KELLY MCEVERS, HOST:
Your children's personal information is not supposed to be an online commodity. But whether kids are using Google apps at school or Internet-connected toys at home, they are generating a lot of data about themselves. It's getting stored in the Cloud, and some advocates say there aren't enough protections in place to keep it private. We're talking about kids and privacy today for All Tech Considered.
(SOUNDBITE OF MUSIC)
MCEVERS: A complaint has been filed with the Federal Trade Commission against Google for spying on students. The nonprofit advocacy group known as the Electronic Frontier Foundation accuses Google of harvesting way too much data about kids in the classroom. More than half of all classroom computers in the U.S. are Google Chromebook computers. And the EFF says Google gets all kinds of information about children from these devices and from Google's educational apps and then stores it, potentially using it for targeting kids with ads. For more on this issue, we turn to Anya Kamenetz of our NPR Ed team. And, Anya, let's get more specific. What exactly is the Electronic Frontier Foundation alleging that Google is doing?
ANYA KAMENETZ, BYLINE: So this requires a little context. When you and I are logged into Google, whether we're using search or Maps or Gmail, we have one account. And that's following us around, sometimes literally in the physical world, and it's collecting information. And when you're logged in and using Chrome, which is their really popular web browser, Google can actually, with permission, track your entire browsing history - every site you visit. And Google uses all this information to better target ads and search results and to improve its services not only for you but for everyone.
MCEVERS: OK, so what's the problem here? I mean, that's how these services work, right?
KAMENETZ: Yes, but for students, the rules are supposed to be a little bit different. So when students are using the Google apps for education and core services within them - Gmail, Docs, Sheets, Slides - Google says that they don't collect personal data on those students using those educational apps to target ads specifically. And in fact, they stopped collecting student data for ad targeting last year after a California lawsuit questioned that practice.
But the EFF says that there's a little bit of a backdoor. When students are logged in to their student Google accounts but they're using, you know, other Google services like YouTube or they're searching Maps, Google is collecting that information after all. And when students are using Chrome on the school-issued Chromebooks, they're browsing the web, and Google potentially has access to their browsing history as well.
MCEVERS: OK, so that does sound creepy, but is it against the law?
KAMENETZ: Well, that depends on who you ask. You know, Google denies any wrongdoing here. They have signed a voluntary but binding pledge called the Student Privacy Pledge along with about 200 other companies, and that pledge says that Google will seek parental authorization for collecting data that isn't being used explicitly for educational purposes. And in this state, it would fall under that category because it's being used, perhaps, to better target Google's results in general but not for educational purposes.
And the EFF told me, though, that they just want Google to get permission. They want a dropdown the menu. They want students and parents of the students who are younger to be able to give permission before releasing or allowing this kind of data collection.
MCEVERS: Is that likely to happen?
KAMENETZ: Well, the politics of this are pretty complicated, as are the technological questions at stake. You know, EFF is raising these complaints as part of a broader student privacy campaign, and they're trying to strengthen a bill that's currently in the works in California. It's worth pointing out as well that there's a lot more action and a lot more rules around student privacy specifically than there is around children's privacy more generally. So you know, EFF's targeted this complaint - a student may be using a Chromebook to Google things in the school library, and they're not seeing any ads. But then they get home and say they turn on YouTube Kids, and they're being bombarded with ads. So you know, there really are a lot of loopholes here, a lot of uncharted territory, and I think a lot more work that needs to be done.
MCEVERS: That's Anya Kamenetz of the NPR Ed team. Thanks so much.
KAMENETZ: Thanks, Kelly.
AUDIE CORNISH, HOST:
Hackers are a threat to kids, too. Last month, the personal information and photos of more than 6 million children and their parents was stolen from a toy company.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED MAN: VTech has done it again - the new InnoTab 3S.
CORNISH: That's an ad for a children's tablet by VTech, which makes all sorts of other electronic toys.
MCEVERS: That tablet comes with a camera and the ability to text.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED MAN: Send text and voice messages, animated stickers, kids' own drawings, photos and more right to your smartphone.
MCEVERS: A few weeks ago, VTech says a hacker cracked into its customer database and grabbed children's names, addresses, passwords, birthdates and more, information that parents and their kids enter into VTech's website to use certain functions of their toys.
CORNISH: That hacker then went to the media to a tech news website called Motherboard to publicize the theft.
LORENZO FRANCESCHI-BICCHIERAI: This hacker reached out to me via encrypted chat, and he told me, I found something interesting that you might be interested in.
CORNISH: That's Motherboard staff writer Lorenzo Franceschi-Bicchierai.
FRANCESCHI-BICCHIERAI: What he told me was that basically, he found about this company. He just got curious, and he realized that their services were really easy to break into. And he just took a peek in, and he saw that there was a lot of personal data. And he was like, whoa, I should not be able to look at this.
CORNISH: Franceschi-Bicchierai says the hacker sent samples of what he had stolen to prove he had broken into VTech's database. That included kids' selfies.
FRANCESCHI-BICCHIERAI: He was able to download more than 190 gigabytes of pictures. And he showed me a few of them.
CORNISH: The hacker claims he used something known as SQL - or an S-Q-L attack - to grab all that data. And internet and security analyst Troy Hunt says VTech seriously dropped the ball.
TROY HUNT: It's the number one recognized risk on the web today. It's very, very easily discoverable. It's easily exploitable, and it has an enormous impact. And anyone who works building software certainly should know about this, but you know, here we are with all this data out there.
MCEVERS: Now Congress is getting involved. Massachusetts senator Ed Market and Texas representative Joe Barton sent a letter to VTech.
CORNISH: They want to know if the company's complying with a law called the Children's Online Privacy Protection Act. But Motherboard writer Lorenzo Franceschi-Bicchierai says you can't rely on a toy company to protect a child's privacy.
FRANCESCHI-BICCHIERAI: If you're a parent and you buy a VTech toy and they ask for your children's name or your home address and, you know, maybe don't, you know - input, like, a fake name or a fake address. You know, if the company doesn't need that address, you might want to, like, not give it out. And at that point, you know, even if they use it, then there's no damage there.
MCEVERS: VTech didn't reply to our request for comment. In a press release, the company says it has hired a security firm to help design a more secure approach to storing data.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.