Tell HN: My kid's school installed spyware and I can't remove it

936 points by ccleve ↗ HN
My middle schooler goes to Chicago Public Schools. They use Google Classroom for assignments and other communications.

I bought him a Chromebook for schoolwork, but also for other private things. When we logged in, the system installed GoGuardian monitoring software on the Chromebook without notice or permission.

And now I can't remove it. I wrote to GoGuardian support, and they replied that I had to contact the school or remove my son as a user. The instructions for removing him as a user do not work; on the contrary, I see the message "cps.edu manages this user and may remotely manage settings and monitor user activity" and he can't be removed.

I did a full factory reset, signed in to his account again, and now the system is once again locked down.

So now I'm in the position where I have to ask permission from a local government entity to please let me install stuff and don't monitor the computer I bought and paid for.

Does anyone know how to refer these people to law enforcement for prosecution?

441 comments

[ 22.4 ms ] story [ 7405 ms ] thread
You're not going to get prosecution. You might get somewhere with a civil suit, though. (For that, talk to an actual lawyer, not random commenters on HN.)

You also might get somewhere talking to the press. Be careful on this route, though, because it might get you sued by the school district...

> I bought him a Chromebook for schoolwork, but also for other private things. When we logged in, the system installed GoGuardian monitoring software on the Chromebook without notice or permission.

Can you give more details? Logged in to what? I don't know how Chromebooks work, but I take your description to mean logged into a webpage, which allowed it to install arbitrary software on your computer - this sounds like a vulnerability in Chromebooks.

Edit: On rereading the post, I suppose you mean logged in to Google Classroom.

This is similar to MDM. Sign in to a school .edu Google account that force auto provisions the device.
>Edit: On rereading the post, I suppose you mean logged in to Google Classroom.

Oh, if only. They mean logged into ChromeOS with a Google account.

There is an option to log in as a Guest, but the machine is so unbelievably gimped in Guest mode I can't imagine anyone actually using it like that permanently.

> There is an option to log in as a Guest, but the machine is so unbelievably gimped in Guest mode I can't imagine anyone actually using it like that permanently.

My mother in law was using her Chromebook in guest mode for a while [1], and the only things that didn't work were saving passwords (including wifi passwords, but her home wifi is open). But she only use Chrome OS to use Chrome. I'd guess the play store doesn't work in guest mode, and wifi passwords might get annoying, but what else is missing?

[1] trouble with passwords, with a side of chrome os owner account was @ymail.com, but also an alias for @gmail.com and chrome os/google changed at some point so that logging in with either would login as the @gmail that wasn't the device owner... but fixing that didn't fix the underlying problem that someone likes to change her password rather than find her password book, and then her password book is out of date.

Good lord, just call the CPS IT helpdesk. Problem solved.
Didn't know they existed. Just called them. They said "no, it cannot be removed".

They suggested signing in with a different account, but when I do that, I get the error message "This account is not allowed to sign in within this network."

Do you get that error if you try using a different account (non-MDM, for example a personal Gmail account) after a factory reset, never using* the MDM account post-reset?

* Feel free to use it in a third party browser such as Firefox or Brave, as another commenter suggested. Just don't use it for an OS login.

Ask them for an administrative hearing. 99% chance they won't and will just remove it.
From your description it sounds like when your child signed in with the student account, one of the Ok's they hit for GoGuardian put your device on the schools managed account(cps.edu).

If you're powerwashing and it's automatically pulling cps.edu managed policies as soon as it gets online then the school district IT needs to release your device, and then powerwash it and setup again without the cps.edu policies.

Be aware if you want your child to do any official testing or use their student accounts on your personal device the district may require this arrangement.

Sorry, are you saying it's impossible to completely wipe/factory-reset a chromebook that's been adopted by an MDM?
It is non-trivial to release hardware where the serial number is showing as mated to a managed domain.

If you're power washing and as soon as it connects online it gets cps.edu remote policies you're gonna need district IT to release the serial from management.

What happens if you have two accounts on the Chromebook?

Ultimately spyware has to be unremovable to do its job so you're not going to get anywhere by contacting anyone. You have to decide to use the account or not.

Easy, wipe the system and install Linux on it.
Another little push in the right direction: you'll have to go into developer mode to expose the shell and flip the write-protect bit.
Could it possibly be impossible to enter developer mode?

If so, could it be possible to somehow flip the write protect bit "by hand"?

Some Chromebooks do have a physical switch, like in the battery compartment. I don't know of any Chromebooks where it's actually impossible to enter developer mode.
Probably need to log into the school account on chromeos

So run another chromeos in a VM and just shut it down to switch to personal

Nothing gets “installed” in the traditional sense on a chromebook.

When you login to the chromebook, you can log in with any Google credentials. The credentials the school gave your son are managed by them. If you log into that account, it configured the user session per the management of the account, so this will start a “managed” session for that managed user.

If you use a personal Google account, none of that should happen. It’s not a managed account, it’s a normal one, and there shouldnt be any additional provisioning.

You should be able to switch between them and use both independently.

However, if you are saying that is what you are doing, and the spyware isn’t respecting the config between users, then that is definitely a problem.

