual and the district-at-large. Over the past three years, we have focused on new training for both staff and students regarding how to be responsible digital citizens. Because this is a personnel matter, we are limited in the details that we can provide, but we remain vigilant in our work to protect the safety and security of our systems, in the best interest of all SPS constituents. At this time, our internal and independent assessments do not indicate that there is a reason for the community to be concerned.”

Screenshot of teacher checking passwords saved on the SPS Google Drive account. The teacher has shown that if you click on the eye icon of any of these accounts, the passwords are exposed. (We redacted the email addresses and the Amazon account that shows the password has been deactivated.)

We wonder about the reported non-school related information and non-school related passwords to accounts (including accounts with personal banking information and medical accounts) that are allegedly stored unencrypted on school-issued Google Drive accounts. Would this situation comply with Missouri’s new law, HB1606, on student cybersecurity and breach reporting?

Regardless of the school district’s claim that there is no reason for concern, many people are concerned and are questioning the ethical and legal implications. Many are wondering if Google Drive Auto-Syncing and Auto-Saving is happening in other school districts across the nation. We have posted videos and links to public testimony presented at Springfield Public School Board meetings with detailed explanations from people who have experienced this first hand, have reported it to the school district and have filed a police report. We have also posted instructions at the bottom of this blog for you to check what is in your (or your child’s) school-issued Google Drive account.

 

Public testimony of the July board meeting begins at the 4 minute mark.

 

Public testimony of the May board meeting begins at the 18 minute mark.

 

What do you think?  

If personal, non-education related information is being stored in school-issued Google Drives, would that data collection cross the line? After reading this blog and reviewing the testimony etc, let us know what you think and let us know what you find in your school Google Drive. 

(You can post a comment on this blog but please do not share your passwords or personal log-in information that would leave you open to hacking; just tell us the types of information you found in your Google Drive.)

We wonder why any school district would want the liability and security risk associated with storing personal information and allegedly unencrypted passwords to personal accounts. With cyber hacks targeting schools at an alarming rate, think of the security issues and potential for harm.

Ask your school district how their Google Drive is set up and look at the information stored in your school-issued Google Drive.

Here’s how to see what is in your school-issued Google Drive, according to May 2018 testimony provided by Dr. Ely. (It may look slightly different depending on the device you are using.)

Steps for checking your/your child’s/your grandchild’s SPS Google Drive Account

Sign-in and security (passwords and devices)

  1. Log into your account.
  2. Once in Google Drive, click the 3 lines at the top left, which opens your Google Drive account info. Look all the way at the bottom and click on the round circle with your initial in it.
  3. Click on my account
  4. Click Sign-in & security
  5. Scroll all the way to the bottom of the Sign-in & security page to where it says saved passwords. This is where you can see all of the passwords stored to the SPS Google Drive Account. Each password has an icon that might look like an eye; you just need to click on it to reveal the password.
  6. From the Sign-in & security screen you can also see what devices have been used to log into your SPS Google account and what devices have been synced with your account.
  7. You may need to click on “Manage My Activities” to see stored voice to text speech, location tracking, YouTube and search history.

 

References and related links:

May 15, 2018 Springfield Public Schools Board Meeting. Public comment starts at about 18 minutes https://www.youtube.com/watch?v=WIbjpjsKAc8

May 15, 2018 Written testimony from Dr. Norman Ely https://drive.google.com/open?id=1HKBAAvyZ39pSxASq2p6OCM-EoL9BbU2L

July 17, 2018 Springfield Public Schools Board Meeting. Public comment starts at about 4 minutes https://www.youtube.com/watch?v=kDREN3CCO3E 

July 17, 2018 Written testimony from parent and teacher Brette Hay https://drive.google.com/open?id=1PdFLlqaR-gvUB32nFsz-_ILoEt3fkpPA

July 17, 2018 Written testimony from Dr. Norman Ely https://docs.google.com/document/d/14Ikjd8TkQhhnGnwh7RdLdGGlo6VnFzKQ2GdXEjImPjs/edit?usp=sharing

July 17, 2018 Written testimony from Brooke Henderson https://docs.google.com/document/d/1zvqD2p54Co1zStAkj7AoH1RDxx8Ys3LdwXtDSEkHHDQ/edit?usp=sharing

