D

ChromeOS

Serious concerns
Google · 🇺🇸 United States
Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
App: com.google.chrome
Manufacturer: Google

⚠️ The bottom line

In 2015, Google signed the Student Privacy Pledge — a promise not to collect children's data for non-educational purposes. The same year, EFF caught Chrome Sync silently uploading every student's browsing history, passwords, and bookmarks to Google's servers. Google promised to fix it. In 2020, New Mexico sued over the same thing. In 2025, another federal lawsuit alleged the same thing. Three lawsuits in ten years. The pledge is a decade-old broken promise Google renews every time it gets caught.

Google tells schools it never uses student data for advertising. A 2025 federal lawsuit alleges Google builds a unique digital fingerprint of every student — what they browse, what apps they use, what they search — then uses those profiles to sell more Google products to schools. Seventy percent of American schools use Google Workspace. That's potentially 50 million children profiled to help Google sell more Google.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying: 3/4 HIGH (Is someone spying on me?) · Kids at risk
Data Sharing: 2/4 MODERATE (Who gets my data?) · Kids at risk
Security: 2/4 MODERATE (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?) · Kids at risk
REPLACE: Extreme risk. Look for alternatives or lock down hard.
Use Linux Mint instead
Zero telemetry, rejected Snap, community-funded
13 Contradictions: 4 Critical, 5 High, 4 Medium
12 Sources
Findings by concern
Spying 3/4 HIGH 2 findings
⚡ high · policy claims vs regulatory findings
Google says it doesn't collect biometric data from students without consent. A class action lawsuit says Google collected children's voiceprints and face scans through school-issued Chromebooks — without any parent ever being asked. Under Illinois BIPA, biometric data requires explicit consent. Under COPPA, children under 13 need parental permission. Google allegedly violated both, on devices schools told parents were safe.

What they claim: Google claims it does not collect biometric data from students without consent.

What we found: A class action lawsuit alleged Google collected voiceprints and facial templates from children using school-issued Chromebooks, in violation of Illinois BIPA and federal COPPA. Children using Google services on school devices had biometric identifiers collected without parental knowledge or consent.

⚡ high · policy claims vs network analysis
Google says student data stays in the classroom. The New Mexico AG found that when kids took Chromebooks home — as schools intended — Google followed them. Every search at the kitchen table, every YouTube video on the couch, every website on a Saturday morning. The surveillance didn't stop at the school door. Google tracked children 24/7, in their own homes, on devices their schools told them to use.

What they claim: Google claims student data stays within the education environment and is used only for educational purposes.

What we found: New Mexico AG documented that data collection "bled over" into children's home activities. When students took Chromebooks home, Google's surveillance extended from the classroom to the living room, tracking browsing, search, and YouTube activity 24/7 — evenings, weekends, and holidays.

Data Sharing 2/4 MODERATE 1 finding
⚠️ critical · policy claims vs third party research
Google tells schools it never uses student data for advertising. A 2025 federal lawsuit alleges Google builds a unique digital fingerprint of every student — what they browse, what apps they use, what they search — then uses those profiles to sell more Google products to schools. Seventy percent of American schools use Google Workspace. That's potentially 50 million children profiled to help Google sell more Google.

What they claim: Google Education privacy page: "We do not use personal information from users in primary and secondary schools to target ads." "Student personal data is never sold to third parties."

What we found: The 2025 Schwarz v. Google lawsuit alleges Google creates unique "fingerprints" of each student's online activity — recording internet activity, websites visited, and apps used — then uses these profiles to market additional Google products to schools. The lawsuit covers approximately 70% of US schools that use Google Workspace for Education.

Security 2/4 MODERATE 2 findings
⚫ medium · marketing claims vs firmware analysis
Google calls ChromeOS "secure by design." After the expiration date, it's insecure by design — zero security patches, ever. A 2019 Chromebook stopped getting updates before a 2012 MacBook. Google extended support to 10 years, but only for new devices. Millions of older Chromebooks are permanently unpatched. "Secure by design" has an expiration date Google chose.

What they claim: Google markets ChromeOS as "secure by design" and "privacy-first."