This. My kids have chromebooks, and they have two accounts active on their devices, on at their .k12 for school stuff, and one for their gmail that is open.
Do you actually trust google not to be collecting data on both accounts and link them together somewhere? When I was in school we used to get told that bad behavior would end up in our "permanent record" which would follow us for life, but while that was a lie we all have a permanent record now and nearly every action no matter how mundane or benign gets saved to it.

When I got my cell phone the default keyboard was sending everything I typed to a 3rd party whose privacy policy stated they were collecting data for everything from market research to trying to understand my intelligence/cognitive abilities. I replaced the default keyboard. I can't imagine the wealth of data Google could be collecting form children, their test scores and their associations with other children. They may claim not to collect and store data on your kids, but there are no regulations and nobody is checking. Only a whistleblower could tell you what Google is actually doing. I haven't seen much reason to trust them.

> I can't imagine the wealth of data Google could be collecting form children, their test scores and their associations with other children.

This is...funny, given that apparently the OP's child's school is using Google Classroom - which means Google is the provider and the system for storing/giving/recording/managing test scores, so of course they store test scores since they are paid to provide that. Likewise, on Google Classroom, kids can interact with each other and of course Google stores those.

Why did you buy him the Chromebook versus the district?
Yes. The district should supply the Chromebook for school work. They will manage that as they see fit. If he wants to do other stuff with a Chromebook, he should have a separate Chromebook and separate Google account. Ultimately that's easier and safer than constantly logging in and out of two different accounts on one machine anyway.
I am not a parent, but this seems like a good practice to get a child in the habit of, anyway: separating out your devices for work and school. Much like I wouldn't log into personal Slack groups on my work laptop (I learned that lesson!), I wouldn't try to conduct personal work on a school laptop.
> The district should supply the Chromebook for school work. They will manage that as they see fit.

I haven't been a student for a while, but the closest analogous technology they had when I was in high school was my graphing calculator for math classes. The school district mandated individual students each obtain a specific graphing calculator, which was a fully programmable computing environment (the TI-83). But the teachers/administration could and would wield a lot of power over those devices (which the the families owned in the legal sense) - looking through it, requiring students to wipe its storage with no warning, etc. Requiring families to buy a Chromebook and still use a school-managed account with invasive management on it feels largely analogous.

Buying a separate personal laptop is the correct workaround, but unfortunately I don't think the "the school should supply the schoolwork computer" line of reasoning holds up. The hardware/software has become more powerful in the graduation from TI-83 to Chromebook but the principles are the same.

(comment deleted)
District chromebooks are for in-school use only. You can't take them home. This is for homework.
Chicago Public Schools gave me a chromebook to do homework on. It was a piece of trash computer that they probably got for free, but I could certainly take it home and use google suite for homework.
In my case, we bought our kids better ones than the district offered, which are the lowest educational spec machines available. It was only after we bought it - during covid school-from-home last year - that we learned our district also forbids any non-district-issued computer from connecting to school wifi, so we ended up with one of the crappy machines anyway. On the plus side, no effect on our personal chromebook, but on the negative side, my kids are restricted to using the crappy school computers for school work.
You use ask for a reasonable accommodation. E.G. Access to assignments via email.

The Department of Education mandates such accommodations.

You might consider small claims court for the value of the laptop. Whether you would win depends on the context which you've mostly left out.
Have you tried to see if the Small Claims Court would work?

https://ag.state.il.us/consumers/smlclaims.html

Get the cost of the Chromebook, some money for your time, and then donate the Chromebook to the school since its deadweight at this point.

My guess is that no one from Dept. of ed will show up and you'll get a summary judgment.

Good idea; IMO, probably the only way the OP is likely to get any "justice" (if you can call it that) here...
Unless someone from HN is mediating, it seems pretty unlikely that there will be an award for the value of the computer in small claims court.
The Chromebook isn't ruined. Just do a factory reset and do not log into the school account.

I know it doesn't help the op's kids who needs the CB for school, but there is nothing being done that a factory reset can't fix.

Looks like you read it the way I did originally -- that even a factory reset still leaves the GoGuardian software on the machine.

From the gist of comments of people more familiar with chromebooks than me, it actually looks like the factory reset does completely wipe the machine (as you'd expect from "factory reset") and there's no software installed that survives this process (other than the default chromebook stuff)

Powerwash/factory reset it and don’t sign into the school account. Ask for the school to provide a device.
I think it's now a managed device and that won't help.

If he power washes it, I believe it's still locked down to the school, I could be wrong thought.

There's a separate provisioning process for the "very locked" state you're talking about, not just signing in on the device.
Factory reset and not logging into the account again, should fix the issue.
Yea I graduated from Chicago Public Schools and they gave out chromebooks starting in 8th grade. I think that was the first generation of them so maybe CPS get some deal, but through high school the chromebook system only seemed to expand. I imagine it's possible for OP to get one from school.
Why did you buy a device that's patronizing you in the first place? You bought a device that is even advertised as not being fully under your control, then it turns out it's actually not under your control. Meh. Put Linux on it and next time buy an normal PC.
You are completely failing to grasp the level of tyranny here. Schools these days often will not accept non-Chromebook devices.
Probably shouldn't go round accusing Linux users of "failing to grasp the level of tyranny" when it comes to people forcing the use of Apple, Google or Microsoft operating systems.
I'm curious on how they enforce that
Presumably, the same way they enforce any other supply requirements.
Simply by using some application for things like online test taking that only works on ChromeOS. If you can't afford to buy a Chromebook, you may be eligible to receive one free from the school.

