Computer spying
Posted: Sun Feb 21, 2010 11:38 am
I subscribe to several IT newsletters. I got this article in one of them today.
It just goes t show that anything that can be used can and will be abused. Now maybe my friends will understand I won't buy GM car because of OnStar.
http://blogs.techrepublic.com.com/itdoj ... ag=nl.e103
IT run amok: Pa. school allegedly spied on students via webcams
Date: February 19th, 2010
Author: Bill Detwiler
Category: Apple, Network Administration, Poll, Security, TR Dojo, privacy
Tags: Security, Webcam, Information Technology, Student, Monitoring, Laptop Computer, Lower Merion School District, Security Feature, Bill Detwiler
Earlier this week, I published a TR Dojo episode on using Prey to recover stolen laptops. This free application allows individuals to collect information that can describe a stolen machines whereabouts, such as the status of the computer, a list of running programs, network and Wi-Fi information, a screenshot of the running desktop, and a picture of the physical surroundings (if the machine has a webcam). Its this last piece of information that can be extremely helpful, but also the most controversial.
On Tuesday, a federal lawsuit was filed against the Lower Merion School District in Ardmore, Pa. accusing school officials of spying on students at Harriton High School through the webcams on school-issued Macbooks. By Wednesday, the story had exploded across the Web and been picked up by local and national media outlets.
According to an Associate Press report published by CBS News:
Lower Merion School District officials can activate the webcams without students knowledge or permission, the suit said. Plaintiffs Michael and Holly Robbins suspect the cameras captured students and family members as they undressed and in other embarrassing situations, according to the suit.
How did the plaintiffs find out about the school districts ability to remotely activate the webcams? Heres another excerpt from the same AP report:
The Robbinses said they learned of the alleged webcam images when Lindy Matsko, an assistant principal at Harriton High School, told their son that school officials thought he had engaged in improper behavior at home. The behavior was not specified in the suit.
(Matsko) cited as evidence a photograph from the webcam embedded in minor plaintiffs personal laptop issued by the school district, the suit states.
Matsko later confirmed to Michael Robbins that the school had the ability to activate the webcams remotely
The Philadelphia Inquirer posted a complete text of the suit (PDF document).
Its important to note that the activities outlined in the lawsuit are still accusations and have not been proven in a court. And although Christopher McGinley, the superintendent of Lower Merion School District, admitted that district personnel could remotely activate the webcams, he asserted that such action was only taken to recover a lost or stolen machine.
In a letter sent to parents and posted on the school districts Web site, McGinley wrote:
Upon a report of a suspected lost, stolen or missing laptop, the feature would be activated by the Districts security and technology departments. The security features capabilities were limited to taking a still image of the operator and the operators screen. This feature was only used for the narrow purpose of locating a lost, stolen or missing laptop. The District never activated the security feature for any other purpose or in any other manner whatsoever.
And on Friday, the AP reported that, Doug Young, a spokesman for the Lower Merion School District, said that district personnel remotely activated webcams 42 times to find missing student laptops, but never did so to spy on students, as a lawsuit claims. Young also told the AP that only two technology department employees were authorized to activate the cameras and only to locate missing laptops.
Spying or hardware monitoring?
These were school-issued machines and, according to reports, students and parents signed agreements to use the machines appropriately. According a CNN report:
To receive the laptop, the family had to sign an acceptable-use agreement. To take the laptop home, the family also would have to buy insurance for the computer. In an acceptable-use agreement, the families are made aware of the schools ability to monitor the hardware, [Young] said, but it stops short of explicitly explaining the security feature.
And, I would expect no less. IT departments having been using acceptable-use policies for decades, and I think most end users are aware that their activity on a company/institution-owned computer can be monitored. However, I believe most reasonable people (both IT professionals and end-users alike) would interpret monitoring to include scanning files on the hard drive, looking for unauthorized applications, and perhaps logging the Web sites accessed through the machines browser. I find it nearly impossible to believe a reasonable person would assume monitoring meant remotely activating a Web cam and taking pictures inside an individuals home.
Unfortunately, theres still a lot we dont know about this case, and there are direct contradictions in the school districts statements and the claims of the plaintiffs and even other students. Various news outlets have quoted Harriton High School students who claim that their Macbook webcams would turn on at random times and without any action on their part. Furthermore, according to a Gizmodo report, when students reported the webcam activations, district IT personnel said the behavior was a technical glitch.
IT/management run amok?
Ive been in IT for nearly 15 years and seen plenty of poor decisions, bad behavior, and even a few cases of true legal violations by IT personnel. But if these allegations are true, this episode takes the cake. And, I cant wait to learn the answers to several important questions.
First, were the webcams EVER activated outside the 42 instances of lost/stolen laptops mentioned by Young? The Lower Merion School District seems to be saying no, while, according to students, district IT personnel have said the camera could be activated due to a technical glitch. Which is it?
Second, was an image taken from a webcam used as evidence as described in the lawsuit. If so, what was the justification for taking such a photo? Had the laptop been reported lost or stolen?
Third, if the cameras were being activated, who was doing the activating and why? Were IT personnel secretly spying on students? Were administrators instructing IT personnel to activate the Webcams when they suspected students were involved in inappropriate behavior?
Lastly, did anyone involved in the decision making process which led to the installation of the monitoring software think this was a bad idea? Didnt anyone think parents and students should be told they might be photographed without their knowledgeeven if it was by accident?
Watching this play out in the courts
As of this posting, the Lower Merion School District has said it is immediately disabled the tracking system, performing a thorough review of the existing policies for student laptop use and reviewing security procedures to help safeguard the protection of privacy, including a review of the instances in which the security software was activated.
