Microsoft accused of tracking kids with education software

A privacy campaign group with a strong record in legal upheavals has asked the Austrian data protection authority to investigate Microsoft 365 Education to clarify if it breaches transparency provisions under GDPR. Noyb said Microsoft pushed data protection obligations onto schools that use the system, and failed to comply …

  1. Doctor Syntax Silver badge

    "In its new complaint, noyb said Microsoft was trying to avoid responsibility under GDPR by insisting that almost all of the data protection responsibilities lie with local authorities or schools."

    Actually, I think that's preferable. Parents can take the matter up with the schools. For the average parent or parent organisation this is going to be easier than dealing with Microsoft. After all, it would have been the schools' decision to go with Microsoft, not the parents'.

    This, I think, is a better principle than saying if the data you provided to a local supplier is breached by their supplier in the US then take it up in a US court. That idea was behind the previous privacy fig-leaves and equally, AIUI, behind the bridge framework.

    The schools can then take the matter up with Microsoft and, as customers, should find this easier - not very much easier but they do have a direct relationship. And if they don't get a satisfactory answer from Microsoft they can cease doing business with them.

    1. cornetman Silver badge

      > ... the schools can then take the matter up with Microsoft and, as customers, should find this easier

      Which as the article made *extremely* clear, is not a realistic possibility.

      1. Doctor Syntax Silver badge

        That is their problem. It's a damn sight less of a realistic possibility for the parents to take it up with Microsoft.

        If you were one of the parents what would you do?

        I think the law needs to be very clear: if you do business with someone - and I'll include sending children to school - then you must be able to hold that business responsible for whatever actions any of its agents takes.

        From the business's PoV it needs, in consequence, to be very careful about whom it appoints as its agents. Simply passing the responsibility along the chain and then throwing up your hands and saying "it's too difficult" is not good enough.

        1. cornetman Silver badge

          > If you were one of the parents what would you do?

          I would raise a stink with the school to stop using this software. That's realistically your only option. If I *really* had a problem with it, I would move them to another school or teach them at home.

          Seriously though, the school has only a smidgen more capability to affect Microsoft's policies than the parents. The school might have some traction if they banded together with other districts and raised a stink about it. Or sued them. The best thing would be to just stop using their software. If you are paying for the software or service, you should not be dealing with this kind of thing, but there *are* good-enough alternatives out there. They just need to look.

          When one of our kids started at a local private school for a year or two, a few of us parents banded together to create an IT group to sort out the IT affairs of the school. I set up a spare PC with some extra memory and some Turnkey Linux VMs and it was great. So easy to set up and was very reliable. This was for user access and file sharing, roving profiles (yes the satellite PCs were all running Windows), network backup and much more. It was actually surprisingly simple. I think a lot of these schools are just too damn lazy to find alternatives.

          Expectations are a lot higher these days, I will give you that, but it is possible for a school district to sort this kind of thing out for their schools and roll it out to them. We need to stop passing off responsibilities for services to other conglomerates who ultimately don't give a shit about us.

          1. Doctor Syntax Silver badge

            "Seriously though, the school has only a smidgen more capability to affect Microsoft's policies than the parents."

            It has a capability to determine its own policies and by that means it has the capability to not use Microsoft's services to hold any data on its pupils. Once it makes that decision it doesn't need to affect Microsoft's policies in the least. In that way it can ensure that Microsoft's policies do not affect its ability to discharge its responsibilities to the children.

            1. cornetman Silver badge

              Don't know why people are downvoting you. That's a perfectly reasonable stance.

              1. NATTtrash

                Well, to be fair, there is a bias with the El Reg audience of course. But I would not be surprised if it's (also) an expression of the "bought it but never mine" dislike under the surface, having no control.

                Then again, I have no doubt that the same audience happily carries around their phones and would go back home if it turns out they left their home without it...