Even in college, we had a freshman year computer requirement where we had to have a Tablet PC. Freshman engineering classes all used a Windows-only handwriting application for class participation. The Tablet PCs they sold at the time were expensive and crappy. Luckily the application worked in Wine somehow and you could get by using a cheap Wacom tablet so that's what I did. I sold the Wacom to another freshman so they could do the same. Eventually I bought a used Thinkpad tablet PC because I actually liked handwriting my notes and homework but I hated the fact I was almost forced to.

And the root of the tyranny is devices you 'buy' without owning. Something the parent commentor has probably been trying to warn everyone about since it was first pushed in the 90s like most other long term linux users.

'trusted' computing is tyranniclal, petty managers and school boards exploiting it is its intended use case

how can they enforce that as a public school?
Same way they dictate which graphing calculator you buy?
and how do they do that?
Way to blame the victim. Obviously he didn't know this would happen when he bought the device.
It seems like you should be able to sign out of the CPS managed account, then use "Add Person" to add a non-CPS managed account:

https://docs.google.com/document/d/1r7xOL4U9lL0qyqMIVl4eH2EM...

https://support.google.com/chromebook/answer/1059242?hl=en&r...

For school work, login to the CPS-managed account. Otherwise login to the personal account.

(comment deleted)
I believe the OP is concerned the Chromebook is rooted by the spy software and therefore using another account doesn’t solve that issue.
(comment deleted)
> I did a full factory reset, signed in to his account again

I read this to mean that the software uninstalled after a factory reset, but signing back into the managed account re-installed it. I'm taking OP with a grain of salt here, but I think it's likely that OP doesn't understand their son's brand new Chromebook and that there's a technical solution that doesn't involve suing anyone.

This is the perfectly reasonable solution. But OP wants the operating system to be signed into an account managed by the organization without the organization having permission over anything, and since that's not the way ChromeOS works, they're going to sue the school board.

Honestly, I'm disappointed in the HN that they're taking OP at their word and giving legal advice.

The surprising part to me is that the school district let parents bring their own Chromebooks. Where I live the school supplies the Chromebook for the students. If your child breaks it, they bill you for the cost of the unit and then supply another one. IMHO, they are pretty dang cheap.
If it's not too late, return it to where you got it.

Then tell the school district that they have to pay for computers that they control.

> Does anyone know how to refer these people to law enforcement for prosecution?

You call the police. However, don't expect them to do anything and you won't be disappointed when they don't.

You can then call the city/county DA and get the same treatment. The state's attorney will do the same thing.

..and if those offices doing nothing to help you isn’t enough, there are plenty of other government agencies/services which will also do nothing for you

you can also try contacting Google, who will bend over backwards to make sure not to do anything for you.

> Then tell the school district that they have to pay for computers that they control.

100% on board with this. I would refuse to pay for a machine that is going to spy on my kid.

I'd probably buy a chrome book, install Linux and then they can access the google suite via a browser.

You could always install a different OS on your son's Chromebook since it would still have access to all of the school's software (through Chrome) and more. I'd recommend GalliumOS (https://galliumos.org/) since the drivers support audio and keyboard shortcuts better.
Ran GalliumOS all throughout college without any issue. A Toshiba i3 Chromebook + Gallium was easily one of the best laptops I ever had. OP - seriously consider this solution if it wouldn't agitate the school too much. Swap out the usually small (16GB or so) SSD that tends to come with Chromebooks, install Gallium, and you're off to the races. Might still be some weird compatibility issues/edge cases that are hard to predict; maybe run Gallium in a VM, log into your sons Google Classroom, and do some testing first.
related support ticket from someone trying to log into device w/ work account without inheriting workplace MDM policy

https://support.google.com/chromebook/thread/117916330/how-t...

> Even if the Chromebook is your private device and your owner account is your private @gmail.com account, once you sign in with a managed account, even using a separate profile, the managed account polices become active.

> This is NOT a bug. It's required to maintain security of the managed environment. Whenever the managed account is active, ChromeOS management and the policies set by your administrators pwn the entire machine.

> Google promises bulletproof security to customers who license Chrome OS management, and having any instance of an active non-managed account available when a managed account and its resources are active is a potential security hole.

not a chrome-os user -- I imagine you can access the G acct via a browser without signing in the whole OS? if 'signing into gmail signs in the OS', maybe can do it via crostini linux

re law: illinois is the state that has the biometric privacy law iirc? you may be able to do a civil suit via that, if the device is sharing face images and you really didn't consent and you can prove it and the law was written with your situation and mind and CPS hasn't indemnified big G. my guess is you'd have to pay a few $k to a lawyer to evaluate the case and then many more $k on the suit, plus you probably have a TOS problem.

The ending of that post (trimmed above) is also important:

> So you can boot into your personal account and do your personal business and then reboot into your business acount and do your business' business, but never the twain shall meet.

Not a chomeOS user, so maybe I'm not familiar with the terminology, but what is the difference between "log into" an account and "boot into" one?

