≡ Menu

Local school district allegedly spyed on kids via issued laptops.

If you haven’t heard of all this mess yet today, let me sum up:

Harriton High School, one of the richest high schools in the country, has been named in a lawsuit for using webcam-activation software on school-issued laptops to spy on a student. It’s come to light that all 2,000+ laptops issued (for which the students paid insurance) had been set up with remote-activation webcam software. This means that the school district could turn on the webcam in any laptop at any time. It did so in the case of Blake Robbins and used evidence obtained from the laptop in Robbins’ possession to bring about disciplinary action against Robbins. Robbins parents are now suing the district, seeking class-action status.

Here are some articles on the subject:
Ars Technica
New York Times
Philly Inquirer

One of only three International Baccalaureate Diploma Programs in the Delaware Valley (i.e. western Philadelphia suburbs); student/teacher ratio of 16:1; extensive AP programs) and honors course offerings; 94 percent of graduates attend four-year college; two-time recipient of Department of Education Blue Ribbon School of Excellence Award. The school district of Lower Merion township, in Montgomery County, PA, has an annual budget of $175.2 million. The school district serves mostly privileged upper middle class and upper class kids.

Here are a few of my questions, as a former systems admin:
How efficient is this webcam tracking system? If a real criminal stole the laptop, he or she would have the harddrive wiped clean before attempted resale, so the webcam- remote activation software would be wiped with the rest of the files on the drive. Basically, this software was installed with the intent not to catch hardened non-student criminals. It was installed to catch fellow students stealing other students’ laptops. Intentionally spying on minors without guardian consent is in violation of the wire tapping act. Plus, I’ve met a few of these students before and I’ve seen the laptops. They informed me they had to pay insurance on them. Why track them if there is money to replace them? Doesn’t this kind of action put students at risk of retaliation and violence? Just let the laptop go and replace it! This kind of spying also opens up the school district for lawsuits, obviously. It will definitely be a landmark case, however it plays out.

Did Blake Robbins, the student against whom evidence gathered from the webcam, steal the particular laptop? Did the webcam get activated upon request of the victim of theft? Harritons’ website is suggesting this in their statement.

Did the school district ever inform parents of the possibility of remote-activation of webcams? Did each student and parent give informed, signed consent for this potential action? (Everything I read says NO. A clear Terms of Service would have helped the school district in this situation).

This smacks of amateur administration to me. When I worked as a systems administrator, the Fortune 500 I worked for issued laptops to the sales force. The support staff could access the laptop remotely, but only with the user there to click through the permission screens. As soon as the user rebooted the machine, the permissions would have to be granted to the support staff again. Also, we had very, very clear policies of appropriate use of the laptop and software, including email. As an administrator, I could go into anyone’s email. Absolutely any email account in the entire company. Did I? No, of course not. Having the keys to the kingdom also means having the knowledge of the policies (Plus, who has time? I’m not interested in your emails to your mom. My team was busy enough trying to keep the manufacturing lines up and the grid healthy).

I actually got into a bit of hot water once, when a very high-ranking manager came to me, asking for access to his employees accounts. A “bad email” (i.e. racist jokes) was being sent around to his whole manufacturing site. He called me and asked me to track the emails. Together (him remotely) we paged through some email accounts.

I was too inexperienced to have the wherewithal to tell the supervisor to contact my supervisor or my boss’s boss who was equal in rank. I told my boss what happened and I was on the verge of being disciplined. They took mercy on me, because I was new. Eventually I’d come to say “No” constantly to all sorts of high-ranking CEOs in the company, but it was a lesson hard learned.

My point in telling you this story: it’s the tech administrator’s job to know what opens up the company to potential lawsuits. The installation of this webcam software without a very clear Terms of Service and informed consent was just plain stupid. If you are a techie at all, you know about the wire tapping act. You also know that the law doesn’t much care about who “owns” the camera. Your job is to know how to design the infrastructure to protect the company.