                For me, that also applies to this discussion: I do agree that the MS product is rubbish, not worth your business. However, we all buy/ use it, and are hit with emotions ranging from anxiety to "shrug and sloth" when change is suggested... (Yeah, sure, I know this is not you because you run your potato server 1976 edition. Don't be silly and do the Doctors Dot and Bubble please)

        2. Roland6 Silver badge

          >”I think the law needs to be very clear: if you do business with someone - and I'll include sending children to school - then you must be able to hold that business responsible for whatever actions any of its agents takes.”

          Well given schools are effectively under the control of the Department of Education…

          Remember schools basically use the IT their LEA et al recommend and is readily available through normal education IT channels. They don’t generally use an IT expert.

          Yes, I know a lot of primary education software dates back to XP and hence, with hindsight, a Linux platform with a better focus on backwards compatibility would have been better, but, who even 10 years back could foresee the level of surveillance MS would include as standard in Windows 10+ ?

    2. nematoad Silver badge

      "...take the matter up with Microsoft and, as customers, should find this easier"

      Tell that to the victims customers of Oracle.

      1. Doctor Syntax Silver badge

        It's in a better place than the parents for one very obvious reason. It can refuse to do business with Microsoft.

    3. heyrick Silver badge

      I'm not sure why all the downvotes. If the school provided the equipment and information, doesn't that make them the "data controller" and thus the one who is ultimately responsible?

      If the school (as a collective entity) can't get any sort of useful response from Microsoft, how does anybody think anybody else will? Ultimately the school chose this "solution", they carry the can...

      [I don't know the ICO's stance, but over here in France the CNIL says that you have to perform an actual GDPR compliancy audit on third parties that you use, noting that "bon volonté" (they said they were compliant) is unacceptable.]

  2. Mike 137 Silver badge

    MS wants it both ways

    Unfortunately, it's impossible under the (very practical) legislation for the LAs or schools to be data controllers in this context. A data controller defines the purposes and nature of processing. A data processor follows the instructions of a data controller to the letter and cannot lawfully process the specified data in any other way (or indeed process any other data as processor for that controller). MS is trying to suggest that LAs or schools are data controllers in respect of Microsoft 365 Education, but that just doesn't hold water. As the Noyb lawyer stated, that would require MS to process exclusively under instructions from the LAs or schools, whereas in fact it's MS that decides on the purposes and nature of the processing. The LAs and schools have no way to modify that processing as it's practically impossible to negotiate it with MS. So in fact MS is the data controller.

    1. Guy de Loimbard

      Re: MS wants it both ways

      As long as we have some proactive delving into the masses of telemetry software now sends home, then at least we are informed enough to raise the issue up the chain.

      If the complaint is upheld then you'd like to think that MS and others would change their MO, but, not unreasonably cynically of me to think, I doubt we'll see any real and significant change and any monetary or other punitive judgement is so financially insignificant it holds no real deterrent value or substance to make these organisations change.

      1. Doctor Syntax Silver badge

        Re: MS wants it both ways

        Microsoft might change their way and will only change their way if their market is cut away from them unless they do. If it's made clear to their customers, the schools in this case, that they will be held responsible for Microsoft's shenanigans with the data they entrusted to them then they'll have to stop entrusting them with that data.

      2. Roland6 Silver badge

        Re: MS wants it both ways

        > If the complaint is upheld then you'd like to think that MS and others would change their MO

        The hope has to be that the EU picks this up and demands change…

        As history has shown us, the UK government on its own is too small to impact MS.

    2. Doctor Syntax Silver badge

      Re: MS wants it both ways

      "The LAs and schools have no way to modify that processing as it's practically impossible to negotiate it with MS"

      Then don't deal with them. It's the schools who have a relationship with the parents. If the schools just hand things over to a 3rd party it's their choice and they should be held responsible to the schools for the consequences of that choice.

      It looks as if Noyb have lost their way on this.

  3. 3arn0wl

    There's an easy fix...

    Educational institutions ought to be using Open Source software anyway.

    1. Snake Silver badge

      Re: open source

      Sounds (very) nice, but regretfully on job listings "Fluent in LibreOffice" simply never shows up. "Fluent in MS Office" or "skilled in Excel", yes. But the open source replacements aren't exact replacements, 1-for-1 all-function equivalent, so training students with FOSS might not work to their benefit. I'm going to get downvoted, but go look at your local job listings and see for yourself.

