If you haven’t heard of all this mess yet today, let me sum up:
Harriton High School, one of the richest high schools in the country, has been named in a lawsuit for using webcam-activation software on school-issued laptops to spy on a student. It’s come to light that all 2,000+ laptops issued (for which the students paid insurance) had been set up with remote-activation webcam software. This means that the school district could turn on the webcam in any laptop at any time. It did so in the case of Blake Robbins and used evidence obtained from the laptop in Robbins’ possession to bring about disciplinary action against Robbins. Robbins parents are now suing the district, seeking class-action status.
One of only three International Baccalaureate Diploma Programs in the Delaware Valley (i.e. western Philadelphia suburbs); student/teacher ratio of 16:1; extensive AP programs) and honors course offerings; 94 percent of graduates attend four-year college; two-time recipient of Department of Education Blue Ribbon School of Excellence Award. The school district of Lower Merion township, in Montgomery County, PA, has an annual budget of $175.2 million. The school district serves mostly privileged upper middle class and upper class kids.
Here are a few of my questions, as a former systems admin:
How efficient is this webcam tracking system? If a real criminal stole the laptop, he or she would have the harddrive wiped clean before attempted resale, so the webcam- remote activation software would be wiped with the rest of the files on the drive. Basically, this software was installed with the intent not to catch hardened non-student criminals. It was installed to catch fellow students stealing other students’ laptops. Intentionally spying on minors without guardian consent is in violation of the wire tapping act. Plus, I’ve met a few of these students before and I’ve seen the laptops. They informed me they had to pay insurance on them. Why track them if there is money to replace them? Doesn’t this kind of action put students at risk of retaliation and violence? Just let the laptop go and replace it! This kind of spying also opens up the school district for lawsuits, obviously. It will definitely be a landmark case, however it plays out.
Did Blake Robbins, the student against whom evidence gathered from the webcam, steal the particular laptop? Did the webcam get activated upon request of the victim of theft? Harritons’ website is suggesting this in their statement.
Did the school district ever inform parents of the possibility of remote-activation of webcams? Did each student and parent give informed, signed consent for this potential action? (Everything I read says NO. A clear Terms of Service would have helped the school district in this situation).
This smacks of amateur administration to me. When I worked as a systems administrator, the Fortune 500 I worked for issued laptops to the sales force. The support staff could access the laptop remotely, but only with the user there to click through the permission screens. As soon as the user rebooted the machine, the permissions would have to be granted to the support staff again. Also, we had very, very clear policies of appropriate use of the laptop and software, including email. As an administrator, I could go into anyone’s email. Absolutely any email account in the entire company. Did I? No, of course not. Having the keys to the kingdom also means having the knowledge of the policies (Plus, who has time? I’m not interested in your emails to your mom. My team was busy enough trying to keep the manufacturing lines up and the grid healthy).
I actually got into a bit of hot water once, when a very high-ranking manager came to me, asking for access to his employees accounts. A “bad email” (i.e. racist jokes) was being sent around to his whole manufacturing site. He called me and asked me to track the emails. Together (him remotely) we paged through some email accounts.
I was too inexperienced to have the wherewithal to tell the supervisor to contact my supervisor or my boss’s boss who was equal in rank. I told my boss what happened and I was on the verge of being disciplined. They took mercy on me, because I was new. Eventually I’d come to say “No” constantly to all sorts of high-ranking CEOs in the company, but it was a lesson hard learned.
My point in telling you this story: it’s the tech administrator’s job to know what opens up the company to potential lawsuits. The installation of this webcam software without a very clear Terms of Service and informed consent was just plain stupid. If you are a techie at all, you know about the wire tapping act. You also know that the law doesn’t much care about who “owns” the camera. Your job is to know how to design the infrastructure to protect the company.
I must hold out hope for humanity by imagining that a lowly techie at Harriton High School knew the score, probably spoke up, and the non-technical department heads ignored the warnings. (I can’t tell you how many times that happened to me, telling my boss or others about a weakness in the infrastructure, me being ignored, then a few days later watch it all crash down. After a while, you just don’t even get angry anymore. You just do as you’re told and go home at the end of the day.) It’s hard for me to think that there was not one person in all of the sickeningly-well-funded Harriton school district’s employ that didn’t have 1 clue about the potential mess remote-activation of camera software would bring, no matter what circumstance. I can’t stand to think they’d ALL be that stupid.
And yet, here we are.
Let me know what you think in the comments.