I must hold out hope for humanity by imagining that a lowly techie at Harriton High School knew the score, probably spoke up, and the non-technical department heads ignored the warnings. (I can’t tell you how many times that happened to me, telling my boss or others about a weakness in the infrastructure, me being ignored, then a few days later watch it all crash down. After a while, you just don’t even get angry anymore. You just do as you’re told and go home at the end of the day.) It’s hard for me to think that there was not one person in all of the sickeningly-well-funded Harriton school district’s employ that didn’t have 1 clue about the potential mess remote-activation of camera software would bring, no matter what circumstance. I can’t stand to think they’d ALL be that stupid.

And yet, here we are.

Let me know what you think in the comments.
-Christine Cavalier, PurpleCar

The pdf of the actual lawsuit:
robbins17

UPDATE: Feb 19, 2010: The Associated Press reports that the FBI is now looking into criminal charges against the district. The webcams were activated 42 times in the last 14 months supposedly in search of stolen or missing laptops. article here. Also, this video says that Apple released a statement about a bug in the intel-based macbooks that caused the webcam recording light to come on even though the camera wasn’t recording. NBC10 has a bit more to say, including the name of the assistant principal involved. The main question: if only 2 tech admins had access to turn on the webcams, how did the assistant principal get access? (Probably she strong-armed a tech into giving it to her, or she stood over the shoulder of the tech and watched while she/he carried out her commands, much like the email scanning situation I was in that I mentioned above).

CNN has more, citing quotes from Doug Young, the school district’s spokesman:

“Doug Young, a spokesman for the Lower Merion School District, said the district would only remotely access a laptop if it were reported to be lost, stolen or missing.

Young said if there were such a report, the district first would have to request access from its technology and security department and receive authorization. Then it would use the built-in security feature to take over the laptop and see whatever was in the webcam’s field of vision, potentially allowing it to track down the missing computer.

Young said parents and students were not explicitly told about this built-in security feature.

To receive the laptop, the family had to sign an “acceptable-use” agreement. To take the laptop home, the family also would have to buy insurance for the computer.

In an “acceptable-use” agreement, the families are made aware of the school’s ability to “monitor” the hardware, he said, but it stops short of explicitly explaining the security feature. He termed that a mistake.

Young added that mistakes might be made when combining technology and education in a cutting-edge way.”

Wow is this district in hot water or what? There are some lost careers here for sure. Unfortunately, the poor lowly techs – who should’ve known better and should’ve refused – will face criminal charges most likely, when this all comes out. Ultimately, they are the ones who broke the wiretapping laws. Take heed, fellow admins: know your limits.

And Mr. Young’s last statement is ludicrous. Oh sure, “mistakes might be made.” Yes, mistakes might be made when combining technology and dressing rooms too. Or combining alcohol or cars. How about combining idiots with security design?

Flippantly saying “oh, you know, we’re trying, and it’s all new to us” trivializes the matter and further violates and betrays the students and families in the district. It really is no excuse. He’s trying to garner public sympathy by playing on the same old fears of any new media and technology.

The family speaks: ABC6 News Apparently, Blake Robbins was “dealing” Mike & Ikes (mute your speakers before you click that link, jeez!). In the news video, listen to what the father says about worrying about his daughter being photographed when exiting the shower, then see Forrest’s comment below. This case will come down to child porn, especially if the feds are involved.

UPDATE: Feb 22, 2010: Evidence that the admins were stupid, and the administration should listen to its student leaders: http://www.philly.com/inquirer/home_top_stories/20100222_Laptop_camera_snapped_away_in_one_classroom.html The computing staff lauds the security system in this article, and there’s a link to a webcast about it. The systems administrator goes on and on about how great the camera shots are, without any sense of the law or the possible implications of using this feature with minors. Wow. Just, wow.