Are there different ways how you can add multiple accounts to a Chromebook and the OP just used the wrong one?

From the sound of it (haven't used ChromeOS in ~4 years), "log into" means switching users without powering off the laptop, while "boot into" means to reboot the computer and log in as the other user. For a device that is supposedly built around security, needing to know that the "Switch User" menu shouldn't ever be used to switch the user is something of a footgun.
"Shouldn't ever be used" is an overstatement though. My employer (Google, no less) would apply restrictions, but not hoover logs from the personal profile. Meaning it's still good to have messaging and music there while working.
Chrome has a log in screen like windows and Mac. You can login and out between google accounts like a gmail.com or a k12 account. Similarly but not the same— there is a second “add account” after logged in. This secondary account does allows access email but not override them, bookmarks, etc
ChromeOS developer here (opinions are my own, etc etc), writing as a user though since I don't work on this specific field myself but I've been using chromebooks daily with multiple accounts (corp and personal) daily for the greater part of a decade.

You have a few options on how you log into ChromeOS. Once you boot the device, you can choose which account to sign in as. If it's your corp account, you get whatever corp policies get applied to you (like no play store, no linux, etc). If you log into your personal account, you don't get those restrictions (there's a note to be made here for stuff like enrolled devices which I don't think applies to OP and I'm not too familiar with anyway).

However, once you are already logged into an account on the device, you can also choose to "sign in with another account". This makes you run two accounts at the same time, you can swap between them without using passwords, etc (it's like switching a virtual desktop/workspace). You can even transfer windows from one account to the other so you can simply alt+tab between them as you would on a single account (for example I am typing this at work on my personal account in a window running inside my corp account). In this situation, whichever account logged in first is the account that "owns" the session and has policies applied. If you log into your corp account with play store disabled, and then log into your personal account as a secondary account, you can't use the play store on it. If you log out everything and re-log with your personal account, you will still be able to use the play store there.

Thanks a lot for that info, that clears up a lot! So an unmanaged Chromebook can't be "taken over" by logging into a managed account, the policies are only active until you reboot.

Still, if account policies "leak" into unmanaged accounts when both accounts are active at the same time, this sounds like a potential vulnerability: E.g., if the managed account has a policy that sets proxy settings or force-installs a particular browser extension, would those policies also be applied to the unmanaged account?

> So an unmanaged Chromebook can't be "taken over" by logging into a managed account, the policies are only active until you reboot.

That's my understanding, yes. You can't "infect" an unmanaged account from a managed one, as far as I know at least.

> E.g., if the managed account has a policy that sets proxy settings or force-installs a particular browser extension, would those policies also be applied to the unmanaged account?

I'm not 100% sure if those policies would apply, I admit I'm not familiar with the account enrolment details of ChromeOS since I work at a much lower level. However, from what I know, whenever you go to sign-in to a secondary account in the same session as your primary one, there's a big warning telling you to be careful because you're basically "entrusting" your secondary account to the primary one and to not share an account session with another account you do not trust. This I always assumed was due to reasons like (for example) ending up literally sharing account2 window with account1 session, if you bring a program running in the account2 "domain" (filesystem, etc) into the account1 UI session, the account1 can take a screenshot of it (screenshot will be saved into account1 local files) and that can leak data obviously.

> In this situation, whichever account logged in first is the account that "owns" the session and has policies applied.

So if you log in to your personal account first, and then into the corporate account, the corporate policies are not applied to either account? There are probably a bunch of corporate types who will be very surprised to learn this…

I admit I've never tried this so I don't know which policies do or do not apply and how. For things like the play store (which is what I've worked on in the past), only the "primary" account (the one you logged into first) will have access to it so if your secondary account has the play store blocked anyway, you won't be able to use it with that account so it doesn't matter much.

I don't know about other policies.

Typically, the corporate login will be blocked if you attempt this.
Hmm.

I’m not super familiar with ChromeOS’s MDM stuff… but I wonder what would happen if someone were to log in to two separate managed accounts, for two separate organizations, with conflicting requirements?

It'll block the multi-login and require you to fully sign out of everything, THEN log into the other organization account.
Suing the CPS over this is simply taking money out of everyone else's pocket for your own enrichment.
It's to make them stop doing it, not to profit.

Right now they're spending money to spy on students, so fighting that is worth it.

Yeah, why anyone gotta make trouble for the guvnah
As a longtime armchair attorney who has closely read summaries of cases like this on Slashdot for well over the past decade (IANAL, BTW)...you could go the lawyer route but this basically amounts to your kid being a minor in school which means they don't have full legal rights, and the interpretation of 4A is likely up in the air here anyway. Constitutional rights don't necessarily apply at school or anywhere near school (see bongrips4jesus case), your kid is a minor anyway (another special case), and a school doing this for the sake of "preventing cheating" may not fall under the umbrella of unreasonable search.

There was a PA school district back around 2009 that issued laptops to students preloaded with spyware that let school staff watch students through the webcam, while the students were at home and not doing schoolwork. Neither the students or parents were informed of this. IIRC the FBI got involved but nobody actually got in any real trouble, I'm not even sure they were fired.

