Peekaboo, I see you
In a very disturbing turn of events, laptops given to students in Pennsylvania high schools have recently been outed as spying tools.
The laptops were given to students of the Lower Merion School District of Ardmore, Pa. in order to meet the goals of the district’s one-to-one student-to-laptop initiative. Unbeknownst to the students who received these laptops and their parents, school officials could remotely activate the laptops’ webcams, which allegedly allowed them to capture a webcam image and a screenshot.
Michael and Holly Robbins first learned of this fact when a high school official accused their son of improper behaviour in his home; the official supported the accusation by supplying a picture taken from his laptop. In very short order, the press revealed publicly that school officials were able to take remote photographs, and supposedly had been doing so for some time (because how else would a random picture taken with one random laptop reveal something inappropriate?). School officials acknowledged this capability and claimed that the feature was a security measure, implemented only to help track down stolen laptops; they also quickly disabled the feature, at least for the moment. As of the time of this writing, no public source has released any implementation details, or instructions on how to disable or remove these back doors on the students’ laptops, should the school administrators decide to re-activate the software without express consent from the students and their parents.
It’s no grand task to begin asking some very damning questions here:
- How was this school official conveniently able to take a random picture of the student in question doing something inappropriate? Just how many pictures did officials take of this student (or other students) in order to capture this single image?
- Why was this capacity not documented somewhere? The parents claim that it was not mentioned either by an official, in the documentation given with the laptop, or on the district’s website.
- Why, specifically, did officials elect to use a webcam image? Surely something slightly less invasive, such as a GPS system, could have worked.
- Why was the back door so readily and haphazardly used? Surely the right to invade another’s privacy should only be granted under fairly extreme conditions, with some sort of paper trail present for audit purposes.
- What can happen to these images? If this official was able to remove the picture from the system to show to the student’s parents, what could a sick-minded official do if he or she were to end up taking a picture when the student was nude?
Michael and Holly Robbins have filed a lawsuit against the district, understandably enough. In response, the district released a statement on its website, claiming that the feature had never been activated for any purpose beyond laptop recovery. Clearly, one of these parties is lying; either way, the case still raises serious concerns regarding privacy.
Unfortunately, these kinds of issues continue to crop up, and will continue to do so as long as money or assets are on the line. Companies regularly employ some form of tracking software to restrict internet traffic, or log instant message conversations. It brings to mind the very pertinent question that’s being asked these days: “to what degree do we trade privacy for security?” It’s a question that the individual, not the system, should answer.
I’d like to hear your thoughts on issues like these: do companies or organizations that supply assets in some way have the right to protect those assets, no matter how invasive? To what degree do they have the right to do so? How might something like this be implemented responsibly?
I wrote this post for a computer security class I’m taking, but I elected to post it here as well. If you found your way here through a link in my post on the school board, please comment there rather than here.
~ by buncythefrog on February 19, 2010.