Tell HN: My kid's school installed spyware and I can't remove it
I bought him a Chromebook for schoolwork, but also for other private things. When we logged in, the system installed GoGuardian monitoring software on the Chromebook without notice or permission.
And now I can't remove it. I wrote to GoGuardian support, and they replied that I had to contact the school or remove my son as a user. The instructions for removing him as a user do not work; on the contrary, I see the message "cps.edu manages this user and may remotely manage settings and monitor user activity" and he can't be removed.
I did a full factory reset, signed in to his account again, and now the system is once again locked down.
So now I'm in the position where I have to ask permission from a local government entity to please let me install stuff and don't monitor the computer I bought and paid for.
Does anyone know how to refer these people to law enforcement for prosecution?
[+] [-] mfreydavis|4 years ago|reply
1) You somehow 'enrolled' the device into the Chromebook management. This is hard to do by mistake but if you do, essentially puts the device under the control of the school district. It also uses up a license on their end. We only allow particular IT only accounts to enroll devices. 2) You're logging in with their CPS account. Once a person logs in with their managed account it can deploy user level policies that include everything you described: extensions, filtering, and blocking signing into another account in the browser. You'll also find some random pages are blocked to keep students from bypassing the restrictions.
That you can wipe the machine makes me think you didn't enroll it - if you wipe an enrolled device it will prompt/force you to re-enroll. You should be able to reboot the device so you land at the login screen and hit "Add Person" down at the bottom. From there sign in with a different Google account and it should be completely unaffected by any policy the school is deploying. Unless you enroll it, the policies are deployed to the Google account, not the device.
Its likely the CPS Help Desk Staffer you reached doesn't have the power to fix things for you if you've enrolled things - that usually requires permissions that are restricted to a few admins.
Feel free to shoot me a message via the email in my profile - I'm happy to give you some of the inside perspective and help you figure it out.
[+] [-] magicalist|4 years ago|reply
With GoGuardian, though, I think device level management is common? It's BYOD but it essentially becomes the district's device (and all the other accounts disabled) until you remove the managed account. It can't happen by accident, though, it tells you very clearly you're making it a managed device.
It sucks that schools are using enterprise management to monitor every thing a student does on their machine, but it's not a rootkit or something. If it's not the district's device just remove the account.
[+] [-] jcz_nz|4 years ago|reply
It boggles the mind what some of the posters above this are thinking.
Seriously, no one wants to spy on your home browsing habits - if nothing else because it creates a new workload and a potential liability for the teachers and the institution. Create a new profile, and you're good to go.
[+] [-] londons_explore|4 years ago|reply
The son can decide which account to log into based on what they plan to do that day.
[+] [-] quadrifoliate|4 years ago|reply
This is why you need to pay attention to the technology choices that you make, and that your schools make. Chromebooks are designed from the ground up to be locked-down dystopian spyware once you "log in" to them with a specific Google account. For heaven's sake stop buying any more Chromebooks.
The correct solution here is not technological at all. Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this. Emphasize stories of previous data breaches involving educational companies [1], and show officials that they are putting students' sensitive data at risk. (Edit: See the important point in the reply from 'n8cpdx below about the correct tone to use in your comments – don't repeat my words verbatim!)
The technical details don't matter too much to educational officials – as soon as the "Chromebook = bad spyware" label sticks and they think that a fuck-up here could cost them them bad press, they will allow their IT department to make more privacy-respecting technology choices even when those choices cost a little more. If no one speaks up, it's a race to the bottom driving us closer to the fiction in The Right to Read [2].
----------------------------------------
[1] https://techcrunch.com/2021/11/22/smarterselect-exposed-mill...
[2] https://www.gnu.org/philosophy/right-to-read.en.html
[+] [-] n8cpdx|4 years ago|reply
Just some comments on the political aspect of this, since the HN crowd tends to not be so good at that part:
- Following this advice and using a tone that even resembles the tone of the comment or the original post will make you look/sound crazy. School boards (government boards in general) are used to seeing vocal, crazy people and are good at not taking crazy people seriously.
- “spyware” is not something non-technical understand. Just invoking spyware is going to make people think you’re crazy, not motivate them to fix the problem.
- Normal people do understand things like ownership and consent (approximately, anyway). It might be better to highlight the fact that you own the laptop, your child cannot possibly consent to such monitoring/software being installed, and that you weren’t notified.
- Normal people understand things like subscription costs - why should the school district be paying a third-party service to monitor a device that they don’t manage. By installing management software on your child’s device, are they assuming ownership and _liability_ for how that device is used outside of school?
- The whole chromebook=spyware doesn’t really make sense unless the only comparison is Linux; and if your kid doesn’t understand privacy issues on a chromebook, they definitely won’t have a good time with Linux. The IT department could have just as easily installed similar spyware for Windows or macOS.
