
Tag Archives: webcam

The You in Youtube – Conclusion for Travelogue 4


WebcamGate: general state of (dis-)TRUST

The webcam school spying scandal that broke in mid-February was a bombastic scoop. It offered excellent material for sensationalist media coverage, nourished paranoid fears, and created a heated debate about security and privacy on the Internet.

Harriton High school caught spying!

15-year-old student Blake Robbins accused his school of spying

A high school in Pennsylvania that distributed about 2300 laptops to its students has come into the spotlight of the news as it was revealed that school officials secretly activated the webcams, even when students were at home. The scandal unfolded when the assistant principal summoned a student to her office and accused him of “improper behavior”: consuming drugs. She based her allegations on photos taken by the kid’s webcam showing him eating suspicious substances at home, or what later turned out to be Mike and Ikes candy. Shortly after, the student’s parents filed a class-action lawsuit against the school. As the scandal became public, various other students reported that they had been perplexed by the green lights of their laptops bizarrely going on and off. The school denied that it had invaded the students’ privacy, and explained that the software installed on the computers that allowed remote access to the cameras was a monitoring and security device for locating laptops in case of theft. It admitted that it had activated the students’ webcams 42 times over a 14-month period to recover 28 laptops. However, the family claims that it never reported the computer missing. The FBI is now leading its own investigation.

However, in the era of Skype, ChatRoulette, and the ubiquitous use of security cameras and webcams, this case raises concerns about general security and privacy issues on the Internet. Similar scenarios have occurred in the past. In 2008, a woman discovered that she was being stalked through her webcam by a tech guy who was supposed to repair her computer, but who turned out to have taken about 20,000 photos of her and her friends.

The slippery slope between monitoring and spying

It is not unusual for schools to monitor their students, as a documentary segment called “How Google saved a school” indicates. However, the Harriton WebcamGate stands out because teachers accessed the webcams of their students in their private homes. A blogger called Stryde Hax, a part-time hacker and consultant for an Internet security company called Intrepidus Group, has investigated the case and discussed it on his blog. Stryde Hax explains that the school installed a remote monitoring product named LANRev on its laptops. Even when the computers were connected outside the school networks, the track-and-monitor feature reported back to the administrator and allowed the camera to be activated remotely. As the remote control was invisible (except for the brief moments when the camera light lit up), and the victims were unaware of it, this software qualifies as spyware, defined as “a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge.” Similar products abound on the market for private use, for example Power Spy 2010, and even Skype cameras can be converted into covert snoopers. Another troubling factor is that at Harriton High School, only official computers with monitoring/spyware were allowed, and “jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion” (source: Stryde Hax).

Two IT employees involved in the spying were placed on temporary leave while the investigations into the case continue. However, their lawyers claim that the technicians only turned on the tracking software when they believed that the computers were stolen. They argue that the student who filed the lawsuit hadn’t paid a $55 insurance fee to take the laptop home, so technically they were authorized to track down the computer. Computer recovery software, such as Prey, an open source project, seems to have become very common. Even NYU offers such a service.

In the Harriton High case, a federal court judge banned the webcam activation of the school-distributed laptops, and the company that sold the tracking feature has changed the name of its program and its user policy; from now on, end users can no longer activate the webcam remotely.

Is it legal or not?

Does this sort of spying violate wiretapping laws? In the case of Harriton High, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) believe that it constitutes an infringement, and filed an amicus brief in support of the victim. However, the matter is not that obvious. Kevin Bankston, an attorney for EFF, explains why:

“There is no federal statute that criminalizes or creates civil liability for such secret videotaping unless it involves sound, because then it is an intercept of a verbal communication. So no one can plant a bug in your house without violating wiretapping law, but they can still plant a camera without violating federal wiretapping laws.”

A Skype-camera spy-attack would therefore be illegal. But how about the use of monitoring software in a school or a company with prior consent? According to the EFF, “private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.” However, there is no judicial precedent, and it is up to the court to give further indications. Even for the business world, the case holds important lessons for legal monitoring programs. In the past, the U.S. Supreme Court has underlined the importance of home privacy, as in a 2001 ruling that reaffirmed that “police could not, without a warrant, use thermal imaging equipment outside a home to see if heat lamps were being used inside to grow marijuana.”

Similar dilemmas also arise in the context of computer theft tracking software. At the beginning of March, a techie made it into the headlines in Boston when he helped the police to recover his stolen computers. It is debatable whether evidence collected in this way would be admissible in court, as it doesn’t prove who has actually stolen the computers. In addition, justice initiatives by individual citizens shouldn’t be promoted.

Who’s to blame?

The school’s behavior provoked a public outcry. How could school officials abuse the trust that students and parents give them? The plaintiff argued that students were unaware of the school’s authority to track their computers. On the other hand, it becomes obvious that the responsibility for the failure is shared. The statements of a parent who sends his children to Harriton High School, contacted on Facebook, draw a very different picture:

This means that parents knew about the feature, but did not discuss the full implications and privacy risks with their children or the school’s officials. Did naive trust in the school therefore lead to the spying scandal? The SANS Computer Security Institute points out that trust is one of the Internet’s biggest weak points, as phishing and pharming, two forms of social engineering that are based on eliciting crucial information from victims, represent one of the biggest security problems on the Internet. From this perspective, it is crucial to re-establish trust between the school and the students, which is indispensable for the success of the whole education system. However, the contrary point can be argued too. By installing the surveillance feature, the school proved that it generally distrusts its students. If the relationship had been based on trust, the spy problem wouldn’t have occurred in the first place.