      1. 3arn0wl

        Re: open source

        No doubt you're right, but it's not a good enough reason to maintain the status quo : job adverts can change.

        1. Mike 137 Silver badge

          Re: open source

          "job adverts can change"

          Not until employer requirements change. Since almost every office uses M$ not open source, that requirement is what drives the job specifications. I suspect this will be the case for the foreseeable future. And BTW I've almost never found a business consider the privacy implications for either staff or customers of the technologies or 3rd party services they choose to deploy. Convenience and cost rule the day.

          1. Doctor Syntax Silver badge

            Re: open source

            "And BTW I've almost never found a business consider the privacy implications for either staff or customers of the technologies or 3rd party services they choose to deploy. Convenience and cost rule the day."

            That holds right up to the point where things go wrong and their disregard costs them money and convenience. Most will learn from that when it happens to them.

            1. Roland6 Silver badge

              Re: open source

              The informed, simply include the lack of privacy ie. Personal data will be passed to third parties to be processed according to their needs, clause in their user agreement…

              Remember, the Tories want UK citizens’ medical records to be processed by US companies, hence why they set up NHS Digital et al. so they could bypass the laws surrounding the NHS’s data protection.

          2. Snake Silver badge

            Re: requirement is what drives the job specifications

            Very much so. You may as well ask for corporate to stop asking for bachelor's degrees for baristas - it's not open to us to change, it's them. As long as they keep insisting on MS skills, not 'can use spreadsheet and word processing applications', we (the peons) are not in a position to tell them otherwise.

            It's a cost-cutting measure: they want pre-trained, self-skilled employees that 'Hit the ground running!' with no expected catch-up time to their method. How DARE you require any time to become accustomed to our policies! Make us money now!!

      2. Doctor Syntax Silver badge

        Re: open source

        Schools should be providing education, not training in specific skills for employers. Are the employers going to send their staff back to the schools to be retrained whenever MS Office changes its UI?

        1. Roland6 Silver badge

          Re: open source

          > Are the employers going to send their staff back to the schools to be retrained whenever MS Office changes its UI?

          If it doesn’t cost them and can be done in the employee’s own time… yes!

      3. Stephen Wilkinson

        Re: open source

        The amount of people I worked with at a previous employer whose job specifications had the "Fluent in MS Office" and weren't even vaguely competent...

      4. Roland6 Silver badge

        Re: open source

        The real problem isn’t so much the job ads, but the expectation that what is learnt in school is directly and immediately usable by employers, who don’t want to incur the cost of training and thus constantly moan about the poor quality of education…

        Given Linux effectively came from Unix, which owes its rise to fame to education establishments, there are good long-term reasons for schools (and the DoE to financially support) to use open source software for pupils. Which is why MS, Apple etc. have Education sector offerings; given the way people today talk, MS’s multi decade Education giveaway has been an outstanding success…

  4. This post has been deleted by its author

  5. Anonymous Coward

    Hmmmm

    The UK ICO should maybe take a peek at GLOW in Scotland. It uses both M365 education AND Google Classroom.

    Having had some significant involvement in them I'm pretty certain both of those organisations are very much up to no good with kids data. It was a bun fight at the start to get them to stop slinging ads directly to kids.

    I don't like my kids being forced to use Google services (it's school choice not kids choice which to use).

    1. Doctor Syntax Silver badge

      Re: Hmmmm

      "The UK ICO should maybe take a peek at GLOW in Scotland"

      Try lodging a complaint with them. Even better, get as many parents who understand what's happening to lodge a complaint with them and with the schools concerned.

      Ask the schools why they have not given you the choice to opt out and remind them of the provision of GDPR which says not opting out cannot be a condition of not providing the service.

      1. 0laf Silver badge

        Re: Hmmmm

        You're misunderstanding the principles of legitimate interest and consent. Not an insult, it's not easy stuff to comprehend.

