Peekaboo, I see you

In a very disturbing turn of events, laptops given to students in Pennsylvania high schools have recently been outed as spying tools.

Stock spy tool photo

Who needs fancy spying equipment when you can just give someone a laptop?

The laptops were given to students of the Lower Merion School District of Ardmore, Pa. in order to meet the goals of the district’s one-to-one student-to-laptop initiative.  Unbeknownst to the students who received these laptops and their parents, the laptops’ webcams were able to be remotely activated by school officials, which allegedly allowed them to capture a webcam image and screen shot.

Michael and Holly Robbins first learned of this fact when a high school official accused their son of improper behaviour in his home; they supported this by supplying a picture taken from his laptop.  In very short order, the press revealed  publicly that school officials were able to take remote photographs, and supposedly had been doing so for some time (because how else would a random picture taken with one random laptop reveal something inappropriate?).  School officials acknowledged this capability, and claimed that the feature was a security measure;  only implemented to help track down stolen laptops; they also quickly disabled the feature, at least for the moment.  As of the time of this writing, no public source has released any implementation details, or instructions on how to disable or remove these back doors on the students’ laptops, should the school administrators decide to re-activate the software without express consent from the students and their parents.

It’s no grand task to begin asking some very damning questions here:

  • How was this school official able to conveniently take a picture of the student in question doing something inappropriate randomly?  Just how many pictures did officials take of this student (or other students)  in order to capture this single image?
  • Why was this capacity not documented somewhere?  The parents claim that it was not mentioned either by an official, in the documentation given with the laptop, or on the district’s website.
  • Why, specifically, did officials elect to use a webcam image?  Surely something slightly less invasive, such as a GPS system, could have worked.
  • Why was the back door so readily and haphazardly used?  Surely the right to invade another’s privacy should only be granted under fairly extreme conditions, with some sort of paper trail present for audit purposes.
  • What can happen to these images?  If this official was able to remove the picture from the system to show with the student’s parents, what could a sick-minded official do if he or she were to end up taking a picture when the student was nude?

Michael and Holly Robbins have filed a lawsuit against the district, understandably enough.  In response, the district released a statement on their website, claiming that the feature had never been activated for any purpose beyond laptop recovery.  Clearly, one of these parties is lying; it still raises serious concerns regarding privacy, however.

Unfortunately, these kinds of issues continue to crop up, and will continue to do so as long as money or assets are on the line.  Companies regularly employ some form of tracking software to restrict internet traffic, or log instant message conversations.  It brings to mind the very pertinent question that’s being asked these days: “to what degree do we trade privacy for security?”    It’s a question that the individual, not the system, should answer.

I’d like to hear your thoughts on issues like these; do companies or organizations who supply assets in some way have the right to protect those assets, no matter how invasive?  To what degree do they have the right to do so?  How might something like this be implemented responsibly?

Sources:

http://news.cnet.com/8301-17852_3-10456128-71.html?part=rss&subj=news&tag=2547-1_3-0-20

http://www.computerworld.com/s/article/9158818/Pennsylvania_schools_spying_on_students_using_laptop_Webcams_claims_lawsuit?taxonomyId=84

http://www.lmsd.org/sections/news/default.php?m=0&t=today&p=lmsd_anno&id=1137

I wrote this post for a computer security class I’m taking, but I elected to post it here as well.  If you found your way here through a link in my post on the school board, please comment there rather than here.

Advertisements

~ by buncythefrog on February 19, 2010.

4 Responses to “Peekaboo, I see you”

  1. All I thought from this is all the pr0n that the security people can take when turning the laptops… still, I find great lol in this issue ^_^

  2. So, what is being done now that people are aware of this, to prevent things from happening in the future? My guess is nothing, and knowing that is probably what’s going to happen, its rather sad what people seem to think. Clearly this tech was not well thought out, sure its inexpensive to stick a webcam in a laptop, surely there are other tracking methods that are equally viable, and honestly, I can think of one off the top of my head that would cost nothing. Why didn’t they just use some piece of software to track it upon touching the internet? Is it that hard to have a piece of software written, and implemented somewhere it can’t be easily overridden, that, as soon as an internet connection is available, pings somewhere, such that the person’s ip is visible, I mean, what elseis really needed to track a computer? Clearly this was designed for some invasion of privacy, because this ip based solution would in theory cost significantly less, and when it comes to theft, I’m pretty sure an isp would be more than happy to hand over the address that the laptop had sent its ip from. Sure there is the issue of a proxy, but fopr what is probably roughly the cost of a netbook, i don’t think the typical theif would think that far. The only remaining possibility, it was meant to collect data on the students, and there is probably more we are not aware of. As mentioned, while this is mostly harmless, in the hands of some sick minded idiot, it could mean much worse than how it was probably intended.

    • Despite your name, that was a pretty even-handed and thoughtful comment 😀

      The IP tracking solution could be viable… But one huge flaw comes to light, and it does relate to the proxy comment. When some networks are set up so all ___ number of machines on it all share the same IP address, it starts to become far less viable or possible to track down the user of the laptop. If the thief only used it by plugging it into large networks (the school and free wifi hotspots), that method alone wouldn’t be enough to find them. It might, however, help reveal a pattern, and they might be able to catch the person by just anticipating their actions.

      A better option might then be to install a GPS unit into the machine, which reports the laptop’s position if stolen.

      Even better, have the student be the gatekeeper of the service by having each of them provide a password that only they know which enables it. That would prevent the creeper school official issue, at least.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: