The recent webcam spying scandal at a school in Pennsylvania has caused worldwide uproar in the news, and proves that paranoid scenarios are actually not so far-fetched. In the era of Skype, ChatRoulette, and the ubiquitous use of security webcams, this case raises serious questions about privacy and Internet security. As I will combine my introductory post and my question, here is some background information first.
The spying scandal at Harriton High School
In mid-February, a high school in Pennsylvania came into the spotlight of the news, and now of the FBI, as it was revealed that school officials were spying on their students by secretly activating the webcams of school-issued laptops, even when students were at home. The scandal unfolded when the assistant principal summoned a student to her office and accused him of selling and taking drugs. She based her allegations on photos taken by the kid’s webcam that showed him eating suspicious substances at home, which later turned out to be Mike and Ike candy. Shortly after, the student’s parents filed a lawsuit against the school. As the scandal became public, various other students reported that they had been perplexed by the green lights of their laptops bizarrely going on and off. The school denied that it had invaded the students’ privacy, and explained that the software installed on the computers that allowed remote access to the cameras was a monitoring and security device used to locate laptops in case of theft.
It is not unusual for schools to monitor and spy on their students, as a documentary segment called “How Google saved a school” indicates. However, Harriton stands out because teachers accessed the webcams of their students in their private homes, which is why the FBI is now investigating the case.
The scandal poses general questions about the education system, authority, and where to draw the line between monitoring and spying. What is the legal basis or guideline? But first of all, I’d like to know how this is technologically possible. Considering that most laptops have built-in cameras and have become all-purpose devices that we use 24/7, how big is the risk of this kind of surveillance?
How can somebody spy on your webcam?
A simple Twitter search for #spycam quickly leads me to what seems to be the ultimate information source about the technology behind the Harriton High School scandal. A blogger called Stryde Hax, a part-time hacker and consultant for an Internet security company called Intrepidus Group, has investigated the case and discussed it on his blog. Stryde Hax explains that the school installed a remote monitoring product named LANRev on their laptops. Even when the computers were connected outside the school networks, the track-and-monitor feature reported back to the administrator, and allowed the administrator to activate the camera remotely and take secret pictures. As the remote control was invisible (except for the brief moments when the camera lit up), and the victims were unaware of it, this software would qualify as spyware, defined as “a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge.”
The market for spy camera software seems to be tremendous! A Google search turns up a multitude of companies selling this kind of product. For example, Power Spy 2010 proudly claims that it is “[p]erfect for catching cheaters, monitoring employees, children and spouse and even investigating crimes!”
The software allows you to monitor all computer and Internet activities, take screen snapshots like a surveillance camera, and record usernames and passwords, but is “completely legal” according to the company that sells it. However, there are also cheaper ways to turn your webcam into a spying tool: you could simply “use Skype as a covert snooper.”
Legal issues involved
Does this sort of spying violate wiretapping laws? In the case of Harriton High, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) believe that it constitutes an infringement, and filed an amicus brief in support of the victim. However, the matter is not that obvious. Kevin Bankston, an attorney for EFF, explains why: “There is no federal statute that criminalizes or creates civil liability for such secret videotaping unless it involves sound, because then it is an intercept of a verbal communication. So no one can plant a bug in your house without violating wiretapping law, but they can still plant a camera without violating federal wiretapping laws.”
A Skype-camera spy-attack would therefore be illegal, but how about soundless spying with Power Spy 2010? For example, is it legal to use this software in a company, or could you give your consent to be spied on? According to the EFF, “private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.” However, there is no judicial precedent, and it is up to the court to give further indications. Collecting usernames and passwords without prior consent is certainly a violation of the Fourth Amendment. Another troubling factor is that in Harriton High School, only official (and monitored) computers were allowed, and “jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion” (source: Stryde Hax). How will this case be resolved?
Welcome to hacker culture!
Obviously, another central question is whether somebody can intrude into your computer and gain control of your webcam by other means. As I am quite illiterate in technical issues, I turn to the wisdom of the crowd, and search for the answer on Google, web forums, and even Yahoo Answers. I found out that all you need is a trojan that can remotely access your webcam and that a normal Windows firewall will not stop. Another option is to turn to social engineering and get crucial information (in-)voluntarily from the victim rather than breaking into their system. How easy/difficult is this?
To my surprise, the hacker community is very generous about sharing its tips and tricks: there are plenty of fun tutorials on Google on how to hack into your friends’ computers and spy through their webcams. In addition, I learn that under the surface of anarchy, there are quite institutionalized platforms and various social norms. There even exists a Hacker Quarterly, and a related biennial hacker conference called HOPE (Hackers On Planet Earth), where the state of the art and future challenges are discussed. More basically, hacking isn’t only about hacking: different subcultures and subgroups exist, like white hats (=ethical hackers, specialized in penetration testing), or black hats (=specialized in unauthorized penetration, seek personal profit). Is Stryde Hax therefore a white hat? Has he been a black hat before, like Kevin Mitnick? Who designs these categories? Plenty of questions to follow…