Denmark Bans Chromebooks, Google Workspace In Schools Over Data Transfer Risks (techcrunch.com) 67
Denmark is effectively banning Google's services in schools, after officials in the municipality of Helsingor were last year ordered to carry out a risk assessment around the processing of personal data by Google. TechCrunch reports: In a verdict published last week, Denmark's data protection agency, Datatilsynet, revealed that data processing involving students using Google's cloud-based Workspace software suite -- which includes Gmail, Google Docs, Calendar and Google Drive -- "does not meet the requirements" of the European Union's GDPR data privacy regulations. Specifically, the authority found that the data processor agreement -- or Google's terms and conditions -- seemingly allow for data to be transferred to other countries for the purpose of providing support, even though the data is ordinarily stored in one of Google's EU data centers.
Google's Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark. But Datatilsynet focused specifically on Helsingor for the risk assessment after the municipality reported a "breach of personal data security" back in 2020. While this latest ruling technically only applies to schools in Helsingor for now, Datatilsynet notes that many of the conclusions it has reached will "probably apply to other municipalities" that use Google Chromebooks and Workspace. It added that it expects these other municipalities "to take relevant steps" off the back of the decision it reached in Helsingor. The ban is effective immediately, but Helsingor has until August 3 to delete user data. A Google spokesperson told TechCrunch in a statement: "We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That's why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organizations to comply with the GDPR.
Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students' data is never used for advertising or other commercial purposes. Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance."
Google's Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark. But Datatilsynet focused specifically on Helsingor for the risk assessment after the municipality reported a "breach of personal data security" back in 2020. While this latest ruling technically only applies to schools in Helsingor for now, Datatilsynet notes that many of the conclusions it has reached will "probably apply to other municipalities" that use Google Chromebooks and Workspace. It added that it expects these other municipalities "to take relevant steps" off the back of the decision it reached in Helsingor. The ban is effective immediately, but Helsingor has until August 3 to delete user data. A Google spokesperson told TechCrunch in a statement: "We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That's why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organizations to comply with the GDPR.
Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students' data is never used for advertising or other commercial purposes. Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance."
At last someone with some sense (Score:3)
Those Chromebook devices are to laptops what Android smartphones are to cellphones: data collection devices, designed solely for Google to slurp up as much of your data as possible.
How anyone with any sense of privacy - or at least with some perception of the utter creepiness of a giant monopoly in the US monitoring virtually everybody on Earth and knowing everything there is to know about you - chooses to buy and use a Chromebook, I'll never know...
Re: (Score:1, Troll)
I threw a virgin into a volcano and bloody Musk didn't even give me a Tesla.
Re: (Score:2)
How did you survive being thrown in a volcano?
Re:At last someone with some sense (Score:5, Insightful)
Facebook called. They want their monopoly back. Hang on, Microsoft is on the other line. A Mr. NSA called earlier.
Re: (Score:2)
Re: (Score:2)
Ok, fine. But what are those schools supposed to do now? Junk all their Chromebooks?
School in Denmark is restarting mid-August.
Re:At last someone with some sense (Score:5, Interesting)
One easy solution would be to re-image all the Chromebooks with an easy-to-use Linux alternative. That solves the OS issue.
Then replace all the applications with Linux alternatives. I'm sure Libre Office would suffice for document creation and any popular browser (Firefox, Brave, Safari, etc) would give them web access.
Next, and here is the crux of the problem, replace all the email, classwork, storage, documents, with something in house or in country. This is where most school systems fall short. It's possible the schools in Denmark already have the infrastructure to host most of the applications they need, except perhaps email for every student. If they want to completely separate themselves from any Google services, they will need to find an alternative that is acceptable.
If they only purchased Chromebooks because they are inexpensive, then nothing really prevents them from changing to a different OS and applications, while still benefiting from the lower cost of the hardware.
Re:At last someone with some sense (Score:5, Informative)
One easy solution would be to re-image all the Chromebooks with an easy-to-use Linux alternative. That solves the OS issue. ... then nothing really prevents them from changing to a different OS and applications, while still benefiting from the lower cost of the hardware.
