Google Apps for Education users beware: Your online activity could be anything but private. In fact, depending on your university’s policy, you could have essentially given your institution the right to store, observe, and use your personal information.

Before we dig into just what is going down, doesn’t this fall under the ‘caveat emptor’ line of defense? Students should have known better? I don’t think so. If I was just starting school, and my university told me that either I agree to a terrible TOS, or I didn’t get a .edu email address (which carries big extracurricular benefits), I might have had no recourse but to swallow it.

And secondly, if a university has a comically bad privacy policy in place, how is that the fault of the student? This stuff matters, and it matters now, as Google Apps for Education is growing in popularity, and therefore daily use.

Here’s what’s going on: If you sign up for a Google Apps account, how the information that is collected by that account is used is completely at the whim of your provider. Period. From Google’s page, explaining its policy:

Google Apps administrators for a domain can access all end-user accounts and the associated data, per the Google Apps privacy policy.

As a domain administrator, you have control of all user names and passwords within your domain. You may access your users’ accounts in conformity with the Customer Agreement. We do require that you have a policy about such actions that is published to your end-users.

Now, that would be well and good, but I doubt that people just out of high school really understand what is at stake here. And what is? Assuming, just for the sake of the moment, that you never had a Google account, and were assigned one on your first day of school. Good. Now, you discover that you can link it to YouTube, and Google+, and that it even tracks your searches! What fun. Only, it seems that that information is utterly at the disposal of whomever gave you that account.

Now sure, they have to say, ‘we may use this data,’ but I doubt the language would be so simple. Therefore, the school is set to collect, for every student, at least information about their school email, and potentially more. That’s huge.

Let’s take a case, to make the point. From Google’s sample letter, that it encourages Apps customers to send to their users, to get them onto Google+, comes this little charming bit of prose:

Some important reminders

  • Because you’re signing up for Google+ with your [institution] email address, your Google Apps administrator retains the right to access your Google+ data and modify or delete it at any time. [edit based on your institution's policies]

Access and modify or delete your data at any time. Zing! I might have missed a day in ‘protect the end-user school,’ but this seems to be a bit much.

Those of you who are more stern-faced might think that this is no big deal at all; a university should have access to student data, as it is the data of its students. Very well, but that is a narrow view of this issue. Students graduate, and they often keep (are allowed to keep) their student email address. It might even work forever, given a minimal usage requirement.

And if their services are still tied to that account, on goes the accumulation of data that the university can access. This could go on for years, and years.

Another note: do the innocent have anything to fear, if they are indeed innocent? It’s a bullshit question, as we all know, we all deserve privacy unless we expressly give it up. But there is another element here that is worth hitting on: what happens when the university isn’t perfectly happy with a student, and has access to all their data?

Let’s say a student a school of a certain persuasion, writes a blistering article against the mores of the institution. Well, the school could then dredge up that kid’s porn habits, and use that to slander and discredit them. There is a bill in Congress right now that works to ban certain parties from requiring subordinates, or potential lessers give us passwords to social networks and the like. In this case, that’s not even a question; the access has been given.

Tempest in a tea-pot, as this information is public? Perhaps. But students need to know what their schools may, and may not know about them. Your mileage may vary.

If this is a problem in a university setting, imagine what the implications are for businesses, which also use Google Apps in the workplace.

Drew Olanoff contributed to this post.