School-Issued Chromebooks and Privacy
Lately students have been returning to school, but as I’m sure I don’t need to tell my readers, things are a little different this year. Many schools are looking to online or hybrid classes as a way to protect students and staff from the still-ongoing pandemic. Unfortunately, schools are often underfunded. Unfortunately, Google has stepped in and offered Chromebooks at low prices to schools to offset this problem. Personally, I don’t blame the schools. Teaching is a difficult thing, and the US federal government certainly isn’t making that problem any easier. Schools are doing their best. But I am pretty upset at Google. We all know that Google is one of the largest and most aggressive privacy offenders, which means that there is no doubt in my mind that Google has an ulterior motive with their charitable donation: they want to get kids rooted in the Google ecosystem early so they stay there. Income stream for life. Sadly this isn’t much of a conspiracy theory, it’s basically a given in the tech community (source, source, source, source). As students have begun to return to school, I’ve seen a lot of questions – and even had a few directed at me – regarding the privacy implications of these devices, including what’s possible and how to use them as privately as possible. So this week, I’m going to discuss that.
What Can It See?
The most common question I get/see regarding Chromebooks and privacy is what else they can see on the network. If I get issued a Chromebook and use it at home, can the school/Google see other devices and network traffic? The short answer is no. Technically it is possible, but once again schools are highly underfunded and they really have no motivation and nothing to gain from such intrusive programs. I have no doubt that the school can see almost everything you do on the device itself, but that’s probably where the school’s eyes end.
Google, on the other hand, is a bit more invasive but not as invasive as some might think. Without having any sources to back me up, but based on what I know about how surveillance capitalism currently works, Google can see everything the school can, as well as network information. For example, Google can probably see your SSID, information about your network (such as password encryption protocol, router info, IP address, and more), and I wouldn’t be surprised if Google can also see what other devices are on that network, such as a Roku TV, a Windows 10 machine, an iPhone, etc. However, as for the actual traffic, I would be surprise if Google sees the traffic from those other devices. The technical ability exists, but I suspect Google’s tentacles on every type of device are already so deep that they gain nothing from that kind of spying. It’s easier just to have each device report individually and connect the dots on Google’s end. After all, if you have two devices reporting from the same IP, then obviously they’re on the same network, and you can be much more invasive tracking the device locally than spying from the router.
Best Practices
In a moment, I’m going to list a bunch of settings I recommend changing, but first let’s talk about how to use your Chromebook in the most privacy-respecting and secure way possible. It should go without saying that you should consider everything you do on the device compromised. Google’s Chrome OS is proprietary, so we don’t fully know what goes on behind the scenes. You should assume anything you do on the device can be seen by Google, just to be safe. Of course, I want us all to have a sanity check: I highly doubt Google is waiting for you to log into your bank on their device so they can screenshot your balance or steal your account numbers. Don’t get overly paranoid about using the device and run yourself ragged. But at the same time, be aware that you’re giving up some privacy by using it. If you are truly concerned about the traffic issue I talked about above, then you can put the device on a separate subnet or VLAN, but again I personally don’t think that’s much of an issue.
I also encourage you to use a dedicated account on the machine. If the device was issued by a school and you have an account with the school, I think it’s safe to use that account. The school already knows the device was issued to you, and as mentioned before I don’t think they have any interest in making sure the IP address you used matches the records on your paperwork (though I would use a VPN in case of data breach). If the school did not issue you a Google account, I would make a new one.
I want it to be noted that Google has some of the best security out there. The privacy is virtually nonexistent, but the security is top notch. However, we should never get complacent. It should go without saying that all of my usual advice applies here. Strong passwords, two-factor authentication, VPNs, all are still useful here.
There are additional challenges and considerations for people attempting to lead a “Google-free,” lifestyle. At that point, it’s really an individual question. I’ve heard people consider only using the device on public networks (such as libraries and coffee shops) or using a phone hotspot. I don’t think those are bad ideas, but they can still create a pattern that Google can make use of. Of course, a pattern of using the public library every day at 2 pm is far less revealing than an IP address and what other devices are on the network in my opinion. You’ll have to make the decision for yourself on the lesser evil.
Settings
Google Chrome OS: Version 76.0.3809.136
Bluetooth: Off
Connected Evices: None
People: Don't sign in if possible, use a unique or school account if you must
Screen lock: Show lock screen when waking from sleep
Screen lock: Screen lock options: either
Autofill: All off
Device: Storage Management: Browsing Data: Advanced: Clear All
Search and Assitant: Search Engine: DuckDuckGo, Searx, or MetaGer
Search and Assitant: Google Assistant: Disabled
Privacy & Security: Disable all settings
Privacy and Security: Manage Security Key: Create PIN
Privacy and Security: Site Settings: Cookies: Keep local data only until you quit your browser: enabled
Privacy and Security: Site Settings: Cookies:Block third party cookies: enabled
Privacy and Security: Site Settings: Location: Off
Privacy and Security: Site Settings: Camera: Ask before accessing
Privacy and Security: Site Settings: Microphone: Ask before accessing
Privacy and Security: Site Settings: Motion sensors: Off
Privacy and Security: Site Settings: Notifications: Off
Privacy and Security: Site Settings: Flash: Off
Privacy and Security: Site Settings: Pop-ups and redirects: Off
Privacy and Security: Site Settings: Ads: Off
Privacy and Security: Site Settings: Unsanboxed plugin access: Off
Privacy and Security: Site Settings: Handlers: Off
Privacy and Security: Site Settings: MIDI devices: Off
Privacy and Security: Site Settings: Payment handlers: Off
Language and input: Spell check: Off
Downloads: Ask where to save each file before downloading
Downloads: Disconnect Google Drive account: enable
When returning it, Powerwash it under the “About Chrome OS” page.
Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...