I wish things weren't this way. You could maybe use Wireshark and black hole anything the spyware tries to connect to at the router, or maybe add the addresses to the hosts file on the machine itself (not sure if ChromeOS lets you do this).

Actually....

It's the poster's Chromebook. They has revoked authorization for the school to deploy $software on their machine.

Next step is the public school supplying a spyware'd laptop and NOT imstalling spyware on said parent's chromebook, but also said private chromebook not being used for school stuff.

If you want the district to not install spyware... Well... Lets just say, the poster is probably pissing in the wind in my experience.

On the flip side of that "minors have no rights" coin you're holding up is the fact that laptop is the parent's property since they bought the laptop for the child to use. They did a factory reset and the problem software still remains. What if the parent did a factory reset to use the laptop for themselves? There is no reason for the spyware to remain in that case. It needs to be removable.
They did a factory reset and reconnected the Chromebook to the school account, which configures the device according to the schools requirements. If they wanted to use it themselves, they would reset it, do not connect the school account and all is well. GPs argument seems to support that the school doesn't have to allow to use a school account without the device being put under the schools control.

(at least as I understand it. if the MDM enrollment is actually tied to the device somehow, then they could reasonably demand it to be released if they planned to use it themselves)

That doesn't really make sense to me. User accounts, whether managed remotely or locally, should be subordinate to administrator accounts. That administrator-level privileges are insufficient to undo a change made with user-level privileges breaks this relationship.
OP didn't mention that the child's account is a secondary account. AFAIK if you log-in with an account the first time on a fresh(ly reset) chromebook, it becomes the "administrator" account - and at the same time if its in an organization (i.e. the school) the orgs policies are applied. No clue how that interacts if you do attempt to login such account as a second account, it's possible the org can require an account to be in control of the device. Chromebooks are deeply designed for exactly this centrally managed scenario after all, that's (partly) why they are so popular with schools and companies.
I think it works similarly on Android phones. Google policy for the Android Corp devices requires you to set it up using corp account, then add secondary personal accounts(if needed).
Based on this support thread [0], which was linked to by awinter-py's comment [1] elsewhere in the comments, it doesn't really matter which is first. Remote policies supersede any local controls, and can promote themselves to have Owner privileges. That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

[0] https://support.google.com/chromebook/thread/117916330/how-t...

[1] https://news.ycombinator.com/item?id=30912427

>That this is the intended behavior, for any remote management to take precedence over any local management, is a terrifying security hole.

You've actually got it backwards. In an enterprise domain like this, allowing local management to take precedence over remote management and policies is a massive security hole for the domain as a whole not to mention required by regulatory bodies dictating information security for educational institutions. A locally managed node is effectively a rogue node on the network. There are use cases for it but they're specialized. OP most likely signed a consent form as part of the online learning stuff at some point and this is the consequence of not reading the things you sign. This whole thing is so massively overblown like no one here has worked anywhere with a BYOD policy and MDM.

The device belongs to the owner and the owner should be able to override anything.

If an organization wants to set policies that can’t be overridden, it should pay for the devices. (And even then, the user still has a right to privacy and a certain level of control).

If they set a MDM policy on a device I own, I’ll mail the organization the device and a bill for buying a new one that very same day.

So you’re out both the device AND a stamp?
No, it's a terrifying security hole, full stop. If I leave my non-managed Chromebook unattended (logged out!) for 30 seconds, someone can sign into it with their managed account and install spyware without me knowing?
You were never the owner of the chromebook in the first place so Google the actual owner just transferred control to the school. They never needed your permission to do this in the first place because you just paid full fare for an unlimited rental of someone else's property.
That's the conclusion I tend to reach, and I believe Google to have fraudulently described a rental as a purchase. Whoever is the source of authority to run software on a device is the owner of that device. Since enabling remote management does not require administrator privilege, the right to do so doesn't come from the administrator. Since disabling remote management cannot be done by a local administrator, the granted authority is even greater than the nominal authority granted to the buyer. Each of these implies that Google remained the source of authority, and therefore didn't transfer ownership over the device.
> Whoever is the source of authority to run software on a device is the owner of that device

Hundreds of years of established case law refutes this claim.

They are, but there has always been a contention between local admin vs domain admin (managed accounts) and usually the case has been that the domain admin overrules the local but the local admin can un-join the domain.

This is not that different. The moment you join the remote domain, you no longer have top privileges. You can still unjoin at any point but as soon as you join, you're placed under a different hierarchy.

The most pragmatic thing to do is probably acquire another school only Chromebook. Either have one issued from the school or buy another one. This is probably a worthwhile lesson for how to treat personal and employer assets separately anyway.

The work to try to get the school to make the software removable is a laudable stand for citizens, parent, and student rights - but would come at some cost of time, money (more than buying a second chromebook anyway), and maybe strained relationships with school officials.

> to your kid being a minor in school which means they don't have full legal rights, and the interpretation of 4A is likely up in the air here anyway

IANAL, either. Just because the student is a minor, I don't see how that gives the school the right to pwn a private laptop (were the laptop a school laptop, my opinion would be different here); at best, this would seem to be the parent's machine, or right to decide, at that point.

