Nearly two years after Google agreed to stop data-mining email accounts provided through its Google Apps For Education (GAFE) program, a group of current and former college students have sued the Internet giant for the snooping that did occur for years on the Gmail accounts provided by their university.

The plaintiffs in the lawsuit [PDF] used University of California at Berkeley email accounts that were provided through GAFE. And between 2010 and 2014, when Google officially ended the practice, they say the company scanned and processed the “content of every email received by or sent” from these accounts “to develop sophisticated advertising profiles of the user and for other, still unrevealed, purposes.”

The suit acknowledges that the plaintiffs were not advertised to directly during their use of these accounts, but contends that the content of their emails “nevertheless was extracted, analyzed, and used by Google to create user profiles and otherwise to enhance Google’s marketing and advertising business interests.”

This collection of information was neither necessary for Gmail to function properly, nor was it incidental, argues the lawsuit.

Part of the problem for Google is that, before it ended the data-mining practice, the company’s policies claimed that it was not collecting the sort of information it’s accused of gathering from these accounts. Below is what Google’s Security and Privacy overview page explained to users in Aug. 2013:



For the two years before that, Google’s privacy policy had stated that GAFE was “completely ad-free—which means your school’s content is not processed by Google’s advertising systems.”

“In short,” argues the complaint, “Google lied to GAFE users’ affiliated Educational Institutions and made public statements that concealed its true intentions and the programmatic actions of its systems and services… By these means and devices, and under these false pretenses, Google stole and obtained Plaintiffs’ information.”

While the named plaintiffs in the lawsuit are, or were, Berkeley students, the complaint notes that the potential class action could involve students from schools across the nation. The plaintiffs have identified nearly a dozen schools — including the University of Arizona, Yale, the University of Maine, the University of Washington, and SUNY Stony Brook — as institutions that, based on information provided by Google, explicitly told students that their GAFE email accounts would not be scanned for advertising purposes.

The lawsuit contends that, because the emails were scanned during the transmission process, that Google violated the Electronic Communications Privacy Act. More precisely, the company’s actions allegedly run afoul of that law’s prohibition against intentionally intercepting “any wire, oral, or electronic communication,” and against the intentional use or attempted use of “contents of any wire, oral, or electronic communication.”

This is just the latest arrow to be directed at Google’s alleged snooping on educational accounts. In December, the Electronic Frontier Foundation filed a complaint with the FCC claiming that Google was violating its own pledges by tracking GAFE users’ web-browsing activities.

Google is one of more than 200 companies that have signed on to the “Student Privacy Pledge,” in which it promises to, among other things, “Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes.”

But the EFF believes that when students are logged in to GAFE accounts, Google collects and uses for its own benefit data about the students’ use of non-educational Google services, including browsing behavior, search history, YouTube viewing and search history, installed browser extensions, and saved passwords.

[via Ars Technica]