← Laptops
D

Google Chromebook

170 million students use Chromebooks. Google sees every keystroke. The kids never had a choice.
Serious concerns
Lenovo · 🇨🇳 China · WiFi + Bluetooth
PolicyApp PermissionsNetwork TrafficFirmwareRegulatory
Technical details
FCC ID: O57DUET3CB7C
Chipset: Qualcomm Snapdragon 7c Gen 2 + WCN3991
Manufacturer: Lenovo / Google (ChromeOS)
Model: Lenovo Chromebook Duet 3 (11Q727)

⚠️ The bottom line

Google says no ads in education tools. Technically true — for some of them. But YouTube? Regular Google tracking. Google Search? Same. Students use both daily for school. Like a casino saying "no gambling in the lobby" while slot machines are in the next room with the door always open. Google signed a pledge not to collect student data beyond educational needs. Then left Chrome Sync on by default, uploading every website your kid visits. The opt-out was buried so deep the EFF and a state AG both called it deceptive. Your kid can't choose not to use the Chromebook.

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law read more →
Company must secretly hand data to Chinese intelligence on request
Data Security Law read more →
State can classify any data as 'important' and demand access for national security
🇺🇸 United States (data storage)
CLOUD Act read more →
US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM read more →
NSA collects stored emails, photos, messages without individual warrants
Geofence warrants read more →
Police can demand location data for everyone near a crime scene
Spying
3/4 HIGH
Is someone spying on me?
Kids at risk
Data Sharing
4/4 EXTREME
Who gets my data?
Kids at risk
Security
0/4 N/A
Is it actually secure?
Honesty
4/4 EXTREME
Can I trust what they say?
Kids at risk
REPLACE Extreme risk. Look for alternatives or lock down hard.
10Contradictions
3Critical
5High
2Medium
4Sources
Findings by concern
Spying 3/4 HIGH 1 finding
⚠️ criticalapp permissions vs regulatory findings
Google scanned your kid's face and recorded their voice to build biometric profiles. On school laptops. Without asking you. For ten years. They settled for $8.75 million — less than Google makes during a bathroom break. They call this "strong controls."

What they claim: Google: "strong controls to protect student data" with schools required to "obtain parental consent when needed."

What we found: Collected voiceprints and face templates from students via Voice Match/Face Match on school Chromebooks for 10 years. $8.75M BIPA settlement (2024). $170M YouTube COPPA (2019). $5.5M NM COPPA (2024). A decade of biometric collection from minors.

Data Sharing 4/4 EXTREME 4 findings
⚠️ criticalpolicy claims vs app permissions
Google says no ads in education tools. Technically true — for some of them. But YouTube? Regular Google tracking. Google Search? Same. Students use both daily for school. Like a casino saying "no gambling in the lobby" while slot machines are in the next room with the door always open.

What they claim: Google: "No ads in Google Workspace for Education Core Services, and student information in Core Services is never used for ad targeting."

What we found: Google is 77% advertising revenue. Core Services have no ads but YouTube ("Additional Service") operates under consumer privacy terms with full ad tracking. Google Search same. Students use both daily via same account. When students turn 18, ecosystem familiarity converts into advertising relationship.

⚡ highpolicy claims vs policy claims
Google tells schools education is at the core. Internal slides say the quiet part out loud: get kids hooked in kindergarten and you have them for life. They called it a "pipeline of future users." They're not selling a learning tool. They're selling advertisers a 13-year onboarding program.

What they claim: Google for Education: "We build products that help students learn, educators teach, and schools transform — with privacy and security at the core."

What we found: Internal docs (NBC News, Jan 2026, from lawsuit discovery): presentations describe school Chromebook adoption as "pipeline of future users." Nov 2020 slide: "You get that loyalty early, and potentially for life." YouTube strategy: "pipeline of future users and creators" by getting unblocked in schools.

⚡ highpolicy claims vs regulatory findings
93% of US schools buy Chromebooks. Sign Google's consent form or your child falls behind. That's not consent — it's coercion with a permission slip. Google collects data from 170 million students and calls it "voluntary" because a parent clicked "I agree" on a form they couldn't refuse.

What they claim: Google: schools "choose which services to enable" with "controls to manage student data."

What we found: 93% US districts buy Chromebooks. 60.1% global education market. Students legally required to attend school. Declining consent = child excluded from digital classwork. Schwarz v. Google (2025) argues government-compelled use implicates Fourth Amendment.

⚫ mediumpolicy claims vs network analysis
Google doesn't need to target ads at students. It's playing the long game. Get a kid using Gmail at 5, Docs at 7, YouTube at 10. By 18 they can't imagine using anything else. Then the ads turn on. Most patient customer acquisition in history: 13 years free for a lifetime of ad revenue.