The OP's post isn't very clear on how the school managed to get into a private laptop in the first place; he mentions they "logged on", but onto what? And how does signing into something permit installs? (There's a comment below that hypothesizes this might be an MDM profile sort of situation, and that's … trickier. But doesn't even an MDM login have an uninstall of some sort? (Although, IDK, perhaps Chromebooks just can't do that, but that would seem to be an issue then with their software. But I've never tried, as I don't usually go for MDM stuff myself, as companies that do it typically want too much permission onto what is my personal device.))

pwning the laptop was a req for doing school work, like how you essentially give prior consent to a field sobriety test when you get a drivers license. I'm not saying it's right, but that likely the school district's argument in court, and I'm sure it's buried deep in a EULA or privacy policy somewhere.
> you essentially give prior consent to a field sobriety test when you get a drivers license

If USA, this is false.

You are misinformed. In the USA, every state has a law stating licensed drivers give their implied consent to roadside DUI testing. Failure to comply will result in extra charges and almost certain conviction.
Probably a Google account sign on.

If I sign into my work Google account on my androids chrome it basically forces you to install spyware so our IT team can suck up my browser history.

It sounds like chrome os takes this approach and adds steroids.

This is why people should be issued a work phone (or children a school laptop in the case of the OP) if the IT department is going to request control of it.

A while ago my company eventually decided to enable security settings for Microsoft Outlook, Teams etc on all mobile devices (the wipe phone on demand option). All that happened was everyone without a company phone uninstalled Teams and used WhatsApp instead.

I wouldn't accept a work phone unless I was given full control over it and can use it for personal use as well.

I'm not carrying two around.

If you want me to leave one at my desk that's fine but you won't reach me on it unless I'm there.

Same goes for work laptops and working from home.

The whole idea that you need to separate work from personal is based on the idea that if you use work laptop for personal work then they own it, that's an entirely made up constraint, one I won't accept.

In before bad analogies, there are plenty of industries that provide tradies with tool stipends, those are still owned by the tradesman but paid for by the employer do to their consumable nature. It allows tradies to buy more expensive tools if they prefer and encourages them to look after them better.

The lawyer route makes no sense, it's all about small claims here. Sue for the cost of the chromebook, that will get someone's attention and you can likely settle it out of court or get the money to purchase a new one.

The important part here is that the computer is not usable with their software and that you have no way to remove said software despite being the owner of the computer.

Can’t you file criminal charges over this? It’s malware used to spy on minors without the parents knowledge or consent. Is the school also free to undress the kid and photograph them in person? If not, why if it’s remote?
It's comical how your best advice is seek a lawyer. Any lawyer worth their salt would advise to contact the school directly to handle this matter. No need for a lawyer at this stage.
But the school doesn’t own the machine, the parent does.
I would do the factory reset again and then not use that account anymore. If you want, you can create a new local-only account and then (this is the important part) sign in to the school Google Classroom on another browser. Install Firefox, Brave, something, and use it for the school account rather than Chrome. Chrome allows extensions installed to it to run in the background and manage the system, but another browser cannot.
Good suggestion. If the school is requiring your child to have the chromebook, then they should pay for the thing. They don't have the right to infect any device that your child happens to log in with. So factory reset, don't log in. Then when the school complains that the child is not completing the assignments, tell them that he/she cannot do them unless the school issues a school-owned device.

A better move would be to get your child out of Chicago public schools altogether.

CPS does pay for the thing. OP wanted their child to use a fancier device and they're mad that it falls under CPS' MDM policy. Go get a free device from CPS, take good care of it, and return it once the child graduates.

https://www.cps.edu/school-reopening/remote-learning/technol...

>A better move would be to get your child out of Chicago public schools altogether.

I went to a Chicago Public School and I resent that comment greatly.

> create a new local-only account

I thought you couldn't do that on a Chromebook.

i don't think you can. I had one of these chromebooks too, which I paid for. But my school did not want to remove the 'school policy' so now it's locked and even other accounts are 'watched' and managed by the school's policy. Last time I tried to create an account it wouldn't let you create it unless you provided an email.
Ah. This makes sense. In this case, I think a throwaway or a personal account will perform the same function, as long as it is not affiliated with the school system.
(By "makes sense" I do not, in fact, really mean that it makes sense; more accurately, this should read "seems typical of a Chromebook").
> Does anyone know how to refer these people to law enforcement for prosecution?

You can simply look up the phone number for any law enforcement agency you want and call them. None of them are likely to do anything, however; even if there was a crime involved, they have no obligation to pursue anything, and it's almost certainly not something that is on anyone 8nnlaw enforcement’s list of priorities.

What you probably want to do is contact a lawyer and see if you have any civil law remedies.

Even if they are things you will eventually pursue in small claims court, you absolutely can get advice from a lawyer on causes of action and what you need to do, but in general forcing a behavioral change—equitable remedies—are not available in small claims (which mostly just allows limited monetary recovery) and you'd need a lawsuit in a “full“ trial court to force that (or, of course, a settlement agreement.)

Prosecute for what, though? It's very common for school accounts to take over a chromebook until you remove their profile/perform factory reset.

This sounds more like a Google issue for allowing this behavior in the first place.

> Prosecute for what, though?

Both what and who are good questions, which is why I say: “What you probably want to do is contact a lawyer and see if you have any civil law remedies.”

