We are a mixed-platform household. We have Windows PCs and an iPad, Android Phones and tablets, and a family Chromebook. To manage the devices the kids use, however, I’ve focused down on ChromeOS and Android and use the Google Family Link service that enables us to keep an eye on the amount of time the kids have on screens, control the apps that they use, and provide restrictions around the murkier parts of the Internet (including, by Google’s default, blocking common-or-garden YouTube).
At some point, they’ll grow up and I’ll need to help them to understand how to protect themselves, but at the moment both under the age of 10, daddy knows best.
As a result of the device choices, they also use Google G-Suite for creating documents and presentations, mostly for their school work. My eldest seems to get great pleasure from creating slide decks, which I’m not sure I’m particularly happy about…
Their school has also recently introduced Google G-Suite into their technology setup, and yesterday there was a strange case of how good intentions lead to massively insecure unintended consequences.
The boys have been provided with logins for Google by the school.
If you are logged into a device controlled by family link then you can’t log into any other Google account. That presumably would break their control model somehow on a managed device.
No problem, I thought. We can log into their school account, create a folder in Google Drive, and share it back to their GMail account with read/write access. The Power of the Cloud (TM).
Except, of course, the school has blocked sharing of files and folders with accounts other than other school accounts within the same G Suite domain.
So the net result is that to give the kids access to their schoolwork, they have to log into the Chromebook directly with their school account, which bypasses the Family Link services (because GSuite accounts can’t be managed by Family Link). So they can get their documents and, unfortunately, everything else on the Internet in its entirety.
Now thankfully the headteacher is a very clever and sensible chap, and when I spoke to him about it this morning he understood immediately the problem, and also how it could be resolved (by allowing sharing outside of the school). I really feel for school management these days as they have complex IT to manage, usually these days with scarce resource.
This isn’t a problem with just my kids’ school, though. The decades of IT thinking that have determined that an organisations resources are behind some sort of firewall, and anything that enables you to access something within the domain must carry high risk is deeply ingrained. So many of the organisations that I work with have installed either Google or Office365 with the default set to not allow sharing outside.
The net result is that people find work-arounds that are both less secure and also fail to allow them to take advantage of the cloud-based nature of the new technology. Things mostly involving sending attachments in email.
We have had these kinds of cloud-based collaborative documents for over a decade now. The thinking about what is secure or not is still struggling to catch up.