-Christine Cavalier, PurpleCar
The pdf of the actual lawsuit:
UPDATE: Feb 19, 2010: The Associated Press reports that the FBI is now looking into criminal charges against the district. The webcams were activated 42 times in the last 14 months supposedly in search of stolen or missing laptops. article here. Also, this video says that Apple released a statement about a bug in the intel-based macbooks that caused the webcam recording light to come on even though the camera wasn’t recording. NBC10 has a bit more to say, including the name of the assistant principal involved. The main question: if only 2 tech admins had access to turn on the webcams, how did the assistant principal get access? (Probably she strong-armed a tech into giving it to her, or she stood over the shoulder of the tech and watched while she/he carried out her commands, much like the email scanning situation I was in that I mentioned above).
CNN has more, citing quotes from Doug Young, the school district’s spokesman:
“Doug Young, a spokesman for the Lower Merion School District, said the district would only remotely access a laptop if it were reported to be lost, stolen or missing.
Young said if there were such a report, the district first would have to request access from its technology and security department and receive authorization. Then it would use the built-in security feature to take over the laptop and see whatever was in the webcam’s field of vision, potentially allowing it to track down the missing computer.
Young said parents and students were not explicitly told about this built-in security feature.
To receive the laptop, the family had to sign an “acceptable-use” agreement. To take the laptop home, the family also would have to buy insurance for the computer.
In an “acceptable-use” agreement, the families are made aware of the school’s ability to “monitor” the hardware, he said, but it stops short of explicitly explaining the security feature. He termed that a mistake.
Young added that mistakes might be made when combining technology and education in a cutting-edge way.”
Wow is this district in hot water or what? There are some lost careers here for sure. Unfortunately, the poor lowly techs – who should’ve known better and should’ve refused – will face criminal charges most likely, when this all comes out. Ultimately, they are the ones who broke the wiretapping laws. Take heed, fellow admins: know your limits.
And Mr. Young’s last statement is ludicrous. Oh sure, “mistakes might be made.” Yes, mistakes might be made when combining technology and dressing rooms too. Or combining alcohol or cars. How about combining idiots with security design?
Flippantly saying “oh, you know, we’re trying, and it’s all new to us” trivializes the matter and further violates and betrays the students and families in the district. It really is no excuse. He’s trying to garner public sympathy by playing on the same old fears of any new media and technology.
The family speaks: ABC6 News Apparently, Blake Robbins was “dealing” Mike & Ikes (mute your speakers before you click that link, jeez!). In the news video, listen to what the father says about worrying about his daughter being photographed when exiting the shower, then see Forrest’s comment below. This case will come down to child porn, especially if the feds are involved.
UPDATE: Feb 22, 2010: Evidence that the admins were stupid, and the administration should listen to its student leaders: http://www.philly.com/inquirer/home_top_stories/20100222_Laptop_camera_snapped_away_in_one_classroom.html The computing staff lauds the security system in this article, and there’s a link to a webcast about it. The systems administrator goes on and on about how great the camera shots are, without any sense of the law or the possible implications of using this feature with minors. Wow. Just, wow.
UPDATE: Feb. 24th 2010: More he said she said. http://www.philly.com/inquirer/breaking/news_breaking/20100224_L__Merion_spying_case_figure__I_did_not_snoop_on_kids.html
This techrepublic blog has a great round-up of tech articles about the software, LanRev, and some other similar apps, as well as commentary about the implications. http://blogs.techrepublic.com.com/itdojo/?p=1559
UPDATE: April 20, 2010 The school district releases the fact that they’ve collected over 56,000 images from the laptops. Over 2/3rds of that number, about 38,500 came from 6 stolen laptops over a 6 month period where the district worked with police and eventually charged the perpetrator with theft. No word on where those laptops were, though, and what the pictures contain. The other 17,500 images are of other students, and the district admits not all uses of the cameras were justified. Why am I not surprised? I’m sure there will be missing images… admins aren’t so stupid as to keep the kiddie porn ones on the district’s servers. http://www.philly.com/philly/news/breaking/20100419_Lower_Merion_details_Web_cam_scope.html
UPDATE: May 12, 2010: The family changes their lawsuit from a class action filing to a personal filing, so other families can individually sue the school district. This is bad news for the school district, I think. We’ll see how it plays out. http://www.philly.com/philly/news/breaking/20100512_Spy-cam_suit_family_drops_plan_for_class-action_status.html