        Kids processing isn't done under consent, it's done under legitimate interest. i.e. in order to provide education the councils need the data to be processed by MS and or Alphabet.

        That side of it is ok, it's the unauthorised data snaffle that is going on when kids use the service or when you have log in from home.

        1. Doctor Syntax Silver badge

          Re: Hmmmm

          It isn't legitimate interest for that unauthorised snaffle to take place and it isn't consented to. It's up to the councils or whoever to provide the education without breaking the law. "We had no alternative" shouldn't be regarded as a valid excuse.

    2. Mike 137 Silver badge

      Re: Hmmmm

      "I don't like my kids being forced to use Google services "

      I've raised similar issues with the UK ICO quite often -- essentially being forced by services one wants or needs to use to be exposed to 3rd party services of their choice to which one objects on privacy grounds.

      The law requires data controllers to verify the compliance of processors they use and data subjects have the right to protection against 'non-material' harm related to processing. Nevertheless, the ICO has never taken any of the issues I raised seriously.

      There are several 'inconvenient' aspects of the GDPR that (it seems) everyone has tacitly agreed to ignore. This became apparent from the content of the (fortunately for now abandoned) Data Protection and Digital Information (No. 2) Bill, which, under the pretence of 'simplification' seriously watered down both the rigor with which data protection management would be conducted and documented and, consequently, the ability of data subjects to exercise their rights.

      1. Doctor Syntax Silver badge

        Re: Hmmmm

        "Nevertheless, the ICO has never taken any of the issues I raised seriously."

        Maybe the best approach is to gather as many other complainants together as possible. And then let the local press know what's happening.

        1. Roland6 Silver badge

          Re: Hmmmm

          >” Maybe the best approach is to gather as many other complainants together as possible. And then let the local press know what's happening.”

          Nice in theory, practise….

          Just look at the campaigns around social media and its propensity to sling inappropriate content at young people which has resulted in several deaths…

          This is something government needs to lead on, but as we know governments get subverted by business interests…

  6. Rich 2 Silver badge

    Think of the kids

    “Authorities should finally step up and effectively enforce the rights of minors”

    I have great respect for noyb and the following is no reflection on them but I am constantly rattled that the focus (not just in this case, but generally) seems to be almost always on the kids’ privacy. While I totally agree that what goes on is completely unacceptable, what about the adults’ privacy? What is the point in fighting for the kids when, as soon as they hit 16/18/whatever, suddenly the law doesn’t give a shit?

    What goes on with many businesses, and the Microsofts and Googles and Farcesbooks of this world are the outstanding examples, is totally reprehensible and should be flat-out illegal. I simply do not understand why governments don’t legislate against the very obvious abuse that these companies exercise.

    1. Richard 12 Silver badge

      Re: Think of the kids

      Children cannot give consent by definition, and it's far easier to get politicians to pay attention when the victims are children.

      Thus it's much more likely that they'll win, and thus create a precedent that also protects adults.

      You always try the slam dunk case first, it helps argue the harder one.

      1. Doctor Syntax Silver badge

        Re: Think of the kids

        Even if Microsoft lose they still win. It's all taken care of in the data bridge thing which says the kids or their parents can take it up in a US court.

      2. Rich 2 Silver badge

        Re: Think of the kids

        That’s fine, but any resulting law only applies to kids. It doesn’t filter down (up?) to adults.

        As for the consent thing, yes, kids can’t give consent, but 99% of the time NOBODY is given that option anyway

    2. Doctor Syntax Silver badge

      Re: Think of the kids

      Noyb have locked horns with big business a number of times not just for children and I applaud them for it. But those have been businesses with whom the data subjects would do business directly.

      In this case it's not. The children, or their parents deal with the schools, not Microsoft. That's one factor.

      We seem to have arrived at a situation where, if a data subject does business with one of these organisations in Europe and the data abuse takes place in the US the data subject is expected to take action in the US courts, essentially the big business's home ground. That's where all the diplomatic negotiations have taken us and it doesn't seem to me anything like an effective remedy.

