Tell HN: My kid's school installed spyware and I can't remove it
I bought him a Chromebook for schoolwork, but also for other private things. When we logged in, the system installed GoGuardian monitoring software on the Chromebook without notice or permission.
And now I can't remove it. I wrote to GoGuardian support, and they replied that I had to contact the school or remove my son as a user. The instructions for removing him as a user do not work; on the contrary, I see the message "cps.edu manages this user and may remotely manage settings and monitor user activity" and he can't be removed.
I did a full factory reset, signed in to his account again, and now the system is once again locked down.
So now I'm in the position where I have to ask permission from a local government entity to please let me install stuff and don't monitor the computer I bought and paid for.
Does anyone know how to refer these people to law enforcement for prosecution?
441 comments
[ 22.4 ms ] story [ 7405 ms ] threadYou also might get somewhere talking to the press. Be careful on this route, though, because it might get you sued by the school district...
Can you give more details? Logged in to what? I don't know how Chromebooks work, but I take your description to mean logged into a webpage, which allowed it to install arbitrary software on your computer - this sounds like a vulnerability in Chromebooks.
Edit: On rereading the post, I suppose you mean logged in to Google Classroom.
Oh, if only. They mean logged into ChromeOS with a Google account.
There is an option to log in as a Guest, but the machine is so unbelievably gimped in Guest mode I can't imagine anyone actually using it like that permanently.
My mother in law was using her Chromebook in guest mode for a while [1], and the only things that didn't work were saving passwords (including wifi passwords, but her home wifi is open). But she only use Chrome OS to use Chrome. I'd guess the play store doesn't work in guest mode, and wifi passwords might get annoying, but what else is missing?
[1] trouble with passwords, with a side of chrome os owner account was @ymail.com, but also an alias for @gmail.com and chrome os/google changed at some point so that logging in with either would login as the @gmail that wasn't the device owner... but fixing that didn't fix the underlying problem that someone likes to change her password rather than find her password book, and then her password book is out of date.
They suggested signing in with a different account, but when I do that, I get the error message "This account is not allowed to sign in within this network."
* Feel free to use it in a third party browser such as Firefox or Brave, as another commenter suggested. Just don't use it for an OS login.
If you're powerwashing and it's automatically pulling cps.edu managed policies as soon as it gets online then the school district IT needs to release your device, and then powerwash it and setup again without the cps.edu policies.
Be aware if you want your child to do any official testing or use their student accounts on your personal device the district may require this arrangement.
If you're power washing and as soon as it connects online it gets cps.edu remote policies you're gonna need district IT to release the serial from management.
Ultimately spyware has to be unremovable to do its job so you're not going to get anywhere by contacting anyone. You have to decide to use the account or not.
If so, could it be possible to somehow flip the write protect bit "by hand"?
e.g. https://joshuawoehlke.com/wp-content/uploads/2018/07/dell-31...
So run another chromeos in a VM and just shut it down to switch to personal
When you login to the chromebook, you can log in with any Google credentials. The credentials the school gave your son are managed by them. If you log into that account, it configured the user session per the management of the account, so this will start a “managed” session for that managed user.
If you use a personal Google account, none of that should happen. It’s not a managed account, it’s a normal one, and there shouldnt be any additional provisioning.
You should be able to switch between them and use both independently.
However, if you are saying that is what you are doing, and the spyware isn’t respecting the config between users, then that is definitely a problem.
When I got my cell phone the default keyboard was sending everything I typed to a 3rd party whose privacy policy stated they were collecting data for everything from market research to trying to understand my intelligence/cognitive abilities. I replaced the default keyboard. I can't imagine the wealth of data Google could be collecting form children, their test scores and their associations with other children. They may claim not to collect and store data on your kids, but there are no regulations and nobody is checking. Only a whistleblower could tell you what Google is actually doing. I haven't seen much reason to trust them.
This is...funny, given that apparently the OP's child's school is using Google Classroom - which means Google is the provider and the system for storing/giving/recording/managing test scores, so of course they store test scores since they are paid to provide that. Likewise, on Google Classroom, kids can interact with each other and of course Google stores those.