Realistically what probably happened here is they have slightly clueless people who installed standard-issue software without thinking to check if the student actually owned the chromebook, because they probably dealt with a hundred other District-issued devices that day. When you run into that kind of bad outcome from human frailty, it is better to treat it as such rather than complain to the board that the sky is falling.
[+] [-] evilDagmar|4 years ago|reply
Nonsense. They were designed to implement required policies when someone logs into a managed domain. Unless you're logging into something like that (where disclosures have been made and consent has been obtained) then there's no "dystopian spyware" involved. Absent any domain management policies, Chromebook are basically fancy thin clients that make efficient use of web-based services.
That having been said, the OP either conspicuously failed to mention that such disclosures were made, or (and this I find to be much more likely) the school was dumb enough to think they don't need to disclose anything because like a lot of school systems, they have gotten the curious idea that they basically own the kids and that the kids have no rights whatsoever. Should that be the case I hope a judge spanks them soundly for it because yeah, they absolutely do need to disclose this stuff to the students or the first time there's a serious problem due to abuse of the monitoring system the school is likely to get very, very pantsed for facilitating child abuse.
[+] [-] mdmglr|4 years ago|reply
This is some bad advice. No need to escalate the situation. Simply contact the sons school and find out who the technologist is and ask them for help. Explain to them the situation and I'm sure they will understand. The computer is personal so they don't want it under mobile device management.
I have some experience with schools. The school is not intentionally installing spyware. Further most public K12 organizations have IT departments are not going to be as well staffed/knowledgable as your average silicon valley tech company. So they may not know exactly how to rectify this situation. No need to berate the school board over "spyware."
[+] [-] op00to|4 years ago|reply
I recommend reaching out to your child's teacher, and ask to get connected with the IT team at the school to explain what's going on.
[+] [-] spamizbad|4 years ago|reply
[+] [-] JJMcJ|4 years ago|reply
And referring for prosecution is really going to go nowhere.
Best bet, contact the public service operation for one of the TV stations, maybe a newspaper, and maybe your city council member, to wake up somebody, either at your school or at headquarters downtown.
Prepare to be disappointed.
[+] [-] ocdtrekkie|4 years ago|reply
Source: https://www.theverge.com/2020/2/20/21145698/google-student-p...
[+] [-] dachryn|4 years ago|reply
I have intune on my personal ipad. And the idiots from our IT department accidentally wiped the entire thing. Just because I wanted to be able to read outlook mails. My iCloud was even blocked for a day or so. Despite their claims they can only manage the app itself and despite my protests that the fine print clearly indicates they could do so and that they should change their configuration.
At least I got an apology letter, but all these devices are desigend to be locked down by centralized IT departmens. Be it ChromeOs, iOS or Windows
[+] [-] throwawaybner3|4 years ago|reply
[+] [-] nextlevelwizard|4 years ago|reply
Whole point of Chromebooks is that they are minimal devices that can easily be adopted for school work. What I find strange is that OP had to buy their own machine. Anyway even if you somehow convinced the school to change to a Windows based laptops all you'd achieve would be a tier more expensive machines for the kids to use. The school would still require same "spyware" to be installed.
[+] [-] shapefrog|4 years ago|reply
I remember not so long ago when people were using this advice on health care issues;
Call into the school's board meeting during public comment, and make it loud and clear that the school is injecting your children with 5G mind control vaccines. Share your technical credentials and the method by which you found this.
[+] [-] girvo|4 years ago|reply
[+] [-] micromacrofoot|4 years ago|reply
[+] [-] coding123|4 years ago|reply
[+] [-] maxerickson|4 years ago|reply
[+] [-] footlose_3815|4 years ago|reply
[deleted]
[+] [-] yeetsfromhellL2|4 years ago|reply
There was a PA school district back around 2009 that issued laptops to students preloaded with spyware that let school staff watch students through the webcam, while the students were at home and not doing schoolwork. Neither the students or parents were informed of this. IIRC the FBI got involved but nobody actually got in any real trouble, I'm not even sure they were fired.
I wish things weren't this way. You could maybe use Wireshark and black hole anything the spyware tries to connect to at the router, or maybe add the addresses to the hosts file on the machine itself (not sure if ChromeOS lets you do this).
[+] [-] filesystem|4 years ago|reply
[+] [-] deathanatos|4 years ago|reply
IANAL, either. Just because the student is a minor, I don't see how that gives the school the right to pwn a private laptop (were the laptop a school laptop, my opinion would be different here); at best, this would seem to be the parent's machine, or right to decide, at that point.