One for all, but not all for one?

As a commentator called willy25 points out in the comment section of ABC’s local Philadelphia television statement: “[o]nce one child’s rights have been violated, all children are at risk.” However, not all parents back the allegations against the school. In fact, the scandal has divided the school’s community. Students show their opposition to the school’s policy with “LMSD [Lower Merion School District] is watching you” T-shirts. In the corresponding Facebook group, they refer to the school as a “prison.” On the other side, many parents and kids defend the school, and have formed different anti-lawsuit groups, like LMSDParents.org / “Reasonable LMSD parents refusing to rush to judgement” (to which Jan Klinkewicz belongs), or Parents in Support of the Lower Merion School District, which collects signatures for a petition to fight the lawsuit. Concerned about the financial impact of a large class-action settlement, the group held several meetings in opposition to the class-action lawsuit. At its current pace, Lower Merion could end up spending, by estimates, more than $1 million a year in legal fees to continue until June, at the expense of the taxpayers, the parents!

It seems that this week a compromise has been found, as lawyers for the school and the family yesterday agreed to “freeze the case for 30 days while computer experts from both sides determine how often the school used the remote tracking software, and how many students were photographed.” However, the question arises whether parents would have gone through with the lawsuit if they didn’t have to pay the costs out of their own pockets. Are we witnessing a partial interpretation of privacy? Is the defense of civil rights a matter of financial resources? Besides these important questions, the Harriton High spy case should open a wider and long-lasting debate about the education system in general, the implications of new technologies for society, and the role of both private and public actors in addressing their risks and opportunities.

New developments in the “WebcamGate”

Last Thursday, two IT employees involved in the Harriton High School webcam scandal were placed on temporary leave while the investigations into the case continue. However, their lawyers claim that the technicians only turned on the tracking software when they believed that the computers were stolen. They argue that the student who filed the lawsuit hadn’t paid a $55 insurance fee to take the laptop home, so technically they were authorized to track down the computer.

Justice in your own hands?

According to media reports, the Lower Merion Police Department also knew about the software. In the case of a theft, the security feature would take a photo with the webcam every 15 minutes. Meanwhile, the company that sold the tracking feature to Harriton High School has changed the name of its program and its user policy; from now on, end users can no longer activate the webcam remotely. In the Harriton High case, a federal court judge banned the webcam activation of the school-distributed laptops. Computer recovery software, such as Prey (an open source project!), seems to have become quite common. Even NYU offers such a service. This week, a techie made it into the headlines in Boston when he helped the police to recover his stolen computers. In this case, the victim had previously connected his home computer to his laptops (GoToMyPC is software that would enable that), and could therefore access the stolen devices and track their location. However, this feature has a flip side too. As the amateur techie observed, “[i]f (the family) had known what they were doing, they actually could have accessed my home computer from the laptop.” In addition, the question remains whether individuals should be encouraged to use this software. It is also debatable whether evidence collected in this way would be admissible in court. First, it doesn’t prove who has actually stolen the computers; it only shows who the new user is. Second, isn’t a warrant first needed to track (even your own) computer?

Who knew what?

There are contradictory statements on who knew about the school’s authority to track their computers. On the one hand, the plaintiff argues that he was unaware of the feature. On the other hand, I contacted a parent on Facebook who sends his children to Harriton High School, and he told me the following:

However, it is unclear whether teachers have discussed the full implications of the tracking feature with their students, and pointed out the possible risk of privacy invasion. In addition, as I outlined in my previous post, the Electronic Frontier Foundation (EFF) believes that “private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.”

Polarized reactions

The scandal has divided the school’s community. Students show their opposition to the school’s policy with “LMSD [Lower Merion School District] is watching you” T-shirts. In the corresponding Facebook group, they refer to the school as a “prison.” I’ve contacted several students to get more details, but they haven’t got back to me (yet). Nevertheless, many parents and kids defend the school, and have formed different anti-lawsuit groups, like LMSDParents.org / “Reasonable LMSD parents refusing to rush to judgement” (to which Jan Klinkewicz belongs), or Parents in Support of the Lower Merion School District, which collects signatures for a petition to fight the lawsuit. Concerned about the financial impact of a large class-action settlement, the group held a meeting in opposition to the lawsuit last Tuesday.

I’ve also detected ad hominem attacks in the comment section of ABC’s local Philadelphia television statement that seek to discredit the plaintiff’s family and imply that they are seeking personal financial profit from the affair. What should be the appropriate steps to follow? One commentator called willy25 underlines that “[o]nce one child’s rights have been violated, all children are at risk.” In any case, I believe that the most important step is to (re-)establish trust between the school and the students, which is indispensable for the success of the whole education system.