Sadly this really only works for older models generally (2017 and older). Newer ones have hardware and architectures that aren't supported well (or at all) by any Linux kernel/distro, including GalliumOS which was specifically designed for that. Take a look at this compatibility list (https://wiki.galliumos.org/Hardware_Compatibility) and you'll see when you get to Apollo Lake and Kaby Lake processors in chromebooks, things like audio stop working.
Another great resource is Mr. Chromebox: https://mrchromebox.tech/#devi... [mrchromebox.tech]
Safari on Linux? (Score:2)
> Then replace all the applications with Linux alternatives [...] and any popular browser ([...] Safari...
I get your point but Safari on Linux?
Re: (Score:2)
All possible, of course. But it's something of a shame for cash-strapped schools or local governments. A Chromebook was a decent way to get a useful laptop with useful software very easily and cheaply.
It now lost the "easy" differentiator, and once someone's spent the time to do all the Linux stuff, train all the people that need it, etc etc, it'll have lost the "cheap" differentiator too.
Don't get me wrong, I'd still prefer they did this than relent and go to Microsoft - which lets be honest, is also tryin
Re: (Score:2)
It now lost the "easy" differentiator, and once someone's spent the time to do all the Linux stuff, train all the people that need it, etc etc, it'll have lost the "cheap" differentiator too.
Don't get me wrong, I'd still prefer they did this than relent and go to Microsoft - which lets be honest, is also trying its very best to hoover up as much information as they possibly can. I just think it's not as likely as "one easy solution" makes it seem.
I think it could be made a relatively "easy solution" after the initial time-and-resources investment. Step one, find an in-country ISP to host the necessary websites and email servers.
Step two, find a laptop provider. This could be one of the major companies that have Linux among their out-of-the-box offerings, but preferably it would be somebody like System 76 who might be willing to take a profit hit for the publicity and the cred boost.
Step three, tap the expertise of the ISP and the laptop provider to
Re:At last someone with some sense (Score:5, Informative)
One easy solution would be to re-image all the Chromebooks with an easy-to-use Linux alternative.
...if that were an easy solution, schools would have done that years ago. However, it is very, very much not that simple.
Textbooks need to be written for something. I grew up when schools standardized on Microsoft environments, so the textbooks were written for Windows and Office. Such books continue to exist, but a new wave of Google-based textbooks now exist. If you don't have textbooks and tests, you don't have a solution.
But, you decide to write the textbook and tests and get it all done before school starts in September. What makes Google's platform so appealing to schools is the simplicity of management. Sure, it's entirely possible to cobble something together with Nextcloud and Moodle and Univention, but we're already way beyond 'simple' and you still don't have an MDM in place.
Then replace all the applications with Linux alternatives. I'm sure Libre Office would suffice for document creation and any popular browser (Firefox, Brave, Safari, etc) would give them web access.
See, this is the problem when talking about Linux in pretty much any end-user driven environment. There is this seeming assumption that all anyone does with a computer is word processing, spreadsheets, and web browsers. That's what everyone says they do on their computer, but that's not how it works. "But that's exactly what a Chromebook is!!", goes the battle cry. No, it's not. ChromeOS wouldn't have an App Store if a browser and a word processor was all that's needed. But really, we agree that the next sentence is the real problem...
Next, and here is the crux of the problem, replace all the email, classwork, storage, documents, with something in house or in country. This is where most school systems fall short.
Precisely this. Chromebooks are the new dumb terminals. Replacing ChromeOS with Linux is like saying that replacing the green screen terminals is needed in order to reduce dependency on IBM's mainframes. If all that the Linux-based laptops do is access Google Drive and Google Docs and Google Classroom and Youtube, nothing has been accomplished.
It's possible the schools in Denmark already have the infrastructure to host most of the applications they need, except perhaps email for every student. If they want to completely separate themselves from any Google services, they will need to find an alternative that is acceptable.