What they claim: Google: "Personal information from K-12 users is never used for personalized advertising."

What we found: Internal "pipeline of future users" works on 13-year timeline. Child starts Google in kindergarten. By graduation: 13 years of muscle memory, Gmail IS their identity, years of Drive files, complete lock-in. At 18, education account converts to consumer with full ad terms.

Honesty 4/4 EXTREME 5 findings
⚠️ criticalpolicy claims vs firmware analysis
Google signed a pledge not to collect student data beyond educational needs. Then left Chrome Sync on by default, uploading every website your kid visits. The opt-out was buried so deep the EFF and a state AG both called it deceptive. Your kid can't choose not to use the Chromebook.

What they claim: Student Privacy Pledge (Jan 2015): "not collect, maintain, use, or share student personal information beyond authorized educational purposes."

What we found: EFF FTC complaint (Dec 2015): Chrome Sync enabled by default, uploading every website, search term, YouTube video. NM AG (2020) confirmed same. Chrome telemetry 2.3x Firefox. On legally-required school devices, "opt-out" is not meaningful consent.

⚡ highpolicy claims vs app permissions
Google built a privacy wall between "Core" (protected) and "Additional" (tracked). Then put YouTube and Search on the tracked side. Same kid, same account, same session. Kid writes an essay in Docs (protected) then watches assigned YouTube video (tracked). The wall is made of paper.

What they claim: Google: "Core Services" like Classroom/Docs have no ads and strict data protections under Education agreement.

What we found: YouTube, Search, Maps are "Additional Services" under consumer Privacy Policy. Schools can enable them. In practice, YouTube used constantly for education. Same student account across both. Google delegates consent enforcement to schools. Wall is legal fiction, not technical.

⚡ highnetwork analysis vs policy claims
When your kid types in the address bar, every letter goes to Google before they hit Enter. Type "p-o-r" looking for a school portal and Google already has those three letters. On a Chromebook, Chrome IS the computer. There is nowhere to hide.

What they claim: Chrome privacy whitepaper: omnibox suggestions can be disabled and "Chrome does not send any information to Google" when off.

What we found: By default, every character typed in address bar sent to Google in real-time BEFORE Enter. On managed school Chromebooks, students can't change this. Chrome telemetry 2.3x Firefox. On ChromeOS, omnibox IS the interface — every URL attempt, misspelling, half-formed thought goes to Google.

⚡ highregulatory findings vs policy claims
Google has been fined four times for collecting kids' data. Total penalties = what Google makes before lunch on a Tuesday. The 2025 lawsuit alleges the exact same thing as the 2015 complaint. Nothing changes because nothing has to. The fines are a rounding error.

What they claim: After each enforcement action, Google states it has "addressed concerns and improved practices."

What we found: $170M YouTube COPPA (2019) = 0.1% of revenue. $5.5M NM (2024) + $8.75M BIPA (2024) = less than Google earns in 3 minutes. FTC took no action on 2015 EFF complaint. Schwarz v. Google (2025) alleges same practices. Same allegations repeat decade apart.

⚫ mediumfirmware analysis vs policy claims
On Windows you can install Firefox. On Mac, Safari. On a Chromebook, there is Chrome. That's it. Every click goes through Google's browser on Google's OS to Google's servers. Like if Ford made a car where the only road you could drive was Ford's and it reported everywhere you went.

What they claim: Google promotes ChromeOS as offering "speed, simplicity, and security."

What we found: ChromeOS architecturally locked to Chrome as system browser. Cannot install Firefox, Brave, or any alternative. Every request routes through Google's browser on Google's OS to Google's servers. EU DMA requires browser choice on phones but not ChromeOS. No escape hatch on $200 school device.

What happened to real people
Documented incidents involving Lenovo products and user data.
Jorge Molina jailed 6 days for murder via geofence warrant based on Google Sensorvault location data. Lost job, car, reputation. Charges never filed. [source]
PRISM participant since 2009. NSA collects stored communications. FBI conducts warrantless 'backdoor searches' of American data using names and email addresses. [source]
Google received 180 geofence warrants per week by 2019. Each warrant searches tens of millions of accounts. Supreme Court hearing constitutionality (Chatrie v. United States). [source]
What your data is worth to governments
Google complied with 235,000 government data requests in H1 2024. That's +530% over 10 years. Google has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).
Documented: Jorge Molina jailed 6 days for murder via geofence warrant based on Google Sensorvault location data. Lost job, car, reputation. Charges never filed.
Documented: PRISM participant since 2009. NSA collects stored communications. FBI conducts warrantless 'backdoor searches' of American data using names and email addresses.
What is PRISM? · What is the CLOUD Act? · Transparency report
Sources