It's plausible that something in the combination of Google and school district practices violates some law of some applicable jurisdiction, but it's not obvious to me what law would be impacted.

It is not actually specific behavior to Google (while Android in general has the same property). History has seen many cases, even my old Nokia Lumia phone many years ago has similar properties when I logged in the organisational email and that granted them remote wipe and access rights. Also iPhones have ”organizational control”, which can be set by certain configuration profiles, to track users.

Companies have had demand for these kind features and now they are there.

Apple said in one of their WWDC keynotes somewhere that because use of personal devices for work was so common, Apple was going to sandbox and limit access to personal data after signing in to a work account - so the most work could do is erase their part of the device and not erase or touch the entire device. The idea being that if you bought the device and it wasn’t provisioned from work, then signing in with a work email should only ever affect your work accounts and apps that access them. But I might have the details wrong, haven’t looked into it in detail yet. The iOS feature is called “Account-Driven User Enrollment”, there’s a WWDC video on it from last year.
What paperwork did you sign, and what did you agree to wrt computer policies? I'd start there.
(comment deleted)
> I did a full factory reset, signed in to his account again, and now the system is once again locked down.

That’s by design though isn’t it? You logged in with a managed account and the policy was applied again?

The account is his school account right?

That’s pretty much how Chrome OS works.

This might just be a good lesson that you want to maintain device / role boundaries.

A gaping security hole is fine if it’s been introduced on purpose?
> A gaping security hole

What is that?

“the system installed GoGuardian monitoring software on the Chromebook without notice or permission.”
When I logged in with my son’s school account on chrome OS it had some notifications about who owns the account and so on.

I don’t think it is as much a mystery as implied.

In the end there’s no getting around that mixing device uses like this doesn’t work. It works less and less as the history of computers goes on.

Can the managed account actually access files from the unmanaged account or control which processes are active while the unmanaged account runs?

Because, if yes, this absolutely does sound like a security hole:

1) Set up an organisation and add a managed account. Set up policies that install a backdoor on first login.

2) Get hold of victim's Chromebook.

3) Log into the Chromebook using the account from (1)

4) Chromebook will execute the policies and run the backdoor.

5) Use the backdoor to snoop victim's files.

You've successfully gained access to the victim's files without knowing their password. Profit!

This would work even if the victim is fully aware of the issue and never intended to mix managed and unmanaged accounts on their own.

Does a chromebook allow you to have more than one user account? It sounds like a factory reset was necessary to allow enrollment
Chromebooks do allow more than one user account, yes. The factory reset mentioned by the OP was necessary in order to undo the enrollment, as no application of Administrator/Owner privileges would undo it otherwise.
I think you misunderstand the original post - the parent didnt have some sort of local administrator account (which isnt really a thing on ChromeOS). They signed into a managed account run by the school district, didnt like the policy, then reset the device, signed into the same managed account again, and noticed the same policy was applied.
> local administrator account (which isnt really a thing on ChromeOS).

The first user to sign in on a chromebook has limited special powers. I don't think they involve reading other people's data though.

>In the end there’s no getting around that mixing device uses like this doesn’t work

Surely this is the entire value proposition of ChromeOS - you sign in to your account, and the laptop magically becomes yours? It seems like a serious hole if a single sign-in is able to compromise other accounts.

It's tied directly to the remotely managed account, that's how the account works. If you don't sign into the account, the software won't be installed.

Students don't get to decide what software to install when it comes to logging in to school accounts. Generally the laptops are provided by the district, but it seems OP was trying to add another personal device to their system.

You can't participate in their system without the software. So I guess the alternative would be to block personal devices from logging in like this at all.

> That’s pretty much how Chrome OS works.

And that's the problem. Signing onto a remote account is a request to access a remote resource, and should not be interpreted as granted the remote actor control over local resources. That Chrome OS works this way implies that Chrome OS is fundamentally flawed.

Maybe there should be more of a notice, but when I tried it with my son’s account I got some notifications.

Having said all that the default will be for most school accounts… all or nothing. Don’t allow them to manage it and you won’t get in.

Can't speak for OP, but generally this is mentioned during the sign in process, so it should be laid out. It is effectively all or nothing.
My issue isn't about the notification, but that this doesn't work at all within any reasonable model of user permissions.

Fundamentally, authority cannot be delegated authority that you yourself don't have. I can agree to a contract promising to do some particular work, because I have the authority to direct my actions. I cannot agree to a contract promising that you will do some particular work, because you haven't granted me that authority. I cannot grant to another what I do not have for myself.

With regards to user permissions, a non-administrator doesn't have permission to monitor another user's activity. Therefore, they cannot delegate permission to a third party to monitor another user's activity. That this is possible means that ChromeOS has a fundamentally flawed model of user permissions.