      By taking on Microsoft in this instance we're likely to see the same response - if you don't like it, sue in the US. There's an option here - establish that the transaction - data subject to school - takes place in the EU so that any action can be between the parties in their own jurisdiction. It would be a step to getting a general principle recognised - that the jurisdiction should be that in which the data subject was located when the transaction took place.

      A general question to those from the EU or UK who think that Noyb is right in bypassing the schools and taking on Microsoft: if data you had given, in the EU or UK, to a US corporation were to be breached, would you find it easier or even feasible to seek redress in the US courts than in your own, were you given the option to do the latter?

  7. Tron Silver badge

    So what?

    We are seeing a lot of complaints from activists nowadays about things that only activists actually care about.

    Microsoft isn't monitoring individual kids. That's not what this sort of tech is for. They will just want feedback on how their software is being used for the next version.

    In schools, teachers monitor pretty much everything kids do - so they don't really have any privacy.

    The kids won't give a toss about what the software is doing. They are more concerned with important stuff like vapes, chocolate, and anime.

    Parents don't care as long as the kids get educated and the teachers don't go on strike.

    However, the EU could ban all software and the net in classrooms for the potential 'harms' it might cause to privacy, mental health, well being and safeguarding. Teachers can go back to using text books, exercise books, white boards and OHPs. Kids will actually learn to write properly. The 80s were great and kids may be happier reliving them, because the world they are growing up in now is really crappy. So, yeah, go ahead EUians. Let's go back to the future. It couldn't be any worse than the present.

    1. Doctor Syntax Silver badge

      Re: So what?

      "Microsoft isn't monitoring individual kids."

      And your evidence for this is....?

      If it's possible don't assume it isn't or won't be done. Just to send a few adverts. Or link up with their subsequent linkedin profile or whatever.

  8. Anonymous Coward

    Our school dropped MS for this reason

    My kid's school was instructed by state government to stop using MS Teams for this reason. I don't think they used any other MS products, so unsure if it applies to all or just Teams. But Germany does take data privacy quite seriously. The public-sector-coded replacement was predictably bad, if not unworkable, so the school repurposed a 3rd party solution intended for teacher <-> parent communication, which was expanded to pupils (with certain safeguards to prevent spamming). I'm quite impressed they were able to be so flexible, as well as finding a workable solution (though everybody preferred Teams!).

  9. Tubz Silver badge

    "IF" Microsoft 365 Education is tracking kids and "IF" Microsoft the creators don't know what it is tracking, then the product should be instantly banned from use, pulled from sale and all data it has collected deleted permanently, until Microsoft can prove to an independent auditor that it complies with privacy laws. Regulators need to stop pussy footing around with Megacorps and start kicking them in the nutz and wallets hard to get them to play by the rules, no more give us a couple of years to take a look and maybe we'll change a few lines of code but we get to keep the data.

    1. Anonymous Coward

      "IF Microsoft 365 Education is tracking kids"

      The article indicates that noyb is accusing them of doing so, while hiding the details from schools and parents.

      "IF Microsoft the creators don't know what it is tracking"

      I'm sure they know what data they collect, they just don't want to admit what is tracked for legal reasons.

  10. chivo243 Silver badge

    Worked at a school in EU

    I was there when GDPR was enacted. We had audits on our data flows beginning at the admission process. Which department was getting too much student info? Is student info regarding finances protected from other departments? Are health records protected? You get the picture, even before the dust settled, the school hired a Data Protection Officer. They made changes in how data flowed, eliminated a lot of duplication and most important of all, how and when data breaches should be reported, and what constituted a data breach. That school did not use 365Edu, but GaFE* (is it still called that?) We had a few uber-admins, I was just an admin, I was restricted to what I could see regarding student info. So, in the end, this school administration took all possible precautions regarding data protection from the audit results, as it was in "their" best interest. They recognized their need for data protection and spent some cash to get it done.

    *I know there was what was termed as randomized data collection by Gafe, but again as a non-uber admin I couldn't see that info either... The Data Protection Officer became very involved in what left our environment and worked closely with the uber-admins regarding how much personal info should be collected.