"if we hand-wave the real problem away, we can solve the problem". It's certainly possible to replace Google services with non-Google services, r/selfhosted is a great resource for ways to do that. However, will the school systems do it better? Cheaper? Will it improve the quality of education for the student? Will it leverage the faculty's existing experience? As much as I too would *love* for schools to reduce their dependency on Google, I can at least acknowledge that the closest thing to an alternative is Microsoft, and their cloudy solutions have virtually all of the same caveats.
If they only purchased Chromebooks because they are inexpensive, then nothing really prevents them from changing to a different OS and applications, while still benefiting from the lower cost of the hardware.
They purchased dumb terminals because there is an ecosystem around the mainframe. Replacing ChromeOS is easy. Replacing the Google ecosystem is not. Add in the fact that the majority of parents probably dgaf, that the cost of a switch would be politically problematic, that support gets plenty more complicated, and you've got a pretty solid set of reasons why such a change is unlikely to arrive any time soon.
Re: (Score:2)
I understand why lots of places just farm off their e-mail to Google or Microsoft: they're lazy. But if you have a good reason to host your own, it's not really that hard. Particularly not if you're the size of an entire country's school system.
Re: (Score:2)
I understand why lots of places just farm off their e-mail to Google or Microsoft: they're lazy. But if you have a good reason to host your own, it's not really that hard. Particularly not if you're the size of an entire country's school system.
keeping in mind that this is Denmark, with all of about 5 million people in it, and the DPA’s ruling was specific to the Helsingør commune, which has all of about 60,000 people, the comment on size of their school system might not be the most relevant.
Re: (Score:2)
I once ran the mail system for a high school with about 300 students.
Re: At last someone with some sense (Score:2)
Re: (Score:1)
You get a spying windows 11 laptop
Re: (Score:2)
You get a spying windows 11 laptop
Why worry about it? The updates that are shoved into the system will eat up most of the available internet link bandwidth, so data getting back out won't be an issue. /humor /HUMOR
Re: (Score:3)
Google won't give up this source of revenue. They will just fix the issues that have been identified, and continue to profit from Workspace subscriptions, cloud storage fees and so on.
That's good, it's how these laws are supposed to work.
Re: At last someone with some sense (Score:2)
Re: (Score:3)
The issue identified is nothing to do with ads. It's that some of the student's data can be transferred outside GDPR countries for support purposes. To fix it Google would need to keep all support in GDPR countries, in the EU.
Google claims it does not use data from educational institutions or their students for ads. That has been investigated as part of this process. If you have data suggesting otherwise, please share it.
Re: (Score:2)
Not sure that I believe them, or any internal audit they might produce to "prove" this. The temptation is far too great me thinks.
Re: (Score:2)
I doubt it. Think about the consequences if they lied.
They would lose their educational business overnight. All that money for Workspace, ChromeOS and Chromebook sales, and getting students familiar with Google apps in the same way as previous generates got used to Microsoft Office.
Then there would be the GDPR file. 4% of global turnover, several billions. Probably multiple times over for different things, and different jurisdictions.
And how would they keep it secret? In order to make any money from ads the
Re: At last someone with some sense (Score:2)
Google is fundamentally an advertising business that utilizes data harvesting on an industrial scale.
Re: (Score:2)
But again, they would need to ask for specific opt-in permission from each child for each of those research uses. Legally children cannot agree to some kinds of data usage, depending on their age. And if they lied about it, all the stuff I mentioned comes crashing down on them.
It's not impossible, and they do screw up sometimes like when they captured wifi data during street view photography. They would end up having to delete all the data, and all the research they used it with. It would destroy any resear
Re: (Score:1)
Re: (Score:2)
Google is fundamentally an advertising business that utilizes data harvesting on an industrial scale.
This, exactly, and that's why they can't be trusted to provide these services for schools. IMO we're talking about infrastructure here, and for a long time I've maintained that infrastructure should be part of the commons and never in the hands of for-profit companies. Especially companies like Google that are ultimately in the business of spying and behavioural manipulation.
