By default, the transmission of personal data in crash reports and usage statistics to Google is enabled. The Enhanced Spellcheck is disabled in the Chrome browser, but end users can enable it. As explained in Section 1.4.3, admins cannot centrally prevent end users from using the Enhanced Spellcheck.
3.2 Privacy controls administrators
Administrators of G Suite Enterprise can exercise control over the devices of employees in multiple ways, for example through advanced mobile device management.
For this report, three controls were examined:
1. Access for end users to Additional Services
2. Privacy controls for the Chrome Browser
3. Access to Marketplace apps
These controls are discussed below, in Sections 3.2.1 to 3.2.3.
Section 3.2.4 discusses different types of data processing for which there are no administrator privacy controls.
3.2.1 Access to Additional Services
Access to the Additional Services is enabled by default for G Suite Enterprise. Google explains that it has chosen this setting “to offer a smooth experience to G Suite customers, with no additional charge.”146
There are currently 53 Additional Services that can be controlled individually, but this list is dynamic and therefore subject to change. Administrators can choose to collectively or individually enable or disable access to those Additional Services. Google warns that the overview of Additional Services, with or without individual controls, is subject to change without notice.147 Google states that admins can choose how new user features are released to users.148 As shown in Figure 25, when an administrator has disabled access to all Additional Services and a new Additional Service is added by Google, access to the new service is automatically released to all users, with a delay of 1 to 2 weeks after the introduction.
146 Google reply to part A of the DPIA.
147 Google, G Suite Admin Help, Additional Google services, URL: https://support.google.com/a/answer/181865?hl=en
148 Google, Automatically turn newly released services on or off, URL: https://support.google.com/a/answer/82691
Figure 25: Default setting: automatic release of new features
When Google offers opt-out controls for use of the Additional Services, these controls are granular. A system administrator can turn a specific Additional Service off for all end users, only for a group of end users in an organisational unit, or for a set of end users across or within organisational units.
As examples of Additional Services without an opt-out control, Google mentions Allo, Chromecast and Google Surveys.149 Admins can only block access to these Additional Services all at once.
Figure 26: Admin overview of 51 additional Google services and Marketplace apps150
Access to blocked Additional Services
Privacy Company has tested what happens if an admin has turned off an Additional Service, such as Google Search or YouTube, but a G Suite Enterprise end user nevertheless accesses the service. In that case, the end user is silently signed out from the Google Account, and can visit the service as an end user without a Google Account. Google does not show any warning that the end user has left the G Suite Enterprise environment.
After the Additional Service Search and Assistant was disabled, Google still served personalised ads to the (signed-out) end user. However, these ads were based on the search query, or other contents of that particular browsing session. After searching for baby products, Google Search showed contextual ads in the search engine for nannies and nurseries in The Hague.
149 Google, G Suite Admin Help, Manage services that are not controlled individually, URL: https://support.google.com/a/answer/7646040
150 Idem.
Google explained: “If the Search and Assistant setting is disabled, Search processes queries as if the end user was not authenticated. These G Suite end users may see targeted advertising based on their current session activity but will not be served advertisements based on their use of G Suite or any of their Google Account attributes.”151
As explained in Section 3.1.6, if an employee is simultaneously signed in with a consumer account, Google can process the search data to enrich the Ads Personalization profile of the consumer Google Account.
3.2.2 Privacy controls for the Chrome browser
Administrators can exercise some control over the Chrome browser. In reply to this DPIA, Google frequently points to Chrome Enterprise, but since this is a separate product, not included in G Suite Enterprise, these controls are out of scope of this DPIA. As explained in Section 1.4.3, in G Suite Enterprise admins cannot block the use of the Enhanced Spellcheck in the Chrome browser.
Google explains that the Chrome browser will share location data ‘with your default search engine’ by default:
“Chrome won't allow a site to access your location without your permission; however, on mobile devices, Chrome automatically shares your location with your default search engine if the Chrome app has permission to access your location and you haven’t blocked geolocation for the associated web site. Chrome uses Google Location Services to estimate your location. The information that Chrome sends to Google Location Services may include:
- The Wi-Fi routers closest to you
- Cell IDs of the cell towers closest to you
- The strength of your Wi-Fi or cell signal
- The IP address that is currently assigned to your device.”152
The default search engine is Google Search, as shown in Figure 27.153
Figure 27: Default browser in Chrome (pre-ticked)
Administrators have the ability to apply policies to managed Chrome browsers and Chromebooks. Google explains in its Chrome Privacy Notice:
“Chrome contacts Google to check for these policies when an end user first starts browsing (except in guest mode). Chrome checks periodically for updates to policies. An administrator can set up a policy for status and activity reporting for Chrome, including location information for Chrome OS devices. Your administrators may also have the ability to access, monitor, use or disclose data accessed from your managed device.”154
151 Google response 5 June 2020.
152 Google Chrome Privacy Notice, Last modified: 20 May 2020, URL: https://www.google.com/chrome/privacy/?hl=en_GB
153 As tested repeatedly by Privacy Company in a new clean install of a Chrome browser.
3.2.3 Access to Marketplace apps
The G Suite Marketplace is an app store. Anyone with a Google Account can download apps relating to G Suite from the Marketplace. These apps are called add-ins. By default, Google allows G Suite Enterprise end users to install all available add-ins from the G Suite Marketplace.155 If those add-ins want to access the G Suite Customer Data (which is almost always the case), the end user can easily give such an app access in the same way as authorising any other website for single sign-on, via OAuth or SAML.
Administrators have three choices in managing the G Suite Marketplace. They can prohibit the installation of all apps, allow only whitelisted apps, or allow everything. By default, installed Marketplace apps have access to Customer Data. Administrators can centrally disable this access, and can also give each app restricted or unrestricted access to Customer Data (see Figure 28 below).
If administrators allow employees to install (whitelisted) apps, they have only limited control over that app's access to Customer Data. The available control only allows for a Yes or No choice. Google does not provide more granular control over the different kinds of permissions that the app needs, such as access to contacts, to the camera, etc.
154 Ibid.
155 See: https://gsuite.google.com/marketplace
Figure 28: Default settings Marketplace: all access is allowed
After installation by the end-user, administrators can see that the end user has installed the app, and what permissions that app requires.
Figure 29: Default setting: unrestricted access to Customer Data
3.2.4 Access rights for external apps and sites via Single Sign-on
For this DPIA, a test user authorised the third-party service Dropbox with single sign-on. In this case Dropbox requested two permissions: for 'Context', and 'Other'. Single sign-on is enabled by default for end users.
As shown in Figure 30 below, admins can change an app's default setting of full access to all Google services to limited access, which covers only the Google services that are marked unrestricted. The default setting is that access to all Google services is unrestricted, so this setting by itself does not immediately limit access to Customer Data.
Figure 30: Changing access rights per app from full access to limited access
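The interaction between the per-app setting (Section 3.2.3 and 3.2.4: full versus limited access) and the per-service setting (restricted versus unrestricted) can be checked with the following added example; it is a model written for this page, not Google's code or any Google API, and the app name, the sample grant and the policy values are constructed. It reproduces the report's point that moving an app to limited access has no effect until a service is also marked restricted.

```python
# Added model (not Google code or API) of the controls in Sections 3.2.3 and 3.2.4:
# apps have "full" or "limited" access, Google services are "restricted" or
# "unrestricted", and a limited-access app may reach only unrestricted services.
from dataclasses import dataclass, field

# OAuth scope prefix -> Google service it touches (subset of real Google scopes).
SCOPE_TO_SERVICE = {
    "https://www.googleapis.com/auth/gmail": "Gmail",
    "https://www.googleapis.com/auth/drive": "Drive",
    "https://www.googleapis.com/auth/contacts": "Contacts",
}
IDENTITY_SCOPES = {"openid", "https://www.googleapis.com/auth/userinfo.email"}  # SSO only

@dataclass
class AdminPolicy:
    marketplace_mode: str = "allow_all"   # "block_all" | "allowlist" | "allow_all"
    allowlisted_apps: set = field(default_factory=set)
    restricted_services: set = field(default_factory=set)  # default: none restricted
    limited_apps: set = field(default_factory=set)         # default: all apps have full access

def evaluate_grant(policy: AdminPolicy, app: str, scopes: list) -> list:
    """Return the policy findings for one app's OAuth grant (empty list = allowed)."""
    findings = []
    if policy.marketplace_mode == "block_all":
        findings.append("installation of Marketplace apps is prohibited")
    elif policy.marketplace_mode == "allowlist" and app not in policy.allowlisted_apps:
        findings.append(f"{app} is not on the admin allowlist")
    for scope in scopes:
        if scope in IDENTITY_SCOPES:
            continue                        # plain single sign-on is enabled by default
        service = next((s for p, s in SCOPE_TO_SERVICE.items() if scope.startswith(p)), None)
        if service is None:
            findings.append(f"unrecognised scope {scope}")
        elif service in policy.restricted_services and app in policy.limited_apps:
            findings.append(f"{app} has limited access but requests restricted {service}")
    return findings

# Constructed sample grant: a hypothetical file-sync app asking for identity plus Drive.
SAMPLE_GRANT = ("filesync-app", ["openid", "https://www.googleapis.com/auth/drive"])

def default_policy_findings():
    # Report defaults: all apps allowed, no service restricted, every app has full access.
    return evaluate_grant(AdminPolicy(), *SAMPLE_GRANT)

def limited_app_only_findings():
    # Moving the app to limited access changes nothing while Drive stays unrestricted.
    return evaluate_grant(AdminPolicy(limited_apps={"filesync-app"}), *SAMPLE_GRANT)

def limited_and_restricted_findings():
    # Only once Drive is also marked restricted does the limited-access setting bite.
    return evaluate_grant(AdminPolicy(limited_apps={"filesync-app"},
                                      restricted_services={"Drive"}), *SAMPLE_GRANT)
```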
3.2.5 Missing central privacy controls for administrators
This DPIA identifies five scenarios where administrators of G Suite Enterprise should be able to exercise central privacy control, but where such a control is not available.
Admins cannot:
1. Prevent use of Enhanced Spellcheck in Chrome;
2. Prevent reuse of Customer Data through Spelling and grammar for machine learning;
3. Limit the collection of telemetry data and other Diagnostic Data;
4. Change the default setting for Ads Personalization; and
5. Prohibit the use of services for which Google is the data controller, such as Feedback.
Section 2.3 and Figure 15 describe how content from files that Google obtains as Customer Data may end up in the telemetry data (Diagnostic Data) as a result of the use of the Enhanced Spellcheck in the Chrome browser. Admins can only centrally block this traffic if they separately procure Chrome Enterprise (not part of the G Suite Enterprise offering, out of scope of this DPIA).