It just goes t show that anything that can be used can and will be abused. Now maybe my friends will understand I won't buy GM car because of OnStar.
http://blogs.techrepublic.com.com/itdoj ... ag=nl.e103
IT run amok: Pa. school allegedly spied on students via webcams
Date: February 19th, 2010
Author: Bill Detwiler
Category: Apple, Network Administration, Poll, Security, TR Dojo, privacy
Tags: Security, Webcam, Information Technology, Student, Monitoring, Laptop Computer, Lower Merion School District, Security Feature, Bill Detwiler
Earlier this week, I published a TR Dojo episode on using Prey to recover stolen laptops. This free application allows individuals to collect information that can describe a stolen machines whereabouts, such as the status of the computer, a list of running programs, network and Wi-Fi information, a screenshot of the running desktop, and a picture of the physical surroundings (if the machine has a webcam). Its this last piece of information that can be extremely helpful, but also the most controversial.
On Tuesday, a federal lawsuit was filed against the Lower Merion School District in Ardmore, Pa. accusing school officials of spying on students at Harriton High School through the webcams on school-issued Macbooks. By Wednesday, the story had exploded across the Web and been picked up by local and national media outlets.
According to an Associate Press report published by CBS News:
Lower Merion School District officials can activate the webcams without students knowledge or permission, the suit said. Plaintiffs Michael and Holly Robbins suspect the cameras captured students and family members as they undressed and in other embarrassing situations, according to the suit.
How did the plaintiffs find out about the school districts ability to remotely activate the webcams? Heres another excerpt from the same AP report:
The Robbinses said they learned of the alleged webcam images when Lindy Matsko, an assistant principal at Harriton High School, told their son that school officials thought he had engaged in improper behavior at home. The behavior was not specified in the suit.
(Matsko) cited as evidence a photograph from the webcam embedded in minor plaintiffs personal laptop issued by the school district, the suit states.
Matsko later confirmed to Michael Robbins that the school had the ability to activate the webcams remotely
The Philadelphia Inquirer posted a complete text of the suit (PDF document).
Its important to note that the activities outlined in the lawsuit are still accusations and have not been proven in a court. And although Christopher McGinley, the superintendent of Lower Merion School District, admitted that district personnel could remotely activate the webcams, he asserted that such action was only taken to recover a lost or stolen machine.
In a letter sent to parents and posted on the school districts Web site, McGinley wrote:
Upon a report of a suspected lost, stolen or missing laptop, the feature would be activated by the Districts security and technology departments. The security features capabilities were limited to taking a still image of the operator and the operators screen. This feature was only used for the narrow purpose of locating a lost, stolen or missing laptop. The District never activated the security feature for any other purpose or in any other manner whatsoever.
And on Friday, the AP reported that, Doug Young, a spokesman for the Lower Merion School District, said that district personnel remotely activated webcams 42 times to find missing student laptops, but never did so to spy on students, as a lawsuit claims. Young also told the AP that only two technology department employees were authorized to activate the cameras and only to locate missing laptops.
Spying or hardware monitoring?
These were school-issued machines and, according to reports, students and parents signed agreements to use the machines appropriately. According a CNN report:
To receive the laptop, the family had to sign an acceptable-use agreement. To take the laptop home, the family also would have to buy insurance for the computer. In an acceptable-use agreement, the families are made aware of the schools ability to monitor the hardware, [Young] said, but it stops short of explicitly explaining the security feature.
And, I would expect no less. IT departments having been using acceptable-use policies for decades, and I think most end users are aware that their activity on a company/institution-owned computer can be monitored. However, I believe most reasonable people (both IT professionals and end-users alike) would interpret monitoring to include scanning files on the hard drive, looking for unauthorized applications, and perhaps logging the Web sites accessed through the machines browser. I find it nearly impossible to believe a reasonable person would assume monitoring meant remotely activating a Web cam and taking pictures inside an individuals home.
Unfortunately, theres still a lot we dont know about this case, and there are direct contradictions in the school districts statements and the claims of the plaintiffs and even other students. Various news outlets have quoted Harriton High School students who claim that their Macbook webcams would turn on at random times and without any action on their part. Furthermore, according to a Gizmodo report, when students reported the webcam activations, district IT personnel said the behavior was a technical glitch.
IT/management run amok?
Ive been in IT for nearly 15 years and seen plenty of poor decisions, bad behavior, and even a few cases of true legal violations by IT personnel. But if these allegations are true, this episode takes the cake. And, I cant wait to learn the answers to several important questions.
First, were the webcams EVER activated outside the 42 instances of lost/stolen laptops mentioned by Young? The Lower Merion School District seems to be saying no, while, according to students, district IT personnel have said the camera could be activated due to a technical glitch. Which is it?
Second, was an image taken from a webcam used as evidence as described in the lawsuit. If so, what was the justification for taking such a photo? Had the laptop been reported lost or stolen?
Third, if the cameras were being activated, who was doing the activating and why? Were IT personnel secretly spying on students? Were administrators instructing IT personnel to activate the Webcams when they suspected students were involved in inappropriate behavior?
Lastly, did anyone involved in the decision making process which led to the installation of the monitoring software think this was a bad idea? Didnt anyone think parents and students should be told they might be photographed without their knowledgeeven if it was by accident?
Watching this play out in the courts
As of this posting, the Lower Merion School District has said it is immediately disabled the tracking system, performing a thorough review of the existing policies for student laptop use and reviewing security procedures to help safeguard the protection of privacy, including a review of the instances in which the security software was activated.
)...one day one talked about who he made money...every month he went to the county court house and bought a list of all the people that had been arrested for DUI. He then broke that list down and sold it to the same lawyers each month...the point being that if you own a home, received a ticket, gotten a DUI, been in a accident, etc.. then your information is for sale at your local court/county records and any one can go in and buy a copy to use.