Re: (Score:2)
They make far too much money from ads, they will figure out a way to skirt the law.
You just gave them the idea. Legal ads! You know, how to get a lawyer in your area for cloud storage being blocked, etc... Better patent quickly! /half humor, half 'could see it happen'
Re: At last someone with some sense (Score:2)
Re: (Score:2)
Re: (Score:2)
Google promises
Exactly.
I have no other counterargument for you. It comes down to whether you believe what a giant monopolistic, unaudited (and unauditable) psychopathic US corporation say.
Can you tell what I think?
Re: (Score:2)
The vast majority of the population of the planet do not care about vague issues of "data privacy".
They just want to live their lives, do their jobs, make phone calls, browse websites, send/receive messages, etc.
Good call! (Score:1, Insightful)
Re: (Score:3)
Re: (Score:3)
Apple is shit for this too. Anyone who disagrees is just fooling themselves. Big Tech is NOT your friend, and not who you want to trust your privacy to. If you really need to send info, mailing a letter is still safer than smartphones, next to talking in person. Even landlines aren't safe from TLA agencies. We live in the age of the thought police, they are just somewhat benevolent at this stage. Like as not that will change at some point (probably when the GOP starts gerrymandering phones... you know what
Re: (Score:3)
Postal mail is not very secure in the UK, and probably most developed nations. In the UK they photograph every bit of mail. Part of it is so they can get the address from OCR, but they also keep the photos and store all the from and to addresses in a massive database for law enforcement to access.
If you want secure messaging that is metadata resistant, the simplest option is probably Cwtch. It's a messaging app that uses Tor for message transport, and which is highly resistant to surveillance and metadata c
Re: (Score:2)
Cool. So that's what the USPS is doing, most likely. Smoke and mirrors. I'm half joking but mostly not because that's how things happen here in the good ol' US. The USPS will, if you request, send you an email with photos of the mail being delivered [today]. What's creepy is it's only correct 2/5 of the time. The other 3/5 are days where one of the pieces isn't in there, but will show up tomorrow... or one isn't in there and you'll never see it... or you got something you've been waiting on but it nev
Re: (Score:2)
Don't forget in the UK, starting Feb 2023, every piece of mail will have to use their new stamps with tracking bar codes built in. After that, even if you don't put a return address on the outside of the letter, they can still track the sender. https://news.slashdot.org/stor... [slashdot.org]
Re: (Score:2)
It's way easier and therefor more likely, to scan through email contents, than it is to scan through snailmail contents. And if they are looking at you specifically, already, nothing will be safe. :)
Re: (Score:2)
On top of this, it is foolish for people to be using Android devices. If you are and you think you have any privacy, you need to think again. Cheap and convenient, well you will get what you pay for.
That has been an issue of concern for decades. Not Android, but the underlying issue. It's FREE, it's CHEAP. It's AWESOME! No, you're paying for it with something... Yet the wool remains over the eyes and want overrides safety. You just need to find different words to use and different eye candy to distract every so often to keep the old beast alive (data mining, tracking, selling).
I wish I were joking.
A clever Google response (Score:5, Interesting)
But, if you look closely, you'll note Google's response doesn't actually counter anything Datatilsynet stated.
Google likes to pretend it's just a bunch of engineers, but they obviously have some very skilled lawyers and PR people.
Re: (Score:2)
thats because its correct, they employ low wage support people where the data is worth more than the wage... much like Microsoft
maybe just maybe employ some locals outsourcing is a bad way to go from a customer experience and profit POV
Re: (Score:2)
thats because its correct, they employ low wage support people where the data is worth more than the wage... much like Microsoft
maybe just maybe employ some locals outsourcing is a bad way to go from a customer experience and profit POV
And they wonder why occasionally you see someone with data access in a data center getting pissed because they can't afford their car to get to work anymore with rising prices and pay not accommodating, and just happen to pull a load of database dumps and other data that's not linked as it is in the programming, but it's there. Just hands it out on the (dark?) web. That'll teach 'em! (sigh)
Re: (Score:1)
No one in a Google data center has "data access."
