Milton
Friedman, a famous economist, popularized the phrase, "there ain't no such thing
as a free lunch". In other words, one always has to pay for a
good or service, whether by exchanging money or giving up something of value. During the past decade, a growing number of digital companies have
adopted a model where they offer their services for free in the hope that their
platform gains widespread acceptance. In
return, those utilizing these services pay for the service by giving up their
personal privacy by accepting agreements that enable service providers to
monetize their personal information.
Education
budgets in some European member states have been slashed during the past
several years due to the economic downturn.
Some cloud computing providers appear to be capitalizing on these deep budget cuts as part of
their pitch to governments and educational institutions. Unfortunately, some digital service
providers do not have the best intentions because strong privacy protections are not built
into the design of some of their platforms.
These companies may require schools to execute agreements that do not properly protect the personal data of students. For example, Sweden's data protection authority recently ordered a school district to stop utilizing Google Apps for Education because the service contract didn't comply with Sweden's Data Protection Act. In other words, Google's agreement with a municipality in Stockholm did not provide the proper safeguards to protect student data.
These companies may require schools to execute agreements that do not properly protect the personal data of students. For example, Sweden's data protection authority recently ordered a school district to stop utilizing Google Apps for Education because the service contract didn't comply with Sweden's Data Protection Act. In other words, Google's agreement with a municipality in Stockholm did not provide the proper safeguards to protect student data.
The
model UK Google Apps For
Education Agreement,
states, "Customer agrees that Google may serve advertisements (“Ads“)
in connection with the Service to End Users who are not designated by Customer
as enrolled students." Does this
clause mean that teachers, administrators, and almuni are served ads? Since students most likely are utilizing
school provided email to communicate with their teachers and teachers may discuss student matters with administrators via email are teacher-student
and administrator-student, and teacher-administrator emails data mined and monetized by Google?
Another troubling agreement clause states, "Customer agrees that any
revenue generated by Google from the Ads or otherwise derived by Google from
the Services will be retained by Google and will not be subject to any revenue
sharing." Does this indicate
that in addition to serving ads based upon teacher-student/administrator-student/teacher-administrator digital interactions, the information contained in these emails may be
monetized in other forms not necessarily mentioned in the agreement?
SafeGov.org recently
released a report about cloud computing and student privacy. The organization conducted "in-depth
interviews with over a dozen
representatives of European Data Protection Authorities (DPAs) as well
as a number of European Commission officials involved in the development of
data protection policy." Their
report found, "wide support for the idea that vulnerable data subjects
such as school children deserve special protection."
SafeGov.org's findings stated that some cloud providers may be offering schools services that
were initially built for the consumer behavioral advertising market and that
these services do not appear to have privacy by design built into their architecture. According to SafeGov.org,
"advertising-oriented cloud services may jeopardize the privacy of data
subjects in schools, even when ad-serving is nominally disabled."
Some
major threats to student privacy noted in SafeGov.org's report include:
Lack of privacy
policies suitable for schools: "[C]loud providers may
deliberately or inadvertently force schools to accept policies or terms of
services that authorize user profiling and online behavioral advertising."
Potential for commercial
data mining:
"When school cloud services derive from ad-supported consumer services
that rely on powerful user profiling and tracking algorithms, it may be
technically difficult for the cloud provider to turn off these functions even
when ads are not being served."
User interfaces
that don't separate ad-free and ad-based services: "By
failing to create interfaces that distinguish clearly between ad-based and
ad-free services, cloud providers may lure school children into moving
unwittingly from ad-free services intended for school use (such as email or
online collaboration) to consumer ad-driven services that engage in highly
intrusive processing of personal information (such as online video, social
networking or even basic search)."
Contracts that
don't guarantee ad-free services:
"By using ambiguously worded contracts and including the option to
serve ads in their services, some cloud providers leave the door open to future
imposition of online advertising as a condition for allowing schools to
continue receiving cloud services for free."
SafeGov.org's
findings are very troubling and demonstrate the need for regulators and
lawmakers in the EU to be proactive to protect the personal privacy of our next
generation of leaders. While this report
was based upon research performed in the EU, it would not surprise me if regulators
and lawmakers around the world have similar thoughts and ideas regarding the
need to protect vulnerable groups such as students and children from behavioral advertising. Shouldn't all students and children, regardless of their
geographic location, be afforded the same privacy protections?
Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.