Windows does this as well, and I would expect other management solutions to as well. You can build your own PC and be local admin on it, but the second you sign in to an active directory account (using a VPN for work) that account will be locked down and can run scripts that the AD owner chooses. I imagine that is what is happening here as well, where the user has signed into the school Google Workspace account (or whatever it's called these days). To avoid this, they could sign in to Google Docs and Google Classroom in a browser. (Although to be fair, Chrome does aggressively ask if you want to sign into Chrome with your account, and probably if you want to sign into the user profile on ChromeOS if I had to guess)
Isnt this the same way Windows works? If I sign into a work Windows account and they want to set my default browser or something, thats absolutely something they can do. ChromeOS isnt doing something particularly new in that regard.
On a Windows account, a user can change the default browser for their own account. Therefore, a user can delegate the choice of default browser to the remote management. A user can record which sites their own browser visits. Therefore, a user can delegate that authority, allowing remote management to record which sites that user visits. A user does not have the authority to record which sites are visited by another user. Therefore, they cannot delegate that authority to remote management, because they themselves do not have it.

On ChromeOS, you can filter your own access to websites. You cannot filter other users' access to websites. But signing in to a remote management can filter other users' access to websites. This grants the remote management privileges that the user doesn't actually have.

(comment deleted)
Group policies on Windows, applied at logon, give the admin control over what the user can or cannot do. If the admin wants you to use Chrome not Edge, then that is what you'll be using, and you won't be able to change the default.
To my knowledge, that group policy only applies to the user who is logging in, not the other users on the computer.
There doesnt appear to be any claim that this undesired software was being run on any other account besides the managed one.
Depends. In the Active Directory world, policies can be applied at the user or computer level. Not sure about Chrome OS, but computer level policies absolutely can effect other users. I bet if OP signed into a normal, non-Google Classroom/organization affiliated account after they reset the device, they wouldn't have found GoGuardian running. This seems like if you connected an arbitrary device to a Windows domain over say VPN, then got surprised when user level policies were applied to the profile created on the local machine resultant from the process of connecting a machine to a domain. This is very much by design of ChromeOS as other commenters point out.
This is with the presumption that the filtering here is device-level and not user-level. The fact that they were able to wipe and reset the device AT ALL probably means that the device isn't fully enrolled into device management (only the account is) and that the blocking and monitoring is just for that one specific account/profile. That is to say, none of the blocking is breaking the privilege rules on the system.

This isn't to give them extra credit. GoGuardian is still spyware and you should be, at the very least, wary of it if you have a kid with that software running around. But this behavior is consistent with the design of ChromeOS and isn't shocking or special if you've been paying attention to what ChromeOS has been built for over the last couple years.

>On a Windows account, a user can change the default browser for their own account.

Not if they lock down that setting via GPO and let the default behavior of remote > local. There's a lot of settings that can't be undone in the GUI and take diving into the registry to undo when set by GPO but then they'll just get re-applied on GP refresh anyways. Talking about who can do what is immaterial to how domains and remote management actually work if they're not designed how you think they should be. The remote admin will always have more control than the local user in this situation, it's been that way for a very long time now and is unlikely to change.

As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin and the services and processes that handle all of this run as SYSTEM thus the user has the authority to delegate that authority to remote management at-will.

Like, this is all basic stuff for BYOD and MDM policies if you've worked anywhere with a halfway competent IT staff. OP didn't read the fine print probably. Wouldn't be the first parent to not do so and freak out over nothing.

> As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin…

The parent owns the device and would have the local admin account. They aren't joining the device to a managed domain where something like GPO would be relevant (unless configured by the parent, naturally). The student would only have a non-admin local account, and would be incapable of granting device administration privileges to the school. The school could still manage their browser profile, of course—if the browser itself is actually signed in to the school account, which is something you can disable while still logging in to the account on the web—but they would have no access to or control over other user accounts or anything else requiring local admin privileges.

On Windows, settings and software can be enrolled remotely the moment you hook your machine up to an MDM portal, just like on chromeOS. Windows doesn't include some of the functionality ChromeOS includes, but your employer can definitely manage settings like your standard browser if they choose to. The can also enforce that all software you run is signed, is run from specific locations on the system that you may no longer have access to and they enable Bitlocker with a specific backup key.

Most companies either choose not to implement any of this, or simply do not know they can implement this. Do not sign into your personal devices with your work account on anything but an isolated browser (modern Windows has a sandbox built in!) or you might discover the hard way what kind of possibilities remote AD allows for.

Windows does prompt you to accept that the account can manage your device, but so does ChromeOS. Denying MDM may cause the login to fail if they automatically rescind any tokens that don't get MDM access on your device.

Yeah good luck getting a company to give you VPN access to their network without demanding you've been keeping your operating system patched. BYOD without such policies is a great way to make the network support staff quit and maybe slash your tires on the way through the parking lot.

It's called _attestation_ and Windows has been doing it for some time now with VPNs and domain credentials. Attestation actually makes it possible for BYOD to be done in a way that's not going to simply repeatedly expose one's network to every kind of malware known to man.

It is not fundamentally flawed, it just isn't a general purpose computer. It's a thin client to your cloud services. The "local" is not a primary compute environment, but just a cache. Once you think about it this way, Chromebooks are absolutely amazing little physical manifestations of a remotely managed browser. As they are intended to be.
> This might just be a good lesson that you want to maintain device / role boundaries.

This is the teachable moment here. Better for the poster and their child to learn it now rather than in the workplace.

It doesnt make it right, but the 90's and 00's with work browsing and email full of porn, dickpics and assorted filth were not right either.

(comment deleted)
wipe the chromebook and return it and get him a normal laptop and put linux on it
Is your son's Google account a school account rather than a personal one?