So far the higher education press has paid scant attention to the Google Gmail Litigation case in the Northern District of California Federal Court, San Jose. If there is a jurisdiction worth watching for issues of consumer privacy and intellectual property, more patent than copyright, this is the one! And of all the cases in the former category, none is more important than Google Gmail.
Briefly: Plaintiffs are suing Google for violation of the Electronic Communications Privacy Act given their business practice of data mining mail for the purpose of targeted marketing and tailored advertising. Last fall, plaintiffs survived a summary judgment – that is, Judge Lucy Koh – someone to watch because she is smart, directive and aware of the hot seat she is in – decided that as a matter of law, there is something to litigate. Just a few weeks ago, plaintiffs suffered a defeat in their hopes to certify the case as a class action suit. Judge Koh found the application too sweeping, but did not fail to offer some creative thoughts about how to contain. “By I.S.P.?” she offered as an example, looking for options.
How about by sector? Because if any particular group of users has a claim to make, it would appear from discovery, it is the educational sector. So help me, colleagues. I am going to set out a few observations gleaned from the court papers so far. Those of you with Google boots on the ground chime in?
Is there a smoking gun, you ask? Google claims that it cannot or does not shut off its data mining practices even in cases of enterprise education mail that does not display ads. Let’s examine the implications of this revelation.
First, for K-12, data mining persons under the age of 13 may constitute a violation of COPPA, the Child Online Privacy Protection Act. Here is a question: Do school districts have a right to consent on behalf of parents for students under the age of 13, as the law requires? Data mining inevitably collects personal information. Indeed, that information is far more personal than the type of PII that trips state data breach notification.
Then there is our old friend FERPA. Have the school districts negotiated “school official” obligations with Google? Based on Joel Reindenberg’s research on FERPA, cloud services and K-12, the odds are not. That finding comports with the experience of many higher education institutions that also did not include FERPA provisions in the early Google mail contracts back in 2008 or so. Even for those schools that only did Gmail for students, the question arises: can the institution give the student’s consent to have mail, some of which might contain education records, without FERPA protection? Or to be mined for content data?
And then there are those higher ed institutions that did negotiate for a FERPA provision. Do those contracts specifically call data mining out as a prohibited practice? They should, and a distinction is worth making on this point: data mining for operational reasons, such as user search and account indexing, should be differentiated from data mining for the business purposes of targeted marketing and tailored advertising. The latter is the crux of why and how Google offers “free services” and still makes a buck. And that kind of data mining is precisely what trips the FERPA wire.
In my previous role as Director of IT Policy at Cornell University, I was never witness to the Google contract for student mail. Chatting among friends and colleagues about Google contracts throughout higher education, both EDUCAUSE and NACUA communities, I have my doubts that all of those enterprise mail contracts name this business practice explicitly. Too bad, because it sure would seem to me – and I am not a contract lawyer – but it sure does seem that if those contracts do explicitly call that technical practice out, discovery in the Google Gmail case may be evidence of breach of contract. Institutional attorneys should go back and read the fine print. You may have a situation on your hands.
Why, you may ask, would Google be so remiss as to admit the practice when it may signal breach of enterprise contracts for Gmail services? Because their eyes are not on you, higher education! They are on the F.T.C. and the on-going issue of “deceptive practices” for which they have already been investigated. In order to demonstrate full disclosure on that front, they may have given up evidence of interest to you.
And so what about the case of a Google enterprise contract that does not call this practice out explicitly, with or without FERPA provisions? Time to rally the troops, end the one-off negotiation strategy that Google used so successfully to obfuscate its enterprise higher education accounts, and get down to business: higher education’s missions this time, not Google’s profit motive.