Hi, please

Tag Archives: monitoring

WebcamGate: general state of (dis-)TRUST

The webcam school spying scandal that broke in mid-February was a bombastic scoop. It offered excellent material for sensationalist media coverage, nourished paranoiac fears, and created a heated debate about security and privacy in the Internet.

Harriton High school caught spying!

15-year-old student Blake Robbins accused its school of spying

A high school in Pennsylvania that distributed about 2300 laptops to its students, has got in the spotlight of the news as it was revealed that school officials activated secretly the webcameras, even when students were at home. The scandal unfolded when the assistant principal summoned a student to her office, and accused him of “inproper behavior” consuming drugs. She based her allegations on photos that were taken by the kid’s webcam showing him eating suspicious substances at home, or what later turned out to be Mike and Ikes candy. Shortly after, the student’s parents have filed a class-action lawsuit against the school. As the scandal become public, various other students reported that they had been perplexed by the bizarre on- and off-going green lights of their laptops. The school denied that it invaded the students privacy, and explained that the software installed on the computers that allowed to remotely access the cameras was a monitoring and security device that allowed to locate laptops in case of theft. It admitted that it has activated the students’ webcams 42 times over a 14-month period to recover 28 laptops. However, the family claims that it has never reported the computer missing. The FBI is now leading its own investigation. YouTube Preview Image

However, in the era of Skype, ChatRoulette, and the ubiquitous use of security cameras and webcams, this case raises concerns about general security and privacy issues in the Internet. Similar scenarios have occurred in the past. In 2008, a woman discovered that she was webcamera-stalked by a tech guy who was supposed to repair her computer, but turned out to take about 20,000 photos of her and her friends.

The slippery slope between monitoring and spying

It is not unusual that schools monitor on their students, as a documentary segment called „How Google saved a school“ indicates. However, the Harriton WebcamGate stands out as teachers accessed the webcameras of their students in their private homes. A blogger called Stryde Hax , a part-time hacker and consultant for an Internet security company called Intrepidus Group, has investigated the case and discussed it on his blog. Stryde Hax explains that the school installed a remote monitoring product named LANRev on their laptops. Even when computer were connected outside the school networks, the track-and-monitor feature reported back to the administrator, and allowed to remotely activate the camera. As the remote control was invisible (except the brief moments when the camera lit up), and the victims were unaware about it, this software qualifies as spyware, defined as„a type of malware that is installed on computers and collects little bits information at a time about users without their knowledge.“ Abundant similar products are on the market for private use, as for example Power Spy 2010, and even skype cameras can be converted into covert snoopers. Another troubling factor is that in Harriton High school,  only official computers with monitoring/spyware were allowed, and “jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion“ (source: Stryde Hax).

Two IT employees involved in the spying were placed on temporary leave while the investigations into the case continue. However, their lawyers claim that the technicians only turned on the tracking software when they believed that the computers were stolen.  They argue that the student who filed the lawsuit hadn’t paid a $55 insurance fee to take the laptop home, so technically there were authorized to track down the computer. Computer recovery softwares, like for example Prey, an open source project, seem to have become very common. Even NYU offers such a service.

In the Harriton High case, a federal court judge banned the webcam activation of the school distributed laptops, and the company that sold the tracking feature has changed the name of its program and its user policy; from now on, the end users can’t activate the remote webcam anymore.

Is it legal or not?

Does this sort of spying violate wiretapping laws? In the case of Harriton High, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) believe that it constitutes an infringement, and filed an amicus brief in support of the victim. However, the matter is not that obvious. Kevin Bankston, an attorney for EFF, explains why:

“There is no federal statute that criminalizes or creates civil liability for such secret videotaping unless it involves sound, because then it is an intercept of a verbal communication. So no one can plant a bug in your house without violating wiretapping law, but they can still plant a camera without violating federal wiretapping laws.“

A Skype-camera spy-attack would therefore be illegal. But how about monitoring  software use in a school or a company with prior consent? According to the EFF, „private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.“ However, there is no juridical precedent, and is up to the court to give further indications. Even for the business world, the case holds important lessons learned for legal monitoring programs. Itn the past, he U.S. Supreme Court has underlined the importance of home privacy, as in 2001-ruling that reaffirmed that “police could not, without a warrant, use thermal imaging equipment outside a home to see if heat lamps were being used inside to grow marijuana.

Similar dilemmas arise also in the context of computer theft tracking software. In the beginning of March, a techie made it into the headlines in Boston when he helped the police to recover his stolen computers. Is is debatable if evidence collected in this way would be admissible in court, as it doesn’t prove who has actually stolen the computers. In addition, justice initiaves by individual citizens shouldn’t be promoted.

Who´s to blame?

The schools behavior provoked a public outcry. How could school officials abuse the trust that students and parents give them? The plaintiff argued that students were unaware of the school’s authority to track their computers. On the other hand, it becomes obvious that the responsibilty for the failure is shared. The statements issued by parents who sends his children to the Harriton High school contacted on Facebook draw a very different picture:

This means that parents knew about the feature, but haven’t discussed the full implications and privacy risks with their children or the school’s officials. Did therefore naiv trust in the school led to the spying scandal? The SANS Computer Security Institute points out that trust is the Internet’s biggest week points, as phishing and pharming- two forms of social engeneering that are based on eliciting crucial information from victims, represent one of the biggest security problems on the Internet. From this perspective, it is crucial to re-establish trust between the school and the students, indispensable for the success of the whole education system. However, the contrary point can be argued too. By installing the surveillance feature, the school proved to generally distrust its students. If the relationship would have been based on trust, the spy-problem wouldn’t have been occurred in the first place.

One for all, but not all for one?

As a commentator called willy25 points out on the comment section of ABC’s local Philadelphia television statement: “[o]nce one child’s rights have been violated, all children are at risk.” However, not all parents back the allagations against the school. In fact, the scandal has divided the school’s community. Students show their opposition to the schools policy with “LMSD [Lower Merion School District] is watching you” T-shirts. On the correspondent Facebook group, they refer to the school as a “prison.”  On the other side, many parents and kids defend the school, and have formed different anti-lawsuit groups, like LMSDParents.org / “Reasonable LMSD parents refusing to rush to judgement” (to whom belongs Jan Klinkewicz), or Parents in Support of the Lowe Merrion School District, which collects signatures for a petition to fight the lawsuit. Concerned about the financial impact of a large class-action settlement, the group held several meetings in opposition to the class-action lawsuit. At its current pace, the Lower Merion could end up spending estimating more than $1 million a year in legal fees to continue until June- at the expense of the taxpayers, the parents!

It seems that this week, a compromise has been found as lawyers for the school and the family yesterday agreed to “freeze the case for 30 days while computer experts from both sides determine how often the school used the remote tracking software, and how many students were photographed.” However, the question arises if parents would have gone trough with the lawsuit if they wouldn´t have to pay the costs out of their own pockets. Do we assist to a partial interpretation of privacy? Is the defense of civil rights a matter of financial resources? Besides these important questions, the Harriton Hight spy-case should open a wider and long-lasting debate about the education system in general, the implications of new technologies for society, and the role of both private and public actors in addressing its risks and opportunities.