UPDATE: Feb. 24th 2010: More he said she said. http://www.philly.com/inquirer/breaking/news_breaking/20100224_L__Merion_spying_case_figure__I_did_not_snoop_on_kids.html

This techrepublic blog has a great round-up of tech articles about the software, LanRev, and some other similar apps, as well as commentary about the implications. http://blogs.techrepublic.com.com/itdojo/?p=1559

UPDATE: April 20, 2010 The school district releases the fact that they’ve collected over 56,000 images from the laptops. Over 2/3rds of that number, about 38,500 came from 6 stolen laptops over a 6 month period where the district worked with police and eventually charged the perpetrator with theft. No word on where those laptops were, though, and what the pictures contain. The other 17,500 images are of other students, and the district admits not all uses of the cameras were justified. Why am I not surprised? I’m sure there will be missing images… admins aren’t so stupid as to keep the kiddie porn ones on the district’s servers. http://www.philly.com/philly/news/breaking/20100419_Lower_Merion_details_Web_cam_scope.html

UPDATE: May 12, 2010: The family changes their lawsuit from a class action filing to a personal filing, so other families can individually sue the school district. This is bad news for the school district, I think. We’ll see how it plays out. http://www.philly.com/philly/news/breaking/20100512_Spy-cam_suit_family_drops_plan_for_class-action_status.html

Comments on this entry are closed.

  • Attitude 18 February 2010, 9:19 pm

    Schools tend to have a lot of discretion when it comes to privacy issues – a lot like a company. Individual rights to privacy (including employees and students) have become less protected with time. This will be an interesting case if it isn’t quickly settled first.

    • PurpleCar 18 February 2010, 9:25 pm

      This is true but see the NYT article. It quotes Supreme Court Justice Scalia about the clear line being marked at the door of one’s home. Also, no court will take kindly to the way this software was installed and used without proper consent.

      It won’t be settled quickly. Where Harriton is (very close to me) is the home of all those Philadelphia Main Line lawyers you hear about. It will go on and on. Even though it’s practically next door, I’m actually in another county, so I wouldn’t have a chance to be on a jury. But the school district wants to avoid a jury at all costs, because none of these helicopter, privileged parents will have any sympathy.

      ________________________________

      • tmilewski 18 February 2010, 9:33 pm

        I completely agree.

  • Forrest Cavalier 20 February 2010, 8:38 am

    I agree with the commentary about sys admin pitfalls.

    But I am wondering if the TOS, consent, wiretapping, and theft are the issues. I don’t think a thief has any statutory expectation that stolen property affords privacy in its use. A thief does not consent to the TOS so is not availed of its conditions and limitations. Even if the thief consented to the TOS on the laptop they were issued, it applies to the laptop they were issued, not the one they stole. Newer cars have satellite based anti-theft mechanisms which can track location and degrade engine location. Is there any legal basis for a thief to sue under privacy that they had not consented to the use of technology owned by another and in the possession of the thief illegally? If they activated On-Star, is it protected by wiretapping laws? I doubt it.

    Wiretapping applies to “intercepted communications.” Turning on the webcam as described does not “intercept communication.”

    The school district is shown to have made mistakes, but I think the most grievous and risky one is that turning on the webcams remotely and violating the wiretapping law is not the most serious legal risk. Violating child pornography and civil privacy laws are. There are probably other laws that restrict this kind of do-it-yourself detective work, too.

    In the end, I suspect that child pornography may be what this case is actually about. “Engaging in inappropriate behavior _at home_” is not how one would describe theft, even euphemistically, is it?

    • PurpleCar 20 February 2010, 12:06 pm

      Wiretapping & Electronic Privacy isn’t just about interception of communication, it’s about peeping tom actions too.

      Seems as though the school district was doing some amateur detective work (see the video I just posted from ABC6 news).

      In the video, the father expresses concern about child porn (in this case, it wouldn’t be child porn because his daughter is 18, but that’s besides the point).

      The concern I have about the child porn charges is that I don’t know if they will stick. The prosecution would be hard pressed to show intent to make and distribute child porn, especially if all 42 cases of the camera activation were in response to a stolen laptop (Well, 41 cases, as the Robbins say they never reported a stolen laptop). The news said they recovered 28 laptops using the webcam system.

      Maybe the school district is so stupid as to not wipe their drives before the feds got there, and we’ll see if any child porn comes out. It’s obvious to me the system was not only ill-thought out but abused. There are so many other ways to track stolen laptops. A webcam shot is such a back-assward, low tech solution, it’s almost embarrassing. Since the idea is SO egregiously stupid (especially when other security systems were in place like an IP ping), it makes me think that the school district’s intent was to spy on students. It makes me think they knew what they were doing and just didn’t think they’d be caught.

