A new lawsuit alleges that Google has been data-mining and scanning the emails of thousands of school children throughout the nation who use Google Apps for education through their public schools—a charge the company doesn't deny. The scanning and mining may violate federal student privacy law, called FERPA. That’s a problem for us here in Boston, like it is in many other cities and towns nationwide, which are increasingly ditching Microsoft Exchange email servers for the Google product, which is “free”.

Back in January 2014, the Chief Technology Officer for the City of Boston announced that all of the city’s public entities were going Google.

“As a tech-savvy city, we’re always looking for the best IT tools to help our government run smarter, innovate more effectively and provide better services for our citizens,” he wrote. “Our most recent innovation was the successful migration of 76,000 email accounts from a collection of our premise based systems, mostly Microsoft Exchange, to Google Apps. Not only are all city departments, including the Boston Police Department, now on Google Apps, but every teacher and more than 50,000 public school students each has an individual Google Apps account.”

The city selected Google after a review of the competition, citing both “its ability to meet the needs of a fast moving city” and the fact that the company provides a “secure cloud environment. ”

But is Google Apps truly secure? It depends on what one means by that word.

Education Week reports on the new lawsuit:

As part of a potentially explosive lawsuit making its way through federal court, giant online-services provider Google has acknowledged scanning the contents of millions of email messages sent and received by student users of the company’s Apps for Education tool suite for schools.

In the suit, the Mountain View, Calif.-based company also faces accusations from plaintiffs that it went further, crossing a “creepy line” by using information gleaned from the scans to build “surreptitious” profiles of Apps for Education users that could be used for such purposes as targeted advertising.

…

Those plaintiffs in the California lawsuit allege that Google treats Google Apps for Education email users virtually the same as it treats consumer Gmail users. That means not only mining students’ email messages for key words and other information, but also using resulting data—including newly created derivative information, or “metadata”—for “secret user profiling” that could serve as the basis for such activities as delivering targeted ads in Google products other than Apps for Education, such as Google Search, Google+, and YouTube.

In response to the allegations, Google’s lawyers have essentially said: Did you read the user agreement?

Contrary to the company’s earlier public statements, Google representatives acknowledged in a September motion to dismiss the plaintiffs’ request for class certification that the company’s consumer-privacy policy [PrivacySOS note: the policy is terrible] applies to Apps for Education users. Thus, Google argues, it has students’ (and other Apps for Education users’) consent to scan and process their emails.

In November, Kyle C. Wong, a lawyer representing Google, also argued in a formal declaration submitted to the court in opposition to the plaintiffs’ motion for class certification that the company’s data-mining practices are widely known, and that the plaintiffs’ complaints that the scanning and processing of their emails was done secretly are thus invalid. Mr. Wong cited extensive media coverage about Google’s data mining of Gmail consumer users’ messages, as well as the disclosures made by numerous universities to their students about how Google Apps for Education functions.

I wonder if the same “privacy” policy applies to agreements between Google and other public sector organizations, like police departments. Here in Boston, “[m]ore than 3,000 police employees, including 2,100 sworn officers, use Google Apps to communicate with one another as well as to streamline reporting processes.” If the same extremely lax data policy applies to the police, that means Google is routinely scanning confidential information related to criminal cases and intelligence investigations when police email this data to one another.

Are we ever going to reach a point where we think one company might just know too much?