Archives

All posts for the month September, 2021

There are many websites out there that will gladly take the details of your wifi network and in exchange for receiving those details, will generate an QR code that you can use to allow others easy access to your guest network, or business wifi. I strongly recommend against use of such sites as you can’t be sure they aren’t mining the data to build a repository of such information, and for what other purposes.

Instead, I used a freely available tool in Linux known as qrencode. Fortunately, qrencode is a simple program that you run locally on your linux machine (hell you could even roll up a linux VM to do this if you don’t have a machine with linux on it).

Installing qrencode in debian or ubuntu is as easy as:
sudo apt install qrencode

Once you have it installed, the format for generating the QR code is pretty straightforward:
qrencode -l H -t PNG -o qrwifi.png "WIFI:S:{SSID name of your network};T:{security type - WPA or WEP};P:{the network password};;"

So say your wifi name is “FBI VAN” with a password of “b0nehead” and has WPA encryption, your command to generate the QR would look like this:
qrencode -l H -t PNG -o qrwifi.png "WIFI:S:FBI VAN;T:WPA;P:b0nehead;;"

You would then see this QR code generated: (go ahead, scan it here!)

Once done, you have a nice QR code you can print and display for your guests. This makes it easy to get them connected, and they don’t have to worry about bothering anyone for the wifi password anymore. It’s a win on both sides.

ABSTRACT

So we recently moved to Northbridge (July 2020) and we were excited that (at the time) the NPS school district was not a GoGuardian customer.  Our family fought with our last school district in North Attleboro to stop deploying GoGuardian to our equipment at home for the reasons I documented back then.  The concept is simple:

  • MY house
  • MY home network
  • MY privately paid for internet
  • MY computers
  • MY electricity that was/is being paid for to run such an invasive application extension software

As a student/family privacy advocate, I do believe the school should monitor it’s own equipment and only on school grounds.  When it comes to family owned equipment used at home or anywhere off school campus, it should be HANDS OFF!  Students (and families) deserve a reasonable expectation of privacy in their own homes and on their own computers.

You should know that today (at the time of this writing) I telephoned the product team at GoGuardian, and asked them about their data collection and retention policies.  They refused to give me any information citing that I wasn’t their customer and that they have a policy against disclosing this information to parents.   Tax dollars funded the acquisition and installation of this software in our schools, I think full disclosure is totally appropriate.

LATEST FINDINGS/HOW TO TELL IF YOUR SCHOOL IS WATCHING

So at home, it’s YOUR computer, and your child is logged in to process homework, or email a teacher.  How do you know your school is watching and recording all their browsing history?  Here’s how:

Ensure they are logged into their school account on chrome.  Once logged in, type this in the address bar:

chrome://extensions

You will see something like this showing GoGuardian is installed: (click for larger view)

Here you can see GoGuardian is installed and running on the browser.  Did you ever give your school system permission to install a monitoring agent on YOUR equipment?  No?  then you need to complain to the highest levels of administration up to and including your school committee.  They are hoping this goes unnoticed, but I bet if they held a public forum on it and went out asking for consent, that most people would decline when they fully understand what GoGuardian really does.  I’ll also note that it isn’t possible to remove this extension – the ability to remove it is managed by the school district’s Google Apps domain policy.

You can see here the permissions given to the GoGuardian browser extension – it’s disturbing:  (note: it is  also  not  possible  to  turn  off  the  extension.   It  is  forced  on.)

Here’s a snapshot of the DNS queries I saw in our logs just after doing a test search for illicit materials on our machine: (click for larger image)

That right there friends, is GoGuardian “phoning home” on what I just did.  (in this case web browsing history and searching) was sent to GoGuardian, and whatever I did is now visible to school officials.  There are real ramifications to this kind of wholesale tracking (which I will not go into here) but simply put, you should contact your school system and demand removal of this invasive browser extension from running in your home.  Here’s a brief use case/reasons why:

  • when the equipment and network the application/extension is running on does not belong to NPS
  • students need to have a perceived sense of privacy within their own home and on family owned equipment.
  • on shared family owned equipment, the data collection could violate the privacy of any person who uses that equipment and unknowingly is operating within a chrome browser logged into that account.  People seldom check to see who chrome is logged in as – they just open a window and go online.
  • This also has the potential to implicate the “tracked” student in other people’s internet activity unfairly, on privately owned (but possibly shared) equipment.

Also the EFF (Electronic Frontier Foundation) has released an extensive study into the privacy matters and even legality of off-campus school surveillance.

SIGN THE PETITION TO REMOVE GOGUARDIAN FROM SCHOOLS

You can sign the petition here (I did): https://www.change.org/p/goguardian-ban-goguardian-in-schools-across-the-globe

HOW CAN MY SCHOOL MAKE THIS RIGHT?

Simple.  All the technology department needs to do is work with GoGuardian to prevent it’s extension from being deployed on non-school owned assets:

  • Work with GoGuardian to come up with a way to better control extension deployment by confining it to the following:
  • Define a Google Apps OU just for school-owned assets
  • Put all school-owned assets in that OU
  • Push GoGuardian deployment policies to ONLY that OU containing school owned assets.