      But yes, it will probably come down to child porn. I disagree with you that the wiretapping act wasn’t violated. Even the ACLU and the EFF have said so. But I’m sure the Feds are chomping at the bit to charge whomever they can with child porn violations. The Feds have been known to prosecute minors on sexting, and that’s when the minors texted pictures of their own bodies to friends. They don’t fool around.

      So, we’ll see what comes out. I wonder how this Blake Robbins kid got under the skin of the assistant principal for her to go after him with such vigor, but all of that is irrelevant to the case. I really don’t think any of this will show up in court. It’s pretty clear cut so far. People can’t do amateur detective work. School districts have no more rights than the police. These are consistent, clear messages the Supreme Court has sent over the years, and Lower Merion just thought themselves too lofty and immune to listen.

      ________________________________

  • Forrest Cavalier 23 February 2010, 8:10 am

    I think there is something very interesting in the link in your Feb 22 update, all the way at the end. The students quoted think the media has a ‘ridiculous’ portrayal of the situation. And apparently the student body leaders didn’t think it serious enough to go public. I have a hard time believing that with 18 stolen laptops (rich kids steal too) recovered, that the snapshot video feature was not common knowledge. ‘How I got busted’ is irresistible cafeteria talk.

    PurpleCar commented on what the kid did to get on the principal’s bad side. I don’t know what supports that comment. I guess I’m more willing to believe that a principal is genuinely concerned for a student in an area dripping with cash and at high risk for upper class drug abuse and privately calls him aside based on more than just one snapshot. It blows up from there as a defensive denial, a parent’s overprotection and maybe denial of a real problem, media Schadenfreude, and knee-jerk over reactive protections of privacy that we tech-savvy outsiders are only projecting onto the situation based on the morsels we have been fed.

    Suing the school district over this is messed up. Waiting to be sued, or waiting for a media circus in order to comply with the law is messed up. The courts were never intended to sort out this much failure of cool heads, common sense, and willful ignorance. I mean it is no big news to deploy new technology and not realize the implications. Law of unintended consequences applies all the time in tech. But knowing the legal landscape of the last 20 years, and having a student come to you with concerns should have triggered a conversation with the district solicitor.

    • PurpleCar 23 February 2010, 2:11 pm

      As for my “bad side” comment, I was just musing about the randomness of picking out Blake Robbins. I mean, it couldn’t have been a random moment, there are just too many students in that district with those laptops (over 2,000). So the asst. principal had a reason to start up that laptop or to observe Blake Robbins. We don’t know the truth of the situation yet.

      I wouldn’t take one student’s opinion of the news frenzy as an indication of what all the students feel at Harriton. Chatter on the web pretty much is unanimous that they feel pretty violated, but they had all heard rumors that the school district could observe them at the district’s will, by using the webcam option. So they had time to process the injustice and learn to live with it, justifying it in their heads until they came to a point where they could live with it day by day. The post-it note placed over the camera seems to be a well-used option by those who couldn’t come to that peaceful point. (This was all before the media frenzy).

      Knowing the school district and the people as I do, I have to assume that the actions of the system admins and the principal in installing the software and the ignoring of the student leaderships’ concerns are all due to arrogance. This is a very entitled bunch for sure. Of course the parents would sue the district — but only after an egregious overstepping of bounds. Because otherwise, believe me, they can’t be bothered. This is the Main Line. Look it up in Wikipedia. They are more concerned with themselves than community, and the school getting their kid into a good college is the only thing these parents care about. It’s every man for himself out this way. We don’t have McMansions, we have mansions. 16-year-olds don’t inherit their parents’ stationwagons, they get brand new cars for their birthday. They don’t care about privacy unless it is their own. They will only speak up once that has been violated in a way that can’t be justified. Child porn
      potential is the sure-fire winner in the “you’ve got our attention now” game.

      But I still can’t get over the pure, unadulterated stupidity of the admin. I mean, honestly, singing the praises of this software? Is he nuts? It just reeks of amateur all around. We, as administrators, never worked without the close partnership of the law firms. We just didn’t.

      -Christine Cavalier

      ________________________________

Close
Powered by ShareThis