Hello,
I consider myself deeply invested in privacy, and as such I only have a GrapheneOS phone and do not use a SIM card on the daily. This is context for what follows.
I am a university student at a public french university, and one of the required courses consists creating a basic website. When I went to my first class of this course, the professor told us to reffer to a PDF document, which she went through with us. The class seemed easy, creating a website with pages and subpages with links, media etc, but the weird part was when the required tool to use was Google Sites.
In good faith, I asked the professor if it was truly necessary to use Google Sites, as it of course needs a Google account. She replied yes, and that i had to refer to the document to create one, as I do not have any. As I was seeing she was clearly standing her ground on not using any other tool than what was written on that file, I ultimately resorted to creating an account after first refusing to do so.
So I tried to create a Google account on the dekstop provided by the university, thinking this would go smoothly as I provided my real name and of course having the university IP address, but I found out that Google needed a phone verification, and not even a classical one, a strange “Scan this QR code to verify your identity”. Again, the last thing I want to do, but I had to as the professor still refused to come up with a solution. So I did end up scanning that QR code, and after scanning it I arrived on a page saying something like “Send SMS”. Of course this verification failed, as I don’t have any SIM on my phone. And this is basically the end of the story. I ultimately solved this problem by finding, all by myself, another free website hoster that was more privacy-friendly, and thankfully I got a decent grade even though I didn’t even use the required tool.
However, even though this went well for me, I cannot help but wonder, is this even legal? Can a university reasonably expect its students to give up their privacy to Google just to make a stupid website?? I feel like the university (or at least the professors monitoring the course) expect us to have one as if it was the default, but this is just not the case and it should never be in my opinion. Furthermore, I discovered during this process that it now requires a smartphone and a SIM card simultaneously to create a Google account, but what if I’m in a precarious situation and somehow do not have access to a smartphone during the course or a valid SIM subscription?
In all honesty, it’s been some time now and I still haven’t taken action on anything for two reasons even though I would like to : first, I do not know if it is the norm for universities, in particular public french ones, and second I never had to stand up for privacy for years until now, and I do not know what to do. This is ultimately why I am writing this post, thanks in advance for your help.
I am not a lawyer, but what law would they be breaking by requiring you to use a Google account?
Can a university reasonably expect its students to give up their privacy to Google just to make a stupid website??
I imagine the professors can require whatever they want. It’s not like Google is an anti-gdpr provider, even if they’ve been fined (haven’t looked into this).
I doubt the teacher really cares what site it was on, she just wanted to keep it simple by giving one instruction, although I imagine a petty teacher could drop your grade for using a different site, even if it’s the same just because.
Perhaps figure out a way to get a google account. I was able to make one with Incogniton Browser and it only asked to receive an SMS instead of send one, presumably because of a low risk score for the browser. You can either give your real phone number or buy one on SMSPool.net.
Apparently there’s a consent clause in the GDPR so maybe it is against the GDPR. But that doesn’t stop banking..
They can’t, you’re protected by the GDPR. But you’d likely need to file a complaint (e.g. with your local data protection authority), and that can take time.
Thanks for your response, I’ll keep that advice in mind!
I do not know precisely, that’s why I’m writing here to ask for help on what to do, but knowing I live in Europe and that we have GDPR, I imagine there would be something about keeping data about university stuff inside the university servers, as they have plenty of tools and could integrate more, for example wordpress to make websites.
I can imagine there are relatively private ways of making accounts sure, but the fact is I wasn’t able to do so using what the university provided, and that’s the most concerning part for me.
Thanks for your response. I imagine I could write an e-mail to the university administration for sure, but my fear is that they straight up ignore me because they see no wrongdoing. I guess I lose nothing by trying, I’ll do that ASAP.
I would also like to add that I dove deeper into that course’s official description, and what we did does not reflect what is said by the curriculum, so I guess the professors did something on their own, and by doing so overlooked their “privacy duty” if I can call it that.
You can create a Google account on your phone without SMS verification by resetting it to factory settings. If you contact the prosecutor’s office to seek redress for a violation of your rights, you could easily be expelled from the university. They have the power, you have nothing.