Privacy: Absolute or Absolution?

Thursday, July 29, 2010

Wayde York


When one receives access to a computer system within the Department of Defense, Federal government or most large corporations, a warning banner is displayed at login telling the user that they essentially have no expectation of privacy, for what they do on that system.

This goes for desktops and laptops.Therefore none of us who see that banner at each login should be surprised if what we do on the computer is being watched or logged.

In fact, anytime a system is made available by an authority, and that authority retains ownership, a reasonable person would not expect the work they do on that system to be private. Or would they?

In the Lower Merion School District in Montgomery County, Pennsylvania, privacy of computer use takes a new twist.

Now, the school district is being sued by a second family who found their student’s school computer was taking pictures of him and the family, via the built-in webcam.

Nearly 1000 photos and screen shots were taken through the webcam over a period of nearly three months. Previously, the school district was sued for the same activity on February 16 of this year.

At that time, according to an article here:

The district has acknowledged that more than 58,000 photos and screen shots were captured from students' computers while the remote-monitoring policy was in place. More than half the images, the district has said, resulted from technicians' forgetting to turn off monitoring software after computers were recovered.”

An important point is that the security software that activates the camera is not “controlled” by an admin who is viewing snapshots in real-time. Nor is this a video capture capability.

Is this case gross violation of privacy, or a case of misplaced expectations? This case could have both of these components.

I wonder though, how far the privacy claim will go, given the fact that the computers are owned by the school system and loaned to the student. Do expectation of privacy rules differ from Government and corporate rules simply because students are involved?

If the students only used their school-supplied laptops with webcams for school work and nothing else, the likelihood of capturing more than 58,000 images across the affected population would be slim.

The acceptable use policy for students, found here, states that files stored on school assets are not private and ”Network security is designed to allow access to certain areas only by designated users; however, the network administrator may review files and communications to maintain system integrity and ensure that students are using the system responsibly.”

From the looks of it, as a non-lawyer of course, giving out laptops with cameras activated was shortsighted. The admins at the school should have found a way to disable them.

 If the students, or parents, had been savvier to put tape over the camera when it’s not in use, this issue would not have been an issue. But is the school district guilty of a privacy violation versus having an immature security program? I think not.

Possibly Related Articles:
Post Rating I Like this!
Ray Tan It is reasonable that we need to sacrifice our privacy for the consideration of security, in some Chinese companies, the activity of the employers are monitored quietly, people even do not know it.
It is far better in USA, you will get noticed before you use the equipments being monitored.
Niels Groeneveld I think the school should have considered proportionality and subsidiarity. Were these intrusive measures really needed, and were no less intrusive alternatives available ? Also, I wonder what American privacy laws say about covertly taking pictures of people in the privacy of their own homes. The sole fact that the school owned the device doesn't mean that they don't have to take such legislation into account.

Even if you would assume that there was nothing wrong with taking the pictures, you could wonder whether the images could be used for other purposes not related to the purpose for which they were captured. Are student activities in their own homes, which are unrelated to the usage of the school owned devices, of concern to the school ? I don't think schools should be able to discipline students for activities which happen outside of the school, and which are unrelated to the school.

After all, a school is not a substitute for the police, or for the department of justice. The activities detected were not related to the school, were not related the system integrity, and were not related to responsible use of the equipment either.

"If the students, or parents, had been savvier to put tape over the camera when it’s not in use, this issue would not have been an issue."

Wouldn't that be a violation of this security policy, and couldn't violation have led to sanctions (such as having to return the laptop) ? Also, I don't think the possibility to put tape over the camera changes anything in this discussion.

"An important point is that the security software that activates the camera is not “controlled” by an admin who is viewing snapshots in real-time. "

The content was accessible to the school staff, and whether they looked at it 'realtime' seems irrelevant. The question whether these 58.000 pictures were made due to misconfiguration is relevant though. Was the software working as it should, or was the software misconfigured, and shouldn't the pictures have been taken in the first place.

"Do expectation of privacy rules differ from Government and corporate rules simply because students are involved?"

Do you assume that corporations can use laptops for intrusive spying on their employees, or that they could discipline employees for activities unrelated to their work ?

Do you assume that the fact that your employer owns your corporate laptop would allow them to take pictures in your house ?

If so, why wouldn't you allow them to monitor conversations using the device, or to record video so they can see what you do at home ? They own the device, so you shouldn't expect privacy ?

If my employer would show such behavior, I would consider to go to court. There's a huge difference between monitoring my activities on my PC, and using the PC to monitor and record my activities in my own home, where I should reasonably be able to expect privacy.
Niels Groeneveld "Do expectation of privacy rules differ from Government and corporate rules simply because students are involved?"

I think there is a huge difference. You can't reasonably expect a minor to keep "business" and "private" life seperated. Or to have one system for school work, and another system for more private activities.

Intrusive monitoring gives the school access to a lot of content which they should not have access to. Should schools be able to monitor any communication between students ?

This could mean conversations between students about their teachers, conversations between boyfriends and girlfriends, and it could also include materials which legally could be considered as child pornography when captured.

After all, the school could capture a child in his or her room naked after taking a shower. Or children who are experimenting, and who might undress themselves in front of their webcam for their boy- or girlfriend.

Regardless what you think about such behavior, I don't think school employees should be able to record or view such materials, whether recorded intentionally or unintentionally.

From that point of view, I think there is a huge difference between privacy an employee should be able to expect, and privacy a minor should be able to expect, even though in both cases they do not own the device.

Tommy Ward Whoever made the decision to deploy such a system at this school is pretty clueless. It is not just a privacy issue, ie. using the PC's to invade the privacy of student's homes.

There are at least 2 larger legal risks that this usage posed. The first and lesser one is potential violation of the Child Online Privacy Protection Act. I'm assuming here that some of the students were under 13. More critically and much more serious, many adolescents are experimenting with their sexuality, and surreptitiously turning on video recording on these laptops (at least some of which might have been in the kid's bedrooms) creates a non-zero chance of creating what would legally be defined as child pornography.

The decision makers who approved this should be fired at a minimum, because they are not qualified to be making such decisions.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.