Feb 20 2010

Don’t spy on my children!

I am amazed that the administration at Lower Merion School District (LMSD) couldn’t figure out something my eight year old son realized in just a few minutes, “Spying on people in their own home is wrong.  And really creepy.”  But they obviously couldn’t, so when they supplied 18oo students with Apple laptops 18 months ago, they included software with the laptops that would allow them to track stolen laptops and remotely turn on the iSight cameras on the Macs and take pictures of the thief.  Or pictures of a student doing something unnamed and naughty in his own home.  And then use that picture as evidence to prove that a student was doing something inappropriate in his own home.  After all, who’d ever think a teenager with a laptop would do something inappropriate when home, alone, with access to the Internet and all the sites that are normally forbidden to him?

When LMSD purchase 1800 Mac laptops for their student body, they made what was obviously a legitimate decision in their eyes: place software on the laptops that would allow the district to track their investment if it was lost or stolen.  These are laptops we’re talking about, they’re highly mobile and cost approximately $2000 each, so it’s understandable that the district might want to protect their investment.  But they never told the students or their parents that the software came as part of accepting the laptops.  As far as I can tell, the software installed was most likely one of the following:  LoJack, Undercover, MacTrak, BigFix or Hidden.  All of these systems are meant to be used to track stolen laptops, have the ability to turn on the camera remotely and can take screen captures and pictures through the Mac’s iSight camera.  There maybe several other solutions, and with the exception of BigFix, these are all consumer level products that are meant for one user to track one laptop and aren’t really meant for tracking a large number of users.  This is important because an enterprise version of this spyware is going to have significant logging capabilities, where as a consumer version might be utterly lacking in logging.  Allegedly, only two administrators had access to the systems for turning on the tracking and camera capabilities of the software.  What we’ll have to see now is what sort of logging the use of the software generated.  If it’s a consumer level product, I don’t have much hope for an accurate count, unless the tracking service itself keeps a log of how often the tracking of each laptop is turned on.  LMSD maintains that they “only” used the software 42 times or less than 50, their stories are conflicting.

I’ve been working in IT for a long time and a lot of my friends and acquaintances are people who would loosely be called ‘hackers’ by the public.  I don’t mean the people who are trying to break into your computer, I mean the people who test the limits of any system they come in contact with, just to see what it can do.  Most of the people I know who are good at their IT and computer security jobs are like this; they want to push the envelope so that they know what their systems can and cannot do.  Which is why having tracking and spying software on student laptops scares the snot out of me!  I know from personal experience that one of the first things the administrators of this system probably did was test it to see what they could and could not see from using the spying software, see if they’d be detected when it was turned on and see how they’d be tracked when they did turn on the spy software.  In and of itself, this attitude isn’t a bad thing, it’s part of the nature of the business we work in and the people it attracts.  But given the sensitive nature of who and where these laptops were going to be, unless there’s a complete, unmodifiable log of everything that was done using the spyware, I’m all but certain it was abused at least once during the time it was enabled on student laptops.

Another potential for abuse is exactly what happened to crack this whole issue wide open; a well meaning, if ignorant, Vice Principal used the capability of the spyware to take a picture of a student doing something he wasn’t supposed to.  It’s not clear yet exactly what the nature of the student’s abuse was, if his laptop had been reported stolen, if the software was activated for some other reason or if this was part of a systematic spying on the students.  What is known is that the Vice Principal used pictures taken from the iSight camera with the spying software to confront a student and his family with evidence of wrongdoing in a misguided attempt by the Vice Principal to do what she considered to be the right thing.  Unluckily for her, when it comes to spying on students at home, it’s much less of a slippery slope and more of a sudden drop off into the abyss of ‘1984‘.  I guess the whole school district skipped the ethics class when they were earning their teaching credentials.

The scariest potential abuses of this system both involve people who’d purposefully and knowingly break the rules the school set around this spying system.  Imagine if one of the administrators of the spyware was a closet pedophile or simply thought one of the students was much more mature than his or her years.  Students probably had their laptops sitting on their desks and undressed in front of them fairly often; after all, normal people don’t think their laptop is going to spy on them, so why bother turning it off or closing it before getting ready for bed.  Even worse is the thought that some student or malicious outsider (the classic media definition of ‘hacker’) found out that LMSD had this software installed and was able to break into the spyware system and use it at will.  These are merely suppositions, worse-case scenarios, but they are some of the factors that LMSD should have thought of before implementing spyware on student laptops.  A system such that has this much potential for abuse should have a similarly appropriate level of tracking, alerting and logging to prevent the curious and malicious from doing unethical, illegal and immoral.  Don’t be surprised if at some point in the near future pictures of LMSD students start showing up on the Internet.