I haven't been a student for a while, but the closest analogous technology they had when I was in high school was my graphing calculator for math classes. The school district mandated individual students each obtain a specific graphing calculator, which was a fully programmable computing environment (the TI-83). But the teachers/administration could and would wield a lot of power over those devices (which the the families owned in the legal sense) - looking through it, requiring students to wipe its storage with no warning, etc. Requiring families to buy a Chromebook and still use a school-managed account with invasive management on it feels largely analogous.
Buying a separate personal laptop is the correct workaround, but unfortunately I don't think the "the school should supply the schoolwork computer" line of reasoning holds up. The hardware/software has become more powerful in the graduation from TI-83 to Chromebook but the principles are the same.
The Department of Education mandates such accommodations.
https://ag.state.il.us/consumers/smlclaims.html
Get the cost of the Chromebook, some money for your time, and then donate the Chromebook to the school since its deadweight at this point.
My guess is that no one from Dept. of ed will show up and you'll get a summary judgment.
I know it doesn't help the op's kids who needs the CB for school, but there is nothing being done that a factory reset can't fix.
From the gist of comments of people more familiar with chromebooks than me, it actually looks like the factory reset does completely wipe the machine (as you'd expect from "factory reset") and there's no software installed that survives this process (other than the default chromebook stuff)
If he power washes it, I believe it's still locked down to the school, I could be wrong thought.
Even in college, we had a freshman year computer requirement where we had to have a Tablet PC. Freshman engineering classes all used a Windows-only handwriting application for class participation. The Tablet PCs they sold at the time were expensive and crappy. Luckily the application worked in Wine somehow and you could get by using a cheap Wacom tablet so that's what I did. I sold the Wacom to another freshman so they could do the same. Eventually I bought a used Thinkpad tablet PC because I actually liked handwriting my notes and homework but I hated the fact I was almost forced to.
'trusted' computing is tyranniclal, petty managers and school boards exploiting it is its intended use case
https://docs.google.com/document/d/1r7xOL4U9lL0qyqMIVl4eH2EM...
https://support.google.com/chromebook/answer/1059242?hl=en&r...
For school work, login to the CPS-managed account. Otherwise login to the personal account.
https://news.ycombinator.com/item?id=30912995
I read this to mean that the software uninstalled after a factory reset, but signing back into the managed account re-installed it. I'm taking OP with a grain of salt here, but I think it's likely that OP doesn't understand their son's brand new Chromebook and that there's a technical solution that doesn't involve suing anyone.
Honestly, I'm disappointed in the HN that they're taking OP at their word and giving legal advice.
Then tell the school district that they have to pay for computers that they control.
> Does anyone know how to refer these people to law enforcement for prosecution?
You call the police. However, don't expect them to do anything and you won't be disappointed when they don't.
You can then call the city/county DA and get the same treatment. The state's attorney will do the same thing.
you can also try contacting Google, who will bend over backwards to make sure not to do anything for you.
100% on board with this. I would refuse to pay for a machine that is going to spy on my kid.
I'd probably buy a chrome book, install Linux and then they can access the google suite via a browser.
https://support.google.com/chromebook/thread/117916330/how-t...
> Even if the Chromebook is your private device and your owner account is your private @gmail.com account, once you sign in with a managed account, even using a separate profile, the managed account polices become active.
> This is NOT a bug. It's required to maintain security of the managed environment. Whenever the managed account is active, ChromeOS management and the policies set by your administrators pwn the entire machine.
> Google promises bulletproof security to customers who license Chrome OS management, and having any instance of an active non-managed account available when a managed account and its resources are active is a potential security hole.
not a chrome-os user -- I imagine you can access the G acct via a browser without signing in the whole OS? if 'signing into gmail signs in the OS', maybe can do it via crostini linux
re law: illinois is the state that has the biometric privacy law iirc? you may be able to do a civil suit via that, if the device is sharing face images and you really didn't consent and you can prove it and the law was written with your situation and mind and CPS hasn't indemnified big G. my guess is you'd have to pay a few $k to a lawyer to evaluate the case and then many more $k on the suit, plus you probably have a TOS problem.
> So you can boot into your personal account and do your personal business and then reboot into your business acount and do your business' business, but never the twain shall meet.
