Welcome to The Privacy Dad's Blog!

Jesper Graugaard's Fight Against Chromebooks in Danish Schools (1/2)

I learned about Danish parent activist Jesper Graugaard in April of 2023, when I was doing research for my article "Should I Raise Privacy Concerns with the School?" We initially got in touch via Twitter, but as Jesper started all his messages with the awkward-but-comical 'Dear Dad', we thought it best to introduce ourselves properly and continue the conversation on a different platform.

Jesper's challenge to the use of Google Chromebooks in his child's school in 2019 led to a ban of Chromebooks in schools in the Elsinore Municipality and started a nation-wide discussion about data-collecting platforms in schools. Much of the reporting on his activism is in Danish, but there are a few articles in English that helped me gain a better understanding of the issue; a 2022 Wired article was particularly helpful.

I discovered Jesper and I have a lot in common. We are interested in music (Jesper managed a music label), we are both fathers without IT backgrounds interested in digital privacy for our children, we are both fans of feature phones, and we both see skepticism as healthy.

One of the most rewarding aspects of writing this blog has been getting to know individuals with similar interests and concerns. It has been a privilege to get to know Jesper better, and I am happy he agreed to this interview.

You can find Jesper on LinkedIn here.

Note: There have been a lot of developments with Jesper's case against Google Chromebooks recently, so there is a lot to cover. I've decided for that reason to publish this interview in two parts.

Interview (Part 1)

The Wired article calls you "an unlikely parent activist." What are your thoughts on that description?

It might be true. It is still unusual to see a parent with hardly any tech or law knowledge come this far with a case about violation of privacy on children's data. It requires a lot of stamina...I have that.

Were you interested in digital privacy before the Chromebook issue? If not, can you explain how this incident started your interest in privacy?

Growing out of the 90s culture of trust in tech and the dream that tech would change everything for the better, I am the generation who gave everything to Big Tech in the early 2000s.

I grew up with Google being the punk kid in tech. We shared private links among friends and invited each other to get a Gmail account and thereby leave the dominance of Microsoft. We were free. Later, Facebook came around, and even though I was one of the last among my friends to jump on the Facebook ride, I did not worry that much about privacy and data harvesting. When I realised what was going on with my privacy, it was already too late. So then I thought: it's all about teaching my children a better way to understand how algorithms and data work, and what privacy means in the age of the digital world.

I never imagined that privacy would be a problem in schools until the Chromebook came into my home. I honestly thought the school administration had everything in place and would ensure a digital safe space in school for my children, with protected data and privacy.

The day my kids came home with their first Chromebook, they were proud. I was even positive, as I expected they were about to learn coding, and tech history and culture. I put aside the knowledge that the Chromebook was a Google product, a company that makes most of its revenue by harvesting data and selling it.

But my hopes soon turned into disappointment and it became a digital nightmare. They were not learning anything. They were using the Chromebook as a substitute for books, pen and paper. And Google were doing what they do best: getting the data. First, I laughed ironically; getting data from a person age six is a best case scenario for a company like Google. And to achieve this nation-wide is better than ever imagined. They actually got it for free, and we even paid them for collecting data.

When the school implemented YouTube profiles for the students, giving away my child's full name, age, school name and class, that was the tipping point for me. I had not given consent to share everything about my child in public school.

It was then I really understood the importance of protecting my children's digital copy - the digital twin - and their data in the same way that I protect and care for my children in other aspects of their life and education. As long as they are not of legal age, it is my duty as a parent to do that. But in this situation, I couldn't. Or at least, it felt very difficult to achieve this within the public school framework in Denmark. As a parent you are not informed about what data is being collected and shared. In some schools there are more than 400 apps in use. Who can keep track of any of these?

At the end of the day the problem is simple. If you haven't done your duty of protecting your children, then you might as well hand over their identity when they become adults. I could hand over a digital copy of them. A copy owned by a company; a copy they have no legal rights to and cannot get back. Take a deep breath and think about that!