The OP's post isn't very clear on how the school managed to get into a private laptop in the first place; he mentions they "logged on", but onto what? And how does signing into something permit installs? (There's a comment below that hypothesizes this might be an MDM profile sort of situation, and that's … trickier. But doesn't even an MDM login have an uninstall of some sort? (Although, IDK, perhaps Chromebooks just can't do that, but that would seem to be an issue then with their software. But I've never tried, as I don't usually go for MDM stuff myself, as companies that do it typically want too much permission onto what is my personal device.))
[+] [-] mdmglr|4 years ago|reply
[+] [-] kaladin-jasnah|4 years ago|reply
[+] [-] bastardoperator|4 years ago|reply
The important part here is that the computer is not usable with their software and that you have no way to remove said software despite being the owner of the computer.
[+] [-] salawat|4 years ago|reply
It's the poster's Chromebook. They has revoked authorization for the school to deploy $software on their machine.
Next step is the public school supplying a spyware'd laptop and NOT imstalling spyware on said parent's chromebook, but also said private chromebook not being used for school stuff.
If you want the district to not install spyware... Well... Lets just say, the poster is probably pissing in the wind in my experience.
[+] [-] gentleman11|4 years ago|reply
[+] [-] briandear|4 years ago|reply
[+] [-] duxup|4 years ago|reply
That’s by design though isn’t it? You logged in with a managed account and the policy was applied again?
The account is his school account right?
That’s pretty much how Chrome OS works.
This might just be a good lesson that you want to maintain device / role boundaries.
[+] [-] MereInterest|4 years ago|reply
And that's the problem. Signing onto a remote account is a request to access a remote resource, and should not be interpreted as granted the remote actor control over local resources. That Chrome OS works this way implies that Chrome OS is fundamentally flawed.
[+] [-] shapefrog|4 years ago|reply
This is the teachable moment here. Better for the poster and their child to learn it now rather than in the workplace.
It doesnt make it right, but the 90's and 00's with work browsing and email full of porn, dickpics and assorted filth were not right either.
[+] [-] trasz|4 years ago|reply
[+] [-] indymike|4 years ago|reply
When I contacted the school my ask was they remove the spyware from my Chromebooks. The first answer was, no. I asked again via the superintendent, and got a call from their IT director. I shared with him what my traffic monitoring found and a few days later I get another no.
My last try was simple... I paid a lawyer to write a simple letter demanding to have the software removed or be shown the warrant giving the school the right to install surveillance software on my laptop. The next day I get a call from the districts lawyer who wanted me to confirm the software had been removed, and it had been.
[+] [-] js2|4 years ago|reply
https://docs.google.com/document/d/1r7xOL4U9lL0qyqMIVl4eH2EM...
https://support.google.com/chromebook/answer/1059242?hl=en&r...
For school work, login to the CPS-managed account. Otherwise login to the personal account.
[+] [-] awinter-py|4 years ago|reply
https://support.google.com/chromebook/thread/117916330/how-t...
> Even if the Chromebook is your private device and your owner account is your private @gmail.com account, once you sign in with a managed account, even using a separate profile, the managed account polices become active.
> This is NOT a bug. It's required to maintain security of the managed environment. Whenever the managed account is active, ChromeOS management and the policies set by your administrators pwn the entire machine.
> Google promises bulletproof security to customers who license Chrome OS management, and having any instance of an active non-managed account available when a managed account and its resources are active is a potential security hole.
not a chrome-os user -- I imagine you can access the G acct via a browser without signing in the whole OS? if 'signing into gmail signs in the OS', maybe can do it via crostini linux
re law: illinois is the state that has the biometric privacy law iirc? you may be able to do a civil suit via that, if the device is sharing face images and you really didn't consent and you can prove it and the law was written with your situation and mind and CPS hasn't indemnified big G. my guess is you'd have to pay a few $k to a lawyer to evaluate the case and then many more $k on the suit, plus you probably have a TOS problem.
[+] [-] amatecha|4 years ago|reply
This kind of crap is fundamentally a violation of students' right to privacy. They deserve to grow up in a safe environment away from the prying eyes of crappy adults.
I mean, to that point, how secure is GoGuardian? Who has access to the administrative tools/etc.? What APTs have gained access to its systems? A system breach of any online system is effectively inevitable, or at least impossible to rule out. Do you think everyone with a Verkada camera thought hackers around the world are going to be tuning into their video feed?[0]
Anyway, stop buying tech that force you to give up your right to privacy to use it. You don't have to go 100%, but at least start looking at these kind of things before you shell out your hard-earned dollars.
[0] https://www.theverge.com/2021/3/9/22322122/verkada-hack-1500...
