Friday, February 26, 2010

Spycamgate followup

I’ve written previously about “Spycamgate,” wherein a school administrator tried to hold a student accountable for perceived behavior at home based on images taken from a camera on the student’s school-issued laptop. The school’s defense is that the webcams are a security feature to track down lost or stolen machines. If so, the school is illustrating how not to do security. In this instance, doing security wrong consists of doing security in a way that is disrespectful of other people’s security. The case for the importance of meticulously respecting other people’s security is simple to make: there are civil and criminal laws against disrespecting other people’s security:

The FBI’s gotten involved, because wiretapping’s a federal felony if you don’t follow the rules. A grand jury as issued a subpoena for the school’s records about how the system was set up and operated. The local DA’s looking into it as well. The class action suit is underway.

I’m skeptical of the school’s claim that this is all a grave misunderstanding and they acted in good, if bumbling, faith. The school is protesting it’s innocence, but they’ve got a lot of work ahead of them to explain how a school administrator was in a position to confuse Mike and Ikes with narcotics if only two specifically authorized personnel ever activated the cameras, and they only did so when computers were reported as lost or stolen. The administrator was not one of the two people, the computer was not reported as lost or stolen.

They’ve also got a lot of work ahead of them explaining why a systems administrator were telling students that the camera light turning on was simply a glitch. Stryde has plenty more about this, including a good technical discussion and potentially damning links to the system administrator’s blog about how to disable the camera for a user but still let administrators get to it remotely.

As the consequences mount for Spycam School, let’s take a moment to examine the lessons already learned:

  • When you do something to enhance your security, you have to examine what impact it might have on other people’s security.
  • When you do something that might impact other people’s security, it’s a really good idea to make sure they understand that signing on to what you’re doing poses a risk to them, so that they can manage that risk for themselves.
  • When you do something that might impact other people’s security, it’s a really good idea to make sure you take as many steps as possible to prevent “might” from becoming “does.”
  • When you do something that does impact other people’s security, it’s a really bad idea to lie to them about it.
  • When doing all of this, having rules to follow will not protect you in the eyes of the law or the public if you do not follow them.

What lessons do you see here? How do you apply those lessons to your business, your personal computing, your offline lives?