Re: (Score:2)
I didn't say Google.
Re: (Score:2)
But, if you look closely, you'll note Google's response doesn't actually counter anything Datatilsynet stated.
Google likes to pretend it's just a bunch of engineers, but they obviously have some very skilled lawyers and PR people.
Half of me wonders if that's like their 'support' has been for years - it's an automated response that covers what it, via weak AI, determines to be the best response to get you to go away and stay satisfied. But it's basically a variably modified template, built off of.
That's 500 less lawyers and public address speakers to have and pay out of the 5000+?. Savings!
Re: (Score:2)
Even If you've achieved Zero-Google, you going to do Zero-Microsoft next? In principle, the government has to check all the source code that runs on the local computer and compile it by yourself. And then build crazy big firewall in Denmark network. Is it possible today like in Denmark? I can't keep up with that stupid.
No, it is not enough to compile it yourself. You also have to create your own compiler since a compiler can do whatever it wants with your code, including inserting data collection and transmitting instructions. And you have to remove all non-open firmware.
In reality this is of course regulated by law instead. The GDPR forces companies to inform us about the data collection and handling that they are doing. And if Googles data collection and handling does not conform to the regulations that the schools have
Re: (Score:1)
Trusting Trust attacks can be mitigated by using double compilation. https://dwheeler.com/trusting-... [dwheeler.com] and (in greater detail) https://dwheeler.com/trusting-... [dwheeler.com]
Firmware rootkits can do anything though, yes.
Re: (Score:2)
I'm sure China would lease their 'firewall'. As long as the source doesn't get out, there's money to be made. But that would just encourage people to find a way around it ten fold. Lather, rinse...
Re: (Score:2)
I'm sure China would lease their 'firewall'. As long as the source doesn't get out, there's money to be made. But that would just encourage people to find a way around it ten fold. Lather, rinse...
It is not illegal to use Google services in Denmark. It is illegal for municipalities (including public schools) to use services from a company which does not store this information in places where the data is safe (so, outside the EU since these are Danish students). If Google chooses to protect the data according the to EU GDPR then they can resume selling their services to public schools in Denmark.
Re: (Score:1)
If Google chooses to protect the data according the to EU GDPR then they can resume selling their services to public schools in Denmark.
That will be hard as long Google is an US compagny which has to secretly hand over any data to any US agency that asks for it.
Re: (Score:2)
If Google chooses to protect the data according the to EU GDPR then they can resume selling their services to public schools in Denmark.
That will be hard as long Google is an US compagny which has to secretly hand over any data to any US agency that asks for it.
That is currently the case. But the coming Trans-Atlantic Data Privacy Framework which replaces the EU–US Privacy Shield (which did not give sufficient protections) will change that. See https://www.tadpf.eu/ [tadpf.eu]
Re: (Score:2)
I did that almost twenty years ago by switching to Linux and removing every last trace of Windows from my computer. Unless you're working for a company that requires you to use Microsoft software when you're working from home, there's no real good reason for you to be using it on any computer that you own. And, even if you are forced to use it that way, there's nothing stopping you from having two computers: one for work and one for everything else.
They didn't want to hear ... (Score:2)
The last time they were caught (Score:2)
"We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That's why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organizations to comply with the GDPR.
Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students' data is never used for advertising or other commercial purposes. Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance."
Isn't this pretty much the same thing they said the last few times they were caught exploiting children's, students', & patients' personal records & data?
It is NSA, not Google, that is the problem (Score:1)
The GDPR concern is not primarily what Google may do with the data, but what NSA and other TLAs may do. You know, the data snooping that is bad when the chineese do it.
The Google education suite gives a non-European goverment the posibility to look up every school work for every child in most of the schools!
It may be a remote posibility it would happen, but just look at what happens with the browser history of US women at the moment!
Just the posibility is bad, as it will cause self censure against commentin
Google lies and hides things. (Score:2)