FOX 5 KRBK Family claims SPS Google Drive is storing personal information http://www.fox5krbk.com/story/38669634/family-claims-sps-google-drive-is-storing-personal-information#.W09T9C4KOr0.facebook

KOLR10 Parents of SPS Employee say Their Family was Hacked  https://www.ozarksfirst.com/news/parents-of-sps-employee-say-their-family-was-hacked/1181643101

Computer hacking, massive data breach revealed to Springfield Board, Attorney General reportedly investigating https://rturner229.blogspot.com/2018/05/computer-hacking-massive-data-breach.html

Springfield Public Schools 2017-18 School Handbook  https://isharesps.org/websitedoc/CommunityRelations/Student%20Handbooks/2017-2018%20handbook%20final%20complete.pdf

Springfield Public Schools 2018-19 School Handbook https://www.sps.org/Page/2623

How Google Took Over the Classroom https://www.nytimes.com/2017/05/13/technology/google-education-chromebooks-schools.html

EFF: Google’s Student Tracking Isn’t Limited to Chrome Sync
https://www.eff.org/deeplinks/2015/12/googles-student-tracking-isnt-limited-chrome-sync

State Attorneys General are next headache for Google 2017 https://www.wired.com/story/state-attorneys-general-are-googles-next-headache/

37 Attorneys General settle against Google for Consumer tracking violations 2013 https://www.privacyandsecuritymatters.com/2013/11/google-pays-big-to-state-attorney-generals-for-improper-consumer-tracking/

YouTube is Improperly Collecting Children’s Data, Consumer Groups Say  https://mobile.nytimes.com/2018/04/09/business/media/youtube-kids-ftc-complaint.html?smid=tw-share

Transparency and the Marketplace for Student Data
https://www.fordham.edu/info/23830/research/10517/transparency_and_the_marketplace_for_student_data/1

U.S. Education Dept. responds to TheDarkOverlord attacks with new cyber advisory https://www.databreaches.net/u-s-education-dept-responds-to-thedarkoverlord-attacks-with-new-cyber-advisory/

Missouri Consumer Protection Law https://ago.mo.gov/civil-division/consumer/identity-theft-data-security/identity-theft

New Student Data Breach Reporting Requirements in Missouri  https://k12cybersecure.com/blog/new-student-data-breach-reporting-requirements-in-missouri/

Missouri Student Privacy Bill  HB14-1490 as found on the Missouri Department of Elementary and Secondary Education Data System Management website.   https://dese.mo.gov/data-system-management/data-access-sharing-and-privacy

HB-1490:

…The department of elementary and secondary education shall develop criteria for the approval of research and data requests from state and local agencies, researchers working on behalf of the department, and the public
(3) Shall not, unless otherwise provided by law and authorized by policies adopted pursuant to this section, transfer personally identifiable student data;

(4) Develop a detailed data security plan that includes:

(a) Guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;

(b) Privacy compliance standards;

(c) Privacy and security audits;

(d) Breach planning, notification and procedures;

(e) Data retention and disposition policies; and

(f) Data security policies including electronic, physical, and administrative safeguards, such as data encryption and training of employees;

 3. The department of elementary and secondary education shall not collect nor shall school districts report the following individual student data:

(1) Juvenile court delinquency records;

(2) Criminal records;

(3) Student biometric information;

(4) Student political affiliation; or

(5) Student religion.

4. Any rule or portion of a rule, as that term is defined in section 536.010, that is created under the authority delegated in this section shall become effective only if it complies with and is subject to all of the provisions of chapter 536 and, if applicable, section 536.028. This section and chapter 536 are nonseverable and if any of the powers vested with the general assembly pursuant to chapter 536 to review, to delay the effective date, or to disapprove and annul a rule are subsequently held unconstitutional, then the grant of rulemaking authority and any rule proposed or adopted after the effective date of this section shall be invalid and void.

5. Each violation of any provision of any rule promulgated pursuant to this section by an organization or entity other than a state agency, a school board, or an institution shall be punishable by a civil penalty of up to one thousand dollars. A second violation by the same organization or entity involving the education records and privacy of the same student shall be punishable by a civil penalty of up to five thousand dollars. Any subsequent violation by the same organization or entity involving the education records and privacy of the same student shall be punishable by a civil penalty of up to ten thousand dollars. Each violation involving a different individual education record or a different individual student shall be considered a separate violation for purposes of civil penalties…

 

-Cheri Kiesecker
