Have you checked out a school Chromebook? If you are a student who has been swept up in Mountain View’s initiative to bring its curriculum into the digital age, you may have taken advantage of the library book-like policy surrounding the free checkout of Chromebooks. You may then be aware that each chromebook can be accessed by the MVLA School District. The degree to which these machines can be accessed has remained vague, and I myself have simply been told not to do anything incriminating on my device. After a little research, I discovered the specific policies that govern what information is available on loaned out chromebooks to the organization that owns them, MVLA.net. Every three hours, a new batch of information is sent from your chromebook to MVLA’s server, this information being determined by the policies enacted on the Chrome Operating System. We break down several policies here:
The “ReportDeviceActivityTimes” function shows a precise record of the time you are active on your device.
The “ReportDeviceUsers” function sends a list of all of the accounts that have been signed into on the chromebook in the last three hours, whether or not they are associated with MVLA.net.
The “ReportDeviceNetworkInterfaces” function gives the receiver of the information a list of the “names” that uniquely identify the physical network connections of your chromebook, such as the address of your computer’s ethernet or Wi-Fi port.
The “AttestationForContentProtectionEnabled” function takes anonymity out of any interaction with content that mvla.net has deemed to be “protected.” This means that if you access something that MVLA has marked in a specific way, you can be remotely identified with something called a certificate that your computer must present to the server.
According to Chromium.com (Google’s Chrome OS support website), the “ExtenstionInstallForcelist” function “Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled by the user. All permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension.”
One of the all-powerful extensions among the list of extensions that MVLA.net forces you to install on your operating system is Synergyse Training for Google Apps™. In the application’s description, it says it is designed to give its users assistance in using Google Apps. Closer observation raises some red flags. The permissions granted to this tool, created and maintained by an independent company called Synergyse, allow them to do the following:
- Read and change your data on all google.com sites
- Read your browsing history
- Read any data you copy and paste
Not only has MVLA.net granted these invasive permissions to a private, for-profit corporation, but because the policy that governs this extension allows for additional permissions requested by Synergyse to be blindly accepted by student’s computers at any time.
Student data collection is not just limited to this one Chrome extension. There are two other compulsory extensions, a third-party screenshot tool, and something called “Auto HD For YouTube” which both have permission to do the following:
- “Read and change all your data on the websites you visit”
Every student that uses a school-issued chromebook (data about chromebooks checkout here) is subject to the policies implemented on them by the MVLA School District. It is up to the MVLA School District to ensure that they are not compromising the data its students produce, and interact with. When they fail to do so, students must make the decision as to whether they should continue to participate in a system that forgoes privacy entirely.