With the pandemic forcing many people to work and attend school from home, there has been a major shift in the use of technology for many businesses and learning institutions. And this has brought a lot of interesting findings, at least from my own.

My kids have been attending school virtually this year, and I’m glad that schools can offer options and provide a high level of education virtually during the Covid-19 pandemic. One of these options is the use of Chromebooks. While many US school districts have been providing Chromebooks to children at school for some time, the scale of this need changed significantly in 2020. Fortunately, some school districts have found the ability to get more computers for students who need them at home.

Many kids now have school-supplied computer equipment away from the school network. This is great if you’re among the many families who need computers to have your kids learn remotely. However, with this come privacy and security concerns. In some cases, they are easy to avoid, but in other cases some time and modifications are needed to ease these concerns.

Privacy and security concerns with at-home learning

As they started the 2020 – 2021 school year, many kids were given school-owned computers to perform their tasks. In some cases, this was not an option for you to take — even if you didn’t need a device for your student, you must have one anyway.

This was the case for my family earlier in the year. We brought home the school-provided Chromebook and put it aside while my child used their own computer. But then the complaints started coming from my child about blocked websites, including some search engines. These complaints echoed those of other students and parents.

Being a security professional, I had been blocking some things on my own home network anyway, but not the search engines in question. This was when I started looking into this more.

Again, my child was using a computer that I own. It was being used for school purposes, as well as for playing games and browsing the web outside of school hours. But even though it was a personal computer, the school had taken over the Chrome browser on it. My child’s school was pushing its policies to my Chrome browser on a personally owned device.

According to Google, this ownership syncing is because of default settings that sync browser information upon sign-in to Google services, including Gmail and Google Classroom. These can be disabled by following the instructions here.

However, this might be only a small portion of what happened to the computer during this time. As it turned out, extensions were also pushed to my child’s computer. This meant that on the personally owned device, extensions were installed that track, monitor, and force policies onto the browser. This is why the search engine my child was trying to use was blocked. 

Another interesting thing about these Chromebooks sent home from schools is that some of them have been used in the schools for quite some time. However, despite the standard practice of erasing the personal data on Chromebooks before reissuing them to their new users, the Chromebook that was sent to us came with roughly a dozen students’ information (including both login and system information). This had me thinking about the research released by Check Point earlier this year around hackers targeting children through the Google Play Store to infect Android and Chromebook devices. 

While I control my home network based on my knowledge of the industry, here I was expected to bring an unknown device that had been used before by at least a dozen kids who might have installed malware in one way or another. And parents were expected to bring such devices onto their home networks and trust them as their children’s school devices.

This led me to think about other situations in which this could be a problem not just for students but also for anyone working from the same home. Before this time of people working from home because of the pandemic, many employees had only a desktop computer at their work. Their companies might have even used thin clients to reduce the administrative overhead. Now, these people might also be using their own personal computers for work functions. Some parents might even be using for work the same computers that their kids are using for school — in which case the children’s schools might have taken over the browser to block sites and push apps that monitor the behaviors of the computers.

Say there might be a time in the near future when not only does your company control the device you are using (regardless of whether or not it’s your personal device), but it also sets policies for the devices that you have on your home network, like network-based site blocking or network traffic monitoring. In the near future, you might even see companies that don’t allow their assets on the network with more unsecure devices that they don’t control. This means that kids’ Chromebooks might not be allowed to be used on the same network as the one you’re using for your job.

Larger companies do have the resources to solve these security and privacy issues by sending home all the necessary equipment to secure the devices. Sometimes that’s a separate router that their machine sits behind. Some companies send home hardened machines that will connect to the corporate network only via virtual private network (VPN), thereby preventing anything from happening to their assets outside of their network by forcing the devices back to the corporate network.

Protecting your family’s privacy and security

While most of what we have seen is likely a configuration issue, this configuration issue could lead to a whole list of problems for the privacy, security, and even usability of the affected machines.

You can always take proactive measures at the network level if you feel comfortable doing so. There are a few approaches to doing this, and the easiest is to block domains in your router (if your router allows it). As an example, in Linksys routers this is done by using parental controls that allow you to block or allow domains based on your preferences and desired restrictions. For parents, this is a good way to ensure that your kids can’t visit websites you don’t want them to visit, as well as block ads and other tracking apps that might monitor activity at the domain level.

Other privacy concerns exist with apps for video monitoring or assignments requiring students to share their photos and videos. Parents might wonder how these photos and videos are being used after they’re sent to the schools. Unfortunately, some kinds of risk like this have to be accepted for your kids to participate in their school activities. But these concerns should be made known to the schools. They hopefully have outlined policies for how this data is used and deleted to maintain student privacy. And at the very least, Chromebooks and other loaned devices for at-home use should be wiped before they are reissued.

Seeing as this is a difficult time for schools to continue educating students in and out of the classroom, we at Trend Micro want to encourage schools to understand the larger impact that IT decisions could have on students during this time of remote learning and beyond. Resources for schools and educators are available through the Trend Micro Initiative for Education.

We also want to enable parents to confidently manage their home networks, including personal and school-owned devices. More resources for families are available through Trend Micro Internet Safety for Kids and Families.

Take this time while everyone is working and learning from home to understand your home network and take control of your family’s privacy and security.