The good news is that in addition to the civil suit the Lower Merion School District has been hit with, the FBI has started an investigation into the allegations of wrong doing.  The lawsuit alone is going to cost LMSD more than losing every last laptop would have, possibly by several orders of magnitude.  The business decision to track the laptops therefore turns out to be an utter failure.  Hopefully the FBI will be able to poke around the LMSD systems deeply enough that they’ll find any abuse of the system or confirm the districts assertion that the system was only used 42 times.  This is where all the logging capabilities of the spyware will be tested and the software vendor should expect a subpoena and visit from the FBI soon.  My suggestion to the FBI would be to pay special attention to any system administrator or school official that has had their computer recently re-imaged; while not proof of guilt, given the severity of the potential crimes that could be committed with the schools spyware, it’d be worth sending out the hard drives for recovery of the previous file system.
 
I truly hope that the FBI finds that the LMSD number of 42 times the spyware was used is accurate.  That would mean that most of my worst case scenarios haven’t happened.  But I suspect that even if the system wasn’t purposefully abused, 42 only represents the number of times that the spyware was used while going through the proper processes and procedures at the school district; it might have been used or abused many more times by the people who had access to it by design or by flaw.  And even if 42 is accurate, it will be up to a jury to decide if each of those uses were justifiable and legal.  In a civil court it’s going to be much harder for the school district to defend itself than it will be when the criminal charges are brought against the people responsible for the installation of the spyware.  And I’m confident that at least one person will be brought up on charges unless the whole school district is run and managed by people who are perfect angels.  Given that the system has already been abused, I’m pretty sure that supposition has been disproven.

I’m a parent of two pre-teen boys.  I probably wouldn’t have accepted a laptop from the school for either of them personally; I have more than enough computing power at home that I don’t need to bring someone else’s computer into the house.  And if this had happened in my school district, I’d be screaming for blood.  The school administrators who instigated and ran this program need to lose their jobs; they obviously don’t have enough of a moral compass to understand the difference between right and wrong and have no right to be working with children and teaching the next generation.  That may sound harsh, but these are people who thought that the security and safety of a few laptops was more important than the privacy and safety of the students who were using the same laptops.  A piece of hardware may be expensive, but it’s infinitely less important than my children and the children who live in the Lower Merion School District.  The inability to see that fact is proof of their utter lack of suitability to be working with children in the first place.

It may be that we find out that the spyware LMSD installed was never abused and that every instance of it’s use was justifiable.  But the installation and use of the system in the first place without notifying the parents and students was a utter and complete violation of these families civil liberties and right to privacy, not to mention the administrator’s ethical responsibility.  It shows that the school district placed more value on the laptops than the Constitutional rights of these families.  I find that unacceptable and hope that between the civil suit and the FBI investigation a strong message is sent to schools around the country that this sort of spying on students is not and never will be acceptable in any way, shape or form.  I hate to think about what I’d do if I ever found out my sons’ school district was spying on them in this way; there’s a reason I earned the nickname “Captain Privacy”. 

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

6 responses so far

6 Responses to “Don’t spy on my children!”

  1. @securityinternon 20 Feb 2010 at 7:35 am

    School systems seemingly play by their own rules so often, they have lost all sense of propriety and legality in the process. On the aside, I was encouraged by the students questioning of their laptops behaviour. In the comments of the original Boing Boing post on this issues, students from LMSD stated that they had questioned IT about the “green light”. They were given pat answers, but awareness is good.

    It’ll be interesting to see how this all plays out.

  2. Carlon 20 Feb 2010 at 10:02 am

    Excellent post Martin. I couldn’t agree more with you. What were they thinking? This was a very bad and stupid idea. Like @securityintern said “It’ll be interesting to see how this all plays out.”

  3. The Ashimmy Blogon 20 Feb 2010 at 12:21 pm

    The road to perdition is paved with good intentions…

    So Captain Privacy, my friend Martin McKeay has reacted with the expected outrage over the disclosure that a school district in Pennsylvania had installed “spying” software (not spyware mind you, spying software) on some school issued laptops. I won’t …

  4. […] the privacy of students that used them. The information security community I follow on Twitter, Martin Mckeay in general, are up in arms regarding the school’s behavior, and rightly so. But, with the way things are […]

  5. […] School District.  I’m glad I didn’t see the interview before I’d written my previous post on the situation.  If what the family says is true, almost every statement that the school has made so far is […]

  6. […] the Lower Merion School District forgot in their rush to use camera’s on student laptops to spy on the kids and prove wrong-doing that may or may not have been […]

Trackback URI | Comments RSS

Leave a Reply

%d bloggers like this: