Topic Thread

Expand all | Collapse all

Privacy issues using Google account

  • 1.  Privacy issues using Google account

    Posted 07-30-2018 18:34

    I have been increasingly concerned about students using their school district provided Google account to log into free Web 2.0 Tools.

    What account information is available to vendors when students do this? Is their account information really kept private?

    Do Districts have policies on restricting teachers from promoting this to students or do most allow this practice?

    Thank you.

     

    Tom Hering

    Director of Information Technology

    Great Falls Public Schools

    1100 4th St. S.

    Great Falls, MT   59405

    406.268.6068

     



  • 2.  RE: Privacy issues using Google account

    Posted 08-02-2018 09:04
    Hi Tom,

    If I'm missing the point of the question, please let me know.  Each vendor is different in what they collect, hold and how they use it.  We use a third-party assessment tool called EducationFrameworks which rates the app/company.  The rating looks at those questions such as how do they hold the information?  For how long?  Can parents request a purge of the data?  We then lock down our Chromebooks to only allow students access to approved apps.  We leave it open to teachers as we want them to be able to explore and trust in them as professionals.  If they find something they want kids to use, they put it in for an evaluation and we can turn it around in less then a day.  It might not close every door, but at least it gives us some reasonable procedure and due diligence.  It also takes it out of being our opinion, regardless of our ability to sluice the facts.

    Hope that helps.
    Chris

    ------------------------------
    Christopher Thieme
    Senior Director of Educational Technology
    Oak Park and River Forest High School - District 200
    Oak Park IL
    (708) 434-3275
    ------------------------------



  • 3.  RE: Privacy issues using Google account

    Posted 08-03-2018 08:45

    Hi Tom,

     

    The following link is for developers, but it sheds some light on what basic data is being shared via OAuth by Google when someone uses their Google account to log into a third party product or service.   

     

    https://developers.google.com/identity/sign-in/web/people

     

    I believe Chris is on the mark that each product needs to be treated case by case.  Try to start with the basics: 1) What data is being shared? 2) Does the product have a privacy policy? 3) Is the privacy policy FERPA/COPPA compliant?  The last question is the hard one.  I plan to check out Chris's recommendation to use EducationFramework. 

     

    Thanks,

    George

     

    George Frazier, M.Ed., CISSP

    Director of Information Systems

    Lower Merion School District

    301 E. Montgomery Avenue

    Ardmore, PA 19003

    Phone: 610-645-1925 Email: frazier@lmsd.org

     






  • 4.  RE: Privacy issues using Google account

    Posted 08-03-2018 11:30
    Thanks George, that is helpful.
    We do have a process for evaluating vendors before approving for use. It just concerns me that vendors may have access to more information than we think if we use the Google account to login.

    ------------------------------
    Tom Hering
    Director of Information Technology
    North Central Region (META)
    Great Falls MT
    (406) 268-6068
    ------------------------------



  • 5.  RE: Privacy issues using Google account

    Posted 08-03-2018 11:25
    Thanks for the reply Christopher. Actually what I was asking is how much account information do third party vendors have access to when a student uses their school supplied google account to login to their app?
    I did find a help article from Google that says the full name, email address and profile picture is available to vendors by allowing students to use their google account credentials to login to their apps. It also indicated that vendors could request more information if the account holder approved. I'm not sure students would know better and may just click to go through it.
    So I'm considering telling teachers that they have to setup an account in the app for each student vs using their google account. I'm already getting push back from Technology Coaches as I suspect is is easier to just them use their google account.
    I just want to hear back if anyone is doing this same process or whether using the school supplied google account is not a concern.
    Thanks,

    ------------------------------
    Tom Hering
    Director of Information Technology
    North Central Region (META)
    Great Falls MT
    (406) 268-6068
    ------------------------------



  • 6.  RE: Privacy issues using Google account

    Posted 09-14-2018 12:06
    Tom,

    The developer article on OAuth2 gives good info on what the developer could have access to, but to see what specific high level API permissions the apps that users in your domain are using actually have access to you can go to the Google API Permissions tab in the Security section of the Google Admin console. It will show a breakdown by specific API (gmail, drive etc)

    You can enable white-listing (see  Whitelisting connected apps) but until Google provides the ability to have this setting by ORG, it is not as useful, since you can't differentiate between teachers and students and you have to test / evaluate the app in another domain or personal account.

    This is high level, and won't distinguish between an app that has read only permissions to drive vs one that can read/write.

    You can get a view into the log of OAuth2 token creation/deletion per user in the reports section of the admin console (Sign in - Google Accounts) and you can dump all info by using GAM, though it is a ton to wade thru
    https://github.com/jay0lee/GAM/wiki/SecurityExamples#checking-for-a-single-oauth-token-for-users

    I also think that it helps to communicate to users what "Login with  Google" (and O365, twitter, Facebook etc) is actually doing. I think most people assume that it means you are not actually creating an account on the third party site (a problematic understanding if your App Vetting policy trigger is it has to be vetted if the site requires an account). I explain it to non-techies like this:

    Login with Google is several things, first it is a "Federated Credential", think of your Drivers licence, it is issued by you state DMV, but it is accepted as proof of identity for renting a car, boarding a plane, checking in to a hotel or a doctors office. But in addition to identifying who you are it  it also delegates the ability to act on your behalf-like a shareholder's voting proxy, or power of attorney.

    We are going to be stepping up communication this year for folks to run the Google privacy checkup-which includes reviewing the apps you have granted permission to

    ------------------------------
    Jim Siegl
    Technical Architect, CITP
    Fairfax County Public Schools
    ------------------------------