Naked Security

Two schoolkids sue Google for collecting biometrics

The suit is about biometrics and children's privacy in Google's education apps, which are suddenly, wildly popular now due to COVID-19.

Two schoolchildren have sued Google, alleging that it’s illegally collecting their voiceprints, faceprints and other personally identifiable information (PII).
The students were identified only as HK and JC in the complaint, which was filed on Thursday in San Jose, CA, in the US District Court of Northern California. The children are suing through their father, Clinton Farwell.
The complaint notes that Google has infiltrated the country’s primary and secondary school systems by distributing its Chromebook laptops, which come pre-installed with its G Suite for Education platform. That suite includes student versions of Gmail, Calendar, Drive, Docs, Sheets, and other Google apps.
In order to use those apps, the kids had to speak into the laptop’s audio recording device so Google could record their voices, and they had to look into the laptop’s camera so Google could scan their faces.
According to the lawsuit, over half of the nation’s school children use Google’s education products, including those in Illinois, most of whom are under the age of 13.
Illinois comes into play because it’s got the strictest biometrics privacy law in the land: the Biometric Information Privacy Act (BIPA). BIPA requires private entities – like Google – to first get our informed consent before collecting our biometrics, including faceprints and voiceprints.
The complaint alleges that Google’s violating both BIPA and the nation’s strictest federal online children’s privacy law, the Children’s Online Privacy Protection Act (COPPA). COPPA requires websites and online services to fully and clearly disclose their data collection, use, and disclosure practices, and to obtain verifiable parental consent before collecting, using, or disclosing the data they collect from children younger than 13.
“Incredibly,” the complaint says, Google’s violating both of those privacy protection laws at the same time. The lawsuit says that besides faceprints and voiceprints, Google’s also illegally creating, collecting, storing and using students’ PII, including:

  • their physical locations;
  • the websites they visit;
  • every search term they use in Google’s search engine (and the results they click on);
  • the videos they watch on YouTube;
  • personal contact lists;
  • voice recordings;
  • saved passwords; and
  • other behavioral information.

…all without verifiable parental consent. From the complaint:

Google has complete control over the data collection, use, and retention practices of the ‘G Suite for Education’ service, including the biometric data and other personally identifying information collected through the use of the service, and uses this control not only to secretly and unlawfully monitor and profile children, but to do so without the knowledge or consent of those children’s parents.

The plaintiffs are requesting a jury trial. They want Google to stop collecting the data and to destroy whatever data it has. The suit is also seeking $5,000 per student for each of Google’s alleged “intentional or reckless” violations, and $1,000 for each “negligent” violation.

Not the first time

Even before COVID-19 sent schools reeling into a crash course on remote learning and an embrace of the tools companies offer to make it happen, Google was looking at legal action over the privacy implications of students using its free G Suite for Education-loaded Chromebooks.
In February, New Mexico Attorney General Hector Balderas sued Google over alleged data slurping with the laptops. Like the BIPA lawsuit filed last week, Balderas accused Google of secretly collecting information including students’ geolocation information, internet history, terms that students have searched for on Google, videos they’ve watched on YouTube, personal contact lists, saved passwords, voice recordings, and more, in violation of COPPA.
Google had already been fined over blowing kids’ privacy a few months prior to New Mexico’s suit. In September 2019, the Federal Trade Commission (FTC) fined the company $170 million for illegally sucking up kids’ data so it could target them with ads.
In response to the FTC fine, Google’s YouTube subsidiary decided to sit out the thorny task of verifying age, instead passing the burden on to content creators, leaving them liable for being sued over COPPA violations, even if the creators themselves think that their content is meant for viewers over the age of 13.


According to the New Mexico lawsuit, Google Education is now used by more than 80 million educators and students in the US, including more than 25 million who use Chromebooks in school. To drive up adoption in schools, Google has publicly promised that it takes students’ privacy seriously and that it will never mine student data for its own commercial purposes, the New Mexico lawsuit says.
It’s broken those promises, the lawsuit says, pointing to Google’s response to a Congressional inquiry into the privacy practices associated with Google Education, in which it admitted to using students’ data – extracted and stored in profiles – for “product improvement and product development.”

Add that all up and multiply it by COVID-19

As state after state has issued stay-at-home orders, usage of Google’s tools to help manage classrooms has exploded.
The free service wasn’t particularly popular before the world woke up to the pandemic. According to AppBrain, which tracks app popularity over time, Google’s Classroom app wasn’t even in the top 100 in early March. As of 28 March, it had sailed past 50 million downloads.
In reporting about the surge of Google’s education tools, Android Police expressed gratitude – as many of us have – that there are free platforms, readily available, to keep kids’ education from completely going off the rails.
But it’s worth noting that the spotlight now shining on online collaboration tools is illuminating some warts – for example, the ZoomBombing wart that taught us all what happens when hosts neglect to disallow screen-sharing by default.
What happens, you might ask, if you haven’t already read about that one? Nasty happens. Please do check out our article on how to make Zooming safer, lest you wind up apologizing to your boss, your colleagues, your fellow Zumba dancers or your parents for something both avoidable and regrettable.
We’ll keep you updated on the lawsuits against Google over its education apps as they progress.



8 Comments

Google should just ban the use of their Chromebooks and Suite inside the US until the lawsuit is finished.

To common people, Google is just a “searching” company. Actually Google is an AI and Big Data company; i.e. it’ll gather as much data as it wants.

I would rather not be cynical but what did the parents think when Google hands out “something for free”. Google has admitted in the past with a straight face that of course they read everyone’s gmail. Something for free is NEVER free.

Probably “The school has approved the use of this, and the school is run by the government. I don’t have time to worry about this, so I’m trusting the school’s judgement”.

These accusations that Zoom is at fault for allowing screen sharing by default need to stop. This is a good thing. I’d be highly pissed off if I had to manually allow screen sharing every time I used Discord, Skype, and Jabber (who, FYI, also allow it by default; but let’s all spit on Zoom).
The option to disable it is there. It’s not Zoom’s fault the average user refuses to spend 5 minutes familiarizing themselves with its exceedingly simple user interface before hosting conferences.

When setting up G-Suite, Google puts the burden of obtaining parental consent on the school. Clearly in practice this doesn’t always happen. How they expect the school to tackle the task of explaining what data Google may or may not collect from its users in order to obtain informed consent frankly baffles me!
By the way, officially (according to Google) YouTube is only for over 13s, YouTube Kids for all those under. In practice, this is often flaunted and Google must be aware – they step very carefully whenever this comes up (collection of data from viewers of children’s content); they only make small steps to transfer content over to Kids rather than the main site, since they clearly appreciate the resulting lost advertising dollars. It’s a fine tightrope for them and anyone else catering to the child market.

There was no need for the kids to do all of this… Google knows almost every person’s details, especially who logged in with them through use of an account.
