I first heard about the case of the Lower Merion School District using built in webcams to spy on students a couple days ago, and my initial reaction was a bit of anger.
Today, I read a more in-depth article about the incident, and my anger was somewhat lessened.
The Washington Post article is here:
The WaPo article reveals that the computers were actually suspected of being stolen, or taken without permission, from the school district, and that the ability to turn on the webcam was used to attempt to find out where the possibly purloined computers were located.
Some comment was made in the article that the presence of “security software” was not disclosed in something like a user agreement. That is a reasonable objection, but I do not think that a lack of disclosure of the presence of security software, on a computer that belongs to the school district, is grounds for the probably inevitable lawsuit.
One example, the laptop that I carry is issued to me by the Air Force. Every time I log on I have to acknowledge that the computer is subject to monitoring. Now, the Air Force does not tell people what they do to monitor a computer, but merely perusing the task list, or watching the packets flow over the Ethernet port from the computer to the authentication server, can tell you precisely what is being “phoned home”. I also have to sign a form every year that tells me that the computer isn’t mine, and it belongs to the Air Force, and I can’t put my own software on it, and I can’t put non-mission things on it, like music.
The worst part of this is probably the idea that using a webcam is really needed. I suppose that the idea was to be able to see the users face and so ID the thief/unintentional borrower. I submit that in the case of a true theft, the face of the user likely is not going to be a student, but a person who was given or bought the purloined machine (although the face could be captured for later identification). So the system administrators would be better off with some gathered forensic data.
They should already know the machines MAC. That would be tied to the IP address, and that takes you to the upstream router, and that tells you the ISP (who in almost all cases are perfectly willing to rat out a customer). In most cases you get login information (a lot of SMTP logins are in the clear), so that gives you a name and a billing address and/or a phone number. A keystroke logger could be activated to get similar information.
The fact that only two system administrators were able to enable the webcams is good, as long as there are procedural safeguards (administrative and technical) to ensure that randy admins operating “off the books” can be found out.
So it comes down to who owns the machines. If the school district owns them, then they can basically do what they want with them, and the users can choose to not use the computer if the security requirements are too onerous. And instead of using the webcam, the distract can also DOS the machine for internet use, or something similar, by zorching the Winsock DLL or something similar.
0 comments: on "Security Software, Webcams, and Privacy"
Post a Comment