This device is managed by MVLA.net

1

Screen Shot 2015-10-23 at 8.51.56 AM

Have you checked out a school Chromebook? If you are a student who has been swept up in Mountain View’s initiative to bring its curriculum into the digital age, you may have taken advantage of the library book-like policy surrounding the free checkout of Chromebooks. You may then be aware that each chromebook can be accessed by the MVLA School District. The degree to which these machines can be accessed has remained vague, and I myself have simply been told not to do anything incriminating on my device. After a little research, I discovered the specific policies that govern what information is available on loaned out chromebooks to the organization that owns them, MVLA.net. Every three hours, a new batch of information is sent from your chromebook to MVLA’s server, this information being determined by the policies enacted on the Chrome Operating System. We break down several policies here:

Screen Shot 2015-10-23 at 8.52.15 AM

The “ReportDeviceActivityTimes” function shows a precise record of the time you are active on your device.

Screen Shot 2015-10-23 at 8.52.31 AM

The “ReportDeviceUsers” function sends a list of all of the accounts that have been signed into on the chromebook in the last three hours, whether or not they are associated with MVLA.net.
Screen Shot 2015-10-23 at 8.52.54 AM

The “ReportDeviceNetworkInterfaces” function gives the receiver of the information a list of the “names” that uniquely identify the physical network connections of your chromebook, such as the address of your computer’s ethernet or Wi-Fi port.

Screen Shot 2015-10-23 at 8.59.25 AM

The “AttestationForContentProtectionEnabled” function takes anonymity out of any interaction with content that mvla.net has deemed to be “protected.” This means that if you access something that MVLA has marked in a specific way, you can be remotely identified with something called a certificate that your computer must present to the server.
Screen Shot 2015-10-23 at 8.59.35 AM

According to Chromium.com (Google’s Chrome OS support website), the “ExtenstionInstallForcelist” function “Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled by the user. All permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension.”

One of the all-powerful extensions among the list of extensions that MVLA.net forces you to install on your operating system is Synergyse Training for Google Apps™. In the application’s description, it says it is designed to give its users assistance in using Google Apps. Closer observation raises some red flags. The permissions granted to this tool, created and maintained by an independent company called Synergyse, allow them to do the following:

  • Read and change your data on all google.com sites
  • Read your browsing history
  • Read any data you copy and paste

Not only has MVLA.net granted these invasive permissions to a private, for-profit corporation, but because the policy that governs this extension allows for additional permissions requested by Synergyse to be blindly accepted by student’s computers at any time.

Student data collection is not just limited to this one Chrome extension. There are two other compulsory extensions, a third-party screenshot tool, and something called “Auto HD For YouTube” which both have permission to do the following:

  • “Read and change all your data on the websites you visit”

Every student that uses a school-issued chromebook (data about chromebooks checkout here) is subject to the policies implemented on them by the MVLA School District. It is up to the MVLA School District to ensure that they are not compromising the data its students produce, and interact with. When they fail to do so, students must make the decision as to whether they should continue to participate in a system that forgoes privacy entirely.

Jason Greenberg
Jason is a senior this year. When he isn't getting the scoop, he loves to rock climb, sail, and run. He enjoys leading the Investment Club, and the playing in the cult that is marching band.
Share.

1 Comment

  1. Working for the school’s IT department, I can say this with certainty:

    The staff I work alongside with do not look through any data that students use. We advise people to not do anything incriminating on their devices in order to protect the property we’ve invested in, nothing more. (And plus, we’re too busy fixing computers to do that anyway :P)

    However, I cannot speak the same for the entities that have created the extensions that we’ve set on the browsers for students’ convenience. Syngergyse is a great tool for us, but just like any other person, you always have to be vigilant about online security. We are not responsible for anything that these companies do, and we’ve taken measures such as giving students school emails under our domain so your personal accounts are not vulnerable.

    I’m glad that you’ve shown your concerns for security! Thank you so much for posting this article.

    -John