What we found: After the Auto Update Expiration date, Chromebooks receive zero security patches. Unlike Windows or macOS laptops which receive updates for 10+ years, pre-2021 Chromebooks get as few as 6 years of support. Google extended to 10 years only for devices from 2021 onward — leaving millions of older devices permanently vulnerable.

⚫ medium · marketing claims vs third party research
Google says Chromebooks save schools money. Schools have to replace entire fleets every 4-6 years because Google stops patching them. Extending their life would save $1.8 billion in taxpayer money. Instead, two-thirds of dead Chromebooks go to landfill — 31 million pandemic devices becoming 9 million tons of CO2. Google saves schools money the way razor companies sell cheap handles: the replacements are where the profit is.

What they claim: Google claims Chromebooks reduce costs for schools and are an economical choice for education.

What we found: The forced obsolescence cycle means schools must replace entire fleets every 4-6 years. Doubling Chromebook lifespan would save taxpayers $1.8 billion and cut carbon emissions equivalent to taking 900,000 cars off the road for a year. Only 1/3 of end-of-life Chromebooks are recycled; 2/3 go to landfill.

Honesty 4/4 EXTREME 8 findings
⚠️ critical · policy claims vs regulatory findings
In 2015, Google signed the Student Privacy Pledge — a promise not to collect children's data for non-educational purposes. The same year, EFF caught Chrome Sync silently uploading every student's browsing history, passwords, and bookmarks to Google's servers. Google promised to fix it. In 2020, New Mexico sued over the same thing. In 2025, another federal lawsuit alleged the same thing. Three lawsuits in ten years. The pledge is a decade-old broken promise Google renews every time it gets caught.

What they claim: Google signed the Student Privacy Pledge promising not to collect student data for non-educational purposes.

What we found: EFF's 2015 FTC complaint found Chrome Sync was enabled by default on school Chromebooks, uploading students' entire browsing history, bookmarks, saved passwords, and open tabs to Google servers. The 2020 New Mexico AG lawsuit and 2025 Schwarz v. Google lawsuit allege the same practice continues a decade later — three lawsuits over ten years for the same violation.

⚠️ critical · policy claims vs regulatory findings
Google claims COPPA compliance. COPPA requires parental consent before collecting data from children under 13. In Denmark, schools created Google accounts for children without telling parents. In New Mexico, Google collected voice recordings, location data, and browsing history from seven-year-olds — no parent ever said yes. Google settled for $3.8 million. Their annual revenue is $300 billion. That's like fining a millionaire twelve cents.

What they claim: Google for Education: "Google Workspace for Education can be used in compliance with FERPA, COPPA, and GDPR."

What we found: In Helsingor, Denmark, schools created Google accounts for students without parents' knowledge or consent — children's real names appeared on YouTube and Gmail. New Mexico AG Hector Balderas found Google collected location data, voice recordings, browsing history, and search terms from children as young as 7 without parental consent. COPPA requires verifiable parental consent for children under 13.

⚠️ critical · policy claims vs regulatory findings
Google told schools: you own your data, we just process it. Denmark's privacy authority found that was false — Google is an independent data controller, processing student data for its own purposes. Google isn't the school's servant; it's helping itself to the school's data. Denmark banned Chromebooks outright. The Danish authority noted its findings "will probably apply to other municipalities" — meaning every school in Denmark, and likely Europe, was affected.

What they claim: Google Workspace for Education FAQ: "School data is owned and managed by the organization, not Google." Google's response to Danish DPA: "Schools own their data."

What we found: The Danish Data Protection Authority found Google acts as an independent data controller — not just a processor — processing student data for its own purposes, not just at the school's direction. The DPA noted its conclusions "will probably apply to other municipalities." Denmark banned Chromebooks and Google Workspace in schools outright in July 2022.

⚡ high · policy claims vs regulatory findings
Google says ChromeOS is GDPR-compliant. Four European countries disagreed and banned or restricted it in schools. The Netherlands had to disable spell-checking and machine translation — basic educational features — just to make it safe enough. Google eventually built a special Dutch version of ChromeOS. If the standard product were safe for children, why did Google need to build a separate version for a country that actually enforces privacy law?

