Earlier this week, I published a TR Dojo episode on using Prey to recover stolen laptops. This free application allows individuals to collect information that can describe a stolen machine’s whereabouts, such as the status of the computer, a list of running programs, network and Wi-Fi information, a screenshot of the running desktop, and a picture of the physical surroundings (if the machine has a webcam). It’s this last piece of information that can be extremely helpful, but also the most controversial.

On Tuesday, a federal lawsuit was filed against the Lower Merion School District in Ardmore, Pa. accusing school officials of spying on students at Harriton High School through the webcams on school-issued Macbooks. By Wednesday, the story had exploded across the Web and been picked up by local and national media outlets.

According to an Associate Press report published by CBS News:

Lower Merion School District officials can activate the webcams without students’ knowledge or permission, the suit said. Plaintiffs Michael and Holly Robbins suspect the cameras captured students and family members as they undressed and in other embarrassing situations, according to the suit.

How did the plaintiffs find out about the school districts ability to remotely activate the webcams? Here’s another excerpt from the same AP report:

The Robbinses said they learned of the alleged webcam images when Lindy Matsko, an assistant principal at Harriton High School, told their son that school officials thought he had engaged in improper behavior at home. The behavior was not specified in the suit.

“(Matsko) cited as evidence a photograph from the webcam embedded in minor plaintiff’s personal laptop issued by the school district,” the suit states.

Matsko later confirmed to Michael Robbins that the school had the ability to activate the webcams remotely…

The Philadelphia Inquirer posted a complete text of the suit (PDF document).

It’s important to note that the activities outlined in the lawsuit are still accusations and have not been proven in a court. And although Christopher McGinley, the superintendent of Lower Merion School District, admitted that district personnel could remotely activate the webcams, he asserted that such action was only taken to recover a lost or stolen machine.

In a letter sent to parents and posted on the school district’s Web site, McGinley wrote:

Upon a report of a suspected lost, stolen or missing laptop, the feature would be activated by the District’s security and technology departments. The security feature’s capabilities were limited to taking a still image of the operator and the operator’s screen. This feature was only used for the narrow purpose of locating a lost, stolen or missing laptop. The District never activated the security feature for any other purpose or in any other manner whatsoever.

And on Friday, the AP reported that, Doug Young, a spokesman for the Lower Merion School District, said that district personnel “remotely activated webcams 42 times to find missing student laptops, but never did so to spy on students, as a lawsuit claims.” Young also told the AP “that only two technology department employees were authorized to activate the cameras — and only to locate missing laptops.”

Spying or hardware monitoring?

These were school-issued machines and, according to reports, students and parents signed agreements to use the machines appropriately. According a CNN report:

To receive the laptop, the family had to sign an “acceptable-use” agreement. To take the laptop home, the family also would have to buy insurance for the computer. In an “acceptable-use” agreement, the families are made aware of the school’s ability to “monitor” the hardware, [Young] said, but it stops short of explicitly explaining the security feature.

And, I would expect no less. IT departments having been using acceptable-use policies for decades, and I think most end users are aware that their activity on a company/institution-owned computer can be monitored. However, I believe most reasonable people (both IT professionals and end-users alike) would interpret “monitoring” to include scanning files on the hard drive, looking for unauthorized applications, and perhaps logging the Web sites accessed through the machine’s browser. I find it nearly impossible to believe a reasonable person would assume “monitoring” meant remotely activating a Web cam and taking pictures inside an individual’s home.

Unfortunately, there’s still a lot we don’t know about this case, and there are direct contradictions in the school district’s statements and the claims of the plaintiffs and even other students. Various news outlets have quoted Harriton High School students who claim that their Macbook webcams would turn on at random times and without any action on their part. Furthermore, according to a Gizmodo report, when students reported the webcam activations, district IT personnel said the behavior was a technical glitch.

IT/management run amok?

I’ve been in IT for nearly 15 years and seen plenty of poor decisions, bad behavior, and even a few cases of true legal violations by IT personnel. But if these allegations are true, this episode takes the cake. And, I can’t wait to learn the answers to several important questions.

First, were the webcams EVER activated outside the 42 instances of lost/stolen laptops mentioned by Young? The Lower Merion School District seems to be saying no, while, according to students, district IT personnel have said the camera could be activated due to a technical glitch. Which is it?

Second, was an image taken from a webcam used as evidence as described in the lawsuit. If so, what was the justification for taking such a photo? Had the laptop been reported lost or stolen?

Third, if the cameras were being activated, who was doing the activating and why? Were IT personnel secretly spying on students? Were administrators instructing IT personnel to activate the Webcams when they suspected students were involved in “inappropriate behavior?”

Lastly, did anyone involved in the decision making process which led to the installation of the monitoring software think this was a bad idea? Didn’t anyone think parents and students should be told they might be photographed without their knowledge–even if it was by accident?

Watching this play out in the courts

As of this posting, the Lower Merion School District has said it is immediately disabled the tracking system, performing a “thorough review of the existing policies for student laptop use” and reviewing “security procedures to help safeguard the protection of privacy, including a review of the instances in which the security software was activated.”

Will this be enough to satisfy parents and students? Would it satisfy you?

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.