Are there different ways how you can add multiple accounts to a Chromebook and the OP just used the wrong one?
You have a few options on how you log into ChromeOS. Once you boot the device, you can choose which account to sign in as. If it's your corp account, you get whatever corp policies get applied to you (like no play store, no linux, etc). If you log into your personal account, you don't get those restrictions (there's a note to be made here for stuff like enrolled devices which I don't think applies to OP and I'm not too familiar with anyway).
However, once you are already logged into an account on the device, you can also choose to "sign in with another account". This makes you run two accounts at the same time, you can swap between them without using passwords, etc (it's like switching a virtual desktop/workspace). You can even transfer windows from one account to the other so you can simply alt+tab between them as you would on a single account (for example I am typing this at work on my personal account in a window running inside my corp account). In this situation, whichever account logged in first is the account that "owns" the session and has policies applied. If you log into your corp account with play store disabled, and then log into your personal account as a secondary account, you can't use the play store on it. If you log out everything and re-log with your personal account, you will still be able to use the play store there.
Still, if account policies "leak" into unmanaged accounts when both accounts are active at the same time, this sounds like a potential vulnerability: E.g., if the managed account has a policy that sets proxy settings or force-installs a particular browser extension, would those policies also be applied to the unmanaged account?
That's my understanding, yes. You can't "infect" an unmanaged account from a managed one, as far as I know at least.
> E.g., if the managed account has a policy that sets proxy settings or force-installs a particular browser extension, would those policies also be applied to the unmanaged account?
I'm not 100% sure if those policies would apply, I admit I'm not familiar with the account enrolment details of ChromeOS since I work at a much lower level. However, from what I know, whenever you go to sign-in to a secondary account in the same session as your primary one, there's a big warning telling you to be careful because you're basically "entrusting" your secondary account to the primary one and to not share an account session with another account you do not trust. This I always assumed was due to reasons like (for example) ending up literally sharing account2 window with account1 session, if you bring a program running in the account2 "domain" (filesystem, etc) into the account1 UI session, the account1 can take a screenshot of it (screenshot will be saved into account1 local files) and that can leak data obviously.
So if you log in to your personal account first, and then into the corporate account, the corporate policies are not applied to either account? There are probably a bunch of corporate types who will be very surprised to learn this…
I don't know about other policies.
I’m not super familiar with ChromeOS’s MDM stuff… but I wonder what would happen if someone were to log in to two separate managed accounts, for two separate organizations, with conflicting requirements?
Right now they're spending money to spy on students, so fighting that is worth it.
There was a PA school district back around 2009 that issued laptops to students preloaded with spyware that let school staff watch students through the webcam, while the students were at home and not doing schoolwork. Neither the students or parents were informed of this. IIRC the FBI got involved but nobody actually got in any real trouble, I'm not even sure they were fired.
I wish things weren't this way. You could maybe use Wireshark and black hole anything the spyware tries to connect to at the router, or maybe add the addresses to the hosts file on the machine itself (not sure if ChromeOS lets you do this).
It's the poster's Chromebook. They has revoked authorization for the school to deploy $software on their machine.
Next step is the public school supplying a spyware'd laptop and NOT imstalling spyware on said parent's chromebook, but also said private chromebook not being used for school stuff.
If you want the district to not install spyware... Well... Lets just say, the poster is probably pissing in the wind in my experience.
(at least as I understand it. if the MDM enrollment is actually tied to the device somehow, then they could reasonably demand it to be released if they planned to use it themselves)
[0] https://support.google.com/chromebook/thread/117916330/how-t...
[1] https://news.ycombinator.com/item?id=30912427
You've actually got it backwards. In an enterprise domain like this, allowing local management to take precedence over remote management and policies is a massive security hole for the domain as a whole not to mention required by regulatory bodies dictating information security for educational institutions. A locally managed node is effectively a rogue node on the network. There are use cases for it but they're specialized. OP most likely signed a consent form as part of the online learning stuff at some point and this is the consequence of not reading the things you sign. This whole thing is so massively overblown like no one here has worked anywhere with a BYOD policy and MDM.
If an organization wants to set policies that can’t be overridden, it should pay for the devices. (And even then, the user still has a right to privacy and a certain level of control).
