Springfield Public Schools, the school district for the third-largest city in Missouri, is at the center of a frightening breach of data privacy. Any student or staff member with a district-issued Google Drive account could have personal data compromised.
Cheri Kiesecker at Missouri Education Watchdog reported earlier this month:
What is reportedly happening with Springfield Missouri Public School’s use of Google Drive offers a rare glimpse into Google’s potential to collect data. School-issued student Google accounts connect to Google Drive which can allow for the ability to Auto-Sync devices to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user. For students in SPS this could include digital data from non-school related accounts.
Fox 5 KRBK originally broke the story, reporting on what one family, the Elys, found:
Springfield residents Norman and Diane Ely went before the school board earlier this year and asked that the district check into safety concerns regarding private information that was being stored on SPS’s Google Drive. They claimed that since that meeting, nothing has changed.
Tuesday, the Elys addressed the board again with more alarming discoveries.
The Elys claim that the SPS Google Drive, given to all SPS employees and students, automatically begins to store information from any device the drive is accessed on. This includes browser history, but also personal information such as files and passwords. They add that even if you log out of the drive, it stays running and recording in the background.
After bringing their concerns forward this past May, they say that despite the evidence presented, no serious action has been taken on behalf of the district.
“They have a lot of evidence and have had it since December, and we have not heard one word from any of them,” said Dianne Ely.
With more searching, the Elys have now found even more sensitive information that’s been stored to their daughter’s Google Drive, including 139 passwords to both her and her husband’s different accounts and also voice recordings of both her and her children.
“My voice to text was being stored as well as any search my kids did, and I could say ‘sure my daughter was searching on Google,’ but my phone uses Safari. When I used my texting app on my iPhone, it recorded my voice, as well as typing out the words and saving it on my Google Drive,” said Brette Hay, the Elys’ daughter and a teacher at Pershing Middle School.
Cheri raised a pertinent question: “Why is Auto-Syncing of devices and Auto-Saving of passwords allowed on any school-issued Google account?”
It shouldn’t be allowed. Cheri notes this breach represents potential problems under several federal laws, including the Protection of Pupil Rights Amendment, the Family Educational Rights and Privacy Act, and the Children’s Online Privacy Protection Rule. Read Cheri’s piece as she addresses different questions related to each law.
There’s more to this story at PogoWasRight.org, a privacy news website. They reported on what is even scarier than the data collection: the accessibility of that data.
To their horror, Henderson and Hay (school district employees) could see what they estimate as the school and personal account credentials of more than 25,000 students and employees in the district. The credentials could be viewed in plaintext and made accessible to anyone with an SPS Google account.
So not only was this information being collected without their consent, it was also accessible to others with district-issued Google Drive accounts, and one employee was dealing with identity theft as a result.
The data collection wasn’t limited to school-owned devices; it extended to parents’ personal and work devices as well if they logged into their student’s Google Drive account.
Parents, if your student has a school-issued Google Drive account, you need to start asking questions. Here are three pertinent ones to ask:
- Can the school district disable Google Auto-Sync and Auto-Save?
- Did the school district inform parents and students about the types of data collected by Google Drive?
- Who in the school district, as well as at Google, can access that information?
I would also encourage parents and students to only log into a district-issued Google Drive account on a school-owned device and only allow your student to do schoolwork on it. At least maintain this practice until your school district can explain to you exactly what data is being collected, who has access to it, and how they are protecting it.