UPDATE 9/24

I spoke with Director Tiago Vital and Superintendent McKinstry today about the privacy concerns with the GoGuardian extension running on privately owned equipment.  Here are the key points:

  • Superintendent McKinstry agrees that this extension running on “private property” is a bit concerning, wants to find a solution to exclude private computing equipment where possible.
  • Director Vital has actually looked into fixating GoGuardian to specific OUs within the NPS GApps domain, but mentioned it doesn’t appear that GoGuardian currently honors this in it’s current version.
  • Both Director Vital and Superintendent McKinstry agreed that a joint conference to discuss directly with GoGuardian, ways of excluding private equipment from the product deployment scope is desired and have invited me to join the call to present the concern from a parent’s point of view.
  • Time and date of such call is yet to be determined.

I will provide additional updates as they become available.

UPDATE 9/27

I got an email back from Director Vital which makes it clear GoGuardian does not wish to hear from/or involve in discussion, parents.  Here’s what the email said (and my response) click for larger view:

It should be noted that the claim of the extensions on non-chromebook devices are inaccurate.  Our family computer is a Linux (Ubuntu 20.04) machine running Chrome browser.  You can see from the screenshots above from that computer, that the extension was present and alive.  A test search for porn, bomb making, etc caused several DNS queries for goguardian servers to immediately show, indicating that the computer was talking to and sending data to GoGuardian.  This computer is private property, and we don’t consent to the residency of this executable extension (and code) belonging to GoGuardian, running on our private property (computer) in our home.

Since I learned that GoGuardian will not talk to parents – I went to my local police department (Northbridge Police) and filed a police report. (I’ll copy any developments herein as they happen)  I intend to fully pursue the legality of a school system and/or company placing executable monitoring agents in people’s homes on privately owned equipment.  I need parents to join this effort to preserve the expectation of privacy in our homes.  I also believe there are serious 4th & 5th amendment (unlawful search & right to not self-incriminate) civil rights violations at work here.

UPDATE 9/30

I’ve kept an eye on our machine over the last couple days and there has no longer been any GoGuardian traffic.  The extensions also appear to be missing from Chrome now.  I suspect that the school has removed this extension somehow from being deployed to our equipment when the kids log on – THANK YOU!   I do ask that parents use this guide to check and verify if the GoGuardian extensions have disappeared from their chrome browsers also.  Please follow the steps above and please feel free to comment below.   NOTE: I believe this removal is only for PRIVATE at home equipment.  If your child is using school issued equipment at home or on campus, I believe you will still see this extension in use.   Please remember that the focus of this cause, is ONLY for removal of the goguardian extension from PRIVATE equipment used OFF CAMPUS.

UPDATE 10/27

During another security audit of my network, I have discovered that again, GoGuardian has been reinstated on our family computer. I also see constant traffic in our DNS logs (times shown are in UTC):

I went to Northbridge Police Department to enter a second complaint against NPS for this unauthorized software running and monitoring activity on our family PC. I have also formally demanded the following information from Superintendent McKinstry:

Superintendent McKinstry,
I have returned from the Northbridge Police Department after bringing evidence of this repeat complaint and have spoken with Officer O’Malley this evening.I am formally demanding a copy of all data that GoGuardian has collected on both Jianna and Sophia Rogers.   I also want a copy of any policies on data retention:

  • where this data resides (both within NPS and within GoGuardian)
  • who has access to it
  • what data was collected and where
  • lifetime of data retention – when and where is it destroyed and how
  • a written scope of all GoGuardian functionality the district is subscribed to from GoGuardian
  • a list of any 3rd parties this data is shared with

Please provide these materials pursuant to my demand no later than 30 days.  If you require a court order to provide this, please immediately say so, and I will immediately have my attorney seek one.

UPDATE 10/28

Now that GoGuardian was quietly put back on our family computer when the kids are signed in, I decided to do some additional forensics on the machine to determine:

  • Is the executable extension permanently resident on the computer’s hard drive regardless of whether my kids are logged in?
  • Can I delete the extension or does it come back the next time they login?

Here’s what I found:

  • Whether or not the kid is logged in, GoGuardian’s chrome extension IS resident on my computer’s hard drive. In other words, if they aren’t logged in, it may not be running, but it IS resident on the drive and occupying about 12MB worth of space. I did not consent to this and the machine is my property, and it is NOT welcome on my machine or in my home!
  • I was able to delete the directory containing the extension (the directory is named after the extension ID – you can get this ID by going to chrome://extensions then click on the GoGuardian extension and the ID is visible in the address bar of the browser. I deleted the directory and it was removed. The next time my kid signed into school, the extension was re-deployed to my computer!

See the screenshot showing the contents of the directory (click for larger image):

There is NO WAY to permanently remove this software unless the school administration removes it – such removal is governed by their GSuite deployment policy, which they control. This is what causes the GoGuardian software to deploy to private computers in private residences. Such deployment to, and active wholesale monitoring of private property should be illegal and stopped.

I believe this is why GoGuardian wishes not to speak about data collection, retention, and destruction with parents because they are likely aware they are riding the very sharp edge of the law here with regard to their software ending up on private computing assets. THIS IS WHAT I’M FIGHTING FOR – privacy and private property rights! I’m OK if the software runs on school owned equipment within the school campus, but in my private residence, that’s NOT ACCEPTABLE!