If they set a MDM policy on a device I own, I’ll mail the organization the device and a bill for buying a new one that very same day.
Hundreds of years of established case law refutes this claim.
This is not that different. The moment you join the remote domain, you no longer have top privileges. You can still unjoin at any point but as soon as you join, you're placed under a different hierarchy.
The work to try to get the school to make the software removable is a laudable stand for citizens, parent, and student rights - but would come at some cost of time, money (more than buying a second chromebook anyway), and maybe strained relationships with school officials.
IANAL, either. Just because the student is a minor, I don't see how that gives the school the right to pwn a private laptop (were the laptop a school laptop, my opinion would be different here); at best, this would seem to be the parent's machine, or right to decide, at that point.
The OP's post isn't very clear on how the school managed to get into a private laptop in the first place; he mentions they "logged on", but onto what? And how does signing into something permit installs? (There's a comment below that hypothesizes this might be an MDM profile sort of situation, and that's … trickier. But doesn't even an MDM login have an uninstall of some sort? (Although, IDK, perhaps Chromebooks just can't do that, but that would seem to be an issue then with their software. But I've never tried, as I don't usually go for MDM stuff myself, as companies that do it typically want too much permission onto what is my personal device.))
If USA, this is false.
If I sign into my work Google account on my androids chrome it basically forces you to install spyware so our IT team can suck up my browser history.
It sounds like chrome os takes this approach and adds steroids.
A while ago my company eventually decided to enable security settings for Microsoft Outlook, Teams etc on all mobile devices (the wipe phone on demand option). All that happened was everyone without a company phone uninstalled Teams and used WhatsApp instead.
I'm not carrying two around.
If you want me to leave one at my desk that's fine but you won't reach me on it unless I'm there.
Same goes for work laptops and working from home.
The whole idea that you need to separate work from personal is based on the idea that if you use work laptop for personal work then they own it, that's an entirely made up constraint, one I won't accept.
In before bad analogies, there are plenty of industries that provide tradies with tool stipends, those are still owned by the tradesman but paid for by the employer do to their consumable nature. It allows tradies to buy more expensive tools if they prefer and encourages them to look after them better.
The important part here is that the computer is not usable with their software and that you have no way to remove said software despite being the owner of the computer.
A better move would be to get your child out of Chicago public schools altogether.
https://www.cps.edu/school-reopening/remote-learning/technol...
>A better move would be to get your child out of Chicago public schools altogether.
I went to a Chicago Public School and I resent that comment greatly.
I thought you couldn't do that on a Chromebook.
You can simply look up the phone number for any law enforcement agency you want and call them. None of them are likely to do anything, however; even if there was a crime involved, they have no obligation to pursue anything, and it's almost certainly not something that is on anyone 8nnlaw enforcement’s list of priorities.
What you probably want to do is contact a lawyer and see if you have any civil law remedies.
Even if they are things you will eventually pursue in small claims court, you absolutely can get advice from a lawyer on causes of action and what you need to do, but in general forcing a behavioral change—equitable remedies—are not available in small claims (which mostly just allows limited monetary recovery) and you'd need a lawsuit in a “full“ trial court to force that (or, of course, a settlement agreement.)
This sounds more like a Google issue for allowing this behavior in the first place.
Both what and who are good questions, which is why I say: “What you probably want to do is contact a lawyer and see if you have any civil law remedies.”
It's plausible that something in the combination of Google and school district practices violates some law of some applicable jurisdiction, but it's not obvious to me what law would be impacted.
Companies have had demand for these kind features and now they are there.
That’s by design though isn’t it? You logged in with a managed account and the policy was applied again?
The account is his school account right?
That’s pretty much how Chrome OS works.
This might just be a good lesson that you want to maintain device / role boundaries.
What is that?
I don’t think it is as much a mystery as implied.
In the end there’s no getting around that mixing device uses like this doesn’t work. It works less and less as the history of computers goes on.
Because, if yes, this absolutely does sound like a security hole:
1) Set up an organisation and add a managed account. Set up policies that install a backdoor on first login.
2) Get hold of victim's Chromebook.
3) Log into the Chromebook using the account from (1)
4) Chromebook will execute the policies and run the backdoor.