The Wired article states you made "an official complaint to Denmark's data protection regulator" in 2019. Is the data protection regulator the same as the Danish Data Protection Authority? How did you reach out to them, and what is their role?

Yes, Denmark's data protection regulator is the Danish Data Protection Authority (DPA). The Danish Data Protection Authority is the central, independent authority that supervises that the rules on data protection are complied with.

I did not know much about them or their role before this case. I found out about them as I called friends within the tech industry and explained my problem. I approached the DPA, explained my issue to them, and they explained how to file the case, and what documentation was needed in order to start the case.

Their role is then to investigate the documentation and the solution to create closure on the case for now. Their decisions will set the standard for what Google and the municipalities shall do in order to make Chromebooks GDPR compliant.

If I do not agree on the final decision, which will hopefully be made this autumn, I will have to re-think my case and go to the EU.

Your complaint led to a ban on Chromebooks in schools in the Elsinore Municipality in 2021. Is this ban still in place? Has the ban expanded to other areas?

The ban was disabled after 3 months or so, because there was no Plan B for continuing education in public schools. Without Chromebooks, no school. The ban did not expand to other areas or municipalities.

The ban can be reinstated if the DPA decides to do so. But if that happens, I expect that the ban will be final, and Google is out and schools will have to come up with a plan B.

But there is no development of such plan B right now. Everybody is just sitting quietly waiting. That surprises me. Especially considering the current cases in the USA. From the Whitehead & Farewell case, where Google illegally collected biometric data on millions of schoolchildren without consent, to the big monopoly cases in Germany and the USA. I mean, if Google was a person, would you let that person into your children's classroom and teach?

Note from The Privacy Dad: please see links at the bottom of the article for further details on these cases

What is the situation today?

We are waiting for the final closure of the case from the DPA. It was expected to come at the end of June, then in August and now in October. Not sure how long it will take, but it could be any day now. I am very excited.

We have at least 53 municipalities using Chromebooks in public schools who are waiting to know whether it's legal to continue doing so or not. Then we have the rest of the 50 municipalities that are using Microsoft. They are holding their breaths alongside Microsoft.

On the 4th October, the Danish tech media site Version 2 published an article with access to documents that reveal that these Chromebook municipalities are tied to illegal transfers of school children's personal data to countries such as Mexico, Colombia and India. This is shown in the latest memo from the National Association of Municipalities to the Danish Data Protection Authority, which has announced a decision will be made very soon. It also documents that:

“Before the children's information - such as names, email addresses, direct communication, school assignments and much more - ends up in countries outside the EU, it is sent to Ireland, where Google, like other tech giants, has its European headquarters. Google's American department can also be sent the information, but after the recent data agreement between the EU and the US, it is no longer illegal to send personal data across the Atlantic.” link

What are your main frustrations with the case?

I am deeply frustrated about several issues. How long do we have to wait? It has taken more than four years now! How can the use of Chromebooks in schools continue if we do not know if it's legal? If your car is not legal, you are not allowed to drive it. But here we have a technology which is used by children, who are supposed to be especially protected by the GDPR law, and yet we do not know if it's legal.

How can it be that schools are still using Chromebooks while their use is being investigated for security & privacy issues? Public schools are using Chromebooks because there is no plan B. Today the Danish public school system is deeply dependent on two Big Tech companies, and there seems to be no way out.

And while we are waiting, so-called 'specialists', whom I call sales persons, are touring public schools to make them ready for AI. And this without making sure that children or their teachers have learned even a basic technical understanding of privacy, and how this technology is designed, built and used.

Why is it so? Who has decided that education will be better just because it's done via a digital device, an app and by tapping on a screen? Why this Fear of Missing Out? This is not the development of tech skills; it is passive use of technology.

Make no mistake: I am not afraid of tech in schools. I just want to secure my children's rights to privacy, and I want schools to have relevant technology training and a safer digital culture. The current digital strategies that schools are following are more than 10 years old and were designed in an era where digital safety and awareness were far from where we are today.