How can somebody spy on your webcam?

The recent webcam spying scandal at a school in Pennsylvania has caused worldwide uproar in the news, and proves that paranoid scenarios are actually not so far-fetched. In the era of Skype, ChatRoulette, and the ubiquitous use of security webcams, this case raises serious questions about privacy and Internet security. As I will combine my introductory post and my question, here is some background information first.

The spying scandal at Harriton High School

In mid-February, a high school in Pennsylvania came into the spotlight of the news, and now of the FBI, as it was revealed that school officials were spying on their students by secretly activating the webcams of school-issued laptops, even when students were at home. The scandal unfolded when the assistant principal summoned a student to her office and accused him of selling and taking drugs. She based her allegations on photos taken by the kid’s webcam showing him eating suspicious substances at home, or what later turned out to be Mike and Ikes candy. Shortly after, the student’s parents filed a lawsuit against the school. As the scandal became public, various other students reported that they had been perplexed by the green lights of their laptops bizarrely going on and off. The school denied that it had invaded the students’ privacy, and explained that the software installed on the computers that allowed remote access to the cameras was a monitoring and security device for locating laptops in case of theft.

It is not unusual for schools to monitor and spy on their students, as a documentary segment called “How Google saved a school” indicates. However, Harriton school stands out because teachers accessed the webcams of their students in their private homes, which is why the FBI is now investigating the case.

The scandal poses general questions about the education system, authority, and where to draw the line between monitoring and spying. What is the legal basis or guideline? But first of all, I’d like to know how this is technologically possible. Considering that most laptops have built-in cameras and have become all-purpose devices that we use 24/7, how big is the risk of this kind of surveillance?

How can somebody spy on your webcam?

A simple Twitter search for #spycam quickly leads me to what seems the ultimate information source about the technology behind the Harriton High School scandal. A blogger called Stryde Hax, a part-time hacker and consultant for an Internet security company called Intrepidus Group, has investigated the case and discussed it on his blog. Stryde Hax explains that the school installed a remote monitoring product named LANRev on its laptops. Even when the computers were connected outside the school networks, the track-and-monitor feature reported back to the administrator, and allowed the camera to be activated remotely to take secret pictures. As the remote control was invisible (except for the brief moments when the camera light lit up), and the victims were unaware of it, this software would qualify as spyware, defined as “a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge.”

The market for spy camera software seems to be tremendous! On Google search, a multitude of companies sell this kind of product. For example, Power Spy 2010 proudly claims that it is “[p]erfect for catching cheaters, monitoring employees, children and spouse and even investigating crimes!”


The software allows you to monitor all computer and Internet activities, take screen snapshots like a surveillance camera, and record usernames and passwords, but is “completely legal” according to the company that sells it. However, there are also cheaper ways to turn your webcam into a spying tool: you could simply “use Skype as a covert snooper.”

Legal issues involved

Does this sort of spying violate wiretapping laws? In the case of Harriton High, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) believe that it constitutes an infringement, and filed an amicus brief in support of the victim. However, the matter is not that obvious. Kevin Bankston, an attorney for EFF, explains why:

“There is no federal statute that criminalizes or creates civil liability for such secret videotaping unless it involves sound, because then it is an intercept of a verbal communication. So no one can plant a bug in your house without violating wiretapping law, but they can still plant a camera without violating federal wiretapping laws.”

A Skype-camera spy-attack would therefore be illegal, but how about soundless spying with Power Spy 2010? For example, is it legal to use this software in a company, or could you give your consent to be spied on? According to the EFF, “private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.” However, there is no judicial precedent, and it is up to the court to give further indications. Collecting usernames and passwords without previous consent is certainly a violation of the Fourth Amendment. Another troubling factor is that at Harriton High School, only official (and monitored) computers were allowed, and “jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion” (source: Stryde Hax). How will this case be resolved?

Welcome to hacker culture!

Obviously, another central question is whether somebody can intrude into your computer and gain control of your webcam by other means. As I am quite illiterate in technical issues, I turn to the wisdom of the crowd, and search for the answer on Google, web forums, and even Yahoo Answers. I found out that all you need is a trojan virus that can remotely access your webcam and that a normal Windows firewall will not stop. Another option is to turn to social engineering and to get crucial information (in-)voluntarily from the victim rather than breaking into their system. How easy/difficult is this?

Kevin Mitnick, worldwide hacker celebrity and now security consultant

To my surprise, the hacker community is very generous about sharing its tips and tricks: there are plenty of fun tutorials on Google on how to hack into your friends’ computers and spy through their webcams. In addition, I learn that under the surface of anarchy, there are quite institutionalized platforms and various social norms. There even exists a Hacker Quarterly, and a related biennial hacker conference called HOPE (Hackers On Planet Earth), where the state of the art and future challenges are discussed. More basically, hacking isn’t only about hacking: different subcultures and subgroups exist, like white hats (=ethical hackers, specialized in penetration testing), or black hats (=specialized in unauthorized penetration, seek personal profit). Is Stryde Hax therefore a white hat? Has he been a black hat before, like Kevin Mitnick? Who designs these categories? Plenty of questions to follow…