Tell HN: My kid's school installed spyware and I can't remove it
936 points by ccleve on April 4, 2022 | 417 comments
My middle schooler goes to Chicago Public Schools. They use Google Classroom for assignments and other communications.

I bought him a Chromebook for schoolwork, but also for other private things. When we logged in, the system installed GoGuardian monitoring software on the Chromebook without notice or permission.

And now I can't remove it. I wrote to GoGuardian support, and they replied that I had to contact the school or remove my son as a user. The instructions for removing him as a user do not work; on the contrary, I see the message "cps.edu manages this user and may remotely manage settings and monitor user activity" and he can't be removed.

I did a full factory reset, signed in to his account again, and now the system is once again locked down.

So now I'm in the position where I have to ask permission from a local government entity to please let me install stuff and don't monitor the computer I bought and paid for.

Does anyone know how to refer these people to law enforcement for prosecution?




I work for a school district (not CPS) with about 2000 deployed Chromebooks and you're likely running into one of two things.

1) You somehow 'enrolled' the device into the Chromebook management. This is hard to do by mistake, but if you do, it essentially puts the device under the control of the school district. It also uses up a license on their end. We only allow particular IT-only accounts to enroll devices.

2) You're logging in with their CPS account. Once a person logs in with their managed account it can deploy user level policies that include everything you described: extensions, filtering, and blocking signing into another account in the browser. You'll also find some random pages are blocked to keep students from bypassing the restrictions.

That you can wipe the machine makes me think you didn't enroll it - if you wipe an enrolled device it will prompt/force you to re-enroll. You should be able to reboot the device so you land at the login screen and hit "Add Person" down at the bottom. From there sign in with a different Google account and it should be completely unaffected by any policy the school is deploying. Unless you enroll it, the policies are deployed to the Google account, not the device.

It's likely the CPS Help Desk Staffer you reached doesn't have the power to fix things for you if you've enrolled things - that usually requires permissions that are restricted to a few admins.

Feel free to shoot me a message via the email in my profile - I'm happy to give you some of the inside perspective and help you figure it out.


This response should be higher instead of the useless armchair lawyering :)

With GoGuardian, though, I think device level management is common? It's BYOD but it essentially becomes the district's device (and all the other accounts disabled) until you remove the managed account. It can't happen by accident, though, it tells you very clearly you're making it a managed device.

It sucks that schools are using enterprise management to monitor everything a student does on their machine, but it's not a rootkit or something. If it's not the district's device just remove the account.


I think GoGuardian is normally full device, but on Chromebooks it is installed via extensions. Extensions on Chromebooks are 'user' policies so they are applied to entire OUs of users. (docs here for anyone who is interested: https://support.google.com/chrome/a/answer/6177431?hl=en#zip...)

These types of solutions are really common for schools because under CIPA you must filter your network to receive e-rate funding. Deploying it to the device meets these requirements and also extends filtering off site which is a commonly requested feature.

If it is just being managed at the user level - then creating a second account is exactly the way to go.


^ This guy is correct. OP is vastly overstating the situation or uninformed.

Unless it was school provided hardware, management is done at the account level and accounts are fully isolated.

Powerwash (https://support.google.com/chromebook/answer/183084?hl=en) the device, log in with a personal account to make it the primary, and then log in with your kid's school account. Yes they will be monitored when logged in to the school account, but that is for compliance with the law. If you don't like it, write your representative.


What law are you referring to? How could a device owned by the student/parent require monitoring while not in school?


Not the device, the student district-managed account that is logging into the device. Districts are bound by law (varying from state to state) at a basic level to filter content and restrict access in the broadest sense, on or off the district network. I've worked in multiple states for various districts they all had similar compliance requirements.


I don't see how the mere fact of someone being logged into a school account could create such a requirement. If I log into the school account from a normal desktop computer, I don't believe that the school even has the ability to restrict what webpages can subsequently be accessed. Is the school then failing to meet its responsibilities? If not, then how could they be required to enforce this on a chromebook that they do not own?


We run Chromebooks. I'm logged into one right now, on my personal account. There is no way for me, the GSuite admin of my company, to fuck with that personal account.

I can't read anything from it, I can't manage it in any way, I can do nothing. Some things in the personal account aren't accessible (you can only have one account on Chromebooks with a Linux VM), that's it.


Not true, and also not possible.

If a kid or parent can log in from offsite, it is not technically possible to force all browsers or systems to monitor and restrict activity. I can log in through Firefox (or curl, for that matter) and not have my activity sent to the school.

Also, there is absolutely no legal way the school could force the monitoring of activity from an offsite computer (unless it were school-owned), even if it were technically possible. To secretly and silently install spyware on a parent's computer when the parent logs into the child's account would violate so many laws and constitutional protections I can't even list them.


The article you recommend for resetting a device itself says:

"If you're using your Chromebook at work or school, you can't reset it."

So it likely does not apply here.


Yeah seconding this both as a parent and someone who has worked in education IT (K12 and higher ed) for almost 15 years. I'm not familiar with GoGuardian but I do recall with certain 3rd party Google apps that did similarly there were ways within the admin console for said app to exclude monitoring devices (regardless if managed account that's logged in) unless they were on the district network(s) by adding CIDR blocks to a whitelist. Of course, if someone were to use the device on a BYOD network in district you could then get scooped up in that dragnet though we excluded even those networks to prevent this as all district devices should be connected to the proper LAN.

I've personally forbidden my kids from logging into devices we own with their school accounts (O365). I've also gone so far as to relegate them to only connecting to a segmented guest network (internet only) with their district issued devices. I no longer work for a district but provide various levels of support for districts in my county as a state employee and let me tell you, no one really knows what they're doing. A district I used to work for uses a product called Aristotle essentially logging key strokes of every staff member and student. There are, or were, certain school admins that made it their business disciplining bored-ass students for things 99% of the time they may have said in jest to a fellow student. On the flip side it was instrumental in catching a couple staff members that were doing some pretty heinous things, one of whom is currently serving 35 years on federal charges.


No, it should only be the district's device while the district student's login is being used. There's still very much a legally-enforceable expectation of privacy for the other possible users of the machine.

That the user is the actual owner of the equipment makes it pretty important that someone at the school system defined the MDM policies properly so as not to violate other users' privacy rights. ...but considering the way most of them are staffed, they probably screwed up and need to be shown the right way to do it before they land themselves in court.


Why is it ever the "district's device?" It's owned by the parent, it's being used at home. What justification does the district have to monitor anything that's happening not at school using equipment that they do not own that does not involve any of their servers?


It isn't the district's device. OP just enrolled it in the School's GSuite organization so, obviously, policies got pushed. They can just... not do that.

If they want to log into apps or whatever on the Chromebook, they do need to do that. At that point the device has to follow policies for accessing the school's services or whatever. They still don't own the device, but they can push policy to it. At any time the device can be removed from the organization, but that has to be done by the organization, I believe.

Of course, you can have multiple accounts on the Chromebook, so they could just have the device enrolled for one user, but have a personal account not enrolled.

It's all pretty straightforward.


Have written Chromebook extensions for large school systems. The OP is absolutely correct.

It boggles the mind what some of the posters above this are thinking.

Seriously, no one wants to spy on your home browsing habits - if nothing else because it creates a new workload and a potential liability for the teachers and the institution. Create a new profile, and you're good to go.


So, it sounds like the best advice to OP is to create another 'home' account for their son, on the same device, which won't be monitored or affected by anything the school does.

The son can decide which account to log into based on what they plan to do that day.


Probably better to log in (or not) to the Chrome OS device as a personal account, and then log in in the browser (private mode perhaps?) to the school account to do the classroom stuff. I don't think logging in to the school account in Chrome the browser will trigger the same behavior as logging in to the school account in Chrome the OS.

You may need/want to powerwash the device again.


> The son can decide which account to log into based on what they plan to do that day.

You can log into multiple accounts at once on a Chromebook. ctrl + alt + `.` lets you switch between workspaces across accounts, and you can right click windows to move them across workspaces. I'm doing this right now so I can post on HN from my personal account while I code for work.


No, at this point they probably can't. It's locked down the way it is to specifically prevent that sort of thing.

It should be removed from enrollment, the IT dept doesn't want that on there any more than OP does.


I experienced scenario #2 on my son's Chromebook during pandemic school closings. One day he logged in with his school account and about half the apps were disabled, including core stuff he needed to do school work. I got the "we can't control your computer, that's not how computers work" speech from the school. It was one of the most frustrating things I've ever experienced. The policies finally got fixed a few days later, but I'm pretty sure the people I talked to thought I was crazy.


Agree. We have filtering on our kid's Chromebook, but only when they log in as a user to their school account. They have their separate account which gives them their own space.

Certainly you WANT the school district to do some filtering for the school accounts, right? I mean, I think ours locks it down so tight that students can't get outside emails until they are whitelisted somehow...


> Certainly you WANT the school district to do some filtering for the school accounts, right?

a) No. Filtering (if there is any) should be limited to their own network or a school-issued device, not some device the school system doesn't own.

b) Filtering only the school accounts is pointless if the student can just switch to a non-school account (or guest account) and access whatever they want there.


> Filtering only the school accounts is pointless if the student can just switch to a non-school account (or guest account) and access whatever they want there.

From the district's perspective this does have a point: it removes perceived or actual liability for things that the student could be exposed to or experience using their managed services. Being able to tell an offended parent "not our account, not our device, not our problem" versus having to answer for "but he was logged into his district managed Google account, shouldn't you have protected him?"


Your A) is exactly what is happening. Filtering on school account only.

On B) I agree that kids can and will do anything they want on other accounts including just opening their phone! But what happens on school sponsored email, virtual drives, and applications should be controlled I would think. It opens the school to liability if nothing else.


> Your A) is exactly what is happening. Filtering on school account only.

I said "their own network or a school-issued device". Not "on school accounts".

Part of the blame here resides with Google for tying login on Chromebooks to an email address & automatically signing in to various other (possibly managed) services linked to that email when all you really want is some local storage and a web browser. An email address is an identity. A student might not have any other email address—sure you can create a new one pretty easily, but this is how they identify themselves to everyone else they know; inventing an alter ego for non-school activities is a bit much to ask. Facebook and the like don't impose a "managed mode" on your private PC and monitor your access to other sites and apps at the OS level just because you signed up with your school email. To basically anything but a Chromebook your email address is just an arbitrary username which happens to also be a place where you can receive messages.

It should be possible to log in to a Chromebook using an organizational email address without enabling remote management of the Chromebook. You may not be able to access certain managed services as conveniently (though these should also be available as regular web sites, sans device management) but other apps and web sites not linked to the organization should work as usual. And it should be possible to have multiple distinct profiles (e.g. personal and school) with the same email address, and different management settings, if you're going to require an email as the login.

> But what happens on school sponsored email, virtual drives, and applications should be controlled I would think.

So control them—on the server side, which is part of the school's network. They're monitoring all use of the Chromebook while signed in to this account, not just the school's network, services, and applications. Even, apparently, while the device is switched to another account after logging in to the student account.


This.

Then again this site is mostly developers. They have no idea about SCCM, Intune, JAMF and other MDMs and how they work.


> I bought him a Chromebook for schoolwork, but also for other private things. When we logged in...

This is why you need to pay attention to the technology choices that you make, and that your schools make. Chromebooks are designed from the ground up to be locked-down dystopian spyware once you "log in" to them with a specific Google account. For heaven's sake stop buying any more Chromebooks.

The correct solution here is not technological at all. Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this. Emphasize stories of previous data breaches involving educational companies [1], and show officials that they are putting students' sensitive data at risk. (Edit: See the important point in the reply from 'n8cpdx below about the correct tone to use in your comments – don't repeat my words verbatim!)

The technical details don't matter too much to educational officials – as soon as the "Chromebook = bad spyware" label sticks and they think that a fuck-up here could cost them bad press, they will allow their IT department to make more privacy-respecting technology choices even when those choices cost a little more. If no one speaks up, it's a race to the bottom driving us closer to the fiction in The Right to Read [2].

----------------------------------------

[1] https://techcrunch.com/2021/11/22/smarterselect-exposed-mill...

[2] https://www.gnu.org/philosophy/right-to-read.en.html


> Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this.

Just some comments on the political aspect of this, since the HN crowd tends to not be so good at that part:

- Following this advice and using a tone that even resembles the tone of the comment or the original post will make you look/sound crazy. School boards (government boards in general) are used to seeing vocal, crazy people and are good at not taking crazy people seriously.

- “spyware” is not something non-technical people understand. Just invoking spyware is going to make people think you’re crazy, not motivate them to fix the problem.

- Normal people do understand things like ownership and consent (approximately, anyway). It might be better to highlight the fact that you own the laptop, your child cannot possibly consent to such monitoring/software being installed, and that you weren’t notified.

- Normal people understand things like subscription costs - why should the school district be paying a third-party service to monitor a device that they don’t manage? By installing management software on your child’s device, are they assuming ownership and _liability_ for how that device is used outside of school?

- The whole chromebook=spyware doesn’t really make sense unless the only comparison is Linux; and if your kid doesn’t understand privacy issues on a chromebook, they definitely won’t have a good time with Linux. The IT department could have just as easily installed similar spyware for Windows or macOS.

Realistically what probably happened here is they have slightly clueless people who installed standard-issue software without thinking to check if the student actually owned the chromebook, because they probably dealt with a hundred other District-issued devices that day. When you run into that kind of bad outcome from human frailty, it is better to treat it as such rather than complain to the board that the sky is falling.


I agree one hundred percent with this commenter. They are absolutely right – don't use the tone that I'm using on HN! I did not structure my HN comment from the point of view of how to present it for public comment; and the tone if used verbatim will mark you down as "tinfoil hat crazy person who we should ignore", as the parent correctly points out.

Definitely don't use the term "spyware". Try to assume the persona of a reasonable, slightly conservative, and concerned person who is worried about data privacy and why public money is being spent on subscriptions to companies who collect a lot of it, but are not local or accountable. Highlight that you understand that choices are difficult, but that the school needs to do better and be more accountable to parents and students, especially in an age where personal data has become so important.


Even better, contact other parents ahead of time and see if others are concerned. Expand your group of concerned people by following their natural networks and start collaborating on a joint proposal.

Ideally you can collectively find a workaround (start by emailing IT, as someone else suggested, if that doesn't work, maybe schedule a meeting with someone more influential -- either way, the aggregate wisdom of your parent group will come up with more creative solutions than us at HN). Once you have a solution, craft a flyer and send to all parents: "This is what we saw as a problem, and this is what we did about it. Contact us if you want help."

If all else fails, stand up together in the board meeting.

Democracy does not require permission.


> Following this advice and using a tone that even resembles the tone of the comment or the original post will make you look/sound crazy.

Thank you. Also, please ignore every comment in this thread suggesting you lawyer up or go to small claims court. The laptop isn't ruined and can be reset whenever the OP wants (as they already established).

If you go in guns blazing to the school board, the school is going to go into full defensive mode. Once you've established yourself as the aggressive parent with an axe to grind, they're not going to be interested at all in working with you.

If you actually want to get anywhere with this, start with a friendly e-mail to the school's IT staff. Ask them how your child can do their schoolwork without putting the laptop under school control. If you go in with a reasonable approach, you might get a sympathetic IT person who will walk you through the situation and explain the options.

> Realistically what probably happened here is they have slightly clueless people who installed standard-issue software without thinking to check if the student actually owned the chromebook

That would be my first assumption. I would even guess that they aren't keen on having yet another license tied up on a student's device somewhere.

Don't immediately rush to assumptions of malicious intent, don't think that making a scene at a school board event will further your goals, and definitely don't take any of the suggestions here to lawyer up or otherwise waste a lot of time and money on a legal fight that you will surely lose.


> The laptop isn't ruined and can be reset whenever the OP wants (as they already established).

I take it that it's fine that I install a microphone with a transmitter in your ceiling fixture so long as I don't damage the fixture itself.

> Don't immediately rush to assumptions of malicious intent

Is there a good reason to doubt that the intended purpose for installing the software was to use its advertised functionality?


If they thought the laptop was school property, then comparisons to wilful intrusion into someone’s house are hyperbolic, and no it wasn’t malicious. It would be more like if the cops had a valid warrant to track a suspect’s car, but installed the tracker in the wrong car by mistake.

Best to establish the facts first.


Installing monitoring software (spyware) on a laptop that is owned by the school is legit only if you consider the student exactly that: a suspect. In that sense, your comment is spot-on.

Following that logic, the act itself does not seem malicious. However, the logic of seeing students as suspects is.


I have a sort of extremist take on this: students are literally prisoners. The job of a high school is to keep students from harming each other, feed them, and occasionally teach them something.

It’s why one of the highest offenses is to leave school grounds during school. Ditto for prison.

In that light, of course students are suspects. They’re already guilty of not being adults. They’re not allowed to have jobs, or to decide what they want to learn, or any of the other things that make adults human.

I don’t know what to do about it, but recognizing it seems step one.


> students are literally prisoners

You're being downvoted, but I often felt exactly this way throughout my school years.


> However, the logic of seeing students as suspects is.

Is it? I don’t think I know any high school student that hasn’t tried to muck with, or work around, the school’s systems.


And "solving" that "problem" is not a good thing.


That's fair, I'm not saying they are right to do it in that sense.


> If they thought the laptop was school property, then comparisons to wilful intrusion into someone’s house are hyperbolic

So if you're renting an apartment from me, I am right to spy on your children with my ceiling bug?

> It would be more like if the cops had a valid warrant to track a suspect’s car, but installed the tracker in the wrong car by mistake.

The school is not a police force; nothing warrants their privacy-intrusive surveillance of my children without my consent in the first place.


> If you go in guns blazing to the school board, the school is going to go into full defensive mode. Once you've established yourself as the aggressive parent with an axe to grind, they're not going to be interested at all in working with you.

Too bad! They can be voted out, or face lawsuits if a heated attitude is too much for them that they feel the need to ignore valid feedback regardless of the emotions involved.

I've heard the same argument used for angry minority communities in the past, so this very much applies here as well. The heated rhetoric school boards are seeing today is reminiscent of a body that isn't listening.


The question I like to ask myself in instances like these, when I'm pissed off at what I see as unreasonable attitudes and processes, is this:

Do I care more about making myself feel better by airing my grievances in whatever way suits my fancy, or do I care about a specific outcome?

If it's the latter, then the best thing to do is to figure out who is in charge, and, critically, the right way to talk to them in order to get the response -- and hopefully the outcome -- I want.

Sure, I could turn this into a crusade to vote out the school board and replace them with... who, exactly? The kind of people who are qualified and likely to get elected are probably pretty similar to the people there already: not too technically-inclined, and not willing to put up with an aggressive attack from parents. Even if I did manage to find and elect a school board that would take this kind of issue seriously without needing much prodding, by the time I went through this whole process, it'll be... a year? Two years? More? The ship will have sailed, and my hypothetical kid will have leaked all their private data to the school's nanny software already.

So hopefully I'd instead do the smart thing, approach the school board in a way that resonates with them, and get the outcome I want.

> I've heard the same argument used for angry minority communities in the past

I don't think this really applies here. Most "angry minority communities" are fighting for things that are systemically stacked against them, and often the "polite" approach doesn't work. But we're not talking about systemic oppression here; we're talking about an overworked, underpaid school IT department that doesn't have much choice in what they do, directed by a school board that doesn't understand the issues involved.


This! The most important thing I'm asking myself: What do I want to achieve? Does "yelling" at people raise my chances of achieving this? Later on, when my immediate goal is achieved, I can decide whether I care enough to follow up or not. First things first - sort out your priority.


>Too bad! They can be voted out, or face lawsuits if a heated attitude is too much for them that they feel the need to ignore valid feedback regardless of the emotions involved.

Only the world doesn't magically grant wishes to Kens and Karens, just because they feel strongly about something and how right they are. The person taking that board to court or trying to vote them out could just as trivially lose.


They can't be voted out by you alone though. And what he wrote about the school is just as true for the majority of other parents.


> Following this advice and using a tone that even resembles the tone of the comment or the original post will make you look/sound crazy. School boards (government boards in general) are used to seeing vocal, crazy people and are good at not taking crazy people seriously.

I agree with the general point of your comment but this is simply not true any more. I’m not sure it was ever true, but recent coverage of school boards and environmental review public consultation throughout the United States demonstrates that it certainly isn’t true in 2022.


Totally agree with you in every way except your last point. IIRC, the administrators of a Google Workspace domain have almost complete control of the accounts created under it. For example, they're able to make sure that each account comes with preset Chrome Web Store extensions or they can limit or completely disable your control over your account. So, unless the school board locked down the Chromebook itself, (which I don't think they can unless they actually own it) these restrictions and the spyware would've been automatically "installed" on OP's kid's account and shouldn't be active/installed when you're logged into a privately owned Google account. All in all, the way Chromebooks work is unconventional and sometimes very annoying.


If I recall, the language that's used in situations like these is something along the lines of "Personal electronic devices will be governed under this policy when such devices are attached to the CPS network." So .. it's an "as long as you're going to connect to the CPS controlled network / resources, you must have software protections / controls in place".


Except it sounds like the spyware is still installed even if they log in with their personal account? The isolation principle is violated. It's a huge security hole.


I have a huge smile reading this comment. Thank you. Far too often the tech community gets totally lost in their own world. A world that 99% of people don’t inhabit.


> “spyware” is not something non-technical people understand. Just invoking spyware is going to make people think you’re crazy, not motivate them to fix the problem.

It's also vague. Make sure parents know exactly what data is being gathered, and who gets it. And point out that this is being kept hidden from both children and parents - if the spying is above-board, then why doesn't the device give a big "All your chat messages and internet activity is being monitored by XYZ, even outside school hours" notice at log-in?

Was the existence and extent of this spying communicated in any clear way, by the software or by the school, or buried deep in a click-through agreement?


The biggest thing is that if you are calling to complain, then you will IMMEDIATELY be discredited. They don't have any reason to keep you happy, so complaints mean absolutely nothing. You cannot come with complaints - you must come with a solution, already prepared, such that it is easier for them to implement the solution than to not. People will always, 100% of the time, take the path of least resistance - actually make the path not resistant at all and it's the only way you can convince anyone to do anything.


It seems like the path of least resistance here is “only use school equipment to access school accounts”, create the kid a non-school Google account, and only use non-school accounts (his and others) on the private Chromebook.

I find it annoying but acceptable that my work account doesn’t function on my non-work computer.


I find the behavior as implemented entirely unacceptable. My work has Google apps and that caused a Chromebook I was using to immediately jump to managed by the company as soon as I logged in with my work account despite having no intranet/etc and no one intentionally configuring anything. It would never allow me to do regular processes for the chromebook's management even after full resets.

The whole point of a restricted boot environment is to have multi user with proper separation where one user can't accidentally compromise the system. If an org is still unhappy mixing with other accounts or being on user provided hardware they should be able to block that. Stealing hardware and implementing anti-theft rules that should apply to verified org provided hardware on first login is a crime.

Years ago, I debated Chromebooks as a solution for older relatives. Now I shudder to think what would have happened if I had and one of their nieces/nephews or grandkids had something to show them from school.


Having seen the absolutely atrocious screens in the school furnished chromebooks I half believe Vtech put higher res screens in their 90's kids laptops.


Bring this concern to the school board: Say your child is making homework all alone, in their room, total privacy. Is it true that the monitoring software can at that moment look at the webcam and listen in to the microphone's audio? If no consent was given, that should be pretty bad for the school board.


> The IT department could have just as easily installed similar spyware for Windows or macOS.

Just a nitpick here, yes school IT could do a remote install of spyware if the user was privileged and agreed to it. But a privileged user could also uninstall it. Which is not the case here. In my experience with MDMs the school has to physically have the laptop to install a permanent MDM or purchase the laptop and provision through an activation portal. My experience has been Intune Autopilot and ABM.

Google Work MDMs was notorious for remotely wiping personal devices which is why I never allow work to install MDMs on my personal items.


I've worked in IT support and had issues with parents who let their children use their work computers for school having the chrome browser locked down by the school.

The only fix that worked was exporting the logins and passwords, deleting them from Chrome, and then reinstalling Chrome with a different login. I don't want my coworkers' work data in the hands of their children's schools' IT dept, and I've let them know that this can count as a data breach (fortunately, so far none of them have been privy to any important data).

Suffice it to say, don't let your kids use your work laptops, and don't log into your child's school accounts on your work computer.

This should be really obvious but apparently it is not.


>- “spyware” is not something non-technical understand. Just invoking spyware is going to make people think you’re crazy, not motivate them to fix the problem.

Even if you say the school is installing stuff that allows them to monitor your child instead of using the term 'spyware' that may not be too compelling, I suppose a lot of parents will reflexively think - so, that's the school's job.

Thus the need to focus on how these things have been misused in the past, maybe say it's their job to monitor your child during school hours, but after school hours it's your job.

Also note how you bought the computer, it is your property, you can use it how you wish, if they want it to be otherwise they should buy the computers for children.


Use examples that help non-technical parents understand e.g. anonymous spyware employees can now potentially spy on your children while they’re getting dressed.


Brilliantly written feedback, I hope folks take it to heart.


The other thing I'd add is the only way to impact the school system is to create an alternative (private or charter) or get your own people on the school board. Or if you’re really rich, hire a lawyer, but that’s kind of an %sshole move because then the school district has to either cave to everyone hiring a lawyer, or fire the music teacher to pay for legal defense.


School choice would do a lot to get schools to compete and be the best possible.

Charter schools are something we use now. Hardly perfect but it’s a lot nicer.


Charter schools leave a lot of kids behind, especially if they have special needs.


Depends on the charter school. In New York the Special Ed kids at Success Academy outperform Gen Ed kids citywide.


Not the OP but: IME, in the EU, being tough, not vocal, and threatening legal action with a serious basis works very well; most institutions know they have skeletons in their wardrobe and they do not like to face someone who is not crying but very determined to hit with all legal means, especially if there are also ideological motivations.

Spyware is a very well, generally understood term: someone breaches someone else's privacy deliberately, which means complaint, court and uncertain results for those who decide to spy. Surveillance capitalism is ignored by most, but known as evil, so once someone talks about it, pointing the finger at a school, not a hyper-giant player, people likely rise up. They imagine in their mind a naked child spied on via the webcam etc. in an instant. While they normally do not understand anything about ownership and consent on "digital stuff".

Oh, BTW what "realistically happens" has exactly zero meaning: the possibility of doing so on unmanaged computers means a built-in RCE so big that such products must not be on the market. Remote control of desktops must be deployed on purpose, not come pre-installed from factories, because anyone can use a pre-installed system in place. If that's true, at least in the EU, there is room for legal action against the OEM, not only the school.


> When you run into that kind of bad outcome from human frailty, it is better to treat it as such

I take it, then, that you would not bother to do anything about the descent down the slope to uniformity controlled by MAMAA?


> Chromebooks are designed from the ground up to be locked-down dystopian spyware once you "log in" to them with a specific Google account.

Nonsense. They were designed to implement required policies when someone logs into a managed domain. Unless you're logging into something like that (where disclosures have been made and consent has been obtained) then there's no "dystopian spyware" involved. Absent any domain management policies, Chromebooks are basically fancy thin clients that make efficient use of web-based services.

That having been said, the OP either conspicuously failed to mention that such disclosures were made, or (and this I find to be much more likely) the school was dumb enough to think they don't need to disclose anything because like a lot of school systems, they have gotten the curious idea that they basically own the kids and that the kids have no rights whatsoever. Should that be the case I hope a judge spanks them soundly for it because yeah, they absolutely do need to disclose this stuff to the students or the first time there's a serious problem due to abuse of the monitoring system the school is likely to get very, very pantsed for facilitating child abuse.


Agreed, domain admins can also lock down Windows, iOS, Android, and MacOS.

The school is effectively making the computer a terminal into their system. Their system, their rules.

I know the OP won't like this answer but the OP should buy their kid another computer for their non-school activities. Of course they could also complain to their school/district to change the policies. Personally, I'm used to it. I have a personal computer for my own use and a corp computer that's managed by corp and is locked down. I don't complain the corp computer is locked down (except when it gets in the way of doing my actual job). For all personal stuff I use my personal computer.


That corp computer is owned by your employer. If instead you are a consultant who does work for several clients on your own machine, then it would be unreasonable for them to lockdown your personal machine. Instead, if they want you to use a more secure solution, they should provide the computer.


In my company setting up the office email on our personal phone is optional. But if we choose to do that, they install this entirely new 'profile' with work apps and controlling software on that in the name of security. I chose not to install it, but some would surely do it. Probably no case can be made against them as they don't force their employees to install mail on their phones.


I did that for convenience (though now I removed it), but the work profile seemed to be well compartmentalized from the personal part, and there was a strong emphasis on this fact before the installation process. If they were to wipe it, only the work profile would be affected. I fortunately never had to try it...


Right, but if you add your account to their organization so that you can get onto their network, don't be surprised when they push policies.


No but if you add their MDM to your personal PC they can push policy to it.


"The school is effectively making the computer a terminal into their system."

I agree with this. If you had an rdp / citrix / ssh session to your employer you'd expect them to control what's on the other end. A Chromebook on which you're using a work/school account is much closer to that experience than a PC, but with the lines unfortunately much more blurred.


> consent has been obtained

Has it been, in this case? If a parent says 'I do not agree to this', then what? Will the school district swap the system out for one that doesn't require end users to waive their legal rights? Has that ever happened when a parent objected to one of these EULAs, even once?


Not to mention, consent can be revoked at any time in the future without reason. Giving consent once does not mean you have consent forever.


The school district should give the student a (locked down) computer. No waiving of legal rights is necessary.


One solution could be to set up the laptop with a personal email account and configure the school email address to forward everything.


If the student needs to use a Chromebook for school, that won't work. On my daughter's Chromebook, every app and website is tied to the account. It's not just a question of forwarding email.


You can have multiple accounts on a Chromebook.


As others have mentioned above, GoGuardian is at the device level, not the account level.



Yeah, I’m assuming a lot about the ability to do what you need to do without a school account.


Not really applicable with the Chromebook, but in general I guess the safest thing is to log in to the school stuff only from a VM? (At least that way the damage is limited.)


> Chromebooks are basically fancy thin clients that make efficient use of web-based services

This reminds me of Asimov's Multivac home terminals where every user, in the comfort of their home, could dial in a query on their computer terminal and the massive infrastructure which is the continental-sized Multivac computer will respond with an answer.


> they absolutely do need to disclose this stuff to the students

In this case the student is not the owner of the Chromebook. They need to disclose this stuff to, and obtain consent from, the parents before taking control of the device.


> (and this I find to be much more likely) the school was dumb

It makes me cringe that this is an accurate assessment of how our educational system is run.


> Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this. Emphasize stories of previous data breaches involving educational companies [1],

This is some bad advice. No need to escalate the situation. Simply contact the son's school and find out who the technologist is and ask them for help. Explain to them the situation and I'm sure they will understand. The computer is personal so they don't want it under mobile device management.

I have some experience with schools. The school is not intentionally installing spyware. Further, most public K12 organizations have IT departments that are not going to be as well staffed/knowledgeable as your average Silicon Valley tech company. So they may not know exactly how to rectify this situation. No need to berate the school board over "spyware."


Oh no, there's no way the school system didn't know they were installing monitoring software. It would be fairly reasonable for them to require that in the context of students logging in to access and use school resources (i.e. lessons) and to keep them from just goofing off.

What is not reasonable is the very real possibility that they might have overstepped and made these policies active for all logins on the device, or that they failed to properly disclose what exactly happens when the user uses the domain login. That would then make what's been installed very worthy of the term "spyware" and would probably make both GoGuardian and Google upset with them because it's unnecessarily heavy-handed and pretty much guaranteed to bring bad press.

Part of the reason these things are so locked down is so that management policies can be applied to ONLY the logins that require them without impacting the entire device all the time. If someone tries to sidestep that by grabbing root access and messing with the trusted environment, when the user logs into the managed domain the machine is going to report that its environment has been tampered with and that should pretty immediately bring use of any domain-managed accounts to a halt. You wind up actually jumping through the same hoops (although more discreetly and without involving logging/reporting of browser history) when you use your bank's banking app or have Microsoft Teams/Outlook installed on your phone. Both of these things absolutely require their data be kept separate from the rest of the user's data, and very carefully protected from the other apps on the device.


I agree. What I should have typed instead of "The school is not intentionally installing spyware." is that they probably did not intend to install the spyware on personal machines of students that logged in with their school Google account. Perhaps there is a management policy misconfigured or the student got confused and enrolled the device.

From my understanding, if you set up a personal Chromebook you can then log in to Google Classroom via the Chrome browser and it should not enroll the Chromebook in MDM. At least when I log in to my Chromebook it does not enroll my device.


GoGuardian is an extension tied to the user and installed at login. This extension only runs on chromebooks and does not know which device is owned by who.
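
Whether a force-installed extension comes from user-scope (account) policy or device-scope policy, which is the point this thread disagrees on, can be checked from the policy list at chrome://policy. The sketch below is an added example, not code from any commenter, Google or GoGuardian; it assumes the JSON layout of that page's export (which varies by Chrome version), and the sample export and extension ID are constructed.

```python
import json

# Constructed sample, modelled on the "Export to JSON" output of chrome://policy.
# The key layout is an assumption; it has changed between Chrome versions.
# The extension ID is a placeholder, not the ID of any real extension.
SAMPLE_EXPORT = json.dumps({
    "chromePolicies": {
        "ExtensionInstallForcelist": {
            "level": "mandatory",
            "scope": "user",
            "source": "cloud",
            "value": [
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;"
                "https://clients2.google.com/service/update2/crx"
            ],
        },
        "IncognitoModeAvailability": {
            "level": "mandatory", "scope": "user", "source": "cloud", "value": 1,
        },
    }
})

# Scope labels treated as "applies to the whole device" (assumed spellings).
DEVICE_SCOPES = {"machine", "device"}


def iter_policies(export):
    """Yield (name, entry) pairs from either assumed export layout."""
    yield from export.get("chromePolicies", {}).items()
    chrome = export.get("policyValues", {}).get("chrome", {})
    yield from chrome.get("policies", {}).items()


def summarize(export_text):
    """Group policy names by scope and list every force-installed extension."""
    export = json.loads(export_text)
    report = {"by_scope": {}, "forced_extensions": []}
    for name, entry in iter_policies(export):
        if not isinstance(entry, dict):
            continue
        scope = str(entry.get("scope", "unknown")).lower()
        report["by_scope"].setdefault(scope, []).append(name)
        if name != "ExtensionInstallForcelist":
            continue
        value = entry.get("value") or []
        if isinstance(value, str):
            value = [value]
        for item in value:
            # Each entry is "<extension id>;<update URL>"; the URL is optional.
            ext_id, _, update_url = str(item).partition(";")
            report["forced_extensions"].append({
                "id": ext_id,
                "update_url": update_url,
                "scope": scope,
                "source": entry.get("source", "unknown"),
            })
    return report


def verdict(report):
    """Classify where the forced extensions come from."""
    if not report["by_scope"]:
        return "unmanaged"
    forced = report["forced_extensions"]
    if not forced:
        return "managed, no forced extensions"
    if any(ext["scope"] in DEVICE_SCOPES for ext in forced):
        return "device"
    return "account"


if __name__ == "__main__":
    result = summarize(SAMPLE_EXPORT)
    for ext in result["forced_extensions"]:
        print(ext["id"], ext["scope"], ext["source"])
    print("forced extensions follow the:", verdict(result))
```

An "account" verdict means the extension should be absent from a session signed in with a different, unmanaged Google account; a "device" verdict means the device itself is enrolled.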


> I have some experience with schools. The school is not intentionally installing spyware.

Our high school had a bunch of laptops. They were the firstish gen of Mac laptops with built-in webcams. This was all very new.

These laptops would take a picture of the user at every login and then once an hour or so after that. I guess the principal wanted to know who was using each machine in case anything unclothe was done with the laptop. The pics were stored on an FTP server (not FTPS. Not SFTP. FTP.). The FTP account had RWX on the directory where all login pictures were stored, and the FTP server was exposed to the internet. A simple MiTM on any network where this laptop connected would give the attacker full read access to these login pictures.

The problem: these laptops could be "checked out" for an evening or weekend. So they got around. Hotels, restaurants, libraries, coffee shops, etc. But also students' bedrooms. This was in the days when most public wifi was just a commodity Linksys router behind the register and you could more-or-less safely assume you were being MiTM'd when connecting to a public wifi network.

So, long story short, a principal with bad judgement and an IT admin with just enough googling skills were uploading pics of students in their bedrooms to an FTP server that was almost certainly hacked into by dozens of different people. Without consent or knowledge of the students or parents.

When I raised this issue, the principal suspended me. Getting the suspension reversed required going to central office, who were totally unaware of what was going on and were, obviously, appalled at the picture taking script.

School IT staff are often knowledgeable enough to be dangerous, and individual school administrators often demonstrate remarkably horrible judgement. I understand the "be kind" sentiment, but there really is a lot of inexcusable incompetence and poor judgement in K12. We should hold those systems to a much higher standard than we do.


> The school is not intentionally installing spyware

Citation needed.

Here is a counter citation: https://www.vice.com/amp/en/article/8xwze4/schools-are-using...

And here: https://amp.theguardian.com/commentisfree/2021/oct/11/us-stu...

Schools are doing this. They are intentionally installing spyware and GoGuardian is one of the biggest offenders.

This should be brought up at the school board.


Please don't follow this advice. Frothing at the mouth about spyware on your kid's computer will immediately be dismissed as insane ravings, and possibly get a visit from your local child safety organization.

I recommend reaching out to your child's teacher, and ask to get connected with the IT team at the school to explain what's going on.


> Please don't follow this advice. Frothing at the mouth about spyware on your kid's computer will immediately be dismissed as insane ravings, and possibly get a visit from your local child safety organization.

I don't think parent described 'frothing at the mouth', and furthermore the concept of "I shouldn't speak out otherwise I may paint myself as a target for child protective services" is so subversive and nu-speak like that I don't think I can ever support it. CPS is supposed to be a social service for the support of children; not a society control and opinion-steering organization.

If parent did something publicly that'd warrant the visit, sure; but creating public awareness of the situation for the parents can be done in an orderly and respectful way -- no one suggested otherwise.


Speaking out is not something that puts you at risk. Showing unstable behavior by escalating a simple technical support issue into a rant about ‘spyware’ at some board of Ed meeting tends to raise eyebrows though.

Asking “Does anyone know how to refer these people to law enforcement for prosecution?” regarding a technical support issue is not respectful or orderly behavior.


From Wikipedia [1]:

> GoGuardian products allow teachers and administrators to view and snapshot students' computer screens, close and open browser tabs, and see running applications. GoGuardian can collect information about any activity when users are logged onto their accounts, including data originating from a student's webcam, microphone, keyboard, and screen, along with historical data such as browsing history. This collection can be performed whether students connect from school-provided or personally-owned devices.

I can only describe this as, well, spyware. No need for scare quotes. The OP has every right to be angry about this.

To describe this as a "simple technical support issue" is some blatant euphemism.

[1]: https://en.wikipedia.org/wiki/GoGuardian


A pedo-criminal hacker's wet dream. If one manages to compromise accounts of some teachers, or worse, some school admin accounts, or is an insider at the school or GoGuardian itself...

And before anybody says, that things like these only happen in the movies, or bad crime TV shows... they do happen in real life as well. I remember a case here in Germany, where somebody had managed to install RATs on ~150 school-age girls' laptops, tho using some spear-hunting, and when he was raided, police found a large collection of videos he had recorded with the girls' webcams[0].

That there are sexually-motivated hacks should be clear to the wider public at least since the so called Fappening.

As for insiders, NSA staff spied on ex-partners, love interests and spouses[1], to a degree where they internally coined the term "LOVEINT" for it. If the paranoid NSA cannot "manage" their own people, then what chance would a GoGuardian or school have, I wonder.

[0] https://www.t-online.de/digital/sicherheit/id_42278570/hacke...

[1] https://www.reuters.com/article/us-usa-surveillance-watchdog...


Having a 'right to be angry' doesn't mean being angry is the tactic to further one's goals.


My point was that the parent comment was downplaying the significance of the problem and shifting blame on the victim with statements like this:

> escalating a simple technical support issue into a rant about ‘spyware’

The right tactic for objecting to school officials was beside my point.


Calling unremovable* spyware (the term is accurate, no matter how insane you think it sounds) a "technical support issue" is like calling surveillance cameras installed in your home an "improper furnishing issue".

*Edit: sokoloff may be correct, and the spyware is not unremovable. Still, the analogy holds.


Is it unremovable from the device, though? It isn’t clearly defined in the account above whether it was removed (and then reinstalled with the subsequent kid’s login).


Yes. It would be reinstalled at login.


What is accurate or not in some platonic sense doesn't have much bearing on what tactic will yield the results you want in practice.


CPS does not really have a traditional school board and it’s not elected either (appointed by one of several mayors who ran on an elected school board and then reneged). OP can shout their complaints out over Lake Michigan for the same effect.


A few minutes of Googling showed me this upcoming meeting https://www.cpsboe.org/meetings/details/2329 on April 27th, 2022. It seems to be a Chicago Board of Education meeting, and seems to have options for public participation.

Do I have this wrong? I'm not from Chicago or Illinois, so that's quite possible.


You can indeed attend and raise concerns but it will likely be ignored. Nobody is worried about losing their seat if they ignore constituent complaints.


Yeah, I don't really know how the Chicago school board meetings go, but I watch the MTA board meetings. (The MTA is New York State's public transportation agency.) They have a public comment section where you get 2 minutes to say whatever you want. These rants are usually completely incoherent and I doubt any board member could remember a specific point from any one of the commenters. I watch them all and I certainly can't. The law requires that you be allowed to speak. The law does not require the board to take any action on your comments, or even remember a single point you tried to make. ("I've said it before and I'll say it again. Democracy simply doesn't work.")

That said, my advice here would be to keep it short and non-emotional. You can speak for two minutes, but you don't have to use all two minutes. Say what's wrong, what action you want the board to take, and how interested board members can get ahold of you.


Out of curiosity, why do you watch them all? Especially if you can't remember anything?


I watch the comments sections, even if they're silly, to see if anyone has anything interesting to say. Someone might, someday.

I watch the board meetings in general because the subject matter is interesting and there are neat details in there that don't get widely reported. Recently they had some slides with security camera footage of someone riding their bicycle on the subway tracks. No idea people did that. Also, the point of the board meetings being public is to provide the public with some oversight. If you don't actually watch them, then there is no oversight. (I guess we hope that "someone else" does this for us. Transit reporting is not what the best journalists necessarily end up doing.)


He is probably not watching the public comment section closely, but the other parts.


It's Chicago. Unless you have $$$$$ to buy access, nothing will happen.


[flagged]


Sorry, but that's fearmongering bullshit that doesn't seem to match reality. Concerned parents often call into school board meetings for all sorts of reasons.

It should go without saying that you should be courteous and reasonable while presenting your concerns.



The only thing worse than the DOJ and FBI investigating parents for complaining to school boards is letting the fear of said investigations prevent you from complaining.


Clearly you missed all of the people at city council meetings trying to prove vaccines made them magnetic. None of those individuals were taken away and talked to by the FBI. They probably should have been taken away in white coats that secure from the back haha hehe, but they don't need FBI involvement.


The next step would be to approach a local news station and have OP report what he found, again emphasizing his own credentials.

Spyware and children in the same sentence easily bring up unpleasant thoughts.


Reminding people of stories where the school district employees were remotely enabling cameras and microphones should also be referenced.

https://www.computerworld.com/article/2521075/pennsylvania-s...

https://abcnews.go.com/GMA/Parenting/pennsylvania-school-fbi...


The Chicago Public Schools is an immense agency. Good luck getting anyone to pay attention, even at a school board meeting.

And referring for prosecution is really going to go nowhere.

Best bet, contact the public service operation for one of the TV stations, maybe a newspaper, and maybe your city council member, to wake up somebody, either at your school or at headquarters downtown.

Prepare to be disappointed.


It's also worth noting that Google is almost undoubtedly violating children's privacy laws, and other states are already investigating this... it's very possible what CPS is doing here isn't even legal. There's a lot of reason that the agreements schools are making to bring Google's platform in should be dragged out into the light.

Source: https://www.theverge.com/2020/2/20/21145698/google-student-p...


If they activate the microphone and pick up a background conversation, they could be found in violation of state or federal wiretap laws. At least one party must be aware that they are being recorded. I hope everyone involved gets held responsible and prosecuted.


to be fair microsoft does exactly the same thing.

I have intune on my personal ipad. And the idiots from our IT department accidentally wiped the entire thing. Just because I wanted to be able to read outlook mails. My iCloud was even blocked for a day or so. Despite their claims they can only manage the app itself and despite my protests that the fine print clearly indicates they could do so and that they should change their configuration.

At least I got an apology letter, but all these devices are designed to be locked down by centralized IT departments. Be it ChromeOS, iOS or Windows.


RMS (Richard Stallman) was way ahead. Like him or not. He is right.


This just seems so over the top.

Whole point of Chromebooks is that they are minimal devices that can easily be adopted for school work. What I find strange is that OP had to buy their own machine. Anyway, even if you somehow convinced the school to change to Windows-based laptops, all you'd achieve would be a tier more expensive machines for the kids to use. The school would still require the same "spyware" to be installed.


> Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this.

I remember not so long ago when people were using this advice on health care issues;

Call into the school's board meeting during public comment, and make it loud and clear that the school is injecting your children with 5G mind control vaccines. Share your technical credentials and the method by which you found this.


Sadly, my cousins' school forces them to have Chromebooks. It's required. So I ensured they know to never use it for their personal stuff, it's purely a school work device. Such a waste, but oh well. I gave them both Pi 400s for them to use for personal things instead.


You’re deeply overestimating how much schools and administrators understand stuff. They are paying for this spyware and want it installed because they think it’s necessary.


Drop the school and homeschool the shit out of him. Go off book and teach him solar panel installation, plants and anything you can find in prepper books.


Be prepared for the possibility that the majority of parents are fine with it.


As a longtime armchair attorney who has closely read summaries of cases like this on Slashdot for well over the past decade (IANAL, BTW)...you could go the lawyer route but this basically amounts to your kid being a minor in school which means they don't have full legal rights, and the interpretation of 4A is likely up in the air here anyway. Constitutional rights don't necessarily apply at school or anywhere near school (see bongrips4jesus case), your kid is a minor anyway (another special case), and a school doing this for the sake of "preventing cheating" may not fall under the umbrella of unreasonable search.

There was a PA school district back around 2009 that issued laptops to students preloaded with spyware that let school staff watch students through the webcam, while the students were at home and not doing schoolwork. Neither the students nor parents were informed of this. IIRC the FBI got involved but nobody actually got in any real trouble, I'm not even sure they were fired.

I wish things weren't this way. You could maybe use Wireshark and black hole anything the spyware tries to connect to at the router, or maybe add the addresses to the hosts file on the machine itself (not sure if ChromeOS lets you do this).


On the flip side of that "minors have no rights" coin you're holding up is the fact that laptop is the parent's property since they bought the laptop for the child to use. They did a factory reset and the problem software still remains. What if the parent did a factory reset to use the laptop for themselves? There is no reason for the spyware to remain in that case. It needs to be removable.


They did a factory reset and reconnected the Chromebook to the school account, which configures the device according to the school's requirements. If they wanted to use it themselves, they would reset it, not connect the school account and all is well. GP's argument seems to support that the school doesn't have to allow use of a school account without the device being put under the school's control.

(at least as I understand it. if the MDM enrollment is actually tied to the device somehow, then they could reasonably demand it to be released if they planned to use it themselves)


That doesn't really make sense to me. User accounts, whether managed remotely or locally, should be subordinate to administrator accounts. That administrator-level privileges are insufficient to undo a change made with user-level privileges breaks this relationship.


OP didn't mention that the child's account is a secondary account. AFAIK if you log in with an account the first time on a fresh(ly reset) Chromebook, it becomes the "administrator" account - and at the same time if it's in an organization (i.e. the school) the org's policies are applied. No clue how that interacts if you do attempt to log in such an account as a second account, it's possible the org can require an account to be in control of the device. Chromebooks are deeply designed for exactly this centrally managed scenario after all, that's (partly) why they are so popular with schools and companies.


Based on this support thread [0], which was linked to by awinter-py's comment [1] elsewhere in the comments, it doesn't really matter which is first. Remote policies supersede any local controls, and can promote themselves to have Owner privileges. That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

[0] https://support.google.com/chromebook/thread/117916330/how-t...

[1] https://news.ycombinator.com/item?id=30912427


>That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

You've actually got it backwards. In an enterprise domain like this, allowing local management to take precedence over remote management and policies is a massive security hole for the domain as a whole not to mention required by regulatory bodies dictating information security for educational institutions. A locally managed node is effectively a rogue node on the network. There are use cases for it but they're specialized. OP most likely signed a consent form as part of the online learning stuff at some point and this is the consequence of not reading the things you sign. This whole thing is so massively overblown like no one here has worked anywhere with a BYOD policy and MDM.


The device belongs to the owner and the owner should be able to override anything.

If an organization wants to set policies that can’t be overridden, it should pay for the devices. (And even then, the user still has a right to privacy and a certain level of control).

If they set a MDM policy on a device I own, I’ll mail the organization the device and a bill for buying a new one that very same day.


So you’re out both the device AND a stamp?


No, it's a terrifying security hole, full stop. If I leave my non-managed Chromebook unattended (logged out!) for 30 seconds, someone can sign into it with their managed account and install spyware without me knowing?


I think it works similarly on Android phones. Google policy for the Android Corp devices requires you to set it up using a corp account, then add secondary personal accounts (if needed).


They are, but there has always been a contention between local admin vs domain admin (managed accounts) and usually the case has been that the domain admin overrules the local but the local admin can un-join the domain.

This is not that different. The moment you join the remote domain, you no longer have top privileges. You can still unjoin at any point but as soon as you join, you're placed under a different hierarchy.


You were never the owner of the chromebook in the first place so Google the actual owner just transferred control to the school. They never needed your permission to do this in the first place because you just paid full fare for an unlimited rental of someone else's property.


That's the conclusion I tend to reach, and I believe Google to have fraudulently described a rental as a purchase. Whoever is the source of authority to run software on a device is the owner of that device. Since enabling remote management does not require administrator privilege, the right to do so doesn't come from the administrator. Since disabling remote management cannot be done by a local administrator, the granted authority is even greater than the nominal authority granted to the buyer. Each of these implies that Google remained the source of authority, and therefore didn't transfer ownership over the device.


> Whoever is the source of authority to run software on a device is the owner of that device

Hundreds of years of established case law refutes this claim.


The most pragmatic thing to do is probably acquire another school only Chromebook. Either have one issued from the school or buy another one. This is probably a worthwhile lesson for how to treat personal and employer assets separately anyway.

The work to try to get the school to make the software removable is a laudable stand for citizens, parent, and student rights - but would come at some cost of time, money (more than buying a second chromebook anyway), and maybe strained relationships with school officials.


> to your kid being a minor in school which means they don't have full legal rights, and the interpretation of 4A is likely up in the air here anyway

IANAL, either. Just because the student is a minor, I don't see how that gives the school the right to pwn a private laptop (were the laptop a school laptop, my opinion would be different here); at best, this would seem to be the parent's machine, or right to decide, at that point.

The OP's post isn't very clear on how the school managed to get into a private laptop in the first place; he mentions they "logged on", but onto what? And how does signing into something permit installs? (There's a comment below that hypothesizes this might be an MDM profile sort of situation, and that's … trickier. But doesn't even an MDM login have an uninstall of some sort? (Although, IDK, perhaps Chromebooks just can't do that, but that would seem to be an issue then with their software. But I've never tried, as I don't usually go for MDM stuff myself, as companies that do it typically want too much permission onto what is my personal device.))


Probably a Google account sign on.

If I sign into my work Google account on my Android's Chrome it basically forces you to install spyware so our IT team can suck up my browser history.

It sounds like Chrome OS takes this approach and adds steroids.


This is why people should be issued a work phone (or children a school laptop in the case of the OP) if the IT department is going to request control of it.

A while ago my company eventually decided to enable security settings for Microsoft Outlook, Teams etc on all mobile devices (the wipe phone on demand option). All that happened was everyone without a company phone uninstalled Teams and used WhatsApp instead.


I wouldn't accept a work phone unless I was given full control over it and can use it for personal use as well.

I'm not carrying two around.

If you want me to leave one at my desk that's fine but you won't reach me on it unless I'm there.

Same goes for work laptops and working from home.

The whole idea that you need to separate work from personal is based on the idea that if you use work laptop for personal work then they own it, that's an entirely made up constraint, one I won't accept.

In before bad analogies, there are plenty of industries that provide tradies with tool stipends, those are still owned by the tradesman but paid for by the employer due to their consumable nature. It allows tradies to buy more expensive tools if they prefer and encourages them to look after them better.


pwning the laptop was a req for doing school work, like how you essentially give prior consent to a field sobriety test when you get a driver's license. I'm not saying it's right, but that's likely the school district's argument in court, and I'm sure it's buried deep in a EULA or privacy policy somewhere.


> you essentially give prior consent to a field sobriety test when you get a driver's license

If USA, this is false.


You are misinformed. In the USA, every state has a law stating licensed drivers give their implied consent to roadside DUI testing. Failure to comply will result in extra charges and almost certain conviction.


It's comical how your best advice is seek a lawyer. Any lawyer worth their salt would advise to contact the school directly to handle this matter. No need for a lawyer at this stage.


Nit: I think it's "Bong Hits 4 Jesus."


Thank you, this one still makes me lose my damn mind.


The lawyer route makes no sense, it's all about small claims here. Sue for the cost of the chromebook, that will get someone's attention and you can likely settle it out of court or get the money to purchase a new one.

The important part here is that the computer is not usable with their software and that you have no way to remove said software despite being the owner of the computer.


Actually....

It's the poster's Chromebook. They have revoked authorization for the school to deploy $software on their machine.

Next step is the public school supplying a spyware'd laptop and NOT installing spyware on said parent's chromebook, but also said private chromebook not being used for school stuff.

If you want the district to not install spyware... Well... Let's just say, the poster is probably pissing in the wind in my experience.


Can’t you file criminal charges over this? It’s malware used to spy on minors without the parents’ knowledge or consent. Is the school also free to undress the kid and photograph them in person? If not, why if it’s remote?


But the school doesn’t own the machine, the parent does.


> I did a full factory reset, signed in to his account again, and now the system is once again locked down.

That’s by design though isn’t it? You logged in with a managed account and the policy was applied again?

The account is his school account right?

That’s pretty much how Chrome OS works.

This might just be a good lesson that you want to maintain device / role boundaries.


> That’s pretty much how Chrome OS works.

And that's the problem. Signing onto a remote account is a request to access a remote resource, and should not be interpreted as granting the remote actor control over local resources. That Chrome OS works this way implies that Chrome OS is fundamentally flawed.


Yeah good luck getting a company to give you VPN access to their network without demanding you've been keeping your operating system patched. BYOD without such policies is a great way to make the network support staff quit and maybe slash your tires on the way through the parking lot.

It's called _attestation_ and Windows has been doing it for some time now with VPNs and domain credentials. Attestation actually makes it possible for BYOD to be done in a way that's not going to simply repeatedly expose one's network to every kind of malware known to man.


Isn't this the same way Windows works? If I sign into a work Windows account and they want to set my default browser or something, that's absolutely something they can do. ChromeOS isn't doing something particularly new in that regard.


On a Windows account, a user can change the default browser for their own account. Therefore, a user can delegate the choice of default browser to the remote management. A user can record which sites their own browser visits. Therefore, a user can delegate that authority, allowing remote management to record which sites that user visits. A user does not have the authority to record which sites are visited by another user. Therefore, they cannot delegate that authority to remote management, because they themselves do not have it.

On ChromeOS, you can filter your own access to websites. You cannot filter other users' access to websites. But signing in to a remote management can filter other users' access to websites. This grants the remote management privileges that the user doesn't actually have.


>On a Windows account, a user can change the default browser for their own account.

Not if they lock down that setting via GPO and let the default behavior of remote > local. There's a lot of settings that can't be undone in the GUI and take diving into the registry to undo when set by GPO but then they'll just get re-applied on GP refresh anyways. Talking about who can do what is immaterial to how domains and remote management actually work if they're not designed how you think they should be. The remote admin will always have more control than the local user in this situation, it's been that way for a very long time now and is unlikely to change.

As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin and the services and processes that handle all of this run as SYSTEM thus the user has the authority to delegate that authority to remote management at-will.

Like, this is all basic stuff for BYOD and MDM policies if you've worked anywhere with a halfway competent IT staff. OP didn't read the fine print probably. Wouldn't be the first parent to not do so and freak out over nothing.


> As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin…

The parent owns the device and would have the local admin account. They aren't joining the device to a managed domain where something like GPO would be relevant (unless configured by the parent, naturally). The student would only have a non-admin local account, and would be incapable of granting device administration privileges to the school. The school could still manage their browser profile, of course—if the browser itself is actually signed in to the school account, which is something you can disable while still logging in to the account on the web—but they would have no access to or control over other user accounts or anything else requiring local admin privileges.


This is with the presumption that the filtering here is device-level and not user-level. The fact that they were able to wipe and reset the device AT ALL probably means that the device isn't fully enrolled into device management (only the account is) and that the blocking and monitoring is just for that one specific account/profile. That is to say, none of the blocking is breaking the privilege rules on the system.

This isn't to give them extra credit. GoGuardian is still spyware and you should be, at the very least, wary of it if you have a kid with that software running around. But this behavior is consistent with the design of ChromeOS and isn't shocking or special if you've been paying attention to what ChromeOS has been built for over the last couple years.


Group policies on Windows, applied at logon, give the admin control over what the user can or cannot do. If the admin wants you to use Chrome not Edge, then that is what you'll be using, and you won't be able to change the default.


To my knowledge, that group policy only applies to the user who is logging in, not the other users on the computer.


There doesn't appear to be any claim that this undesired software was being run on any other account besides the managed one.


Depends. In the Active Directory world, policies can be applied at the user or computer level. Not sure about Chrome OS, but computer level policies absolutely can affect other users. I bet if OP signed into a normal, non-Google Classroom/organization affiliated account after they reset the device, they wouldn't have found GoGuardian running. This seems like if you connected an arbitrary device to a Windows domain over say VPN, then got surprised when user level policies were applied to the profile created on the local machine resultant from the process of connecting a machine to a domain. This is very much by design of ChromeOS as other commenters point out.


On Windows, settings and software can be enrolled remotely the moment you hook your machine up to an MDM portal, just like on ChromeOS. Windows doesn't include some of the functionality ChromeOS includes, but your employer can definitely manage settings like your standard browser if they choose to. They can also enforce that all software you run is signed, is run from specific locations on the system that you may no longer have access to and they enable Bitlocker with a specific backup key.

Most companies either choose not to implement any of this, or simply do not know they can implement this. Do not sign into your personal devices with your work account on anything but an isolated browser (modern Windows has a sandbox built in!) or you might discover the hard way what kind of possibilities remote AD allows for.

Windows does prompt you to accept that the account can manage your device, but so does ChromeOS. Denying MDM may cause the login to fail if they automatically rescind any tokens that don't get MDM access on your device.


It is not fundamentally flawed, it just isn't a general purpose computer. It's a thin client to your cloud services. The "local" is not a primary compute environment, but just a cache. Once you think about it this way, Chromebooks are absolutely amazing little physical manifestations of a remotely managed browser. As they are intended to be.


Maybe there should be more of a notice, but when I tried it with my son’s account I got some notifications.

Having said all that the default will be for most school accounts… all or nothing. Don’t allow them to manage it and you won’t get in.


My issue isn't about the notification, but that this doesn't work at all within any reasonable model of user permissions.

Fundamentally, you cannot delegate authority that you yourself don't have. I can agree to a contract promising to do some particular work, because I have the authority to direct my actions. I cannot agree to a contract promising that you will do some particular work, because you haven't granted me that authority. I cannot grant to another what I do not have for myself.

With regards to user permissions, a non-administrator doesn't have permission to monitor another user's activity. Therefore, they cannot delegate permission to a third party to monitor another user's activity. That this is possible means that ChromeOS has a fundamentally flawed model of user permissions.


Windows does this as well, and I would expect other management solutions to as well. You can build your own PC and be local admin on it, but the second you sign in to an active directory account (using a VPN for work) that account will be locked down and can run scripts that the AD owner chooses. I imagine that is what is happening here as well, where the user has signed into the school Google Workspace account (or whatever it's called these days). To avoid this, they could sign in to Google Docs and Google Classroom in a browser. (Although to be fair, Chrome does aggressively ask if you want to sign into Chrome with your account, and probably if you want to sign into the user profile on ChromeOS if I had to guess)


Can't speak for OP, but generally this is mentioned during the sign in process, so it should be laid out. It is effectively all or nothing.


> This might just be a good lesson that you want to maintain device / role boundaries.

This is the teachable moment here. Better for the poster and their child to learn it now rather than in the workplace.

It doesn't make it right, but the 90's and 00's with work browsing and email full of porn, dickpics and assorted filth were not right either.


A gaping security hole is fine if it’s been introduced on purpose?


> A gaping security hole

What is that?


“the system installed GoGuardian monitoring software on the Chromebook without notice or permission.”


When I logged in with my son’s school account on chrome OS it had some notifications about who owns the account and so on.

I don’t think it is as much a mystery as implied.

In the end there’s no getting around that mixing device uses like this doesn’t work. It works less and less as the history of computers goes on.


Can the managed account actually access files from the unmanaged account or control which processes are active while the unmanaged account runs?

Because, if yes, this absolutely does sound like a security hole:

1) Set up an organisation and add a managed account. Set up policies that install a backdoor on first login.

2) Get hold of victim's Chromebook.

3) Log into the Chromebook using the account from (1)

4) Chromebook will execute the policies and run the backdoor.

5) Use the backdoor to snoop victim's files.

You've successfully gained access to the victim's files without knowing their password. Profit!

This would work even if the victim is fully aware of the issue and never intended to mix managed and unmanaged accounts on their own.


Does a chromebook allow you to have more than one user account? It sounds like a factory reset was necessary to allow enrollment


Chromebooks do allow more than one user account, yes. The factory reset mentioned by the OP was necessary in order to undo the enrollment, as no application of Administrator/Owner privileges would undo it otherwise.


I think you misunderstand the original post - the parent didn't have some sort of local administrator account (which isn't really a thing on ChromeOS). They signed into a managed account run by the school district, didn't like the policy, then reset the device, signed into the same managed account again, and noticed the same policy was applied.


> local administrator account (which isnt really a thing on ChromeOS).

The first user to sign in on a chromebook has limited special powers. I don't think they involve reading other people's data though.


>In the end there’s no getting around that mixing device uses like this doesn’t work

Surely this is the entire value proposition of ChromeOS - you sign in to your account, and the laptop magically becomes yours? It seems like a serious hole if a single sign-in is able to compromise other accounts.


It's tied directly to the remotely managed account, that's how the account works. If you don't sign into the account, the software won't be installed.

Students don't get to decide what software to install when it comes to logging in to school accounts. Generally the laptops are provided by the district, but it seems OP was trying to add another personal device to their system.

You can't participate in their system without the software. So I guess the alternative would be to block personal devices from logging in like this at all.


I fought this with a suburban school system in Indiana and won. The spyware was installed on Chromebooks I bought. Before contacting the school, I monitored network traffic for about 1 HR and found an ad fraud click bot and logging being sent to India.

When I contacted the school my ask was they remove the spyware from my Chromebooks. The first answer was, no. I asked again via the superintendent, and got a call from their IT director. I shared with him what my traffic monitoring found and a few days later I get another no.

My last try was simple... I paid a lawyer to write a simple letter demanding to have the software removed or be shown the warrant giving the school the right to install surveillance software on my laptop. The next day I get a call from the district's lawyer who wanted me to confirm the software had been removed, and it had been.


That's great for your situation - what about the rest of the people in your district? Did you reach out to other parents and make this problem known publicly, along with your solution, so that other parents could decide for themselves (individually or collectively) what their response should be?

Seems like this would be a slam dunk of a local news piece for some newspaper/website.


Yup, stuff like this should be on the local news. While most parents will go "ehhh I trust the government and if my kid is doing something bad I want to hear about it", the ones who actually care about their kids' rights will raise a huge stink and the district is more likely to not only be more upfront about this stuff but also probably make opting out easier.


I shared what happened with other parents. Most did not care or even understand.


It seems like you should be able to sign out of the CPS managed account, then use "Add Person" to add a non-CPS managed account:

https://docs.google.com/document/d/1r7xOL4U9lL0qyqMIVl4eH2EM...

https://support.google.com/chromebook/answer/1059242?hl=en&r...

For school work, log in to the CPS-managed account. Otherwise log in to the personal account.


This is the perfectly reasonable solution. But OP wants the operating system to be signed into an account managed by the organization without the organization having permission over anything, and since that's not the way ChromeOS works, they're going to sue the school board.

Honestly, I'm disappointed in the HN that they're taking OP at their word and giving legal advice.


The surprising part to me is that the school district let parents bring their own Chromebooks. Where I live the school supplies the Chromebook for the students. If your child breaks it, they bill you for the cost of the unit and then supply another one. IMHO, they are pretty dang cheap.


I believe the OP is concerned the Chromebook is rooted by the spy software and therefore using another account doesn’t solve that issue.


> I did a full factory reset, signed in to his account again

I read this to mean that the software uninstalled after a factory reset, but signing back into the managed account re-installed it. I'm taking OP with a grain of salt here, but I think it's likely that OP doesn't understand their son's brand new Chromebook and that there's a technical solution that doesn't involve suing anyone.


Since this Chromebook is BYOD, I think OP is likely in scenario 2 described here:

https://news.ycombinator.com/item?id=30912995


related support ticket from someone trying to log into device w/ work account without inheriting workplace MDM policy

https://support.google.com/chromebook/thread/117916330/how-t...

> Even if the Chromebook is your private device and your owner account is your private @gmail.com account, once you sign in with a managed account, even using a separate profile, the managed account policies become active.

> This is NOT a bug. It's required to maintain security of the managed environment. Whenever the managed account is active, ChromeOS management and the policies set by your administrators pwn the entire machine.

> Google promises bulletproof security to customers who license Chrome OS management, and having any instance of an active non-managed account available when a managed account and its resources are active is a potential security hole.

not a chrome-os user -- I imagine you can access the G acct via a browser without signing in the whole OS? if 'signing into gmail signs in the OS', maybe can do it via crostini linux

re law: illinois is the state that has the biometric privacy law iirc? you may be able to do a civil suit via that, if the device is sharing face images and you really didn't consent and you can prove it and the law was written with your situation in mind and CPS hasn't indemnified big G. my guess is you'd have to pay a few $k to a lawyer to evaluate the case and then many more $k on the suit, plus you probably have a TOS problem.


The ending of that post (trimmed above) is also important:

> So you can boot into your personal account and do your personal business and then reboot into your business acount and do your business' business, but never the twain shall meet.


Not a ChromeOS user, so maybe I'm not familiar with the terminology, but what is the difference between "log into" an account and "boot into" one?

Are there different ways how you can add multiple accounts to a Chromebook and the OP just used the wrong one?


ChromeOS developer here (opinions are my own, etc etc), writing as a user though since I don't work on this specific field myself but I've been using chromebooks daily with multiple accounts (corp and personal) for the greater part of a decade.

You have a few options on how you log into ChromeOS. Once you boot the device, you can choose which account to sign in as. If it's your corp account, you get whatever corp policies get applied to you (like no play store, no linux, etc). If you log into your personal account, you don't get those restrictions (there's a note to be made here for stuff like enrolled devices which I don't think applies to OP and I'm not too familiar with anyway).

However, once you are already logged into an account on the device, you can also choose to "sign in with another account". This makes you run two accounts at the same time, you can swap between them without using passwords, etc (it's like switching a virtual desktop/workspace). You can even transfer windows from one account to the other so you can simply alt+tab between them as you would on a single account (for example I am typing this at work on my personal account in a window running inside my corp account). In this situation, whichever account logged in first is the account that "owns" the session and has policies applied. If you log into your corp account with play store disabled, and then log into your personal account as a secondary account, you can't use the play store on it. If you log out everything and re-log with your personal account, you will still be able to use the play store there.


Thanks a lot for that info, that clears up a lot! So an unmanaged Chromebook can't be "taken over" by logging into a managed account, the policies are only active until you reboot.

Still, if account policies "leak" into unmanaged accounts when both accounts are active at the same time, this sounds like a potential vulnerability: E.g., if the managed account has a policy that sets proxy settings or force-installs a particular browser extension, would those policies also be applied to the unmanaged account?


> So an unmanaged Chromebook can't be "taken over" by logging into a managed account, the policies are only active until you reboot.

That's my understanding, yes. You can't "infect" an unmanaged account from a managed one, as far as I know at least.

> E.g., if the managed account has a policy that sets proxy settings or force-installs a particular browser extension, would those policies also be applied to the unmanaged account?

I'm not 100% sure if those policies would apply, I admit I'm not familiar with the account enrolment details of ChromeOS since I work at a much lower level. However, from what I know, whenever you go to sign-in to a secondary account in the same session as your primary one, there's a big warning telling you to be careful because you're basically "entrusting" your secondary account to the primary one and to not share an account session with another account you do not trust. This I always assumed was due to reasons like (for example) ending up literally sharing account2 window with account1 session, if you bring a program running in the account2 "domain" (filesystem, etc) into the account1 UI session, the account1 can take a screenshot of it (screenshot will be saved into account1 local files) and that can leak data obviously.


> In this situation, whichever account logged in first is the account that "owns" the session and has policies applied.

So if you log in to your personal account first, and then into the corporate account, the corporate policies are not applied to either account? There are probably a bunch of corporate types who will be very surprised to learn this…


I admit I've never tried this so I don't know which policies do or do not apply and how. For things like the play store (which is what I've worked on in the past), only the "primary" account (the one you logged into first) will have access to it so if your secondary account has the play store blocked anyway, you won't be able to use it with that account so it doesn't matter much.

I don't know about other policies.
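An added example, not part of any comment and not ChromeOS code: a small Python model of the multi-sign-in rule as the ChromeOS developer describes it above (the account that signed in first owns the session and its policies apply), with a helper that reports restrictions an account receives from a policy its own administrator never set, which is the delegation concern raised earlier in the thread. The account names and the rule that a secondary account keeps its own restrictions are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    org: Optional[str] = None          # None means an unmanaged personal account
    blocked: frozenset = frozenset()   # features the org's policy disables


@dataclass
class Session:
    """One sign-in session. accounts[0] is the primary that owns the session."""
    accounts: list = field(default_factory=list)

    def sign_in(self, account):
        self.accounts.append(account)
        return self

    def sign_out_all(self):
        # Fully signing out ends the session; nothing carries over to the next one.
        self.accounts.clear()
        return self

    @property
    def primary(self):
        return self.accounts[0] if self.accounts else None

    def effective_blocked(self, account):
        if account not in self.accounts:
            raise ValueError(f"{account.name} is not signed in")
        # Rule from the comment: the primary's policies apply to the session.
        # Assumption: an account's own restrictions still apply to itself.
        return self.primary.blocked | account.blocked

    def can_use(self, account, feature):
        return feature not in self.effective_blocked(account)


def inherited_restrictions(session):
    """Map each account to (source account, restrictions) it did not bring itself.

    A non-empty result is the point where one account's policy crosses into
    another account, which is what a delegation review would flag.
    """
    report = {}
    for acct in session.accounts:
        extra = session.effective_blocked(acct) - acct.blocked
        if extra:
            report[acct.name] = (session.primary.name, sorted(extra))
    return report


# Constructed sample accounts; feature names follow the comment's examples.
SCHOOL = Account("kid@school.example", org="school.example",
                 blocked=frozenset({"play_store", "linux"}))
PERSONAL = Account("parent@personal.example")


def demo():
    results = {}
    # Managed account first, personal account added to the same session.
    s = Session().sign_in(SCHOOL).sign_in(PERSONAL)
    results["managed_first"] = inherited_restrictions(s)
    # Sign everything out, then sign in with the personal account alone.
    s.sign_out_all().sign_in(PERSONAL)
    results["personal_only"] = inherited_restrictions(s)
    results["personal_only_play_store"] = s.can_use(PERSONAL, "play_store")
    # Personal first, managed second: under the stated assumption the managed
    # account keeps its own restrictions and the personal one inherits none.
    s.sign_in(SCHOOL)
    results["personal_first"] = inherited_restrictions(s)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

In this model only the managed-first session produces a cross-account restriction, and it disappears once every account is signed out and the personal account starts a fresh session.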


Typically, the corporate login will be blocked if you attempt this.


From the sound of it (haven't used ChromeOS in ~4 years), "log into" means switching users without powering off the laptop, while "boot into" means to reboot the computer and log in as the other user. For a device that is supposedly built around security, needing to know that the "Switch User" menu shouldn't ever be used to switch the user is something of a footgun.


"Shouldn't ever be used" is an overstatement though. My employer (Google, no less) would apply restrictions, but not hoover logs from the personal profile. Meaning it's still good to have messaging and music there while working.


Chrome has a login screen like Windows and Mac. You can log in and out between Google accounts like a gmail.com or a k12 account. Similarly but not the same: there is a second “add account” after logging in. This secondary account does allow access to email but not override them, bookmarks, etc.


Hmm.

I’m not super familiar with ChromeOS’s MDM stuff… but I wonder what would happen if someone were to log in to two separate managed accounts, for two separate organizations, with conflicting requirements?


It'll block the multi-login and require you to fully sign out of everything, THEN log into the other organization account.


don't cross the streams


Suing the CPS over this is simply taking money out of everyone else's pocket for your own enrichment.


Yeah, why anyone gotta make trouble for the guvnah


It's to make them stop doing it, not to profit.

Right now they're spending money to spy on students, so fighting that is worth it.


I find this stuff so disheartening. It's like, "how early can we indoctrinate kids into being comfortable being watched and having their every move tracked?" I don't even care what the justifications are. Preventing cheating? Before everyone had personal computers and the internet, people could just copy each other's work.

This kind of crap is fundamentally a violation of students' right to privacy. They deserve to grow up in a safe environment away from the prying eyes of crappy adults.

I mean, to that point, how secure is GoGuardian? Who has access to the administrative tools/etc.? What APTs have gained access to its systems? A system breach of any online system is effectively inevitable, or at least impossible to rule out. Do you think everyone with a Verkada camera thought hackers around the world are going to be tuning into their video feed?[0]

Anyway, stop buying tech that forces you to give up your right to privacy to use it. You don't have to go 100%, but at least start looking at these kinds of things before you shell out your hard-earned dollars.

[0] https://www.theverge.com/2021/3/9/22322122/verkada-hack-1500...


The problem is that schools and teachers are at risk from more liability than ever. If a student is groomed online whilst using a school device or login, who do you think is going to get blamed? Not the parents but the school. If a child is bullied online or radicalised, then again it will fall back on the school.

You can't have privacy and expect a school to be responsible for what a child does online. Privacy doesn't create a safe environment; and when it comes to crappy adults, out of any group of people parents are by far the most likely to abuse or neglect children. This idea of "stranger danger" is a myth, as the real danger in most cases is closer to home.


Primarily these types of software are used for safeguarding purposes. For alerting teaching staff about children who are being abused, bullied or at risk of self harm etc.

I think a better lesson here would be that if you use an account that's not managed by you, it may be used to install software that you disagree with. This is a good lesson for using IT in the workplace. OP shouldn't expect his son's school-provided account to maintain privacy when he's using it, because schools have statutory responsibilities to look after the safety of their students.


Nothing gets “installed” in the traditional sense on a chromebook.

When you log in to the chromebook, you can log in with any Google credentials. The credentials the school gave your son are managed by them. If you log into that account, it configures the user session per the management of the account, so this will start a “managed” session for that managed user.

If you use a personal Google account, none of that should happen. It’s not a managed account, it’s a normal one, and there shouldn't be any additional provisioning.

You should be able to switch between them and use both independently.

However, if you are saying that is what you are doing, and the spyware isn’t respecting the config between users, then that is definitely a problem.


This. My kids have chromebooks, and they have two accounts active on their devices, one at their .k12 for school stuff, and one for their gmail that is open.


Do you actually trust Google not to be collecting data on both accounts and linking them together somewhere? When I was in school we used to get told that bad behavior would end up in our "permanent record" which would follow us for life, but while that was a lie we all have a permanent record now and nearly every action no matter how mundane or benign gets saved to it.

When I got my cell phone the default keyboard was sending everything I typed to a 3rd party whose privacy policy stated they were collecting data for everything from market research to trying to understand my intelligence/cognitive abilities. I replaced the default keyboard. I can't imagine the wealth of data Google could be collecting from children, their test scores and their associations with other children. They may claim not to collect and store data on your kids, but there are no regulations and nobody is checking. Only a whistleblower could tell you what Google is actually doing. I haven't seen much reason to trust them.


> I can't imagine the wealth of data Google could be collecting from children, their test scores and their associations with other children.

This is...funny, given that apparently the OP's child's school is using Google Classroom - which means Google is the provider and the system for storing/giving/recording/managing test scores, so of course they store test scores since they are paid to provide that. Likewise, on Google Classroom, kids can interact with each other and of course Google stores those.


You could always install a different OS on your son's Chromebook since it would still have access to all of the school's software (through Chrome) and more. I'd recommend GalliumOS (https://galliumos.org/) since the drivers support audio and keyboard shortcuts better.


Ran GalliumOS all throughout college without any issue. A Toshiba i3 Chromebook + Gallium was easily one of the best laptops I ever had. OP - seriously consider this solution if it wouldn't agitate the school too much. Swap out the usually small (16GB or so) SSD that tends to come with Chromebooks, install Gallium, and you're off to the races. Might still be some weird compatibility issues/edge cases that are hard to predict; maybe run Gallium in a VM, log into your son's Google Classroom, and do some testing first.


I would do the factory reset again and then not use that account anymore. If you want, you can create a new local-only account and then (this is the important part) sign in to the school Google Classroom on another browser. Install Firefox, Brave, something, and use it for the school account rather than Chrome. Chrome allows extensions installed to it to run in the background and manage the system, but another browser cannot.


Good suggestion. If the school is requiring your child to have the chromebook, then they should pay for the thing. They don't have the right to infect any device that your child happens to log in with. So factory reset, don't log in. Then when the school complains that the child is not completing the assignments, tell them that he/she cannot do them unless the school issues a school-owned device.

A better move would be to get your child out of Chicago public schools altogether.


CPS does pay for the thing. OP wanted their child to use a fancier device and they're mad that it falls under CPS' MDM policy. Go get a free device from CPS, take good care of it, and return it once the child graduates.

https://www.cps.edu/school-reopening/remote-learning/technol...

> A better move would be to get your child out of Chicago public schools altogether.

I went to a Chicago Public School and I resent that comment greatly.


> create a new local-only account

I thought you couldn't do that on a Chromebook.


I don't think you can. I had one of these chromebooks too, which I paid for. But my school did not want to remove the 'school policy' so now it's locked and even other accounts are 'watched' and managed by the school's policy. Last time I tried to create an account it wouldn't let you create it unless you provided an email.


Ah. This makes sense. In this case, I think a throwaway or a personal account will perform the same function, as long as it is not affiliated with the school system.


(By "makes sense" I do not, in fact, really mean that it makes sense; more accurately, this should read "seems typical of a Chromebook").


> I did a full factory reset, signed in to his account again, and now the system is once again locked down.

> So now I'm in the position where I have to ask permission from a local government entity to please let me install stuff and don't monitor the computer I bought and paid for.

I don't understand, this sounds like an issue with the account, not with the Chromebook.

Does this spyware persist on this device even if you sign into a different account?

If you look at third-party apps in the account settings, can you delete this one?


> I don't understand, this sounds like an issue with the account, not with the Chromebook.

While it does sound like an issue with the account, the unusual part is that Chromebook hands over the control of a device you own to someone else, just because you logged in to some account. Call me old fashioned, but an OS or device that does this is a vulgar anti-consumer design.

I get it that consumers should accept it as a feature of the product. But this was an unacceptable proposition a decade ago. There is a gradual erosion of consumer rights and we aren't fighting back enough. Another factor is that even tech savvy users are caught by surprise. This means that this drawback is not sufficiently highlighted in the product description. The platform may not have become this popular if it was.


The "control of the device" hasn't been handed over to anyone. If you log into another account, or go into guest mode, GoGuardian will not be present. In fact, you couldn't find out if GoGuardian was installed on another account you aren't logged into, because every account has all user data encrypted. The school won't be able to see anything about non cps.edu accounts - they don't know if they exist, what the email addresses were, etc.

There is no concept of installing or running programs outside of a login on ChromeOS. There is also only one form of device ownership, and that is device enrollment (which is not what is being described by OP), and the set of policies that are applied to enrolled device. Logging into an account cannot apply device policies.

cps.edu is who's enforcing that while you use a cps.edu account, you have to use their software (only while logged into that account or browser). BYOD devices are still yours and you can remove the account with a press of a button.
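
Added example (not part of the comment above, and not Google's or GoGuardian's code): the distinction the comment draws between policies that follow a signed-in managed account and policies applied to an enrolled device, checked against a policy listing. The JSON layout, the sample data, the placeholder extension IDs and the function names are assumptions constructed for illustration; a real export from chrome://policy may be laid out differently depending on the Chrome version.

```python
import json

# Constructed sample data, not from a real device. Assumed layout: a flat map
# of policy name -> {"scope", "level", "source", "value"}.
# The 32-character extension IDs are placeholders, not real extensions.
ACCOUNT_ONLY = json.loads("""
{
  "ExtensionInstallForcelist": {
    "scope": "user", "level": "mandatory", "source": "cloud",
    "value": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx"]
  },
  "IncognitoModeAvailability": {
    "scope": "user", "level": "mandatory", "source": "cloud", "value": 1
  }
}
""")

ENROLLED = json.loads("""
{
  "DeviceGuestModeEnabled": {
    "scope": "machine", "level": "mandatory", "source": "cloud", "value": false
  },
  "ExtensionInstallForcelist": {
    "scope": "user", "level": "mandatory", "source": "cloud",
    "value": ["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx"]
  }
}
""")


def summarize(policies):
    """Return (policy names grouped by scope, force-installed extension IDs)."""
    by_scope = {}
    forced = []
    for name, meta in sorted(policies.items()):
        by_scope.setdefault(meta.get("scope", "unknown"), []).append(name)
        # Force-list entries have the form "<extension id>;<update url>".
        if name == "ExtensionInstallForcelist" and meta.get("level") == "mandatory":
            forced += [entry.split(";", 1)[0] for entry in meta.get("value") or []]
    return by_scope, forced


def management_kind(policies):
    """Classify a listing as 'device', 'account' or 'unmanaged'.

    Assumption: device-wide policy is reported with scope "machine" and
    policy tied to the signed-in account with scope "user".
    """
    by_scope, _ = summarize(policies)
    if by_scope.get("machine"):
        return "device"
    if by_scope.get("user"):
        return "account"
    return "unmanaged"


if __name__ == "__main__":
    for label, sample in (("account only", ACCOUNT_ONLY), ("enrolled", ENROLLED)):
        by_scope, forced = summarize(sample)
        print(label, "->", management_kind(sample), by_scope, forced)
```

A listing that shows only user-scoped entries matches the BYOD case described in the comment; any machine-scoped entry points to device enrollment instead.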


It is early to learn to separate work (school in this case) from home by using separate hardware but it's a good lesson to learn. Get a second laptop, school spyware nonsense goes on one, non-school stuff on the other.

It's annoying and generally a waste of resources so feel free to argue with the school at the same time. Corporate IT won't remove spyware from my work computer, school sounds likely to be similar.


Upvote. My kids use Chromebooks as well, and we were asked to buy them ourselves, but I always assumed they would be heavily locked down and monitored.

We bought very cheap ones and they are only used for school work at school. They take forever to boot up and load google docs, but once there they are fine.

The kids know the teachers can see and read everything and anything that happens on that machine.

I kind of assumed they would be dropped or beaten up, and was expecting to buy a new one every year, but the eldest is still in perfect condition after 2 years. Quite proud that they are looking after them.


Have you tried to see if the Small Claims Court would work?

https://ag.state.il.us/consumers/smlclaims.html

Get the cost of the Chromebook, some money for your time, and then donate the Chromebook to the school since it's dead weight at this point.

My guess is that no one from Dept. of ed will show up and you'll get a summary judgment.


The Chromebook isn't ruined. Just do a factory reset and do not log into the school account.

I know it doesn't help the OP's kid who needs the CB for school, but there is nothing being done that a factory reset can't fix.


Looks like you read it the way I did originally -- that even a factory reset still leaves the GoGuardian software on the machine.

From the gist of comments of people more familiar with chromebooks than me, it actually looks like the factory reset does completely wipe the machine (as you'd expect from "factory reset") and there's no software installed that survives this process (other than the default chromebook stuff).


Unless someone from HN is mediating, it seems pretty unlikely that there will be an award for the value of the computer in small claims court.


Good idea; IMO, probably the only way the OP is likely to get any "justice" (if you can call it that) here...


Organize other pissed-off parents and persist at school board meetings until they change the policy. You’ll likely be labeled as terrorists for seeking redress with your public officials but stand strong, read up on laws and the board’s bylaws. Let them enter a trap (like ignoring you) where the law/bylaws say you can petition for removal of board member(s) on that cause. You’ll likely have to take it to court. But parents are prevailing and board members are being removed, for example in Pennsylvania over schools imposing their own mask mandates that do not align with public health.


Considering the range of protections a school is required to provide and that school IT is usually poorly staffed, paid, funded awkwardly… tons of different motivations for various policies.

I wouldn’t expect these policies to change.

Best bet is to not mix school administrated accounts with personal devices.


> Best bet is to not mix school administrated accounts with personal devices.

I feel like this is the obvious solution which is not fair or practicable to everyone, and so this whole post is about solutions that don't involve ceding an entire device to spyware distributors.


> so this whole post is about solutions that don't involve ceding an entire device to spyware distributors

I wonder if the school already provided a device.

My son’s school does.


“this is my rifle/ this is my gun/ this one’s for fighting/ this one’s for fun”


Don't use the CPS provided account. CPS policy is quite clear:

https://policy.cps.edu/download.aspx?ID=203

> I. Applicability.

> This policy applies to all students who use CPS Computer Resources and/or access the CPS Network (“Students”). Personal electronic devices (e.g. personal laptop) are subject to this policy when such devices are connected to the CPS Network or Computer Resources.

> IV. Privacy and Monitoring.

> A. Privacy. Students have no expectation of privacy in their use of the CPS Network and Computer Resources

> B. Monitoring. The Department of Information & Technology Services (ITS) has the right to access, search, read, inspect, copy, monitor, log or otherwise use data and information stored, transmitted and processed on the CPS Network and Computer Resources in order to execute the requirements of this policy [...] ITS reserves the right to: (1) access and make changes to any system connected to the CPS Network and Computer Resources to address security concerns.


Sounds like CPS is due for some major policy changes. Schools should not be teaching students that this sort of intrusive infringement of their privacy is something to be tolerated.


I'm not sure I agree that this is an infringement of their privacy - or more accurately I think this is a reflection of the fact that there's no reasonable expectation of privacy in a public space (physical or virtual).

It is perfectly normal in working circles that your activities on company owned devices or devices connected to a company network are monitored.

If the school required everyone to purchase a private device and then install monitoring software on it, then I think it would be reasonable to argue that if they want to control it, they should pay for it.

However, there was no such obligation here, OP simply bought a private device and expected to be able to connect it to a service someone else is paying for (yes, I know OP probably pays their taxes, and so is paying indirectly). They expected to take advantage of all the services provided by CPS without checking what the prerequisites for that might be.


> there's no reasonable expectation of privacy in a public space

This is not a public space, it's a privately-owned Chromebook. It is not reasonable that merely accessing the school's (mandatory) web services from a privately owned device will result in monitoring software being installed on that device without so much as seeking consent from the device's owner (which is the parent here, not the student who is logging in).

I blame Google here more than the schools. They're the ones that designed an OS which doesn't treat the device's rightful owner as the ultimate authority on which software gets installed. The school is just taking advantage of that design flaw, which is also wrong but hardly unexpected.

Aside: Can anyone familiar with the CPS system chime in on whether it's actually necessary to sign in to the Chromebook using the CPS login credentials to access these web services? Do they perhaps check for specific extensions? If it just requires a Google login it should be possible to disable the automatic link between the web login and the device/browser login in the browser's settings (under "Sync and Google Services" disable "Allow Chrome Sign-in", or just use Incognito mode).


> This is not a public space, it's a privately-owned Chromebook.

Well, privately owned things can exist in a public space too, with restrictions.

For example, if I want to drive my privately owned car on a public road, I need to take steps (registering, attaching registration plates) to allow my car to be tracked and its usage monitored.

I agree on the point that this is a decision made by Google, although I would say that if you attach a Windows device to a domain, settings can be set through group policies without the user's explicit consent.


> … to drive my privately owned car on a public road, I need to take steps … to allow my car to be tracked and its usage monitored.

Yes, for very restricted interpretations of "tracked" and "monitored" which are basically limited to mounting a unique license plate on the vehicle which can be passively scanned and used to look up the owner of the vehicle (not the driver). Without a warrant they aren't allowed to attach a GPS tracker for continuous real-time location or install a camera inside the car. The inside of the vehicle is still considered a private space which cannot be searched without probable cause. Moreover, the justification for the license plate and registration requirements is that the vehicle is physically within their territory, on public roads, which doesn't apply to the Chromebook situation.

> … if you attach a Windows device to a domain, settings can be set through group policies without the user's explicit consent.

This is not like attaching a Windows device to a domain. For one thing that requires local administrative privileges on the Windows device, whereas anyone can log into a CPS account on any Chromebook whether they own it or not. Here the student doesn't own the Chromebook, the parent does—if this were a Windows PC the student would not be the device's local administrator and would not have the ability to join it to a domain.


I don't own a Chromebook, but my understanding is that the monitoring would only run for the user with the CPS account, rather than for all users, is that wrong?


Apparently, according to another response from a Google employee, it depends on who logs in first. If you log in with the CPS account and then switch to another non-CPS account, the CPS policies are applied to both.


Well, that for sure is dodgy then.

