Tell HN: My kid's school installed spyware and I can't remove it
936 points by ccleve on April 4, 2022 | 417 comments
My middle schooler goes to Chicago Public Schools. They use Google Classroom for assignments and other communications.

I bought him a Chromebook for schoolwork, but also for other private things. When we logged in, the system installed GoGuardian monitoring software on the Chromebook without notice or permission.

And now I can't remove it. I wrote to GoGuardian support, and they replied that I had to contact the school or remove my son as a user. The instructions for removing him as a user do not work; on the contrary, I see the message "cps.edu manages this user and may remotely manage settings and monitor user activity" and he can't be removed.

I did a full factory reset, signed in to his account again, and now the system is once again locked down.

So now I'm in the position where I have to ask permission from a local government entity to please let me install stuff and don't monitor the computer I bought and paid for.

Does anyone know how to refer these people to law enforcement for prosecution?




I work for a school district (not CPS) with about 2000 deployed Chromebooks and you're likely running into one of two things.

1) You somehow 'enrolled' the device into the Chromebook management. This is hard to do by mistake but if you do, it essentially puts the device under the control of the school district. It also uses up a license on their end. We only allow particular IT-only accounts to enroll devices.

2) You're logging in with their CPS account. Once a person logs in with their managed account it can deploy user level policies that include everything you described: extensions, filtering, and blocking signing into another account in the browser. You'll also find some random pages are blocked to keep students from bypassing the restrictions.

That you can wipe the machine makes me think you didn't enroll it - if you wipe an enrolled device it will prompt/force you to re-enroll. You should be able to reboot the device so you land at the login screen and hit "Add Person" down at the bottom. From there sign in with a different Google account and it should be completely unaffected by any policy the school is deploying. Unless you enroll it, the policies are deployed to the Google account, not the device.

It's likely the CPS Help Desk Staffer you reached doesn't have the power to fix things for you if you've enrolled things - that usually requires permissions that are restricted to a few admins.

Feel free to shoot me a message via the email in my profile - I'm happy to give you some of the inside perspective and help you figure it out.
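An added illustration of the distinction drawn in the comment above (not part of the original post, and not Google's or GoGuardian's code): it classifies a policy listing as device-enrolled or account-managed. The input layout, the `source`/`scope` values, the sample policies and the `classify` helper are assumptions made for this example; a real `chrome://policy` export is nested differently depending on the Chrome version.

```python
import json

# Constructed samples, not taken from a real device. Assumed layout:
# policy name -> {"scope": "user" | "machine", "source": ..., "value": ...}.
USER_MANAGED = json.loads("""
{
  "ExtensionInstallForcelist": {
    "scope": "user", "source": "cloud",
    "value": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://example.invalid/update.xml"]
  },
  "URLBlocklist": {"scope": "user", "source": "cloud",
                   "value": ["blocked.example.invalid"]},
  "IncognitoModeAvailability": {"scope": "user", "source": "cloud", "value": 1}
}
""")

# Same account policies plus device-scoped ones, as an enrolled device would show.
DEVICE_ENROLLED = dict(USER_MANAGED, **json.loads("""
{
  "DeviceGuestModeEnabled": {"scope": "machine", "source": "cloud", "value": false},
  "DeviceAllowNewUsers": {"scope": "machine", "source": "cloud", "value": false}
}
"""))

# What each outcome means, paraphrasing the comment above.
NEXT_STEP = {
    "device-enrolled": "Device policy present: a wipe will prompt for re-enrollment; "
                       "an admin of the managing organization has to release it.",
    "user-account": "Policy follows the signed-in account only: add a separate "
                    "personal account from the login screen.",
    "unmanaged": "No organization-pushed policy found for this profile.",
}


def classify(policies):
    """Split cloud-pushed policies by scope and decide how the machine is managed."""
    device, user, forced = [], [], []
    for name, entry in sorted(policies.items()):
        if entry.get("source") != "cloud":
            continue  # assumption: only cloud-sourced policy comes from an admin console
        if entry.get("scope") == "machine":
            device.append(name)
        else:
            user.append(name)
        if name == "ExtensionInstallForcelist":
            # Each item is "<extension id>;<update url>"; keep the id only.
            for item in entry.get("value") or []:
                forced.append(item.partition(";")[0])
    if device:
        mode = "device-enrolled"
    elif user:
        mode = "user-account"
    else:
        mode = "unmanaged"
    return {
        "mode": mode,
        "device_policies": device,
        "user_policies": user,
        "forced_extensions": forced,
        "next_step": NEXT_STEP[mode],
    }


if __name__ == "__main__":
    for label, sample in (("account only", USER_MANAGED), ("enrolled", DEVICE_ENROLLED)):
        result = classify(sample)
        print(label, "->", result["mode"], "|", result["next_step"])
```
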


This response should be higher instead of the useless armchair lawyering :)

With GoGuardian, though, I think device level management is common? It's BYOD but it essentially becomes the district's device (and all the other accounts disabled) until you remove the managed account. It can't happen by accident, though, it tells you very clearly you're making it a managed device.

It sucks that schools are using enterprise management to monitor everything a student does on their machine, but it's not a rootkit or something. If it's not the district's device just remove the account.


I think GoGuardian is normally full device, but on Chromebooks it is installed via extensions. Extensions on Chromebooks are 'user' policies so they are applied to entire OUs of users. (docs here for anyone who is interested : https://support.google.com/chrome/a/answer/6177431?hl=en#zip...)

These types of solutions are really common for schools because under CIPA you must filter your network to receive e-rate funding. Deploying it to the device meets these requirements and also extends filtering off site which is a commonly requested feature.

If it is just being managed at the user level - then creating a second account is exactly the way to go.


^ This guy is correct. OP is vastly overstating the situation or uninformed.

Unless it was school provided hardware, management is done at the account level and accounts are fully isolated.

Powerwash (https://support.google.com/chromebook/answer/183084?hl=en) the device, log in with a personal account to make it the primary, and then log in with your kid's school account. Yes they will be monitored when logged in to the school account, but that is for compliance with the law. If you don't like it, write your representative.


What law are you referring to? How could a device owned by the student/parent require monitoring while not in school?


Not the device, the student district-managed account that is logging into the device. Districts are bound by law (varying from state to state) at a basic level to filter content and restrict access in the broadest sense, on or off the district network. I've worked in multiple states for various districts; they all had similar compliance requirements.


I don't see how the mere fact of someone being logged into a school account could create such a requirement. If I log into the school account from a normal desktop computer, I don't believe that the school even has the ability to restrict what webpages can subsequently be accessed. Is the school then failing to meet its responsibilities? If not, then how could they be required to enforce this on a chromebook that they do not own?


We run Chromebooks. I'm logged into one right now, on my personal account. There is no way for me, the GSuite admin of my company, to fuck with that personal account.

I can't read anything from it, I can't manage it in any way, I can do nothing. Some things in the personal account aren't accessible (you can only have one account on Chromebooks with a Linux VM), that's it.


Not true, and also not possible.

If a kid or parent can log in from offsite, it is not technically possible to force all browsers or systems to monitor and restrict activity. I can log in through Firefox (or curl, for that matter) and not have my activity sent to the school.

Also, there is absolutely no legal way the school could force the monitoring of activity from an offsite computer (unless it were school-owned), even if it were technically possible. To secretly and silently install spyware on a parent's computer when the parent logs into the child's account would violate so many laws and constitutional protections I can't even list them.


The article you recommend for resetting a device itself says:

"If you're using your Chromebook at work or school, you can't reset it."

So it likely does not apply here.


Yeah seconding this both as a parent and someone who has worked in education IT (K12 and higher ed) for almost 15 years. I'm not familiar with GoGuardian but I do recall with certain 3rd party Google apps that did similarly there were ways within the admin console for said app to exclude monitoring devices (regardless if managed account that's logged in) unless they were on the district network(s) by adding CIDR blocks to a whitelist. Of course, if someone were to use the device on a BYOD network in district you could then get scooped up in that dragnet though we excluded even those networks to prevent this as all district devices should be connected to the proper LAN.

I've personally forbidden my kids from logging into devices we own with their school accounts (O365). I've also gone so far as to relegate them to only connecting to a segmented guest network (internet only) with their district issued devices. I no longer work for a district but provide various levels of support for districts in my county as a state employee and let me tell you, no one really knows what they're doing. A district I used to work for uses a product called Aristotle essentially logging key strokes of every staff member and student. There are, or were, certain school admins that made it their business disciplining bored-ass students for things 99% of the time they may have said in jest to a fellow student. On the flip side it was instrumental in catching a couple staff members that were doing some pretty heinous things, one of whom is currently serving 35 years on federal charges.


No, it should only be the district's device while the district student's login is being used. There's still very much a legally-enforceable expectation of privacy for the other possible users of the machine.

That the user is the actual owner of the equipment makes it pretty important that someone at the school system defined the MDM policies properly so as not to violate other users' privacy rights. ...but considering the way most of them are staffed, they probably screwed up and need to be shown the right way to do it before they land themselves in court.


Why is it ever the "district's device?" It's owned by the parent, it's being used at home. What justification does the district have to monitor anything that's happening not at school using equipment that they do not own that does not involve any of their servers?


It isn't the district's device. OP just enrolled it in the School's GSuite organization so, obviously, policies got pushed. They can just... not do that.

If they want to log into apps or whatever on the Chromebook, they do need to do that. At that point the device has to follow policies for accessing the school's services or whatever. They still don't own the device, but they can push policy to it. At any time the device can be removed from the organization, but that has to be done by the organization, I believe.

Of course, you can have multiple accounts on the Chromebook, so they could just have the device enrolled for one user, but have a personal account not enrolled.

It's all pretty straightforward.


Have written Chromebook extensions for large school systems. The OP is absolutely correct.

It boggles the mind what some of the posters above this are thinking.

Seriously, no one wants to spy on your home browsing habits - if nothing else because it creates a new workload and a potential liability for the teachers and the institution. Create a new profile, and you're good to go.


So, it sounds like the best advice to OP is to create another 'home' account for their son, on the same device, which won't be monitored or affected by anything the school does.

The son can decide which account to log into based on what they plan to do that day.


Probably better to log in (or not) to the Chrome OS device as a personal account, and then log in in the browser (private mode perhaps?) to the school account to do the classroom stuff. I don't think logging in to the school account in Chrome the browser will trigger the same behavior as logging in to the school account in Chrome the OS.

You may need/want to powerwash the device again.


> The son can decide which account to log into based on what they plan to do that day.

You can log into multiple accounts at once on a Chromebook. ctrl + alt + `.` lets you switch between workspaces across accounts, and you can right click windows to move them across workspaces. I'm doing this right now so I can post on HN from my personal account while I code for work.


No, at this point they probably can't. It's locked down the way it is to specifically prevent that sort of thing.

It should be removed from enrollment, the IT dept doesn't want that on there any more than OP does.


I experienced scenario #2 on my son's Chromebook during pandemic school closings. One day he logged in with his school account and about half the apps were disabled, including core stuff he needed to do school work. I got the "we can't control your computer, that's not how computers work" speech from the school. It was one of the most frustrating things I've ever experienced. The policies finally got fixed a few days later, but I'm pretty sure the people I talked to thought I was crazy.


Agree. We have filtering on our kid's Chromebook, but only when they log in as a user to their school account. They have their separate account which gives them their own space.

Certainly you WANT the school district to do some filtering for the school accounts, right? I mean, I think ours locks it down so tight that students can't get outside emails until they are whitelisted somehow...


> Certainly you WANT the school district to do some filtering for the school accounts, right?

a) No. Filtering (if there is any) should be limited to their own network or a school-issued device, not some device the school system doesn't own.

b) Filtering only the school accounts is pointless if the student can just switch to a non-school account (or guest account) and access whatever they want there.


> Filtering only the school accounts is pointless if the student can just switch to a non-school account (or guest account) and access whatever they want there.

From the district's perspective this does have a point: it removes perceived or actual liability for things that the student could be exposed to or experience using their managed services. Being able to tell an offended parent "not our account, not our device, not our problem" versus having to answer for "but he was logged into his district managed Google account, shouldn't you have protected him?"


Your A) is exactly what is happening. Filtering on school account only.

On B) I agree that kids can and will do anything they want on other accounts including just opening their phone! But what happens on school sponsored email, virtual drives, and applications should be controlled I would think. It opens the school to liability if nothing else.


> Your A) is exactly what is happening. Filtering on school account only.

I said "their own network or a school-issued device". Not "on school accounts".

Part of the blame here resides with Google for tying login on Chromebooks to an email address & automatically signing in to various other (possibly managed) services linked to that email when all you really want is some local storage and a web browser. An email address is an identity. A student might not have any other email address—sure you can create a new one pretty easily, but this is how they identify themselves to everyone else they know; inventing an alter ego for non-school activities is a bit much to ask. Facebook and the like don't impose a "managed mode" on your private PC and monitor your access to other sites and apps at the OS level just because you signed up with your school email. To basically anything but a Chromebook your email address is just an arbitrary username which happens to also be a place where you can receive messages.

It should be possible to log in to a Chromebook using an organizational email address without enabling remote management of the Chromebook. You may not be able to access certain managed services as conveniently (though these should also be available as regular web sites, sans device management) but other apps and web sites not linked to the organization should work as usual. And it should be possible to have multiple distinct profiles (e.g. personal and school) with the same email address, and different management settings, if you're going to require an email as the login.

> But what happens on school sponsored email, virtual drives, and applications should be controlled I would think.

So control them—on the server side, which is part of the school's network. They're monitoring all use of the Chromebook while signed in to this account, not just the school's network, services, and applications. Even, apparently, while the device is switched to another account after logging in to the student account.


This.

Then again this site is mostly developers. They have no idea about SCCM, Intune, JAMF and other MDMs and how they work.


> I bought him a Chromebook for schoolwork, but also for other private things. When we logged in...

This is why you need to pay attention to the technology choices that you make, and that your schools make. Chromebooks are designed from the ground up to be locked-down dystopian spyware once you "log in" to them with a specific Google account. For heaven's sake stop buying any more Chromebooks.

The correct solution here is not technological at all. Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this. Emphasize stories of previous data breaches involving educational companies [1], and show officials that they are putting students' sensitive data at risk. (Edit: See the important point in the reply from 'n8cpdx below about the correct tone to use in your comments – don't repeat my words verbatim!)

The technical details don't matter too much to educational officials – as soon as the "Chromebook = bad spyware" label sticks and they think that a fuck-up here could cost them bad press, they will allow their IT department to make more privacy-respecting technology choices even when those choices cost a little more. If no one speaks up, it's a race to the bottom driving us closer to the fiction in The Right to Read [2].

----------------------------------------

[1] https://techcrunch.com/2021/11/22/smarterselect-exposed-mill...

[2] https://www.gnu.org/philosophy/right-to-read.en.html


> Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this.

Just some comments on the political aspect of this, since the HN crowd tends to not be so good at that part:

- Following this advice and using a tone that even resembles the tone of the comment or the original post will make you look/sound crazy. School boards (government boards in general) are used to seeing vocal, crazy people and are good at not taking crazy people seriously.

- “spyware” is not something non-technical people understand. Just invoking spyware is going to make people think you’re crazy, not motivate them to fix the problem.

- Normal people do understand things like ownership and consent (approximately, anyway). It might be better to highlight the fact that you own the laptop, your child cannot possibly consent to such monitoring/software being installed, and that you weren’t notified.

- Normal people understand things like subscription costs - why should the school district be paying a third-party service to monitor a device that they don’t manage. By installing management software on your child’s device, are they assuming ownership and _liability_ for how that device is used outside of school?

- The whole chromebook=spyware doesn’t really make sense unless the only comparison is Linux; and if your kid doesn’t understand privacy issues on a chromebook, they definitely won’t have a good time with Linux. The IT department could have just as easily installed similar spyware for Windows or macOS.

Realistically what probably happened here is they have slightly clueless people who installed standard-issue software without thinking to check if the student actually owned the chromebook, because they probably dealt with a hundred other District-issued devices that day. When you run into that kind of bad outcome from human frailty, it is better to treat it as such rather than complain to the board that the sky is falling.


I agree one hundred percent with this commenter. They are absolutely right – don't use the tone that I'm using on HN! I did not structure my HN comment from the point of view of how to present it for public comment; and the tone if used verbatim will mark you down as "tinfoil hat crazy person who we should ignore", as the parent correctly points out.

Definitely don't use the term "spyware". Try to assume the persona of a reasonable, slightly conservative, and concerned person who is worried about data privacy and why public money is being spent on subscriptions to companies who collect a lot of it, but are not local or accountable. Highlight that you understand that choices are difficult, but that the school needs to do better and be more accountable to parents and students, especially in an age where personal data has become so important.


Even better, contact other parents ahead of time and see if others are concerned. Expand your group of concerned people by following their natural networks and start collaborating on a joint proposal.

Ideally you can collectively find a workaround (start by emailing IT, as someone else suggested, if that doesn't work, maybe schedule a meeting with someone more influential -- either way, the aggregate wisdom of your parent group will come up with more creative solutions than us at HN). Once you have a solution, craft a flyer and send to all parents: "This is what we saw as a problem, and this is what we did about it. Contact us if you want help."

If all else fails, stand up together in the board meeting.

Democracy does not require permission.


> Following this advice and using a tone that even resembles the tone of the comment or the original post will make you look/sound crazy.

Thank you. Also, please ignore every comment in this thread suggesting you lawyer up or go to small claims court. The laptop isn't ruined and can be reset whenever the OP wants (as they already established).

If you go in guns blazing to the school board, the school is going to go into full defensive mode. Once you've established yourself as the aggressive parent with an axe to grind, they're not going to be interested at all in working with you.

If you actually want to get anywhere with this, start with a friendly e-mail to the school's IT staff. Ask them how your child can do their schoolwork without putting the laptop under school control. If you go in with a reasonable approach, you might get a sympathetic IT person who will walk you through the situation and explain the options.

> Realistically what probably happened here is they have slightly clueless people who installed standard-issue software without thinking to check if the student actually owned the chromebook

That would be my first assumption. I would even guess that they aren't keen on having yet another license tied up on a student's device somewhere.

Don't immediately rush to assumptions of malicious intent, don't think that making a scene at a school board event will further your goals, and definitely don't take any of the suggestions here to lawyer up or otherwise waste a lot of time and money on a legal fight that you will surely lose.


> The laptop isn't ruined and can be reset whenever the OP wants (as they already established).

I take it that it's fine that I install a microphone with a transmitter in your ceiling fixture so long as I don't damage the fixture itself.

> Don't immediately rush to assumptions of malicious intent

Is there a good reason to doubt that the intended purpose for installing the software was to use its advertised functionality?


If they thought the laptop was school property, then comparisons to wilful intrusion into someone’s house is hyperbolic, and no it wasn’t malicious. It would be more like if the cops had a valid warrant to track a suspect's car, but installed the tracker in the wrong car by mistake.

Best to establish the facts first.


Installing monitoring software (spyware) on a laptop that is owned by the school is legit only if you consider the student exactly that: a suspect. In that sense, your comment is spot-on.

Following that logic, the act itself does not seem malicious. However, the logic of seeing students as suspects is.


I have a sort of extremist take on this: students are literally prisoners. The job of a high school is to keep students from harming each other, feed them, and occasionally teach them something.

It’s why one of the highest offenses is to leave school grounds during school. Ditto for prison.

In that light, of course students are suspects. They’re already guilty of not being adults. They’re not allowed to have jobs, or to decide what they want to learn, or any of the other things that make adults human.

I don’t know what to do about it, but recognizing it seems step one.


> students are literally prisoners

You're being downvoted, but I often felt exactly this way throughout my school years.


> However, the logic of seeing students as suspects is.

Is it? I don’t think I know any high school student that hasn’t tried to muck with, or work around, the school's systems.


And "solving" that "problem" is not a good thing.


That's fair, I'm not saying they are right to do it in that sense.


> If they thought the laptop was school property, then comparisons to wilful intrusion into someone’s house is hyperbolic

So if you're renting an apartment from me, I am right to spy on your children with my ceiling bug?

> It would be more like if the cops had a valid warrant to track a suspect's car, but installed the tracker in the wrong car by mistake.

The school is not a police force; nothing warrants their privacy-intrusive surveillance of my children without my consent in the first place.


> If you go in guns blazing to the school board, the school is going to go into full defensive mode. Once you've established yourself as the aggressive parent with an axe to grind, they're not going to be interested at all in working with you.

Too bad! They can be voted out, or face lawsuits if a heated attitude is too much for them that they feel the need to ignore valid feedback regardless of the emotions involved.

I've heard the same argument used for angry minority communities in the past, so this very much applies here as well. Heated rhetoric school boards are seeing today are reminiscent of a body that isn't listening.


The question I like to ask myself in instances like these, when I'm pissed off at what I see as unreasonable attitudes and processes, is this:

Do I care more about making myself feel better by airing my grievances in whatever way suits my fancy, or do I care about a specific outcome?

If it's the latter, then the best thing to do is to figure out who is in charge, and, critically, the right way to talk to them in order to get the response -- and hopefully the outcome -- I want.

Sure, I could turn this into a crusade to vote out the school board and replace them with... who, exactly? The kind of people who are qualified and likely to get elected are probably pretty similar to the people there already: not too technically-inclined, and not willing to put up with an aggressive attack from parents. Even if I did manage to find and elect a school board that would take this kind of issue seriously without needing much prodding, by the time I went through this whole process, it'll be... a year? Two years? More? The ship will have sailed, and my hypothetical kid will have leaked all their private data to the school's nanny software already.

So hopefully I'd instead do the smart thing, approach the school board in a way that resonates with them, and get the outcome I want.

> I've heard the same argument used for angry minority communities in the past

I don't think this really applies here. Most "angry minority communities" are fighting for things that are systemically stacked against them, and often the "polite" approach doesn't work. But we're not talking about systemic oppression here; we're talking about an overworked, underpaid school IT department that doesn't have much choice in what they do, directed by a school board that doesn't understand the issues involved.


This! The most important thing I'm asking myself: What do I want to achieve? Does "yelling" at people raise my chances in achieving this? Later on, when my immediate goal is achieved, I can decide whether I care enough to follow up or not. First things first - sort out your priority.


>Too bad! They can be voted out, or face lawsuits if a heated attitude is too much for them that they feel the need to ignore valid feedback regardless of the emotions involved.

Only the world doesn't magically grant wishes to Kens and Karens, just because they feel strongly about something and how right they are. The person taking that board to court or trying to vote them out could just as trivially lose.


They can't be voted out by you alone though. And what he wrote about the school is just as true for the majority of other parents.


> Following this advice and using a tone that even resembles the tone of the comment or the original post will make you look/sound crazy. School boards (government boards in general) are used to seeing vocal, crazy people and are good at not taking crazy people seriously.

I agree with the general point of your comment but this is simply not true any more. I’m not sure it was ever true, but recent coverage of school boards and environmental review public consultation throughout the United States demonstrates that it certainly isn’t true in 2022.


Totally agree with you in every way except your last point. IIRC, the administrators of a Google Workspace domain have almost complete control of the accounts created under it. For example, they're able to make sure that each account comes with preset Chrome Web Store extensions or they can limit or completely disable your control over your account. So, unless the school board locked down the Chromebook itself, (which I don't think they can unless they actually own it) these restrictions and the spyware would've been automatically "installed" on OP's kid's account and shouldn't be active/installed when you're logged into a privately owned Google account. All in all, the way Chromebooks work is unconventional and sometimes very annoying.


If I recall, the language that's used in situations like these is something along the lines of "Personal electronic devices will be governed under this policy when such devices are attached to the CPS network." So .. it's a "as long as you're going to connect to the CPS controlled network / resources, you must have software protections / controls in place".


Except it sounds like the spyware is still installed even if they log in with their personal account? The isolation principle is violated. It's a huge security hole.


I have a huge smile reading this comment. Thank you. Far too often the tech community gets totally lost in their own world. A world that 99% of people don’t inhabit.


> “spyware” is not something non-technical people understand. Just invoking spyware is going to make people think you’re crazy, not motivate them to fix the problem.

It's also vague. Make sure parents know exactly what data is being gathered, and who gets it. And point out that this is being kept hidden from both children and parents - if the spying is above-board, then why doesn't the device give a big "All your chat messages and internet activity is being monitored by XYZ, even outside school hours" notice at log-in?

Was the existence and extent of this spying communicated in any clear way, by the software or by the school, or buried deep in a click-through agreement?


The biggest thing is that if you are calling to complain, then you will IMMEDIATELY be discredited. They don't have any reason to keep you happy, so complaints mean absolutely nothing. You cannot come with complaints - you must come with a solution, already prepared, such that it is easier for them to implement the solution than to not. People will always, 100% of the time, take the path of least resistance - actually make the path not resistant at all and it's the only way you can convince anyone to do anything.


It seems like the path of least resistance here is “only use school equipment to access school accounts”, create the kid a non-school Google account, and only use non-school accounts (his and others) on the private Chromebook.

I find it annoying but acceptable that my work account doesn’t function on my non-work computer.


I find the behavior as implemented entirely unacceptable. My work has Google apps and that caused a Chromebook I was using to immediately jump to managed by the company as soon as I logged in with my work account despite having no intranet/etc and no one intentionally configuring anything. It would never allow me to do regular processes for the chromebook's management even after full resets.

The whole point of a restricted boot environment is to have multi user with proper separation where one user can't accidentally compromise the system. If an org is still unhappy mixing with other accounts or being on user provided hardware they should be able to block that. Stealing hardware and implementing anti-theft rules that should apply to verified org provided hardware on first login is a crime.

Years ago, I debated Chromebooks as a solution for older relatives. Now I shudder to think what would have happened if I had and one of their nieces/nephews or grandkids had something to show them from school.


Having seen the absolutely atrocious screens in the school furnished chromebooks I half believe Vtech put higher res screens in their 90's kids laptops.


Bring this concern to the school board: Say your child is making homework all alone, in their room, total privacy. Is it true that the monitoring software can at that moment look at the webcam and listen in to the microphone's audio? If no consent was given, that should be pretty bad for the school board.


> The IT department could have just as easily installed similar spyware for Windows or macOS.

Just a nitpick here, yes school IT could do a remote install of spyware if the user was privileged and agreed to it. But a privileged user could also uninstall it. Which is not the case here. In my experience with MDMs the school has to physically have the laptop to install a permanent MDM or purchase the laptop and provision through an activation portal. My experience has been Intune Autopilot and ABM.

Google Work MDMs were notorious for remotely wiping personal devices, which is why I never allow work to install MDMs on my personal items.


I've worked in IT support and had issues with parents who let their children use their work computers for school having the chrome browser locked down by the school.

The only fix that worked was exporting the logins and passwords, deleting them from Chrome, and then reinstalling Chrome with a different login. I don't want my coworkers' work data in the hands of their children's schools' IT dept, and I've let them know that this can count as a data breach (fortunately, so far none of them have been privy to any important data).

Suffice it to say, don't let your kids use your work laptops, and don't log into your child's school accounts on your work computer.

This should be really obvious but apparently it is not.


>- “spyware” is not something non-technical understand. Just invoking spyware is going to make people think you’re crazy, not motivate them to fix the problem.

Even if you say the school is installing stuff that allows them to monitor your child instead of using the term 'spyware' that may not be too compelling, I suppose a lot of parents will reflexively think - so, that's the school's job.

Thus the need to focus on how these things have been misused in the past, maybe say it's their job to monitor your child during school hours, but after school hours it's your job.

Also note how you bought the computer, it is your property, you can use it how you wish, if they want it to be otherwise they should buy the computers for children.


Use examples that help non-technical parents understand e.g. anonymous spyware employees can now potentially spy on your children while they’re getting dressed.


Brilliantly written feedback, I hope folks take it to heart.


The other thing I'd add is the only way to impact the school system is to create an alternative (private or charter) or get your own people on the school board. Or if you’re really rich, hire a lawyer, but that’s kind of an %sshole move because then the school district has to either cave to everyone hiring a lawyer, or fire the music teacher to pay for legal defense.


School choice would do a lot to get schools to compete and be the best possible.

Charter schools are something we use now. Hardly perfect but it’s a lot nicer.


Charter schools leave a lot of kids behind, especially if they have special needs.


Depends on the charter school. In New York the Special Ed kids at Success Academy outperform Gen Ed kids citywide.


Not the OP but: IME, in EU, being tough, not vocal, and threatening legal action on a serious basis works very well; most institutions know they have skeletons in their wardrobe and they do not like to face someone who is not crying but very determined to hit with all legal means, especially if there are also ideological motivations.

Spyware is a very well and generally understood term: someone breaches someone else's privacy deliberately, which means a complaint, court and uncertain results for those who decide to spy. Surveillance capitalism is ignored by most, but known as evil, so once someone talks about that while pointing the finger at a school, not a hyper-giant player, people are likely to rise up. They imagine in their mind a naked child spied on via the webcam etc. in an instant. While they normally do not understand anything about ownership and consent on "digital stuff".

Oh, BTW what "realistically happens" has exactly zero meaning: the possibility of doing so on unmanaged computers means a built-in RCE so big that such products must not be on the market. Remote control of desktops must be deployed on purpose, not come pre-installed from factories, because anyone can use a pre-installed system in place. If that's true at least in EU, there is room for legal action against the OEM, not only the school.


> When you run into that kind of bad outcome from human frailty, it is better to treat it as such

I take it, then, that you would not bother to do anything about the descent down the slope to uniformity controlled by MAMAA?


> Chromebooks are designed from the ground up to be locked-down dystopian spyware once you "log in" to them with a specific Google account.

Nonsense. They were designed to implement required policies when someone logs into a managed domain. Unless you're logging into something like that (where disclosures have been made and consent has been obtained) then there's no "dystopian spyware" involved. Absent any domain management policies, Chromebooks are basically fancy thin clients that make efficient use of web-based services.

That having been said, the OP either conspicuously failed to mention that such disclosures were made, or (and this I find to be much more likely) the school was dumb enough to think they don't need to disclose anything because like a lot of school systems, they have gotten the curious idea that they basically own the kids and that the kids have no rights whatsoever. Should that be the case I hope a judge spanks them soundly for it because yeah, they absolutely do need to disclose this stuff to the students or the first time there's a serious problem due to abuse of the monitoring system the school is likely to get very, very pantsed for facilitating child abuse.


Agreed, domain admins can also lock down Windows, iOS, Android, and MacOS.

The school is effectively making the computer a terminal into their system. Their system, their rules.

I know the OP won't like this answer but the OP should buy their kid another computer for their non-school activities. Of course they could also complain to their school/district to change the policies. Personally, I'm used to it. I have a personal computer for my own use and a corp computer that's managed by corp and is locked down. I don't complain the corp computer is locked down (except when it gets in the way of doing my actual job). For all personal stuff I use my personal computer.


That corp computer is owned by your employer. If instead you are a consultant who does work for several clients on your own machine, then it would be unreasonable for them to lockdown your personal machine. Instead, if they want you to use a more secure solution, they should provide the computer.


In my company setting up the office email on our personal phone is optional. But if we choose to do that, they install this entirely new 'profile' with work apps and controlling software on that in the name of security. I chose not to install it, but some would surely do it. Probably no case can be made against them as they don't force their employees to install mail on their phones.


I did that for convenience (though now I removed it), but the work profile seemed to be well compartmentalized from the personal part, and there was a strong emphasis on this fact before the installation process. If they were to wipe it, only the work profile would be affected. I fortunately never had to try it...


Right, but if you add your account to their organization so that you can get onto their network, don't be surprised when they push policies.


No but if you add their MDM to your personal PC they can push policy to it.


"The school is effectively making the computer a terminal into their system."

I agree with this. If you had an rdp / citrix / ssh session to your employer you'd expect them to control what's on the other end. A Chromebook on which you're using a work/school account is much closer to that experience than a PC, but with the lines unfortunately much more blurred.


> consent has been obtained

Has it been, in this case? If a parent says 'I do not agree to this', then what? Will the school district swap the system out for one that doesn't require end users to waive their legal rights? Has that ever happened when a parent objected to one of these EULAs, even once?


Not to mention, consent can be revoked at any time in the future without reason. Giving consent once does not mean you have consent forever.


The school district should give the student a (locked down) computer. No waiving of legal rights is necessary.


One solution could be to set up the laptop with a personal email account and configure the school email address to forward everything.


If the student needs to use a Chromebook for school, that won't work. On my daughter's Chromebook, every app and website is tied to the account. It's not just a question of forwarding email.


You can have multiple accounts on a Chromebook.


As others have mentioned above, GoGuardian is at the device level, not the account level.



Yeah, I’m assuming a lot about the ability to do what you need to do without a school account.


Not really applicable with the Chromebook, but in general I guess the safest thing is to log in to the school stuff only from a VM? (At least that way the damage is limited.)


> Chromebook are basically fancy thin clients that make efficient use of web-based services

This reminds me of Asimov's Multivac home terminals where every user, in the comfort of their home, could dial in a query on their computer terminal and the massive infrastructure which is the continental-sized Multivac computer will respond with an answer.


> they absolutely do need to disclose this stuff to the students

In this case the student is not the owner of the Chromebook. They need to disclose this stuff to, and obtain consent from, the parents before taking control of the device.


> (and this I find to be much more likely) the school was dumb

It makes me cringe that this is an accurate assessment of how our educational system is run.


> Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this. Emphasize stories of previous data breaches involving educational companies [1],

This is some bad advice. No need to escalate the situation. Simply contact the son's school and find out who the technologist is and ask them for help. Explain to them the situation and I'm sure they will understand. The computer is personal so they don't want it under mobile device management.

I have some experience with schools. The school is not intentionally installing spyware. Further, most public K12 organizations have IT departments that are not going to be as well staffed/knowledgeable as your average Silicon Valley tech company. So they may not know exactly how to rectify this situation. No need to berate the school board over "spyware."


Oh no, there's no way the school system didn't know they were installing monitoring software. It would be fairly reasonable for them to require that in the context of students logging in to access and use school resources (i.e. lessons) and to keep them from just goofing off.

What is not reasonable is the very real possibility that they might have overstepped and made these policies active for all logins on the device, or that they failed to properly disclose what exactly happens when the user uses the domain login. That would then make what's been installed very worthy of the term "spyware" and would probably make both GoGuardian and Google upset with them because it's unnecessarily heavy-handed and pretty much guaranteed to bring bad press.

Part of the reason these things are so locked down is so that management policies can be applied to ONLY the logins that require them without impacting the entire device all the time. If someone tries to sidestep that by grabbing root access and messing with the trusted environment, when the user logs into the managed domain the machine is going to report that its environment has been tampered with and that should pretty immediately bring use of any domain-managed accounts to a halt. You wind up actually jumping through the same hoops (although more discreetly and without involving logging/reporting of browser history) when you use your bank's banking app or have Microsoft Teams/Outlook installed on your phone. Both of these things absolutely require their data be kept separate from the rest of the user's data, and very carefully protected from the other apps on the device.


I agree. What I should have typed instead of "The school is not intentionally installing spyware." is that they probably did not intend to install the spyware on personal machines of students that logged in with their school Google account. Perhaps there is a management policy misconfigured or the student got confused and enrolled the device.

From my understanding, if you set up a personal Chromebook you can then log in to Google Classroom via the Chrome browser and it should not enroll the Chromebook in MDM. At least when I log in to my Chromebook it does not enroll my device.


GoGuardian is an extension tied to the user and installed at login. This extension only runs on chromebooks and does not know which device is owned by who.
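
Whether a forced extension follows the account or the device, the point disputed in the comments above, can be checked from the policy list on the machine itself. As an added example (not from any commenter), this Python sketch reads a JSON export of `chrome://policy` and reports each policy's scope and any force-installed extensions; the export layout, the extension ID and the update URL are constructed assumptions, and `ExtensionInstallForcelist` entries are taken to be `id;update_url` strings.

```python
import json

# Constructed sample modelled on a chrome://policy JSON export. The layout
# (policy name -> {level, scope, source, value}) is an assumption; the
# extension ID and update URL are placeholders, not real identifiers.
SAMPLE_EXPORT = json.dumps({
    "policyValues": {"chrome": {"policies": {
        "ExtensionInstallForcelist": {
            "level": "mandatory", "scope": "user", "source": "cloud",
            "value": ["aaaabbbbccccddddeeeeffffgggghhhh;https://example.invalid/update.xml"],
        },
        "IncognitoModeAvailability": {
            "level": "mandatory", "scope": "user", "source": "cloud", "value": 1,
        },
    }}}
})


def iter_policies(node):
    """Yield (name, entry) for every dict that looks like a policy entry.

    Walking the whole tree avoids depending on one export layout, since the
    nesting above the policy entries is an assumption here.
    """
    if isinstance(node, dict):
        for key, val in node.items():
            if isinstance(val, dict) and {"scope", "level"} <= val.keys():
                yield key, val
            else:
                yield from iter_policies(val)
    elif isinstance(node, list):
        for item in node:
            yield from iter_policies(item)


def summarize(export_text):
    """Group policy names by scope and list force-installed extensions."""
    report = {"by_scope": {}, "forced_extensions": []}
    for name, entry in iter_policies(json.loads(export_text)):
        scope = entry.get("scope", "unknown")
        report["by_scope"].setdefault(scope, []).append(name)
        if name == "ExtensionInstallForcelist":
            for item in entry.get("value") or []:
                ext_id, _, update_url = str(item).partition(";")
                report["forced_extensions"].append({
                    "id": ext_id,
                    "scope": scope,
                    "source": entry.get("source", "unknown"),
                    "update_url": update_url or None,
                })
    return report


def classify(report):
    """'device' if any machine-scoped policy exists, 'account' if only
    user-scoped ones do, 'unmanaged' if the export holds no policies."""
    if report["by_scope"].get("machine"):
        return "device"
    if report["by_scope"].get("user"):
        return "account"
    return "unmanaged"


if __name__ == "__main__":
    result = summarize(SAMPLE_EXPORT)
    print("management:", classify(result))
    for ext in result["forced_extensions"]:
        print("forced extension:", ext)
```

Run against exports taken while signed in to the school account and to a personal account, the same script shows whether the forced extension disappears with the managed login.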


> I have some experience with schools. The school is not intentionally installing spyware.

Our highschool had a bunch of laptops. They were the firstish gen of mac laptops with built-in webcams. This was all very new.

These laptops would take a picture of the user at every login and then once an hour or so after that. I guess the principal wanted to know who was using each machine in case anything unclothe was done with the laptop. The pics were stored on an FTP server (not FTPS. Not SFTP. FTP.). The FTP account had RWX on the directory where all login pictures were stored, and the FTP server was exposed to the internet. A simple MiTM on any network where this laptop connected would give the attacker full read access to these login pictures.

The problem: these laptops could be "checked out" for an evening or weekend. So they got around. Hotels, restaurants, libraries, coffee shops, etc. But also students' bedrooms. This was in the days when most public wifi was just a commodity Linksys router behind the register and you could more-or-less safely assume you were being MiTM'd when connecting to a public wifi network.

So, long story short, a principal with bad judgement and an IT admin with just enough googling skills were uploading pics of students in their bedrooms to an FTP server that was almost certainly hacked into by dozens of different people. Without consent or knowledge of the students or parents.

When I raised this issue, the principal suspended me. Getting the suspension reversed required going to central office, who were totally unaware of what was going on and were, obviously, appalled at the picture taking script.

School IT staff are often knowledgeable enough to be dangerous, and individual school administrators often demonstrate remarkably horrible judgement. I understand the "be kind" sentiment, but there really is a lot of inexcusable incompetence and poor judgement in K12. We should hold those systems to a much higher standard than we do.


> The school is not intentionally installing spyware

Citation needed.

Here is a counter citation: https://www.vice.com/amp/en/article/8xwze4/schools-are-using...

And here: https://amp.theguardian.com/commentisfree/2021/oct/11/us-stu...

Schools are doing this. They are intentionally installing spyware and GoGuardian is one of the biggest offenders.

This should be brought up at the school board.


Please don't follow this advice. Frothing at the mouth about spyware on your kids computer will immediately be dismissed as insane ravings, and possibly get a visit from your local child safety organization.

I recommend reaching out to your child's teacher, and ask to get connected with the IT team at the school to explain what's going on.


>Please don't follow this advice. Frothing at the mouth about spyware on your kids computer will immediately be dismissed as insane ravings, and possibly get a visit from your local child safety organization.

I don't think parent described 'frothing at the mouth', and furthermore the concept of "I shouldn't speak out otherwise I may paint myself as a target for child protective services" is so subversive and nu-speak like that I don't think I can ever support it. CPS is supposed to be a social service for the support of children; not a society control and opinion-steering organization.

If parent did something publicly that'd warrant the visit, sure; but creating public awareness of the situation for the parents can be done in an orderly and respectful way -- no one suggested otherwise.


Speaking out is not something that puts you at risk. Showing unstable behavior by escalating a simple technical support issue into a rant about ‘spyware’ at some board of Ed meeting tends to raise eyebrows though.

Asking “Does anyone know how to refer these people to law enforcement for prosecution?” regarding a technical support issue is not respectful or orderly behavior.


From Wikipedia [1]:

> GoGuardian products allow teachers and administrators to view and snapshot students' computer screens, close and open browser tabs, and see running applications. GoGuardian can collect information about any activity when users are logged onto their accounts, including data originating from a student's webcam, microphone, keyboard, and screen, along with historical data such as browsing history. This collection can be performed whether students connect from school-provided or personally-owned devices.

I can only describe this as, well, spyware. No need for scare quotes. The OP has every right to be angry about this.

To describe this as a "simple technical support issue" is some blatant euphemism.

[1]: https://en.wikipedia.org/wiki/GoGuardian


A pedo-criminal hacker's wet dream. If one manages to compromise accounts of some teachers, or worse, some school admin accounts, or is an insider at the school or GoGuardian itself...

And before anybody says, that things like these only happen in the movies, or bad crime TV shows... they do happen in real life as well. I remember a case here in Germany, where somebody had managed to install RATs on ~150 school-age girls' laptops, tho using some spear-hunting, and when he was raided, police found a large collection of videos he had recorded with the girls' webcams[0].

That there are sexually-motivated hacks should be clear to the wider public at least since the so called Fappening.

As for insiders, NSA staff spied on ex-partners, love interests and spouses[1], to a degree where they internally coined the term "LOVEINT" for it. If the paranoid NSA cannot "manage" their own people, then what chance would a GoGuardian or school have, I wonder.

[0] https://www.t-online.de/digital/sicherheit/id_42278570/hacke...

[1] https://www.reuters.com/article/us-usa-surveillance-watchdog...


Having a 'right to be angry' doesn't mean being angry is the tactic to further one's goals.


My point was that the parent comment was downplaying the significance of the problem and shifting blame on the victim with statements like this:

> escalating a simple technical support issue into a rant about ‘spyware’

The right tactic for objecting to school officials was beside my point.


Calling unremovable* spyware (the term is accurate, no matter how insane you think it sounds) a "technical support issue" is like calling surveillance cameras installed in your home an "improper furnishing issue".

*Edit: sokoloff may be correct, and the spyware is not unremovable. Still, the analogy holds.


Is it unremovable from the device, though? It isn’t clearly defined in the account above whether it was removed (and then reinstalled with the subsequent kid’s login).


Yes. It would be reinstalled at login.


What is accurate or not in some platonic sense doesn't have much bearing on what tactic will yield the results you want in practice.


CPS does not really have a traditional school board and it’s not elected either (appointed by one of several mayors who ran on an elected school board and then reneged). OP can shout their complaints out over Lake Michigan for the same effect.


A few minutes of Googling showed me this upcoming meeting https://www.cpsboe.org/meetings/details/2329 on April 27th, 2022. It seems to be a Chicago Board of Education meeting, and seems to have options for public participation.

Do I have this wrong? I'm not from Chicago or Illinois, so that's quite possible.


You can indeed attend and raise concerns but it will likely be ignored. Nobody is worried about losing their seat if they ignore constituent complaints.


Yeah, I don't really know how the Chicago school board meetings go, but I watch the MTA board meetings. (The MTA is New York State's public transportation agency.) They have a public comment section where you get 2 minutes to say whatever you want. These rants are usually completely incoherent and I doubt any board member could remember a specific point from any one of the commenters. I watch them all and I certainly can't. The law requires that you be allowed to speak. The law does not require the board to take any action on your comments, or even remember a single point you tried to make. ("I've said it before and I'll say it again. Democracy simply doesn't work.")

That said, my advice here would be to keep it short and non-emotional. You can speak for two minutes, but you don't have to use all two minutes. Say what's wrong, what action you want the board to take, and how interested board members can get ahold of you.


Out of curiosity, why do you watch them all? Especially if you can't remember anything?


I watch the comments sections, even if they're silly, to see if anyone has anything interesting to say. Someone might, someday.

I watch the board meetings in general because the subject matter is interesting and there are neat details in there that don't get widely reported. Recently they had some slides with security camera footage of someone riding their bicycle on the subway tracks. No idea people did that. Also, the point of the board meetings public is to provide the public with some oversight. If you don't actually watch them, then there is no oversight. (I guess we hope that "someone else" does this for us. Transit reporting is not what the best journalists necessarily end up doing.)


He is probably not watching the public comment section closely, but the other parts.


It's Chicago. Unless you have $$$$$ to buy access, nothing will happen.


[flagged]


Sorry, but that's fearmongering bullshit that doesn't seem to match reality. Concerned parents often call into school board meetings for all sorts of reasons.

It should go without saying that you should be courteous and reasonable while presenting your concerns.



The only thing worse than the DOJ and FBI investigating parents for complaining to school boards is letting the fear of said investigations prevent you from complaining.


Clearly you missed all of the people at city council meetings trying to prove vaccines made them magnetic. None of those individuals were taken away and talked to by the FBI. They probably should have been taken away in white coats that secure from the back haha hehe, but they don't need FBI involvement.


The next step would be to approach a local news station and have OP report what he found, again emphasizing his own credentials.

Spyware and children in the same sentence easily bring up unpleasant thoughts.


Reminding people of stories where the school district employees were remotely enabling cameras and microphones should also be referenced.

https://www.computerworld.com/article/2521075/pennsylvania-s...

https://abcnews.go.com/GMA/Parenting/pennsylvania-school-fbi...


The Chicago Public Schools is an immense agency. Good luck getting anyone to pay attention, even at a school board meeting.

And referring for prosecution is really going to go nowhere.

Best bet, contact the public service operation for one of the TV stations, maybe a newspaper, and maybe your city council member, to wake up somebody, either at your school or at headquarters downtown.

Prepare to be disappointed.


It's also worth noting that Google is almost undoubtedly violating children's privacy laws, and other states are already investigating this... it's very possible what CPS is doing here isn't even legal. There's a lot of reason that the agreements schools are making to bring Google's platform in should be dragged out into the light.

Source: https://www.theverge.com/2020/2/20/21145698/google-student-p...


If they activate the microphone and pick up a background conversation, they could be found in violation of state or federal wiretap laws. At least one party must be aware that they are being recorded. I hope everyone involved gets held responsible and prosecuted.


To be fair, Microsoft does exactly the same thing.

I have Intune on my personal iPad. And the idiots from our IT department accidentally wiped the entire thing. Just because I wanted to be able to read Outlook mails. My iCloud was even blocked for a day or so. Despite their claims they can only manage the app itself and despite my protests that the fine print clearly indicates they could do so and that they should change their configuration.

At least I got an apology letter, but all these devices are designed to be locked down by centralized IT departments. Be it ChromeOS, iOS or Windows.


RMS (Richard Stallman) was way ahead. Like him or not. He is right.


This just seems so over the top.

Whole point of Chromebooks is that they are minimal devices that can easily be adopted for school work. What I find strange is that OP had to buy their own machine. Anyway, even if you somehow convinced the school to change to Windows-based laptops, all you'd achieve would be a tier more expensive machines for the kids to use. The school would still require the same "spyware" to be installed.


> Call into the school's board meeting during public comment, and make it loud and clear that the school is installing spyware on students' Chromebooks. Share your technical credentials and the method by which you found this.

I remember not so long ago when people were using this advice on health care issues;

Call into the school's board meeting during public comment, and make it loud and clear that the school is injecting your children with 5G mind control vaccines. Share your technical credentials and the method by which you found this.


Sadly, my cousins' school forces them to have Chromebooks. It's required. So I ensured they know to never use it for their personal stuff, it's purely a school work device. Such a waste, but oh well. I gave them both Pi 400s for them to use for personal things instead.


You’re deeply overestimating how much schools and administrators understand stuff. They are paying for this spyware and want it installed because they think it’s necessary.


Drop the school and homeschool the shit out of him. Go off book and teach him solar panel installation, plants and anything you can find in prepper books.


Be prepared for the possibility that majority of parents are fine with it.


As a longtime armchair attorney who has closely read summaries of cases like this on Slashdot for well over the past decade (IANAL, BTW)...you could go the lawyer route but this basically amounts to your kid being a minor in school which means they don't have full legal rights, and the interpretation of 4A is likely up in the air here anyway. Constitutional rights don't necessarily apply at school or anywhere near school (see bongrips4jesus case), your kid is a minor anyway (another special case), and a school doing this for the sake of "preventing cheating" may not fall under the umbrella of unreasonable search.

There was a PA school district back around 2009 that issued laptops to students preloaded with spyware that let school staff watch students through the webcam, while the students were at home and not doing schoolwork. Neither the students nor parents were informed of this. IIRC the FBI got involved but nobody actually got in any real trouble, I'm not even sure they were fired.

I wish things weren't this way. You could maybe use Wireshark and black hole anything the spyware tries to connect to at the router, or maybe add the addresses to the hosts file on the machine itself (not sure if ChromeOS lets you do this).


On the flip side of that "minors have no rights" coin you're holding up is the fact that laptop is the parent's property since they bought the laptop for the child to use. They did a factory reset and the problem software still remains. What if the parent did a factory reset to use the laptop for themselves? There is no reason for the spyware to remain in that case. It needs to be removable.


They did a factory reset and reconnected the Chromebook to the school account, which configures the device according to the school's requirements. If they wanted to use it themselves, they would reset it, not connect the school account, and all is well. GP's argument seems to support that the school doesn't have to allow use of a school account without the device being put under the school's control.

(at least as I understand it. if the MDM enrollment is actually tied to the device somehow, then they could reasonably demand it to be released if they planned to use it themselves)


That doesn't really make sense to me. User accounts, whether managed remotely or locally, should be subordinate to administrator accounts. That administrator-level privileges are insufficient to undo a change made with user-level privileges breaks this relationship.


OP didn't mention that the child's account is a secondary account. AFAIK if you log in with an account the first time on a fresh(ly reset) Chromebook, it becomes the "administrator" account - and at the same time if it's in an organization (i.e. the school) the org's policies are applied. No clue how that interacts if you do attempt to log in such an account as a second account, it's possible the org can require an account to be in control of the device. Chromebooks are deeply designed for exactly this centrally managed scenario after all, that's (partly) why they are so popular with schools and companies.


Based on this support thread [0], which was linked to by awinter-py's comment [1] elsewhere in the comments, it doesn't really matter which is first. Remote policies supersede any local controls, and can promote themselves to have Owner privileges. That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

[0] https://support.google.com/chromebook/thread/117916330/how-t...

[1] https://news.ycombinator.com/item?id=30912427


>That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

You've actually got it backwards. In an enterprise domain like this, allowing local management to take precedence over remote management and policies is a massive security hole for the domain as a whole not to mention required by regulatory bodies dictating information security for educational institutions. A locally managed node is effectively a rogue node on the network. There are use cases for it but they're specialized. OP most likely signed a consent form as part of the online learning stuff at some point and this is the consequence of not reading the things you sign. This whole thing is so massively overblown like no one here has worked anywhere with a BYOD policy and MDM.


The device belongs to the owner and the owner should be able to override anything.

If an organization wants to set policies that can’t be overridden, it should pay for the devices. (And even then, the user still has a right to privacy and a certain level of control).

If they set a MDM policy on a device I own, I’ll mail the organization the device and a bill for buying a new one that very same day.


So you’re out both the device AND a stamp?


No, it's a terrifying security hole, full stop. If I leave my non-managed Chromebook unattended (logged out!) for 30 seconds, someone can sign into it with their managed account and install spyware without me knowing?


I think it works similarly on Android phones. Google policy for the Android Corp devices requires you to set it up using a corp account, then add secondary personal accounts (if needed).


They are, but there has always been a contention between local admin vs domain admin (managed accounts) and usually the case has been that the domain admin overrules the local but the local admin can un-join the domain.

This is not that different. The moment you join the remote domain, you no longer have top privileges. You can still unjoin at any point but as soon as you join, you're placed under a different hierarchy.


You were never the owner of the chromebook in the first place so Google the actual owner just transferred control to the school. They never needed your permission to do this in the first place because you just paid full fare for an unlimited rental of someone else's property.


That's the conclusion I tend to reach, and I believe Google to have fraudulently described a rental as a purchase. Whoever is the source of authority to run software on a device is the owner of that device. Since enabling remote management does not require administrator privilege, the right to do so doesn't come from the administrator. Since disabling remote management cannot be done by a local administrator, the granted authority is even greater than the nominal authority granted to the buyer. Each of these implies that Google remained the source of authority, and therefore didn't transfer ownership over the device.


> Whoever is the source of authority to run software on a device is the owner of that device

Hundreds of years of established case law refutes this claim.


The most pragmatic thing to do is probably acquire another school-only Chromebook. Either have one issued from the school or buy another one. This is probably a worthwhile lesson for how to treat personal and employer assets separately anyway.

The work to try to get the school to make the software removable is a laudable stand for citizens, parent, and student rights - but would come at some cost of time, money (more than buying a second chromebook anyway), and maybe strained relationships with school officials.


> to your kid being a minor in school which means they don't have full legal rights, and the interpretation of 4A is likely up in the air here anyway

IANAL, either. Just because the student is a minor, I don't see how that gives the school the right to pwn a private laptop (were the laptop a school laptop, my opinion would be different here); at best, this would seem to be the parent's machine, or right to decide, at that point.

The OP's post isn't very clear on how the school managed to get into a private laptop in the first place; he mentions they "logged on", but onto what? And how does signing into something permit installs? (There's a comment below that hypothesizes this might be an MDM profile sort of situation, and that's … trickier. But doesn't even an MDM login have an uninstall of some sort? (Although, IDK, perhaps Chromebooks just can't do that, but that would seem to be an issue then with their software. But I've never tried, as I don't usually go for MDM stuff myself, as companies that do it typically want too much permission onto what is my personal device.))


Probably a Google account sign on.

If I sign into my work Google account on my Android's Chrome it basically forces you to install spyware so our IT team can suck up my browser history.

It sounds like Chrome OS takes this approach and adds steroids.


This is why people should be issued a work phone (or children a school laptop in the case of the OP) if the IT department is going to request control of it.

A while ago my company eventually decided to enable security settings for Microsoft Outlook, Teams etc on all mobile devices (the wipe phone on demand option). All that happened was everyone without a company phone uninstalled Teams and used WhatsApp instead.


I wouldn't accept a work phone unless I was given full control over it and can use it for personal use as well.

I'm not carrying two around.

If you want me to leave one at my desk that's fine but you won't reach me on it unless I'm there.

Same goes for work laptops and working from home.

The whole idea that you need to separate work from personal is based on the idea that if you use work laptop for personal work then they own it, that's an entirely made up constraint, one I won't accept.

In before bad analogies, there are plenty of industries that provide tradies with tool stipends, those are still owned by the tradesman but paid for by the employer due to their consumable nature. It allows tradies to buy more expensive tools if they prefer and encourages them to look after them better.


pwning the laptop was a req for doing school work, like how you essentially give prior consent to a field sobriety test when you get a driver's license. I'm not saying it's right, but that's likely the school district's argument in court, and I'm sure it's buried deep in a EULA or privacy policy somewhere.


> you essentially give prior consent to a field sobriety test when you get a driver's license

If USA, this is false.


You are misinformed. In the USA, every state has a law stating licensed drivers give their implied consent to roadside DUI testing. Failure to comply will result in extra charges and almost certain conviction.


It's comical how your best advice is seek a lawyer. Any lawyer worth their salt would advise to contact the school directly to handle this matter. No need for a lawyer at this stage.


Nit: I think it's "Bong Hits 4 Jesus."


Thank you, this one still makes me lose my damn mind.


The lawyer route makes no sense, it's all about small claims here. Sue for the cost of the chromebook, that will get someone's attention and you can likely settle it out of court or get the money to purchase a new one.

The important part here is that the computer is not usable with their software and that you have no way to remove said software despite being the owner of the computer.


Actually....

It's the poster's Chromebook. They have revoked authorization for the school to deploy $software on their machine.

Next step is the public school supplying a spyware'd laptop and NOT installing spyware on said parent's Chromebook, but also said private Chromebook not being used for school stuff.

If you want the district to not install spyware... Well... Let's just say, the poster is probably pissing in the wind in my experience.


Can’t you file criminal charges over this? It’s malware used to spy on minors without the parents' knowledge or consent. Is the school also free to undress the kid and photograph them in person? If not, why if it’s remote?


But the school doesn’t own the machine, the parent does.


> I did a full factory reset, signed in to his account again, and now the system is once again locked down.

That’s by design though isn’t it? You logged in with a managed account and the policy was applied again?

The account is his school account right?

That’s pretty much how Chrome OS works.

This might just be a good lesson that you want to maintain device / role boundaries.


> That’s pretty much how Chrome OS works.

And that's the problem. Signing onto a remote account is a request to access a remote resource, and should not be interpreted as granting the remote actor control over local resources. That Chrome OS works this way implies that Chrome OS is fundamentally flawed.


Yeah good luck getting a company to give you VPN access to their network without demanding you've been keeping your operating system patched. BYOD without such policies is a great way to make the network support staff quit and maybe slash your tires on the way through the parking lot.

It's called _attestation_ and Windows has been doing it for some time now with VPNs and domain credentials. Attestation actually makes it possible for BYOD to be done in a way that's not going to simply repeatedly expose one's network to every kind of malware known to man.


Isn't this the same way Windows works? If I sign into a work Windows account and they want to set my default browser or something, that's absolutely something they can do. ChromeOS isn't doing something particularly new in that regard.


On a Windows account, a user can change the default browser for their own account. Therefore, a user can delegate the choice of default browser to the remote management. A user can record which sites their own browser visits. Therefore, a user can delegate that authority, allowing remote management to record which sites that user visits. A user does not have the authority to record which sites are visited by another user. Therefore, they cannot delegate that authority to remote management, because they themselves do not have it.

On ChromeOS, you can filter your own access to websites. You cannot filter other users' access to websites. But signing in to a remote management can filter other users' access to websites. This grants the remote management privileges that the user doesn't actually have.


>On a Windows account, a user can change the default browser for their own account.

Not if they lock down that setting via GPO and let the default behavior of remote > local. There's a lot of settings that can't be undone in the GUI and take diving into the registry to undo when set by GPO but then they'll just get re-applied on GP refresh anyways. Talking about who can do what is immaterial to how domains and remote management actually work if they're not designed how you think they should be. The remote admin will always have more control than the local user in this situation, it's been that way for a very long time now and is unlikely to change.

As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin and the services and processes that handle all of this run as SYSTEM thus the user has the authority to delegate that authority to remote management at-will.

Like, this is all basic stuff for BYOD and MDM policies if you've worked anywhere with a halfway competent IT staff. OP didn't read the fine print probably. Wouldn't be the first parent to not do so and freak out over nothing.


> As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin…

The parent owns the device and would have the local admin account. They aren't joining the device to a managed domain where something like GPO would be relevant (unless configured by the parent, naturally). The student would only have a non-admin local account, and would be incapable of granting device administration privileges to the school. The school could still manage their browser profile, of course—if the browser itself is actually signed in to the school account, which is something you can disable while still logging in to the account on the web—but they would have no access to or control over other user accounts or anything else requiring local admin privileges.


This is with the presumption that the filtering here is device-level and not user-level. The fact that they were able to wipe and reset the device AT ALL probably means that the device isn't fully enrolled into device management (only the account is) and that the blocking and monitoring is just for that one specific account/profile. That is to say, none of the blocking is breaking the privilege rules on the system.

This isn't to give them extra credit. GoGuardian is still spyware and you should be, at the very least, wary of it if you have a kid with that software running around. But this behavior is consistent with the design of ChromeOS and isn't shocking or special if you've been paying attention to what ChromeOS has been built for over the last couple years.


Group policies on Windows, applied at logon, give the admin control over what the user can or cannot do. If the admin wants you to use Chrome not Edge, then that is what you'll be using, and you won't be able to change the default.


To my knowledge, that group policy only applies to the user who is logging in, not the other users on the computer.


There doesn't appear to be any claim that this undesired software was being run on any other account besides the managed one.


Depends. In the Active Directory world, policies can be applied at the user or computer level. Not sure about Chrome OS, but computer level policies absolutely can affect other users. I bet if OP signed into a normal, non-Google Classroom/organization affiliated account after they reset the device, they wouldn't have found GoGuardian running. This seems like if you connected an arbitrary device to a Windows domain over say VPN, then got surprised when user level policies were applied to the profile created on the local machine resultant from the process of connecting a machine to a domain. This is very much by design of ChromeOS as other commenters point out.


On Windows, settings and software can be enrolled remotely the moment you hook your machine up to an MDM portal, just like on ChromeOS. Windows doesn't include some of the functionality ChromeOS includes, but your employer can definitely manage settings like your standard browser if they choose to. They can also enforce that all software you run is signed, is run from specific locations on the system that you may no longer have access to and they enable Bitlocker with a specific backup key.

Most companies either choose not to implement any of this, or simply do not know they can implement this. Do not sign into your personal devices with your work account on anything but an isolated browser (modern Windows has a sandbox built in!) or you might discover the hard way what kind of possibilities remote AD allows for.

Windows does prompt you to accept that the account can manage your device, but so does ChromeOS. Denying MDM may cause the login to fail if they automatically rescind any tokens that don't get MDM access on your device.


It is not fundamentally flawed, it just isn't a general purpose computer. It's a thin client to your cloud services. The "local" is not a primary compute environment, but just a cache. Once you think about it this way, Chromebooks are absolutely amazing little physical manifestations of a remotely managed browser. As they are intended to be.


Maybe there should be more of a notice, but when I tried it with my son’s account I got some notifications.

Having said all that the default will be for most school accounts… all or nothing. Don’t allow them to manage it and you won’t get in.


My issue isn't about the notification, but that this doesn't work at all within any reasonable model of user permissions.

Fundamentally, you cannot delegate authority that you yourself don't have. I can agree to a contract promising to do some particular work, because I have the authority to direct my actions. I cannot agree to a contract promising that you will do some particular work, because you haven't granted me that authority. I cannot grant to another what I do not have for myself.

With regards to user permissions, a non-administrator doesn't have permission to monitor another user's activity. Therefore, they cannot delegate permission to a third party to monitor another user's activity. That this is possible means that ChromeOS has a fundamentally flawed model of user permissions.
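The delegation rule argued in the comment above, as an added example that is not part of the thread and is not ChromeOS or Windows code: a grant is attenuated to the rights its grantor actually holds, and any excess is reported as privilege amplification. The account names, the domains `school.example` and `vendor.example`, and the action names are all constructed for illustration.

```python
"""Toy model of a no-amplification delegation rule (constructed example)."""
from dataclasses import dataclass, field

# A right is (action, target): the action and the local account it affects.
Right = tuple[str, str]

# Hypothetical action names, chosen to mirror the thread's examples.
ACTIONS = ("set_default_browser", "filter_sites", "record_browsing")


@dataclass
class Principal:
    name: str
    rights: set[Right] = field(default_factory=set)


@dataclass(frozen=True)
class Grant:
    grantor: str          # who signs in and consents
    grantee: str          # remote management domain receiving authority
    requested: frozenset  # rights the grantee's policy wants to exercise


def local_user(name: str) -> Principal:
    """Non-admin account: every action, but only against itself."""
    return Principal(name, {(a, name) for a in ACTIONS})


def local_admin(name: str, accounts: list[str]) -> Principal:
    """Device owner: every action against every local account."""
    return Principal(name, {(a, acct) for a in ACTIONS for acct in accounts})


def apply_grants(principals: dict[str, Principal], grants: list[Grant]):
    """Apply grants in order, attenuating each to what the grantor holds.

    Returns (effective, violations): effective maps grantee -> rights
    actually conferred; violations lists (grant, excess_rights) for every
    grant that asked for more than its grantor could give.
    """
    effective: dict[str, set[Right]] = {}
    violations = []
    for g in grants:
        held: set[Right] = set()
        if g.grantor in principals:
            held |= principals[g.grantor].rights
        # A grantee may re-delegate, but only what it was validly given.
        held |= effective.get(g.grantor, set())
        excess = set(g.requested) - held
        if excess:
            violations.append((g, excess))
        effective.setdefault(g.grantee, set()).update(set(g.requested) & held)
    return effective, violations


def demo():
    """Constructed scenario: the student account signs in to a managed domain."""
    accounts = ["parent", "student"]
    principals = {
        "parent": local_admin("parent", accounts),
        "student": local_user("student"),
    }
    school_policy = frozenset({
        ("filter_sites", "student"),
        ("record_browsing", "student"),
        ("filter_sites", "parent"),      # reaches into another account
    })
    vendor_policy = frozenset({
        ("record_browsing", "student"),
        ("record_browsing", "parent"),   # the school never held this
    })
    grants = [
        Grant("student", "school.example", school_policy),
        Grant("school.example", "vendor.example", vendor_policy),
    ]
    return apply_grants(principals, grants)


if __name__ == "__main__":
    effective, violations = demo()
    for grantee, rights in effective.items():
        print(grantee, "may:", sorted(rights))
    for grant, excess in violations:
        print("amplification:", grant.grantor, "->", grant.grantee, sorted(excess))
```
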


Windows does this as well, and I would expect other management solutions to as well. You can build your own PC and be local admin on it, but the second you sign in to an active directory account (using a VPN for work) that account will be locked down and can run scripts that the AD owner chooses. I imagine that is what is happening here as well, where the user has signed into the school Google Workspace account (or whatever it's called these days). To avoid this, they could sign in to Google Docs and Google Classroom in a browser. (Although to be fair, Chrome does aggressively ask if you want to sign into Chrome with your account, and probably if you want to sign into the user profile on ChromeOS if I had to guess)


Can't speak for OP, but generally this is mentioned during the sign in process, so it should be laid out. It is effectively all or nothing.


> This might just be a good lesson that you want to maintain device / role boundaries.

This is the teachable moment here. Better for the poster and their child to learn it now rather than in the workplace.

It doesn't make it right, but the 90's and 00's with work browsing and email full of porn, dickpics and assorted filth were not right either.


A gaping security hole is fine if it’s been introduced on purpose?


> A gaping security hole

What is that?


“the system installed GoGuardian monitoring software on the Chromebook without notice or permission.”


When I logged in with my son’s school account on chrome OS it had some notifications about who owns the account and so on.

I don’t think it is as much a mystery as implied.

In the end there’s no getting around that mixing device uses like this doesn’t work. It works less and less as the history of computers goes on.


Can the managed account actually access files from the unmanaged account or control which processes are active while the unmanaged account runs?

Because, if yes, this absolutely does sound like a security hole:

1) Set up an organisation and add a managed account. Set up policies that install a backdoor on first login.

2) Get hold of victim's Chromebook.

3) Log into the Chromebook using the account from (1)

4) Chromebook will execute the policies and run the backdoor.

5) Use the backdoor to snoop victim's files.

You've successfully gained access to the victim's files without knowing their password. Profit!

This would work even if the victim is fully aware of the issue and never intended to mix managed and unmanaged accounts on their own.


Does a chromebook allow you to have more than one user account? It sounds like a factory reset was necessary to allow enrollment


Chromebooks do allow more than one user account, yes. The factory reset mentioned by the OP was necessary in order to undo the enrollment, as no application of Administrator/Owner privileges would undo it otherwise.


I think you misunderstand the original post - the parent didn't have some sort of local administrator account (which isn't really a thing on ChromeOS). They signed into a managed account run by the school district, didn't like the policy, then reset the device, signed into the same managed account again, and noticed the same policy was applied.


> local administrator account (which isn't really a thing on ChromeOS).

The first user to sign in on a chromebook has limited special powers. I don't think they involve reading other people's data though.


>In the end there’s no getting around that mixing device uses like this doesn’t work

Surely this is the entire value proposition of ChromeOS - you sign in to your account, and the laptop magically becomes yours? It seems like a serious hole if a single sign-in is able to compromise other accounts.


It's tied directly to the remotely managed account, that's how the account works. If you don't sign into the account, the software won't be installed.

Students don't get to decide what software to install when it comes to logging in to school accounts. Generally the laptops are provided by the district, but it seems OP was trying to add another personal device to their system.

You can't participate in their system without the software. So I guess the alternative would be to block personal devices from logging in like this at all.


I fought this with a suburban school system in Indiana and won. The spyware was installed on Chromebooks I bought. Before contacting the school, I monitored network traffic for about 1 HR and found an ad fraud click bot and logging being sent to India.

When I contacted the school my ask was they remove the spyware from my Chromebooks. The first answer was, no. I asked again via the superintendent, and got a call from their IT director. I shared with him what my traffic monitoring found and a few days later I get another no.

My last try was simple... I paid a lawyer to write a simple letter demanding to have the software removed or be shown the warrant giving the school the right to install surveillance software on my laptop. The next day I get a call from the district's lawyer who wanted me to confirm the software had been removed, and it had been.


That's great for your situation - what about the rest of the people in your district? Did you reach out to other parents and make this problem known publicly, along with your solution, so that other parents could decide for themselves (individually or collectively) what their response should be?

Seems like this would be a slam dunk of a local news piece for some newspaper/website.


Yup, stuff like this should be on the local news. While most parents will go "ehhh I trust the government and if my kid is doing something bad I want to hear about it", the ones who actually care about their kids' rights will raise a huge stink and the district is more likely to not only be more upfront about this stuff but also probably make opting out easier.


I shared what happened with other parents. Most did not care or even understand.


It seems like you should be able to sign out of the CPS managed account, then use "Add Person" to add a non-CPS managed account:

https://docs.google.com/document/d/1r7xOL4U9lL0qyqMIVl4eH2EM...

https://support.google.com/chromebook/answer/1059242?hl=en&r...

For school work, login to the CPS-managed account. Otherwise login to the personal account.


This is the perfectly reasonable solution. But OP wants the operating system to be signed into an account managed by the organization without the organization having permission over anything, and since that's not the way ChromeOS works, they're going to sue the school board.

Honestly, I'm disappointed in the HN that they're taking OP at their word and giving legal advice.


The surprising part to me is that the school district let parents bring their own Chromebooks. Where I live the school supplies the Chromebook for the students. If your child breaks it, they bill you for the cost of the unit and then supply another one. IMHO, they are pretty dang cheap.


I believe the OP is concerned the Chromebook is rooted by the spy software and therefore using another account doesn’t solve that issue.


> I did a full factory reset, signed in to his account again

I read this to mean that the software uninstalled after a factory reset, but signing back into the managed account re-installed it. I'm taking OP with a grain of salt here, but I think it's likely that OP doesn't understand their son's brand new Chromebook and that there's a technical solution that doesn't involve suing anyone.


Since this Chromebook is BYOD, I think OP is likely in scenario 2 described here:

https://news.ycombinator.com/item?id=30912995


related support ticket from someone trying to log into device w/ work account without inheriting workplace MDM policy

https://support.google.com/chromebook/thread/117916330/how-t...

> Even if the Chromebook is your private device and your owner account is your private @gmail.com account, once you sign in with a managed account, even using a separate profile, the managed account policies become active.

> This is NOT a bug. It's required to maintain security of the managed environment. Whenever the managed account is active, ChromeOS management and the policies set by your administrators pwn the entire machine.

> Google promises bulletproof security to customers who license Chrome OS management, and having any instance of an active non-managed account available when a managed account and its resources are active is a potential security hole.

not a chrome-os user -- I imagine you can access the G acct via a browser without signing in the whole OS? if 'signing into gmail signs in the OS', maybe can do it via crostini linux

re law: illinois is the state that has the biometric privacy law iirc? you may be able to do a civil suit via that, if the device is sharing face images and you really didn't consent and you can prove it and the law was written with your situation in mind and CPS hasn't indemnified big G. my guess is you'd have to pay a few $k to a lawyer to evaluate the case and then many more $k on the suit, plus you probably have a TOS problem.


The ending of that post (trimmed above) is also important:

> So you can boot into your personal account and do your personal business and then reboot into your business account and do your business' business, but never the twain shall meet.


Not a ChromeOS user, so maybe I'm not familiar with the terminology, but what is the difference between "log into" an account and "boot into" one?

Are there different ways how you can add multiple accounts to a Chromebook and the OP just used the wrong one?


ChromeOS developer here (opinions are my own, etc etc), writing as a user though since I don't work on this specific field myself but I've been using Chromebooks daily with multiple accounts (corp and personal) for the greater part of a decade.

You have a few options on how you log into ChromeOS. Once you boot the device, you can choose which account to sign in as. If it's your corp account, you get whatever corp policies get applied to you (like no play store, no linux, etc). If you log into your personal account, you don't get those restrictions (there's a note to be made here for stuff like enrolled devices which I don't think applies to OP and I'm not too familiar with anyway).

However, once you are already logged into an account on the device, you can also choose to "sign in with another account". This makes you run two accounts at the same time, you can swap between them without using passwords, etc (it's like switching a virtual desktop/workspace). You can even transfer windows from one account to the other so you can simply alt+tab between them as you would on a single account (for example I am typing this at work on my personal account in a window running inside my corp account). In this situation, whichever account logged in first is the account that "owns" the session and has policies applied. If you log into your corp account with play store disabled, and then log into your personal account as a secondary account, you can't use the play store on it. If you log out everything and re-log with your personal account, you will still be able to use the play store there.


Thanks a lot for that info, that clears up a lot! So an unmanaged Chromebook can't be "taken over" by logging into a managed account, the policies are only active until you reboot.

Still, if account policies "leak" into unmanaged accounts when both accounts are active at the same time, this sounds like a potential vulnerability: E.g., if the managed account has a policy that sets proxy settings or force-installs a particular browser extension, would those policies also be applied to the unmanaged account?


> So an unmanaged Chromebook can't be "taken over" by logging into a managed account, the policies are only active until you reboot.

That's my understanding, yes. You can't "infect" an unmanaged account from a managed one, as far as I know at least.

> E.g., if the managed account has a policy that sets proxy settings or force-installs a particular browser extension, would those policies also be applied to the unmanaged account?

I'm not 100% sure if those policies would apply, I admit I'm not familiar with the account enrolment details of ChromeOS since I work at a much lower level. However, from what I know, whenever you go to sign-in to a secondary account in the same session as your primary one, there's a big warning telling you to be careful because you're basically "entrusting" your secondary account to the primary one and to not share an account session with another account you do not trust. This I always assumed was due to reasons like (for example) ending up literally sharing account2 window with account1 session, if you bring a program running in the account2 "domain" (filesystem, etc) into the account1 UI session, the account1 can take a screenshot of it (screenshot will be saved into account1 local files) and that can leak data obviously.


> In this situation, whichever account logged in first is the account that "owns" the session and has policies applied.

So if you log in to your personal account first, and then into the corporate account, the corporate policies are not applied to either account? There are probably a bunch of corporate types who will be very surprised to learn this…


I admit I've never tried this so I don't know which policies do or do not apply and how. For things like the play store (which is what I've worked on in the past), only the "primary" account (the one you logged into first) will have access to it so if your secondary account has the play store blocked anyway, you won't be able to use it with that account so it doesn't matter much.

I don't know about other policies.


Typically, the corporate login will be blocked if you attempt this.


From the sound of it (haven't used ChromeOS in ~4 years), "log into" means switching users without powering off the laptop, while "boot into" means to reboot the computer and log in as the other user. For a device that is supposedly built around security, needing to know that the "Switch User" menu shouldn't ever be used to switch the user is something of a footgun.


"Shouldn't ever be used" is an overstatement though. My employer (Google, no less) would apply restrictions, but not hoover logs from the personal profile. Meaning it's still good to have messaging and music there while working.


Chrome has a login screen like Windows and Mac. You can log in and out between Google accounts like a gmail.com or a k12 account. Similar but not the same: there is a second “add account” after logging in. This secondary account does allow access to email but not override them, bookmarks, etc.


Hmm.

I’m not super familiar with ChromeOS’s MDM stuff… but I wonder what would happen if someone were to log in to two separate managed accounts, for two separate organizations, with conflicting requirements?


It'll block the multi-login and require you to fully sign out of everything, THEN log into the other organization account.


don't cross the streams


Suing the CPS over this is simply taking money out of everyone else's pocket for your own enrichment.


Yeah, why anyone gotta make trouble for the guvnah


It's to make them stop doing it, not to profit.

Right now they're spending money to spy on students, so fighting that is worth it.


I find this stuff so disheartening. It's like, "how early can we indoctrinate kids into being comfortable being watched and having their every move tracked?" I don't even care what the justifications are. Preventing cheating? Before everyone had personal computers and the internet, people could just copy each others' work.

This kind of crap is fundamentally a violation of students' right to privacy. They deserve to grow up in a safe environment away from the prying eyes of crappy adults.

I mean, to that point, how secure is GoGuardian? Who has access to the administrative tools/etc.? What APTs have gained access to its systems? A system breach of any online system is effectively inevitable, or at least impossible to rule out. Do you think everyone with a Verkada camera thought hackers around the world are going to be tuning into their video feed?[0]

Anyway, stop buying tech that forces you to give up your right to privacy to use it. You don't have to go 100%, but at least start looking at these kinds of things before you shell out your hard-earned dollars.

[0] https://www.theverge.com/2021/3/9/22322122/verkada-hack-1500...


The problem is that schools and teachers are at risk from more liability than ever. If a student is groomed online whilst using a school device or login, who do you think is going to get blamed? Not the parents but the school. If a child is bullied online or radicalised, then again it will fall back on the school.

You can't have privacy and expect a school to be responsible for what a child does online. Privacy doesn't create a safe environment; and when it comes to crappy adults, out of any group of people parents are by far the most likely to abuse or neglect children. This idea of "stranger danger" is a myth, as the real danger in most cases is closer to home.


Primarily these types of software are used for safeguarding purposes. For alerting teaching staff about children who are being abused, bullied or at risk of self harm etc.

I think a better lesson here would be that if you use an account that's not managed by you, it may be used to install software that you disagree with. This is a good lesson for using IT in the workplace. OP shouldn't expect his son's school-provided account to maintain privacy when he's using it, because schools have statutory responsibilities to look after the safety of their students.


Nothing gets “installed” in the traditional sense on a chromebook.

When you log in to the Chromebook, you can log in with any Google credentials. The credentials the school gave your son are managed by them. If you log into that account, it configures the user session per the management of the account, so this will start a “managed” session for that managed user.

If you use a personal Google account, none of that should happen. It’s not a managed account, it’s a normal one, and there shouldn’t be any additional provisioning.

You should be able to switch between them and use both independently.

However, if you are saying that is what you are doing, and the spyware isn’t respecting the config between users, then that is definitely a problem.


This. My kids have Chromebooks, and they have two accounts active on their devices, one at their .k12 for school stuff, and one for their gmail that is open.


Do you actually trust google not to be collecting data on both accounts and link them together somewhere? When I was in school we used to get told that bad behavior would end up in our "permanent record" which would follow us for life, but while that was a lie we all have a permanent record now and nearly every action no matter how mundane or benign gets saved to it.

When I got my cell phone the default keyboard was sending everything I typed to a 3rd party whose privacy policy stated they were collecting data for everything from market research to trying to understand my intelligence/cognitive abilities. I replaced the default keyboard. I can't imagine the wealth of data Google could be collecting from children, their test scores and their associations with other children. They may claim not to collect and store data on your kids, but there are no regulations and nobody is checking. Only a whistleblower could tell you what Google is actually doing. I haven't seen much reason to trust them.


> I can't imagine the wealth of data Google could be collecting from children, their test scores and their associations with other children.

This is...funny, given that apparently the OP's child's school is using Google Classroom - which means Google is the provider and the system for storing/giving/recording/managing test scores, so of course they store test scores since they are paid to provide that. Likewise, on Google Classroom, kids can interact with each other and of course Google stores those.


You could always install a different OS on your son's Chromebook since it would still have access to all of the school's software (through Chrome) and more. I'd recommend GalliumOS (https://galliumos.org/) since the drivers support audio and keyboard shortcuts better.


Ran GalliumOS all throughout college without any issue. A Toshiba i3 Chromebook + Gallium was easily one of the best laptops I ever had. OP - seriously consider this solution if it wouldn't agitate the school too much. Swap out the usually small (16GB or so) SSD that tends to come with Chromebooks, install Gallium, and you're off to the races. Might still be some weird compatibility issues/edge cases that are hard to predict; maybe run Gallium in a VM, log into your son's Google Classroom, and do some testing first.


I would do the factory reset again and then not use that account anymore. If you want, you can create a new local-only account and then (this is the important part) sign in to the school Google Classroom on another browser. Install Firefox, Brave, something, and use it for the school account rather than Chrome. Chrome allows extensions installed to it to run in the background and manage the system, but another browser cannot.


Good suggestion. If the school is requiring your child to have the chromebook, then they should pay for the thing. They don't have the right to infect any device that your child happens to log in with. So factory reset, don't log in. Then when the school complains that the child is not completing the assignments, tell them that he/she cannot do them unless the school issues a school-owned device.

A better move would be to get your child out of Chicago public schools altogether.


CPS does pay for the thing. OP wanted their child to use a fancier device and they're mad that it falls under CPS' MDM policy. Go get a free device from CPS, take good care of it, and return it once the child graduates.

https://www.cps.edu/school-reopening/remote-learning/technol...

>A better move would be to get your child out of Chicago public schools altogether.

I went to a Chicago Public School and I resent that comment greatly.


> create a new local-only account

I thought you couldn't do that on a Chromebook.


I don't think you can. I had one of these Chromebooks too, which I paid for. But my school did not want to remove the 'school policy' so now it's locked and even other accounts are 'watched' and managed by the school's policy. Last time I tried to create an account it wouldn't let you create it unless you provided an email.


Ah. This makes sense. In this case, I think a throwaway or a personal account will perform the same function, as long as it is not affiliated with the school system.


(By "makes sense" I do not, in fact, really mean that it makes sense; more accurately, this should read "seems typical of a Chromebook").


> I did a full factory reset, signed in to his account again, and now the system is once again locked down.

> So now I'm in the position where I have to ask permission from a local government entity to please let me install stuff and don't monitor the computer I bought and paid for.

I don't understand, this sounds like an issue with the account, not with the Chromebook.

Does this spyware persist on this device even if you sign into a different account?

If you look at third-party apps in the account settings, can you delete this one?


> I don't understand, this sounds like an issue with the account, not with the Chromebook.

While it does sound like an issue with the account, the unusual part is that Chromebook hands over the control of a device you own to someone else, just because you logged in to some account. Call me old fashioned, but an OS or device that does this is a vulgar anti-consumer design.

I get it that consumers should accept it as a feature of the product. But this was an unacceptable proposition a decade ago. There is a gradual erosion of consumer rights and we aren't fighting back enough. Another factor is that even tech savvy users are caught by surprise. This means that this drawback is not sufficiently highlighted in the product description. The platform may not have become this popular if it was.


The "control of the device" hasn't been handed over to anyone. If you log into another account, or go into guest mode, GoGuardian will not be present. In fact, you couldn't find out if GoGuardian was installed on another account you aren't logged into, because every account has all user data encrypted. The school won't be able to see anything about non cps.edu accounts - they don't know if they exist, what the email addresses were, etc.

There is no concept of installing or running programs outside of a login on ChromeOS. There is also only one form of device ownership, and that is device enrollment (which is not what is being described by OP), and the set of policies that are applied to enrolled device. Logging into an account cannot apply device policies.

cps.edu is who's enforcing that while you use a cps.edu account, you have to use their software (only while logged into that account or browser). BYOD devices are still yours and you can remove the account with a press of a button.
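
The user-scope versus device-scope distinction described in the comment above, as an added example that is not part of the thread or any commenter's code: a Python script that sorts policy entries by scope and lists force-installed extensions. The export layout (`chromePolicies` entries with `scope`, `level`, `source` and `value` fields), both sample exports and the extension ID are constructed assumptions; a real `chrome://policy` export may be laid out differently.

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def _entry(scope, value, level="mandatory", source="cloud"):
    """Build one policy entry in the assumed export shape."""
    return {"scope": scope, "level": level, "source": source, "value": value}


# Constructed placeholder ID (not a real extension) plus the Web Store update URL.
FORCED = ("aaaabbbbccccddddeeeeffffgggghhhh;"
          "https://clients2.google.com/service/update2/crx")

# Constructed sample 1: policies that arrive with a managed account only.
ACCOUNT_MANAGED = json.dumps({"chromePolicies": {
    "ExtensionInstallForcelist": _entry("user", [FORCED]),
    "IncognitoModeAvailability": _entry("user", 1),
    "URLBlocklist": _entry("user", ["example.test"]),
}})

# Constructed sample 2: a device that also carries a machine-scope policy,
# with one malformed force-list entry to exercise the validation path.
ENROLLED = json.dumps({"chromePolicies": {
    "ExtensionInstallForcelist": _entry("user", [FORCED, "not-an-id"]),
    "DeviceGuestModeEnabled": _entry("machine", False),
}})


def load_policies(export_text):
    """Parse the export and return the name -> entry mapping."""
    doc = json.loads(export_text)
    policies = doc.get("chromePolicies", {}) if isinstance(doc, dict) else {}
    if not isinstance(policies, dict):
        raise ValueError("chromePolicies must be a JSON object")
    return policies


def split_by_scope(policies):
    """Group policy names by the scope they are applied at."""
    buckets = {"user": [], "machine": [], "unknown": []}
    for name, entry in sorted(policies.items()):
        scope = entry.get("scope") if isinstance(entry, dict) else None
        key = scope if scope in ("user", "machine") else "unknown"
        buckets[key].append(name)
    return buckets


def forced_extensions(policies):
    """List force-installed extensions ("id;update_url" strings)."""
    entry = policies.get("ExtensionInstallForcelist")
    if not isinstance(entry, dict) or not isinstance(entry.get("value"), list):
        return []
    found = []
    for item in entry["value"]:
        ext_id, _, update_url = str(item).partition(";")
        found.append({
            "id": ext_id,
            "update_url": update_url or None,
            "scope": entry.get("scope"),
            "valid_id": bool(EXT_ID.match(ext_id)),
        })
    return found


def summarize(export_text):
    """Report what is managed and at which level.

    Reading any machine-scope policy as a sign of device enrollment follows
    the comment's description (account logins cannot apply device policies);
    it is an assumption of this example, not a documented guarantee.
    """
    policies = load_policies(export_text)
    scopes = split_by_scope(policies)
    if scopes["machine"]:
        management = "device-enrolled"
    elif scopes["user"]:
        management = "account-only"
    else:
        management = "unmanaged"
    return {
        "management": management,
        "user_policies": scopes["user"],
        "machine_policies": scopes["machine"],
        "unclassified": scopes["unknown"],
        "forced_extensions": forced_extensions(policies),
    }


if __name__ == "__main__":
    for label, text in (("account", ACCOUNT_MANAGED), ("enrolled", ENROLLED)):
        print(label, json.dumps(summarize(text), indent=2))
```

An "account-only" result matches the situation the comment describes, where the restrictions follow the managed login rather than the hardware.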


It is early to learn to separate work (school in this case) from home by using separate hardware but it's a good lesson to learn. Get a second laptop, school spyware nonsense goes on one, non-school stuff on the other.

It's annoying and generally a waste of resources so feel free to argue with the school at the same time. Corporate IT won't remove spyware from my work computer, school sounds likely to be similar.


Upvote. My kids use Chromebooks as well, and we were asked to buy them ourselves, but I always assumed they would be heavily locked down and monitored.

We bought very cheap ones and they are only used for school work at school. They take forever to boot up and load google docs, but once there they are fine.

The kids know the teachers can see and read everything and anything that happens on that machine.

I kind of assumed they would be dropped or beaten up, and was expecting to buy a new one every year, but the eldest is still in perfect condition after 2 years. Quite proud that they are looking after them.


Have you tried to see if the Small Claims Court would work?

https://ag.state.il.us/consumers/smlclaims.html

Get the cost of the Chromebook, some money for your time, and then donate the Chromebook to the school since it's dead weight at this point.

My guess is that no one from Dept. of ed will show up and you'll get a summary judgment.


The Chromebook isn't ruined. Just do a factory reset and do not log into the school account.

I know it doesn't help the OP's kid who needs the CB for school, but there is nothing being done that a factory reset can't fix.


Looks like you read it the way I did originally -- that even a factory reset still leaves the GoGuardian software on the machine.

From the gist of comments of people more familiar with chromebooks than me, it actually looks like the factory reset does completely wipe the machine (as you'd expect from "factory reset") and there's no software installed that survives this process (other than the default chromebook stuff)


Unless someone from HN is mediating, it seems pretty unlikely that there will be an award for the value of the computer in small claims court.


Good idea; IMO, probably the only way the OP is likely to get any "justice" (if you can call it that) here...


Organize other pissed-off parents and persist at school board meetings until they change the policy. You’ll likely be labeled as terrorists for seeking redress with your public officials but stand strong, read up on laws and the board’s bylaws. Let them enter a trap (like ignoring you) where the law/bylaws say you can petition for removal of board member(s) on that cause. You’ll likely have to take it to court. But parents are prevailing and board members are being removed, for example in Pennsylvania over schools imposing their own mask mandates that do not align with public health.


Considering the range of protections a school is required to provide and that school IT is usually poorly staffed, paid, funded awkwardly… tons of different motivations for various policies.

I wouldn’t expect these policies to change.

Best bet is to not mix school administrated accounts with personal devices.


> Best bet is to not mix school administrated accounts with personal devices.

I feel like this is the obvious solution which is not fair or practicable to everyone, and so this whole post is about solutions that don't involve ceding an entire device to spyware distributors.


> so this whole post is about solutions that don't involve ceding an entire device to spyware distributors

I wonder if the school already provided a device.

My son’s school does.


“this is my rifle/ this is my gun/ this one’s for fighting/ this one’s for fun”


Don't use the CPS provided account. CPS policy is quite clear:

https://policy.cps.edu/download.aspx?ID=203

> I. Applicability.

> This policy applies to all students who use CPS Computer Resources and/or access the CPS Network (“Students”). Personal electronic devices (e.g. personal laptop) are subject to this policy when such devices are connected to the CPS Network or Computer Resources.

> IV. Privacy and Monitoring.

> A. Privacy. Students have no expectation of privacy in their use of the CPS Network and Computer Resources

> B. Monitoring. The Department of Information & Technology Services (ITS) has the right to access, search, read, inspect, copy, monitor, log or otherwise use data and information stored, transmitted and processed on the CPS Network and Computer Resources in order to execute the requirements of this policy [...] ITS reserves the right to: (1) access and make changes to any system connected to the CPS Network and Computer Resources to address security concerns.


Sounds like CPS is due for some major policy changes. Schools should not be teaching students that this sort of intrusive infringement of their privacy is something to be tolerated.


I'm not sure I agree that this is an infringement of their privacy - or more accurately I think this is a reflection of the fact that there's no reasonable expectation of privacy in a public space (physical or virtual).

It is perfectly normal in working circles that your activities on company owned devices or devices connected to a company network are monitored.

If the school required everyone to purchase a private device and then install monitoring software on it, then I think it would be reasonable to argue that if they want to control it, they should pay for it.

However, there was no such obligation here, OP simply bought a private device and expected to be able to connect it to a service someone else is paying for (yes, I know OP probably pays their taxes, and so is paying indirectly). They expected to take advantage of all the services provided by CPS without checking what the prerequisites for that might be.


> there's no reasonable expectation of privacy in a public space

This is not a public space, it's a privately-owned Chromebook. It is not reasonable that merely accessing the school's (mandatory) web services from a privately owned device will result in monitoring software being installed on that device without so much as seeking consent from the device's owner (which is the parent here, not the student who is logging in).

I blame Google here more than the schools. They're the ones that designed an OS which doesn't treat the device's rightful owner as the ultimate authority on which software gets installed. The school is just taking advantage of that design flaw, which is also wrong but hardly unexpected.

Aside: Can anyone familiar with the CPS system chime in on whether it's actually necessary to sign in to the Chromebook using the CPS login credentials to access these web services? Do they perhaps check for specific extensions? If it just requires a Google login it should be possible to disable the automatic link between the web login and the device/browser login in the browser's settings (under "Sync and Google Services" disable "Allow Chrome Sign-in", or just use Incognito mode).


> This is not a public space, it's a privately-owned Chromebook.

Well, privately owned things can exist in a public space too, with restrictions.

For example, if I want to drive my privately owned car on a public road, I need to take steps (registering, attaching registration plates) to allow my car to be tracked and its usage monitored.

I agree on the point that this is a decision made by Google, although I would say that if you attach a Windows device to a domain, settings can be set through group policies without the user's explicit consent.


> … to drive my privately owned car on a public road, I need to take steps … to allow my car to be tracked and its usage monitored.

Yes, for very restricted interpretations of "tracked" and "monitored" which are basically limited to mounting a unique license plate on the vehicle which can be passively scanned and used to look up the owner of the vehicle (not the driver). Without a warrant they aren't allowed to attach a GPS tracker for continuous real-time location or install a camera inside the car. The inside of the vehicle is still considered a private space which cannot be searched without probable cause. Moreover, the justification for the license plate and registration requirements is that the vehicle is physically within their territory, on public roads, which doesn't apply to the Chromebook situation.

> … if you attach a Windows device to a domain, settings can be set through group policies without the user's explicit consent.

This is not like attaching a Windows device to a domain. For one thing that requires local administrative privileges on the Windows device, whereas anyone can log into a CPS account on any Chromebook whether they own it or not. Here the student doesn't own the Chromebook, the parent does—if this were a Windows PC the student would not be the device's local administrator and would not have the ability to join it to a domain.


I don't own a Chromebook, but my understanding is that the monitoring would only run for the user with the CPS account, rather than for all users, is that wrong?


Apparently, according to another response from a Google employee, it depends on who logs in first. If you log in with the CPS account and then switch to another non-CPS account, the CPS policies are applied to both.


Well, that for sure is dodgy then.


> Does anyone know how to refer these people to law enforcement for prosecution?

You can simply look up the phone number for any law enforcement agency you want and call them. None of them are likely to do anything, however; even if there was a crime involved, they have no obligation to pursue anything, and it's almost certainly not something that is on anyone in law enforcement’s list of priorities.

What you probably want to do is contact a lawyer and see if you have any civil law remedies.

Even if they are things you will eventually pursue in small claims court, you absolutely can get advice from a lawyer on causes of action and what you need to do, but in general forcing a behavioral change—equitable remedies—is not available in small claims (which mostly just allows limited monetary recovery) and you'd need a lawsuit in a “full” trial court to force that (or, of course, a settlement agreement.)


Prosecute for what, though? It's very common for school accounts to take over a chromebook until you remove their profile/perform factory reset.

This sounds more like a Google issue for allowing this behavior in the first place.


It is not actually behavior specific to Google (while Android in general has the same property). History has seen many cases; even my old Nokia Lumia phone many years ago had similar properties when I logged in to the organisational email and that granted them remote wipe and access rights. Also iPhones have “organizational control”, which can be set by certain configuration profiles, to track users.

Companies have had demand for these kinds of features and now they are there.


Apple said in one of their WWDC keynotes somewhere that because use of personal devices for work was so common, Apple was going to sandbox and limit access to personal data after signing in to a work account - so the most work could do is erase their part of the device and not erase or touch the entire device. The idea being that if you bought the device and it wasn’t provisioned from work, then signing in with a work email should only ever affect your work accounts and apps that access them. But I might have the details wrong, haven’t looked into it in detail yet. The iOS feature is called “Account-Driven User Enrollment”, there’s a WWDC video on it from last year.


> Prosecute for what, though?

Both what and who are good questions, which is why I say: “What you probably want to do is contact a lawyer and see if you have any civil law remedies.”

It's plausible that something in the combination of Google and school district practices violates some law of some applicable jurisdiction, but it's not obvious to me what law would be impacted.


Our school (Bay Area/South Bay) uses GoGuardian as well. The middle school also forces MITM-ed certificates via securely to monitor all traffic to anyone who wants school WiFi (student, volunteer, or staff)

But I am not panicking though. The companies we work for make such software (list any “enterprise” security company here).

You might own the machine, but they will force the machine to be “managed” if you want to access their network.

Btw GoGuardian also gets installed if you access the school “Google Suite” account from even your own PC or Mac, not limited to Chromebooks.


Powerwash/factory reset it and don’t sign into the school account. Ask for the school to provide a device.


Yea I graduated from Chicago Public Schools and they gave out chromebooks starting in 8th grade. I think that was the first generation of them so maybe CPS get some deal, but through high school the chromebook system only seemed to expand. I imagine it's possible for OP to get one from school.


I think it's now a managed device and that won't help.

If he power washes it, I believe it's still locked down to the school, I could be wrong though.


There's a separate provisioning process for the "very locked" state you're talking about, not just signing in on the device.


Ah neat, thanks!


Factory reset and not logging into the account again should fix the issue.


The real question isn't whether or not GoGuardian is installed--because the Chromebook is going to be subject to the school's policies while the student is logged in, assumedly doing classwork. The real question is whether or not it's being disclosed to you when you initially login to the school's domain that this software is being installed.

Installing something you were given a chance to read the EULA and disclosures for is fairly reasonable, because you would have the opportunity to decline (and then they probably wouldn't be able to login to the schools network). The school using MDM to install the monitoring software _without disclosing this to the user_ would likely fall afoul of the law, because yeah if you paid for it you are the owner and what you say goes. Third parties are not allowed to install software on equipment you own without explicit permission. Additionally, to be even remotely ethical, this needs to be disclosed clearly and the first time the school login is used and the software installation is about to occur--not buried inside a school handbook somewhere.

If the school has been so bold as to ignore the need to disclose that they're installing something that records and reports all web browsing activity (which GoGuardian is designed to do), or if this software applies to other logins on the system which will be used by people who did not consent to being monitored, then the school needs to start hiring _competent_ people to administrate the network, because doing this with minors involved is just really begging for a judge to slap the school system hard.

The school system can (and should) make that policy only apply when the kid's school login is being used--so if they try to fob you off with that silly excuse, feel free to go ahead and start talking to lawyers. Google would not be amused to find some rinkydinky school administrators making claims that the attested environment used by ChromeOS may be trivially compromised by other users and thus justify installing the monitoring software to be in play all the time. Rather a lot of work has gone into creating that environment.


Here in Europe we have a requirement for companies and institutions to provide what is called a "privacy policy" which explains to the user, in common language, which personal data is processed, for what, by whom and why. Many lawyers are doing these wrong and try to sell an unintelligible mess of legal text, while the law actually demands that the user can easily understand it. The European laws are especially serious about that if the users are children. A school in Europe would need to explain GoGuardian both to the children and the parents. Things like "monitoring all browser history, social network activity, logging all keystrokes, accessing all files and remotely enabling cameras and microphones" should raise some eyebrows and have parents ask unpleasant follow up questions. Also the "for what and why" parts are enforceable limits, any undisclosed processing is illegal.

In contrast, Illinois has pretty much no data privacy laws at all, with PIPA being one of the worst globally. Talking to the school, local and regional governance about data privacy concerns can help, but US citizens need to think bigger and amend the constitution with a right to data privacy. Surveillance Capitalism is already deeply entrenched in schools, showing an EULA is a start as it creates awareness, but misses the bigger problem. The tech companies selling to these schools will claim that a friendly teacher sometimes looks at what the children are doing, as they should, and then collect every bit of data they can access. They will claim their big brother algorithms will help teachers support pupils with their individual problems, that they improve education and enable students, and yet society isn't becoming enlightened, it is turning into a dystopia of surveillance capitalism and gamified control.

There is something wrong at a fundamental level, the USA was the bastion of liberal philosophy, individualism and human rights, and yet it is now at the forefront of data enabled neo-authoritarianism.


Isn't this a pretty typical bring-your-own-device policy?

I.e., if you want to use your personal device to access the organization's private network or resources, they are going to insist on having control over that device, or at least they are allowed to.

Or in this case I assume that CPS "owns" your son's account and probably has a terms-of-service-style document somewhere that makes GoGuardian or similar a condition of using that account.

If you don't want their software then you can't use "their" account on that computer. I don't love that policy, but it sure seems like something they are allowed to do.


After you reset the device but before you sign in with a school Google account, can you use a separate profile to install chrx or some other dual-boot Linux option? Or at least make sure the device has more than one Google Profile it can sign into?

At least then you'd be able to know the spyware profile wasn't running all the time. Your son could use it only for the specific homework that requires it.

It's obviously still not OK that they can monitor everything he does while he's doing his homework, but it's an improvement on being able to monitor everything he does all the time, and (as much as I hate this) it might be an important lesson about what to expect when he's dealing with company-provided devices in the future (though obviously a company controlling its own property is more justifiable than a school controlling your property).


I think if you log in with any other google account, you won't have the GoGuardian stuff running.

So I would recommend setting up a personal account for your child and telling them to log in to that whenever they want to work on something unrelated to school (or just want privacy)


> I bought him a Chromebook for schoolwork, but also for other private things. When we logged in, the system installed GoGuardian monitoring software on the Chromebook without notice or permission.

Can you give more details? Logged in to what? I don't know how Chromebooks work, but I take your description to mean logged into a webpage, which allowed it to install arbitrary software on your computer - this sounds like a vulnerability in Chromebooks.

Edit: On rereading the post, I suppose you mean logged in to Google Classroom.


This is similar to MDM. Sign in to a school .edu Google account that force auto provisions the device.


>Edit: On rereading the post, I suppose you mean logged in to Google Classroom.

Oh, if only. They mean logged into ChromeOS with a Google account.

There is an option to log in as a Guest, but the machine is so unbelievably gimped in Guest mode I can't imagine anyone actually using it like that permanently.


> There is an option to log in as a Guest, but the machine is so unbelievably gimped in Guest mode I can't imagine anyone actually using it like that permanently.

My mother-in-law was using her Chromebook in guest mode for a while [1], and the only things that didn't work were saving passwords (including wifi passwords, but her home wifi is open). But she only uses Chrome OS to use Chrome. I'd guess the play store doesn't work in guest mode, and wifi passwords might get annoying, but what else is missing?

[1] trouble with passwords, with a side of chrome os owner account was @ymail.com, but also an alias for @gmail.com and chrome os/google changed at some point so that logging in with either would login as the @gmail that wasn't the device owner... but fixing that didn't fix the underlying problem that someone likes to change her password rather than find her password book, and then her password book is out of date.


If you login with a different profile, is the GoGuardian software still running? Or is it only running on the managed school account?


wipe the chromebook and return it and get him a normal laptop and put linux on it


This is the correct answer.


woof also goguardian has a prediction model for the 'active planning' phase of suicide which monitors all text + web activity

https://www.goguardian.com/admin

good in theory I guess, but 1) is it EBM and 2) not sure this plays well post CTL / loris snafu

their privacy policy is nonsense https://www.goguardian.com/privacy-information, they don't sell 'private student information' but this is shrunk to be just PII. no details about non-PII categories of data


If it's not too late, return it to where you got it.

Then tell the school district that they have to pay for computers that they control.

> Does anyone know how to refer these people to law enforcement for prosecution?

You call the police. However, don't expect them to do anything and you won't be disappointed when they don't.

You can then call the city/county DA and get the same treatment. The state's attorney will do the same thing.


..and if those offices doing nothing to help you isn’t enough, there are plenty of other government agencies/services which will also do nothing for you

you can also try contacting Google, who will bend over backwards to make sure not to do anything for you.


> Then tell the school district that they have to pay for computers that they control.

100% on board with this. I would refuse to pay for a machine that is going to spy on my kid.

I'd probably buy a chrome book, install Linux and then they can access the google suite via a browser.


Not entirely familiar with Chrome OS but if you log out of the school account and into a personal one instead, does this monitoring persist?

Regardless, this is pretty much the perfect example that RMS was extremely prescient about free software and the distinction between freedom and free beer (or a Google account in this case).


To be clear, you can and did remove it. The factory reset worked. You just can't login to the school account using the built-in Chrome browser. But I bet you could by installing a different browser using the Play Store or Crostini/Linux, just like you would on a PC. So try that before suing people.


Practical advice? Forget it, move on. The system has far more resources and time than you, it costs them nothing to ignore you by taking no action. Any potential "win" from you can be delayed by them almost indefinitely -- they have salaried legal teams that can deal with any legal action taken by you. It is possible some kind soul may find it in the budget to settle this for $50 and admit no wrongdoing. Would that be satisfying?

Some rather hard experiences have taught us that the system is structured to deal with complaints in a fairly standard way. That is its genius. It's just a laptop, nothing more. You're lucky.


So do not sign into his school account? That sounds like they are requiring an MDM be installed on all devices used to access school resources. This is standard security practice.

When you do a full reset (there are multiple types on Chromebooks) it should remove everything. If you sign back into that school account, however, it will re-add it.

If you create another account (not your school) then it should work as normal. You would need to contact the IT team at your school to find out if they set this up as a full device MDM (and if your chromebook is enrolled or not) or if it is just MAM mode and monitors things when using the school account.


You ask for a reasonable accommodation, e.g. access to assignments via email.

The Department of Education mandates such accommodations.


Even if you send your kid to school with a paper notebook, the staff has always had the legal power to seize and read it. If anything, the school shootings era has expanded that authority even beyond the broad latitude it was granted before: https://www.ascd.org/el/articles/the-right-to-search-student...

(Before replying, please note that I'm not expressing any opinion about whether this is good or bad; it's just how it is.)


That authority has always stopped at the sidewalk, too. Taking computers home has altered the scope of potential overreach, particularly with personal computer use at home and the potential school control of camera and microphone devices.


> I bought him a Chromebook for schoolwork, but also for other private things.

Sadly we do not live in a world where this is a reasonable expectation.

School is effectively work. There should be separate hardware for both. If you have more than one kid they shouldn’t share hardware.

Don’t use your work laptop for anything personal. Don’t set up corporate email on your phone. Don’t log in to your personal iCloud on your work laptop.

You bought your son school supplies. Back in my day my parents donated Kleenex boxes and other classroom supplies. This isn’t really any different. The school owns that device now.


> Back in my day my parents donated Kleenex boxes and other classroom supplies. This isn’t really any different.

Except for the fact that this Kleenex box can cost hundreds if not thousands of dollars and most families don't even own a Kleenex box or they only have one.

Just like how it's no problem for most people to buy enough pencils and paper for every member of the household so picking up a little more for school supplies isn't a big deal but if the school expects a kid to use a laptop or a Wacom Cintiq Pro not every parent is going to be able to afford that and nobody is donating them.


I’m not defending it, just explaining how it is. I wish OP luck with the lawsuit.


What happens if you have two accounts on the Chromebook?

Ultimately spyware has to be unremovable to do its job so you're not going to get anywhere by contacting anyone. You have to decide to use the account or not.


If it was me, I'd write the Chromebook off as now being solely for school use. Your child needs to log into it with their school account in order to participate and complete their schoolwork, I don't see any way around this. As soon as the school account logs in, I believe the machine is then enrolled as a managed device of your school district.

Maybe you could get the school to supply you with a Chromebook, if you really want one. Where I live this is how it works (the school supplies the Chromebook).


Take a look at https://mrchromebox.tech

If your brand/model is supported and you have no reasons to stay with Chrome OS, you can unlock your Chromebox/book and flash a full Coreboot/UEFI firmware, so that you can install whatever OS you want. Linux runs circles around Chrome OS just about in everything. I've "liberated" a good number of Chromeboxes so far and never had any problems.


What paperwork did you sign, and what did you agree to wrt computer policies? I'd start there.


GoGuardian CEO here. Lots of misinformation in this thread.

Chrome extensions are attached to your Google account. Your son logged into his Chromebook with his CPS account which in turn installed the GoGuardian chrome extension.

The simplest solution here is to just log on to your Chromebook with a personal account. No enterprise policy will be applied.


> They suggested signing in with a different account, but when I do that, I get the error message "This account is not allowed to sign in within this network."

https://news.ycombinator.com/item?id=30911927


>Lots of misinformation

So post some clarifications? Sounds like they tried what you suggested and it didn’t work.


I’ve had similar experiences with my school district.

They used to use managed iPads with Google classroom. They now use managed windows Lenovo with multiple layers of spyware.

I bought my iPad and don’t allow installation of any apps with system privileges. This required a sit down with the principal, vice principal, county school board rep, and “tech manager” (who was just a random teachers aide with no training or specialized education and didn’t know much about equipment).

It was a real hassle, but they agreed to a personal device and they give out a school “loaner laptop” for exams. The loaner has goguardian and lots of other stuff installed.

Some surprising things I learned:

- the school principal chooses the technology without any real evaluation criteria. He said multiple times “I’m not a tech expert, I just do my best” and claimed to not know how all this stuff works

- my child was threatened with expulsion if they didn’t comply with the policy and only got around the school policy through a loophole because it was me who wouldn’t sign the contract yet it was the child who was being punished (contract required me to maintain the laptop, pay penalties for any damage, even if accidental, assume liability for theft, pay for my own insurance through a single vendor negotiated by the school, and learn and carry out administration since the school didn’t have trained admins and only had an 800 number for tech support)

I hope they never make a competent policy because it is so kafkaesque and draconian. The standard laptop is completely locked down and monitored by the school by people who don’t have any training on when to access data, including video from inside my home.

I have quite a bit of experience with hardware and software and it’s hard for me. I can’t imagine how typical parents are supposed to protect their kids’ rights.


> Does anyone know how to refer these people to law enforcement for prosecution?

This is quite an overreaction. Prosecution?

Besides, would this even be a criminal offense? I'm thinking it is more likely to be a civil case, if anything.

It's not like the police are going to go into the school and perp walk the IT technician out in hand cuffs because your child's laptop has monitoring software installed on it.


Is your son's Google account a school account rather than a personal one?


Did you ever consent to the GoGuardian monitoring of your student?

I'd probably wireshark it and see if it's sending out data - especially on other users than your kid.

That moves this from "The school installed invasive but allowable anti-cheating software" to "The school is monitoring my family without consent" which is a more interesting avenue.


100% guaranteed the parent signed something before the kid could do anything with a school Google account.


I have no idea how school/board/us/system/it/student thing works so I won't speak to 'how do I get rid of spyware' and 'can I call the police'. It is improbable you can. Like, where I work, if I want to use my work mail with my android phone, my IT mandates I have a remote-wipe installed ... I am hopeful, that the androids work profile keeps the work-it separate from my personal browser history, but I can live with it.

What I would do, is give my kid their own google account. I assume they don't need 'school-managed-chromebook', just 'a computer that can access Google Classroom'. Then, after running the chromebook with your own account, your kid should still be able to log in with the school account in browser, without handing over admin privileges.


Why did you buy him the Chromebook versus the district?


Yes. The district should supply the Chromebook for school work. They will manage that as they see fit. If he wants to do other stuff with a Chromebook, he should have a separate Chromebook and separate Google account. Ultimately that's easier and safer than constantly logging in and out of two different accounts on one machine anyway.


I am not a parent, but this seems like a good practice to get a child in the habit of, anyway: separating out your devices for work and school. Much like I wouldn't log into personal Slack groups on my work laptop (I learned that lesson!), I wouldn't try to conduct personal work on a school laptop.


> The district should supply the Chromebook for school work. They will manage that as they see fit.

I haven't been a student for a while, but the closest analogous technology they had when I was in high school was my graphing calculator for math classes. The school district mandated individual students each obtain a specific graphing calculator, which was a fully programmable computing environment (the TI-83). But the teachers/administration could and would wield a lot of power over those devices (which the families owned in the legal sense) - looking through it, requiring students to wipe its storage with no warning, etc. Requiring families to buy a Chromebook and still use a school-managed account with invasive management on it feels largely analogous.

Buying a separate personal laptop is the correct workaround, but unfortunately I don't think the "the school should supply the schoolwork computer" line of reasoning holds up. The hardware/software has become more powerful in the graduation from TI-83 to Chromebook but the principles are the same.


In my case, we bought our kids better ones than the district offered, which are the lowest educational spec machines available. It was only after we bought it - during covid school-from-home last year - that we learned our district also forbids any non-district-issued computer from connecting to school wifi, so we ended up with one of the crappy machines anyway. On the plus side, no effect on our personal chromebook, but on the negative side, my kids are restricted to using the crappy school computers for school work.


District chromebooks are for in-school use only. You can't take them home. This is for homework.


Chicago Public Schools gave me a chromebook to do homework on. It was a piece of trash computer that they probably got for free, but I could certainly take it home and use google suite for homework.


>Does anyone know how to refer these people to law enforcement for prosecution?

Or, you know, you could just call the school during active hours and ask them politely to unlock it. They'll probably be more willing to accommodate you if you act older than your shoe size.


It would be interesting to see if measures like this would violate CFAA. Like, was there any click-wrap prior to the MDM? Is the spyware isolated to only the data managed by the school?

Eventually we’ll probably get some court cases, and I look forward to following them.


I tried to google OP's setup (because I was curious), but all resources I found so far were about managing/enrolling an entire Chromebook before use.

However, the situation of OP (and others) seems different: They are using a managed account on an unmanaged Chromebook, which already had private accounts set up. So I guess you could talk about a "half-enrolled" Chromebook.

Are there any official Google resources which describe this particular state and how it interacts with the data that is already on the device?

Edit: This post explains more: https://news.ycombinator.com/item?id=30915710


Not being from the US, I can't answer the legal part (here in France it's illegal and you just need to file a formal complaint); however: why did you choose a Chromebook? People need desktops, not modern dumb terminals/endpoints acting as WebVM bootloaders, so learning them from the start helps kids a lot in both practical and pedagogical skills (they learn that different things exist, the strong and weak points of anything, and they have terms of comparison). I mean, Classroom works on a GNU/Linux desktop I suppose, so why not just give your son a well-configured GNU/Linux desktop and set aside a bit of time to teach him basic and less basic usage?


Based on comments, I am apparently in the minority in that I could not care less what my kid's school does to my kid's school computer. I understand that the OP purchased their own computer, but that seems immaterial--Schools give/loan free ones, so there is always the option to just use a school computer and not sign in with your personal chromebook.

Am I just not paranoid? Am I not paranoid ENOUGH? I just don't see the big deal--my kids are at school, in classrooms, for 30 hours a week. Their time online doing school work seems like the least concerning thing as far as being under the control of school.


Easy, wipe the system and install Linux on it.


Another little push in the right direction: you'll have to go into developer mode to expose the shell and flip the write-protect bit.


Could it possibly be impossible to enter developer mode?

If so, could it be possible to somehow flip the write protect bit "by hand"?


Every Chromebook model I've ever had has had a physical switch or screw that can be removed/toggled somewhere on the motherboard to unset the write-protect bit.

e.g. https://joshuawoehlke.com/wp-content/uploads/2018/07/dell-31...


Oops, I had forgotten about that. I was doing a bit of ...research a while back to apply to my own school machine.


Some Chromebooks do have a physical switch, like in the battery compartment. I don't know of any Chromebooks where it's actually impossible to enter developer mode.


Probably need to log into the school account on chromeos

So run another chromeos in a VM and just shut it down to switch to personal


After reading this it seems like the only at least partially feasible solution is Qubes OS and something like starting from a previous snapshot so any installed spyware gets instantly wiped. Also, Chrome is not allowed on computers in my home and will never be. I see no reason for a Chrome requirement by anyone.

My main question is: when the Chromebook is SO annoying, why wouldn't OP just sell it and buy a more sane PC and use a sane OS? I'm getting vibes like Chromebooks are mandatory or what (which would be so much not cool).


Chrome OS is the new Windows. Go to Walmart and look for a normal PC, you won't find one, just Chromebooks.


We don't have Walmart here. I'm in central Europe.


This is probably a dumb question, but can't you just log into the school's system using normal Chrome (or even Firefox) on a normal computer? This worked for my (very young) children when COVID made them stay home for a while. The school board issued very nice Chromebooks, but we were afraid of them getting broken, so we just logged in at the computer stations they have anyway, no problem.

You could even spin up a VM image with a very basic Linux install in it for further privilege isolation.


I have bypassed many similar spywares in my youth, typically anticheats when I wanted to poke memory addresses with certain values. Have you tried rooting the chrome book?

You'll need some way to observe the network activity of the spyware agent, and then reverse engineer the agent to see how it phones home (probably valgrind or gdb will suffice, assuming they didn't pack the agent). From there you can either inject your custom code with LD_PRELOAD or write a simple shared library injector.


My wife used my laptop for her work as a teacher, all of a sudden the system forces her to change her password! And I'm like what? That's not Krebs approved! Turns out it was her school's sys admin using some o365 settings (or at least I assume it was.)

I told her to tell her director that this type of control over personal hardware is not acceptable, and this year they got school issued laptops, so that is nice.


Good lord, just call the CPS IT helpdesk. Problem solved.


Didn't know they existed. Just called them. They said "no, it cannot be removed".

They suggested signing in with a different account, but when I do that, I get the error message "This account is not allowed to sign in within this network."


Do you get that error if you try using a different account (non-MDM, for example a personal Gmail account) after a factory reset, never using* the MDM account post-reset?

* Feel free to use it in a third party browser such as Firefox or Brave, as another commenter suggested. Just don't use it for an OS login.


Ask them for an administrative hearing. 99% chance they won't and will just remove it.


From your description it sounds like when your child signed in with the student account, one of the Ok's they hit for GoGuardian put your device on the school's managed account (cps.edu).

If you're powerwashing and it's automatically pulling cps.edu managed policies as soon as it gets online then the school district IT needs to release your device, and then powerwash it and setup again without the cps.edu policies.

Be aware if you want your child to do any official testing or use their student accounts on your personal device the district may require this arrangement.


Sorry, are you saying it's impossible to completely wipe/factory-reset a chromebook that's been adopted by an MDM?


It is non-trivial to release hardware where the serial number is showing as mated to a managed domain.

If you're power washing and as soon as it connects online it gets cps.edu remote policies you're gonna need district IT to release the serial from management.


I think the worst thing about student surveillance software is that it teaches a whole generation that it is normal to be and work under surveillance.


You might consider small claims court for the value of the laptop. Whether you would win depends on the context which you've mostly left out.


Send them a copy of "1984" or, I am not familiar with chromebooks, set a bios/boot-password or something so if they want install anything, they have to ask for permission. I kinda find it helpless to monitor kids activities instead of talking to them, explaining where the dangers are.


My bet is you could remove the user. Do some DNS messing about either on your router or hosts file to drop all communications to goguardian and then sign back into your son's account.

The end result will be that the school management scripts will still run but they’ll be unable to fetch and install goguardian.


IMO the account settings are acting like the chromebook is the school's property, and thus should be purchased and owned by the school, not the household. Otherwise it's another form of tuition charge. I don't think public schools charge for textbooks either correct?


You're not going to get prosecution. You might get somewhere with a civil suit, though. (For that, talk to an actual lawyer, not random commenters on HN.)

You also might get somewhere talking to the press. Be careful on this route, though, because it might get you sued by the school district...


I've had no experience with chromebooks but this sounds VERY much like Autopilot on windows/intune or Knox MDM enrollment on samsung android devices.

Ring the school again and talk to their IT, prompt their memories with the words MDM enrollment.

I bet one of them will have "AHA!" moment.


If you want to be even more upset, if you log into Chrome with this account on a “real” computer, I bet it will download and install a bunch of Chrome extensions without asking, too. It certainly did on my daughter’s PC when we were using it during the pandemic.


Wow that's annoying. Especially the "without asking" part!



Holy shivers... That is something of a 1984-esque level! I can't give any recommendations, but, at least, I thank you for reminding us to NOT buy things we won't (be able to) own!


You are going to spend a lot of time and money to address this. Better solution is to buy a second Chromebook only for school or personal use and explain to your kid that their government hates them.


Better yet, ask the school to provide a Chromebook if they want to spy on and control it. The owner should have the ultimate authority on what the device does - so the school should spend money for the power they demand.


My solution is a pragmatic one, yours is a dead-end most likely, the point was to paper over the issue and move on unless OP wants to spend a lot of time and money on lawyers fighting it.


Or buy a real laptop.


If the software were removable at all then students, who are more technologically literate than their parents, would simply remove the spy software.

Student removal would defeat the purpose of the spy software.


>Does anyone know how to refer these people to law enforcement for prosecution?

Like, filing a lawsuit, or reporting them to the police? I mean, how else would that happen?


>Does anyone know how to refer these people to law enforcement for prosecution?

Your best bet is probably to contact the office of the Illinois State Attorney General.


In a BYOD organization, you must be in compliance with Mobile Software Management Rules in order to have access to organizational assets and resources.


GoGuardian is a Chrome extension that is installed by a policy configuration of the district. It only works on Chrome devices and not the Chrome browser.


Collect the evidence and report a criminal computer intrusion. You have been violated entirely outside of the permission you may have granted the school.


CPS gives out Chromebooks. Ask CPS for a loaner Chromebook. Keep two Chromebooks. Chromebook A is for private things, Chromebook B is for school things.


May I suggest a nice one page letter from your attorney to the School Attorney and cc the School board and local police department.

It runs afoul of 1990s computer law, at least in the USA as the firm producing the software did not have your permission to break computer security safeguards and access guards.

Oh and make sure to save a copy of the local newspapers.

Then submit story to channel & i-team at:

https://abc7chicago.com/contact-i-team-submit-story-investig...


I haven't used a Chromebook before because I've always suspected this kind of malfeasance is inevitable, but I wonder...

Could you just rip out the disk device (nvme/etc) and shove a blank one in there?

As long as you never used the backdoored Google account again, at least you could re-use the device for other purposes (albeit with a different OS most likely). Not optimal I agree, but could that be a viable option?

Also, is it possible to virtualize Chrome OS, feasibly? Might be an option for anyone with the skills to firewall/isolate that malware when usage is compulsory.


>Could you just rip out the disk device (nvme/etc) and shove a blank one in there?

When I last owned a Chromebook the storage was soldered on the motherboard.


It's been a few years since Chromebooks have had swappable disks. There used to be some high priced models that supported user upgrades but then the OEMs figured out that no one wants to spend a fortune on a Chromebook so everything is soldered in now. Since what is being installed isn't actually malware but just some enterprise spyware, the easiest solution is to just wipe it, log in as a user unassociated with the school, and then add the school account. The spyware won't be running on the unassociated account. Kids have always had their 4th amendment rights encroached upon in schools and clearly this school district is extending that to their devices in this manner, for better or for worse.


> There used to be some high priced models that supported user upgrades but then the OEMs figured out that no one wants to spend a fortune on a Chromebook so everything is soldered in now.

It can't be that simple because I had a pretty cheap model a few years ago that had a replaceable sata m.2 drive.


I think it's mostly that emmc is now supported and cheaper than having m.2 storage. Soldered storage may be more reliable than connectorized storage (at least that's what Apple claims), although it's harder to replace when it breaks. OTOH, it may not be economical to debug a Chromebook storage issue, if powerwash fails, and USB rescue fails, you've spent too much technician time, so just replace the device.


> I did a full factory reset, signed in to his account again, and now the system is once again locked down.

Sign in with another account, problem solved.


OP you got to realize that whatever device your child logs into with his school issued google account will log all sorts of fun stuff.


You should strongly consider a freedom of information request on what personal data the school has collected on your kid.


Digital sunshine laws (FOIA and state and local equivalents) generally exclude personal data other than certain information about public employees, and definitely records covered under specific privacy regulation like FERPA. You would need to request those records under different laws relating to parent access to private records of students (in this case, the parental right to inspect under FERPA, probably), not sunshine laws.

Quite possible there are whole different request channels for private vs. public records.


Open a $100 bank account for him, login, and then take it to small claims court so you can buy a better laptop for him.


This post is showing up in grey text for me. Does that mean it's being downvoted? I can't imagine why.


Nah, all Ask HNs do. It was written that way by pg to discourage people from using HN as a blog.


Ah, so good to know this stuff. I don't know where it's explained for newcomers. Thanks a lot.


Can you have more than one account on there? Can your kid have separate accounts for school and non-school?


> I bought him a Chromebook

It wasn't the school who started giving spyware to your kid. It was you.


Possibly related-- does the Church of Satan hold an official position on vendor lock-in? :)


Don't use Google products. Google makes its money based on user surveillance.


My son came home with a Chromebook and I'm trying my hardest to make him hate it by talking as much shit about it every chance I get. I made sure to get him a desktop with games, dual boot windows and ubuntu and stress that if there's anything he wants to do, we can do it.


Since he is basically going to have a Chromebook for the rest of his school career, and likely part of his professional life, why not help him to understand it and set him up to be successful?

Even if you have a personal dislike for something, your job is to enable your son to be prepared for his life ahead.


I see what you're getting at but there's really nothing Chrome OS offers that can't be replicated on x86 and M1 machines. If he really wants to use it, I'll just VM Chrome OS, get him a touch screen monitor and call it a day. Chrome OS and iOS for that matter are garbage through and through by design, not by nature and I'll never stop preaching that... basically, if I took your stance, I'd be putting my son at a huge disadvantage the more I think about it.


This is like people who think they are vegan so their pets should be too.

At no point in the future is your kid going to say "wow dad thanks for teaching me how to stand up to the corporate overlords and opening my eyes to what shit iOS is!" Instead the conversation is going to be "Dad can you loan me money for rent this month? I replaced the proprietary freedom hating operating system on the cash register with an open source alternative and corporate had to fly someone out to fix it so they fired me."


You keep thinking that. At the end of the day, if you understand an OS, you can figure out mobile OS in a weekend. Try to setup a web server and write a React application using CI/CD pipeline. While it can be done, it takes hours on mobile and minutes in a Desktop OS. If anything, the tablet will be cannibalized by the Desktop OS as we're already seeing so arguing that I'm doing harm is a moot point.


What lesson are you teaching your child?


That Chrome OS is locked down and doesn't let you do anything nerdy like programming. I learned how to use a computer by using it and crashing it, I've shown him the browser, I've shown him terminal, how to use tab to auto-complete and how to use man and VIM style keys to navigate it. I've also taught him about PC gaming, Discord, Minecraft servers, that sort of thing. Honestly, I think just him knowing how to use a mouse and keyboard and liking them is an accomplishment.

I've locked down his tablets because he's fallen for all the "modern evils" like Messenger Kids and endless games that ask for money. I'll likely open it back up so he can explore again, but when I was a kid, doing something as simple as playing online required tunneling services and setting that up actually taught you something useful. So yeah, it's tough but I don't think glorifying dystopian device ecosystems like iOS and ChromeOS is a good idea.


If this was my son's computer, I would have a lot of fun defeating it


Should the school not be providing the chromebook for your child to use?


What happens if you do a factory reset and don't add him again?


Anything for work or school should be a separate disposable device.


If the school wants monitoring spyware, they should provide that, for example a computer to take tests or exams.

Not taking over and controlling your own equipment.

Talk to a lawyer and see if you can file a (digital ownership) theft report to the police.


I’m sure the Chicago PD will jump right on your “digital ownership” theft. They have the boys in the crime lab working shifts!


Is your child logged in with a CPS managed email address?


Nope. This is the future you signed up for, enjoy!


Take them to small claims court for hacking your computer and making it useless.

Just the threat of getting lawyers involved will make the school and district blink.


Install Linux and never look back.


For those interested: GalliumOS.


Apparently you can also install Ubuntu and even NixOS.


You could put Linux over the top? Chromebooks make reasonable Linux laptops generally.


> Does anyone know how to refer these people to law enforcement for prosecution?

Where can I vote for you?


"When we logged in, the system installed"

What login, which system. What are you even doing.


If I were you I'd just blow away the OS, and put Ubuntu LTS with Xubuntu or something which will perform well on low-spec laptops. Unless Google has the boot loader locked down, I've heard Chromebooks make reasonable Linux systems as they come with an SSD etc.


Stop buying crapware. Is there a chance you could do a full install of a new OS?


Sorry bub, but this is America. We don’t have rights and other commie nonsense like that.


Why did you buy a device that's patronizing you in the first place? You bought a device that is even advertised as not being fully under your control, then it turns out it's actually not under your control. Meh. Put Linux on it and next time buy a normal PC.


You are completely failing to grasp the level of tyranny here. Schools these days often will not accept non-Chromebook devices.


And the root of the tyranny is devices you 'buy' without owning. Something the parent commenter has probably been trying to warn everyone about since it was first pushed in the 90s like most other long-term Linux users.

'Trusted' computing is tyrannical, petty managers and school boards exploiting it is its intended use case.


Probably shouldn't go round accusing Linux users of "failing to grasp the level of tyranny" when it comes to people forcing the use of Apple, Google or Microsoft operating systems.


How can they enforce that as a public school?


Same way they dictate which graphing calculator you buy?


And how do they do that?


I'm curious about how they enforce that.


Simply by using some application for things like online test taking that only works on ChromeOS. If you can't afford to buy a Chromebook, you may be eligible to receive one free from the school.

Even in college, we had a freshman year computer requirement where we had to have a Tablet PC. Freshman engineering classes all used a Windows-only handwriting application for class participation. The Tablet PCs they sold at the time were expensive and crappy. Luckily the application worked in Wine somehow and you could get by using a cheap Wacom tablet so that's what I did. I sold the Wacom to another freshman so they could do the same. Eventually I bought a used Thinkpad tablet PC because I actually liked handwriting my notes and homework but I hated the fact I was almost forced to.


Presumably, the same way they enforce any other supply requirements.


Way to blame the victim. Obviously he didn't know this would happen when he bought the device.



