Unlike its website declaration, Google’s “Apps for Education” isn’t a tool that “schools can trust,” because it is spying on 40 million K-12 students and compiling all their online activities even though it pledged not to do that, according to online privacy advocates.

“Google is violating the Student Privacy Pledge in three ways,” said the Electronic Frontier Foundation (EFF), in a complaint filed with the Federal Trade Commission. “First… student personal information in the form of data about their use of non-educational Google services is collected, maintained, and used by Google for its own benefit, unrelated to authorized educational or school purposes.”

“Second, the “Chrome Sync” feature of Google’s Chrome browser is turned on by default on all Google Chromebook laptops – including those sold to schools as part of Google for Education – thereby enabling Google to collect and use students’ entire browsing history and other data for its own benefit,” EFF continues. “And third, Google for Education’s Administrative settings, which enable a school administrator to control settings for all program Chromebooks, allow administrators to choose settings that share student personal information with Google and third-party websites.”

EFF’s complaint to the Federal Trade Commission urges it to open an investigation into the company’s violation of privacy pledge drafted by the Future of Privacy Forum and Software & Information Industry Association, which Google signed last January. EFF notes that the FTC takes industry-created privacy pledges seriously, and “has brought enforcement actions against companies that made privacy-related promises to their costumers and then violated those promises.”

In 2011, Google paid “a $22.5 million civil penalty to settle Federal Trade Commission charges that it misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC,” the complaint said.

In public, Google claims to be a big privacy advocate. However, according to EFF, the 40 million K-12 students who use its laptops and software tools are unaware that it “collects, maintains, and uses records of essentially everything that student users of Google for Education do on Google services, while they are logged in to their Google accounts, regardless of which device or browser they use.”

This may not be surprising to adults, who are used to Internet companies tracking their every search and move—mostly to analyze consumer preferences and target them for ads. But the privacy pledge that Google signed is supposed to protect the youths’ “personally identifiable information as well as other information when it is both collected and maintained on an individual level and is linked to personally identifiable information.” That includes all web searches, browsing, YouTube videos watched, all websites visited, other applications installed and passwords.

“Such data reveals highly personal information about students and is not necessary to deliver educational services,” EFF’s complaint said. “Google not only collects and stores the vast array of student data described above, but uses it for its own purposes such as improving Google products and serving targeted advertising (within non-Education Google services), as Google has represented to EFF.”

Google contends that it “anonymizes” this data—stripping off student identities—but that still violates the student privacy pledge, EFF said, “because Google still uses the data for its own benefit, unrelated to authorized educational or school purposes… and without authorization from the student or parent.”

Moreover, school administrators can also access and provide student information to third-parties, including businesses that are seeking to sell services or others trying to locate the student’s whereabouts. “In the same settings page where administrators can choose whether Google can collect a user’s passwords or browsing history, school administrators can also choose whether “websites are allowed to track the user’s [here, students’] physical location,” EFF said. “Sharing a student’s physical location with third parties is unquestionably sharing personal information beyond what is needed for educational purposes.”

EFF is asking the FTC to investigate Google’s privacy pledge-violating activities and tell parents exactly what records they have compiled on their children, and also destroy these accumulated data files. They are also asking the FTC to “order” Google to withdraw from the industry privacy pledge it signed, and “provide such other relief as the Commission finds necessary and appropriate,” which could include large fines.

The Industry Responds

Jonathan Rochelle, Director of Google Apps for Education, responded to the EFF complaint on the GoogleForEducation blog, saying that Google was following the industry’s privacy pledge.

“While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year,” he wrote. “The co-authors of the Student Privacy Pledge, The Future of Privacy Forum and The Software and Information Industry Association have both criticized EFF's interpretation of the Pledge and their complaint.”

“We have reviewed the EFF complaint but do not believe it has merit,” wrote the Future of Privacy Forum’s Paul Keith. “Chrome Sync is a setting within the control of the school IT administrator, and can also be changed by parents or students. This feature allows students to log in at home or at a library and have access to their school bookmarks, favorites and other settings. Since Chromebooks may be shared among students in school (with password-protected accounts for each student using that particular hardware device), many schools rely on Sync so that multiple students have ready access to their accounts and settings on the same device. We understand that any data collected is not used for behavioral advertising and all other data uses are aggregated and anonymous.”

The Software & Information Industry Association spokesman Mark McCarthy wrote that EFF’s “complaint contains some important misunderstandings about the student privacy pledge.” Continuing, he said, “First, the complaint alleges that Google violated the student privacy pledge because it collected information about students who are using general purpose services. The pledge, however, only applies to applications, services, or web sites “designed and marketed for use in United States elementary and secondary educational institutions.”

“The complaint also alleges that Google violated the pledge by collecting personal information such as browser histories and bookmarks. However, this information is collected at the direction of the school as part of a student’s educational experience. The pledge was never intended to prevent the collection of personal information as part of students’ educational experience.”

Meaningless Words?

Taken together, these statements appear to confirm that Google is tracking and compiling information on student online activities. That data may be rendered anonymous, may not be used for commercial purposes, and may be controlled in part by parents and educators. However, it’s clear that the basic allegations by EFF appear true. Whether that prompts federal regulators to investigate further, conclude it violated an industry privacy pledge, or sanction Google is an entirely different matter.

But it’s clear that Google, the Future of Privacy Forum, The Software & Information Industry Association, EFF—and likely the general public—have very different ideas about what privacy means for 40 million K-12 students using Google’s tools.