What they claim: Google claims Workspace for Education is GDPR-compliant and meets European data protection standards.

What we found: Denmark banned Chromebooks and Google Workspace in schools in July 2022 for GDPR violations — the fourth EU country to impose restrictions. The Netherlands forced schools to disable ad personalization, spell-checking, and machine translation just to meet baseline privacy. Google eventually built a special Dutch version of ChromeOS, tacitly admitting the standard version wasn't safe for children.

⚡ high · marketing claims vs firmware analysis
Google sells Chromebooks as affordable for schools. Then it kills them with an expiration date. After the Auto Update Expiration, the device gets zero security patches — it's unsafe for a child to use online. Schools must replace entire fleets every 4-6 years. Thirty-one million pandemic-era Chromebooks are expiring right now. PIRG says this forced obsolescence costs taxpayers $1.8 billion. Two-thirds of dead Chromebooks end up in landfill. "Affordable" means affordable to buy, expensive to keep, and devastating to throw away.

What they claim: Google markets Chromebooks as affordable, cost-effective devices for education.

What we found: Chromebooks have an Auto Update Expiration (AUE) date after which they receive zero security patches. Average lifespan: ~4 years vs 6-8 for traditional laptops. 31 million Chromebooks sold during the pandemic are expiring in 2025-2026. Only 1/3 of expired devices are recycled. PIRG estimates extending Chromebook lifespans could save taxpayers $1.8 billion. Doubling lifespan would cut emissions equivalent to taking 900,000 cars off the road.

⚡ high · policy claims vs app permissions
Google says students control their data through Chrome Sync settings. The New Mexico Attorney General found those settings were "buried" where "parents and students likely never see" them. Google expects seven-year-olds to navigate privacy menus to protect themselves from a trillion-dollar data company. That's not user control — it's plausible deniability.

What they claim: Google promises Chrome Sync settings give users control over their data.

What we found: New Mexico AG found the option to disable sync was "buried in settings that parents and students likely never see." Students as young as 7 are expected to navigate Google's privacy settings to protect themselves from data collection by one of the world's largest companies.

⚫ medium · policy claims vs regulatory findings
Google promised reforms after EFF's 2015 complaint. New Mexico sued in 2020 and found the same practices. Schwarz sued in 2025 and alleged the same practices. Three investigations, three promises, zero change. Google's reform cycle: get caught, promise to fix it, wait five years, get caught doing the same thing.

What they claim: Google promised the FTC it would reform Chrome Sync practices after EFF's 2015 complaint.

What we found: Ten years and three lawsuits later (EFF 2015, New Mexico 2020, Schwarz 2025), the same fundamental allegation persists: Google collects student data through Chrome Sync and uses it for non-educational purposes. Each time, Google promises change. Each time, the next investigation finds the same practices.

⚫ medium · policy claims vs third party research
Google says education accounts are separate from personal ones. Senator Al Franken found "a discrepancy" — when students log into their education account, they also access YouTube, Google Search, and other services where Google's regular data policies apply, not the education ones. The education account is a front door into Google's entire ecosystem. The wall between "school data" and "Google data" has a door Google left open.

What they claim: Google claims students' education accounts are "completely separate" from personal Google accounts and services.

What we found: Senator Al Franken wrote to CEO Sundar Pichai noting "a discrepancy" in how Google treats data from education-specific apps versus other Google services students access while logged into their education accounts. Students logged into Workspace for Education still access YouTube, Search, and other Google services where different data policies apply.

What happened to real people
Documented incidents involving Google products and user data.
Jorge Molina jailed 6 days for murder via geofence warrant based on Google Sensorvault location data. Lost job, car, reputation. Charges never filed.
PRISM participant since 2009. NSA collects stored communications. FBI conducts warrantless 'backdoor searches' of American data using names and email addresses.
Google received 180 geofence warrants per week by 2019. Each warrant searches tens of millions of accounts. Supreme Court hearing constitutionality (Chatrie v. United States).
What your data is worth to governments
Google complied with 235,000 government data requests in H1 2024. That's +530% over 10 years. Google has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).