Google was slapped with a lawsuit this week that alleges that it has been covertly collecting data of students via its G Suite for Education program, which offers its productivity services to students for free.

Google’s G Suite for Education program (formerly known as Google Education) offers free tools for K-12 students, including free access to its Gmail, Calendar, Drive, Docs and other applications. As part of this program, 25 million students are also using Chromebook, Google’s laptop that’s targeted for classrooms.

A new lawsuit filed by the state of New Mexico’s Attorney General, Hector Balderas, alleges that this free service has been slurping up data of the students using it – including minors under the age of 18, for which data collection warrants parental consent.

“Google Education is now used by more than 80 million educators and students in the United States… essentially giving Google sole and exclusive access to millions of students’ digital lives and their personal data,” according to the [lawsuit, filed on Thursday](<https://cdn.vox-cdn.com/uploads/chorus_asset/file/19734145/document_50_.pdf>). “More valuable still, Google has captured generations of future customers who are trained to use Google’s platform as early as kindergarten.”

The lawsuit alleges that Google has used the service to collect data of children using the service, including their physical locations, websites they visit, terms used in Google’s search engine and videos watched on YouTube. Also alleged is that Google has collected personal contact lists, voice recordings, saved passwords and other behavioral data. The lawsuit also alleges that until April 2014, Google mined students’ email accounts and extracted that data for advertising purposes.

In all of these cases, the lawsuit alleges, Google has not properly disclosed to users that it’s collecting this data. The lawsuit claims that when students log into their Chromebook, the Chrome Sync function – which is used by Google to sync apps, auto-fill information, and more – is turned on by default. The feature then automatically starts uploading Chrome usage data to Google servers, including online browsing habits, web searches and passwords.

If true, this level of data collection would be a blatant violation of the Children’s Online Privacy Protection Act ([COPPA](<https://threatpost.com/ftc-aims-overhaul-children-s-privacy-rights-091611/75663/>)), which requires parental consent for the collection and use of that personal data if a user is under the age of 13. It would also violate the Family Educational Rights and Privacy Act (FERPA), a federal law that governs the access to educational information and records by public entities.

Google denied the claims as “factually wrong.”

“G Suite for Education allows schools to control account access and requires that schools obtain parental consent when necessary,” a Google spokesperson told Threatpost. “We do not use personal information from users in primary and secondary schools to target ads. School districts can decide how best to use Google for Education in their classrooms and we are committed to partnering with them.”

According to Google’s G Suite for Education information page, G Suite for Education can be used in compliance with COPPA and FERPA.

“We contractually require that schools using G Suite for Education get the parental consent required by COPPA,” [according to the information page](<https://support.google.com/a/answer/139019?hl=en>). “Our services can be used in compliance with COPPA as long as a school has parental consent.”

Google (along with YouTube) was previously hit by the Federal Trade Commission (FTC) with a $170 million fine last year [for COPPA violations](<https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations>), after the FTC alleged that YouTube illegally collected personal information from children without their parents’ consent.

“The truth is that Chromebook device adoption has boomed in the last few years in the education sector,” Rui Lopes, Engineering and Technical Support Director at Panda Security, told Threatpost. “This has left the cybersecurity world… facing the circumstances that the so-called ‘defense in depth’ in the ChromeOS operating system platform is totally and utterly dominated by Google itself.”

Data privacy issues and vulnerabilities relating to children are a continual problem in the infosec space. In 2018, 60 apps were [removed from Google Play](<https://threatpost.com/apps-exposing-children-to-porn-ads-booted-from-google-play/129400/>) that were infected with malware dubbed AdultSwine that in some cases generated pornographic ads on apps aimed at children. In 2019, researchers found an array of [security issues](<https://threatpost.com/kid-tracking-watches-location-data/141335/>) in the Gator portfolio of watches from TechSixtyFour, and found flaws exposing sensitive data of 35,000 children. In [February](<https://threatpost.com/eu-recalls-childrens-smartwatch-that-leaks-location-data/141511/>), the European Commission issued a recall for the Safe-KID-One, an IoT watch made by German company Enox Group, due to “serious” privacy issues. And, in November, the Misafes “Kids Watcher” GPS watch [was found to have vulnerabilities](<https://threatpost.com/connected-wristwatch-allows-hackers-to-stalk-spy-on-children/139118/>) that translate into a stalker or pedophile’s ideal toolset.