[+] [-] throwaway413|4 years ago|reply
When you login to the chromebook, you can log in with any Google credentials. The credentials the school gave your son are managed by them. If you log into that account, it configured the user session per the management of the account, so this will start a “managed” session for that managed user.
If you use a personal Google account, none of that should happen. It’s not a managed account, it’s a normal one, and there shouldnt be any additional provisioning.
You should be able to switch between them and use both independently.
However, if you are saying that is what you are doing, and the spyware isn’t respecting the config between users, then that is definitely a problem.
[+] [-] splch|4 years ago|reply
[+] [-] wanderer_|4 years ago|reply
[+] [-] Ansil849|4 years ago|reply
> So now I'm in the position where I have to ask permission from a local government entity to please let me install stuff and don't monitor the computer I bought and paid for.
I don't understand, this sounds like an issue with the account, not with the Chromebook.
Does this spyware persist on this device even if you sign into a different account?
If you look at third-party apps in the account settings, can you delete this one?
[+] [-] JonChesterfield|4 years ago|reply
It's annoying and generally a waste of resources so feel free to argue with the school at the same time. Corporate IT won't remove spyware from my work computer, school sounds likely to be similar.
[+] [-] donohoe|4 years ago|reply
https://ag.state.il.us/consumers/smlclaims.html
Get the cost of the Chromebook, some money for your time, and then donate the Chromebook to the school since its deadweight at this point.
My guess is that no one from Dept. of ed will show up and you'll get a summary judgment.
[+] [-] CodeWriter23|4 years ago|reply
[+] [-] d1sxeyes|4 years ago|reply
https://policy.cps.edu/download.aspx?ID=203
> I. Applicability.
> This policy applies to all students who use CPS Computer Resources and/or access the CPS Network (“Students”). Personal electronic devices (e.g. personal laptop) are subject to this policy when such devices are connected to the CPS Network or Computer Resources.
> IV. Privacy and Monitoring.
> A. Privacy. Students have no expectation of privacy in their use of the CPS Network and Computer Resources
> B. Monitoring. The Department of Information & Technology Services (ITS) has the right to access, search, read, inspect, copy, monitor, log or otherwise use data and information stored, transmitted and processed on the CPS Network and Computer Resources in order to execute the requirements of this policy [...] ITS reserves the right to: (1) access and make changes to any system connected to the CPS Network and Computer Resources to address security concerns.
[+] [-] dragonwriter|4 years ago|reply
You can simply look up the phone number for any law enforcement agency you want and call them. None of them are likely to do anything, however; even if there was a crime involved, they have no obligation to pursue anything, and it's almost certainly not something that is on anyone 8nnlaw enforcement’s list of priorities.
What you probably want to do is contact a lawyer and see if you have any civil law remedies.
Even if they are things you will eventually pursue in small claims court, you absolutely can get advice from a lawyer on causes of action and what you need to do, but in general forcing a behavioral change—equitable remedies—are not available in small claims (which mostly just allows limited monetary recovery) and you'd need a lawsuit in a “full“ trial court to force that (or, of course, a settlement agreement.)
[+] [-] harikb|4 years ago|reply
But I am not panicking though. The companies we work for make such software (list any “enterprise” security company here).
You might own the machine, but they will force the machine to be “managed” if you want to access their network.
Btw GoGaurdian also gets installed if you access the school “Google Suite” account from even your own PC or Mac, not limited to Chromebooks.
[+] [-] turtlebits|4 years ago|reply
[+] [-] evilDagmar|4 years ago|reply
Installing something you were given a chance to read the EULA and disclosures for is fairly reasonable, because you would have the opportunity to decline (and then they probably wouldn't be able to login to the schools network). The school using MDM to install the monitoring software _without disclosing this to the user_ would likely fall afoul of the law, because yeah if you paid for it you are the owner and what you say goes. Third parties are not allowed to install software on equipment you own without explicit permission. Additionally, to be even remotely ethical, this needs to be disclosed clearly and the first time the school login is used and the software installation is about to occur--not buried inside a school handbook somewhere.
If the school has been so bold as to ignore the need to disclose that they're installing something that records and reports all web browsing activity (which GoGuardian is designed to do), or if this software applies to other logins on the system which will be used by people who did not consent to being monitored, then the school needs to start hiring _competent_ people to administrate the network, because doing this with minors involved is just really begging for a judge to slap the school system hard.
The school system can (and should) make that policy only apply when the kid's school login is being used--so if they try to fob you off with that silly excuse, feel free to go ahead and start talking to lawyers. Google would not be amused to find some rinkydinky school administrators making claims that the attested environment used by ChromeOS may be trivially compromised by other users and thus justify installing the monitoring software to be in play all the time. Rather a lot of work has gone into creating that environment.