5) Use the backdoor to snoop victim's files.
You've successfully gained access to the victim's files without knowing their password. Profit!
This would work even if the victim is fully aware of the issue and never intended to mix managed and unmanaged accounts on their own.
The first user to sign in on a chromebook has limited special powers. I don't think they involve reading other people's data though.
Surely this is the entire value proposition of ChromeOS - you sign in to your account, and the laptop magically becomes yours? It seems like a serious hole if a single sign-in is able to compromise other accounts.
Students don't get to decide what software to install when it comes to logging in to school accounts. Generally the laptops are provided by the district, but it seems OP was trying to add another personal device to their system.
You can't participate in their system without the software. So I guess the alternative would be to block personal devices from logging in like this at all.
And that's the problem. Signing onto a remote account is a request to access a remote resource, and should not be interpreted as granted the remote actor control over local resources. That Chrome OS works this way implies that Chrome OS is fundamentally flawed.
Having said all that the default will be for most school accounts… all or nothing. Don’t allow them to manage it and you won’t get in.
Fundamentally, authority cannot be delegated authority that you yourself don't have. I can agree to a contract promising to do some particular work, because I have the authority to direct my actions. I cannot agree to a contract promising that you will do some particular work, because you haven't granted me that authority. I cannot grant to another what I do not have for myself.
With regards to user permissions, a non-administrator doesn't have permission to monitor another user's activity. Therefore, they cannot delegate permission to a third party to monitor another user's activity. That this is possible means that ChromeOS has a fundamentally flawed model of user permissions.
On ChromeOS, you can filter your own access to websites. You cannot filter other users' access to websites. But signing in to a remote management can filter other users' access to websites. This grants the remote management privileges that the user doesn't actually have.
This isn't to give them extra credit. GoGuardian is still spyware and you should be, at the very least, wary of it if you have a kid with that software running around. But this behavior is consistent with the design of ChromeOS and isn't shocking or special if you've been paying attention to what ChromeOS has been built for over the last couple years.
Not if they lock down that setting via GPO and let the default behavior of remote > local. There's a lot of settings that can't be undone in the GUI and take diving into the registry to undo when set by GPO but then they'll just get re-applied on GP refresh anyways. Talking about who can do what is immaterial to how domains and remote management actually work if they're not designed how you think they should be. The remote admin will always have more control than the local user in this situation, it's been that way for a very long time now and is unlikely to change.
As a normal user, on a Windows box, if you log into say a corporate Microsoft 365 account with your corporate credentials that device may get managed by the domain (pending any admin approvals needed on the management end) in some fashion because by default the local user/MS account user is a local admin and the services and processes that handle all of this run as SYSTEM thus the user has the authority to delegate that authority to remote management at-will.
Like, this is all basic stuff for BYOD and MDM policies if you've worked anywhere with a halfway competent IT staff. OP didn't read the fine print probably. Wouldn't be the first parent to not do so and freak out over nothing.
The parent owns the device and would have the local admin account. They aren't joining the device to a managed domain where something like GPO would be relevant (unless configured by the parent, naturally). The student would only have a non-admin local account, and would be incapable of granting device administration privileges to the school. The school could still manage their browser profile, of course—if the browser itself is actually signed in to the school account, which is something you can disable while still logging in to the account on the web—but they would have no access to or control over other user accounts or anything else requiring local admin privileges.
Most companies either choose not to implement any of this, or simply do not know they can implement this. Do not sign into your personal devices with your work account on anything but an isolated browser (modern Windows has a sandbox built in!) or you might discover the hard way what kind of possibilities remote AD allows for.
Windows does prompt you to accept that the account can manage your device, but so does ChromeOS. Denying MDM may cause the login to fail if they automatically rescind any tokens that don't get MDM access on your device.
It's called _attestation_ and Windows has been doing it for some time now with VPNs and domain credentials. Attestation actually makes it possible for BYOD to be done in a way that's not going to simply repeatedly expose one's network to every kind of malware known to man.
This is the teachable moment here. Better for the poster and their child to learn it now rather than in the workplace.
It doesnt make it right, but the 90's and 00's with work browsing and email full of porn, dickpics and assorted filth were not right either.