The mistakes and lack of understanding of digital safety were brought to light with the Chromebook case in 2019, just one year after GDPR law was introduced. In 2022 the civil servants of Elsinore made excuses about their lack of following the law, stating GDPR was so new.

Today, we are still not understanding the seriousness of protecting personal data, and I have weekly talks with parents who tell me about incidents in their schools, where basic mistakes are happening which put children's personal data and digital safety at risk. Photos are shared on social media, and passwords and logins for Chromebooks placed with stickers on the device or displayed on the wall in the classrooms.

Recently, we had a major hack on five educational institutions in Southern Denmark, because one laptop with infectious ransomware was connected to the school network, thereby giving hackers access to more than 10.000 students' private data, that now are being published on the dark web. This hacker attack led to schools having to contact 40.000 people potentially affected by the attack.

On the 11th of October, the Danish government presented a new plan for the public school sector to try to make schools and education better and more relevant. However, they did this without mentioning safety just once and without introducing specified subjects for technology. Put this in context to that Denmark proudly claims to be the best digitalized society in the world.

What would be the best outcome for you? Have there been positive outcomes for your case already?

For me the best outcome of the case would be that Chromebooks and Microsoft are left out of the classroom, at least until the children are around ages of 10 to 12. To date, I haven't seen any sound educational arguments for using Chromebooks earlier than that.

Another positive outcome would be if Scandinavian countries got together to design their own custom educational platforms and hardware as an alternative to Google's and Microsoft's solutions. One of the main arguments for a combined Scandinavian strategy is our shared values and culture. Scandinavian countries share similar priorities, which are different to USA culture and ideas.

But this case is only focused on public schools. What about the private school sector? In Denmark, private schools don't work within a local authorities framework. In some of these schools, it is the parents who supply the digital device, which makes them the legal data controller instead of the school or local municipality. It is the responsibility of the data controller to make sure the device is GDPR compliant, but can we expect the parents really understand GDPR and can have that responsibility on their shoulders? Also, if private schools have their own device policies, they have to ensure that both risk and consequence analyses are in place.

To the question about positive outcomes: when I started the case back in 2019, the debate about data, privacy and screens was a very closed one, held among scientists, tech people, educators within their own communities, and tech media. The discussion was far-removed from the lives of everyday people, which seems odd, considering Denmark is one of the most digitalized countries on the planet.

The Chromebook case has pushed the debate of digitalization significantly into mainstream, and there is a growing awareness of the detrimental consequences of hardcore digitalization of modern society.

The Chromebook case has become a PhD fellowship programme at Aarhus University. Students across universities and schools are now doing Bachelor theses on the case. The Chromebook case is becoming part of the education, part of the history of tech.

I have spoken to Data Protection Officers across the country, and they confirm that my case has pushed Google to change, so I am sure that both Larry Page and Sergey Brin (Founders of Google) are familiar with my name. Politicians in the US Congress are also familiar with my case.

The Chromebook case in Elsinore has become part of the global knowledge base in the debate of education and children's digital rights, from Denmark to India, from Elsinore to Washington.

Conclusion to part 1

This concludes the first half of the interview. I hope you have enjoyed reading about Jesper's ideas and activism as much as I have. This has the potential to be such an important case for student privacy and learning world-wide.

Next week, we'll publish the second half of the interview, which covers Jesper's current activism, his personal experiences of becoming an activist, alternatives to the use of Chromebooks in schools, and finally, Jesper's tips for parents.

If any new developments arise in the meantime, we'll certainly include those as well!

Documentation

Related cases

Example of discussion of the Google monopoly case

THE CASE WHITEHEAD & FAREWELL VS. GOOGLE.

Link 1

Link 2

Link 3

Information about Jesper and the Chromebook case in Denmark

Jesper Graugaard on LinkedIn

2022 Wired article

EDPB article

Laptop Magazine article

Version 2 articles on Chromebooks (in Danish)

