Friday, February 19, 2010

School Principal Spys on Children at Home via Laptop Camera

Whichever side of the infosec coin one is on, a jargon we use to refer to the control of a system is ownership. We refer to a system as “compromised” or “owned” or “pwned” if the person who owns it isn’t also the person who owns it in the legal sense of the term. Most information security practice is concerned with preventing and detecting inappropriate changes in ownership-with-a-p. (I try not to write “pwn” and associated formulations very often, but it’s a temporarily useful distinction to draw out.)

So you own your computer, and do all the right things to make sure no one pwns it, but what about when you’re using a system you don’t own? Many of us have the legal use of a computer in our home that we don’t actually own. Your employer may have issued it to you so that you can do your job. Your school may have issued it to you so that you can do your schoolwork. A friend may have lent you a spare because yours is broken. Some companies insist that its employees work on asset machines to ensure control of company information is never outside company hands.

Privacy on these machines doesn’t work quite the way privacy on your own system works. If you have a computer from your employer, you likely signed something that says you recognize you have no expectation of privacy over that computer. The policy is probably that the company’s staff has the right to look at everything on that computer whenever they like. This just got a bit hairier.

Via Gizmodo, A Principal of a Philadelphia school had the IT staff spying on students at home using the cameras on their school-issued laptops. This came to light in two ways.

First, students noticed as early as 2008 that the light on the camera was turning on at random times. That light is a security feature. The reason cameras on laptops have lights is to alert the person being viewed that the camera is operational. The children who observed the alert did the right thing and called the IT department to report the matter. Unfortunately, the IT department appears to have been on it and told them nothing was wrong.

Second, the Principal had the temerity to discipline a child for “improper behavior in his home,” and produced a photograph taken from the camera to document the incident.

Students are now suing the school and principal, and that’s a good start. There should also be a criminal investigation of the Principal, the IT staff, and anyone else who knew this was going on. Did the children’s parents sign a document indicating that they understood and approved this surveillance? If not, a federal law has been broken. Did anyone with access to these cameras use the images captured for additional criminal purposes, such as extortion or child pornography? We need to know, and it is not merely a civil matter.

The question remains, what to do about the computers in your home that you don’t own? This is the first incident of this type of illegal surveillance I’ve seen hit the news, but we’vetalking about the possibility since the 1990s. In a future article, I’ll talk about the risk management process of deciding how much effort to spend safeguarding yourself and your family from this threat and some practical steps to reduce the risk.


Torris said...

This is absolutely crazy! I ask you what next? Privacy is gone... I loved the Will Smith movie, "Enemy of the State", the concept behind that movie was great. My friends I'm convinced we are living in that day and age now.

Dan Holzman-Tweed said...

Good to see you here, Torris!

I enjoyed Enemy of the State as well, particularly that (if I recall correctly) all the technology in it currently exists.

Magicat said...

As i recall a small piece of tape over the camera prevents it from taking pictures, and the same for the inbuilt microphone.
Or if you want to go really high-grade a bit of chewing gum will do the same thing.

Dan Holzman-Tweed said...

Magicat, that's correct -- and once it came out that they were being peeped on, students started putting tape over the camera!

Part of what I want to do with this blog is talk about how to either raise people to evaluate whether they need to do that before something like this happens; or teach people who have already been raised to get into that sort of habit.

Magicat said...

Good luck with the education of people. I have been "advising" people and organisations about data security for 40 years and I still find passwords taped under phones and memory sticks and Data CD's in unlocked desk drawers when I visit new sites.
Something about leading horses to water springs to mind.
The sad fact is that I have found that most computer users are naturally 'security lazy' and they cannot be trained to think "secure it or lose it", unless that is, they are in an IT security department.

Unfortunately I still get calls to visit sites that have had data losses more than once. The plaintif cry of "we've been robbed" should be changed to "we've been lazy and paid the price....again".

Post a Comment