Webcamgate Is an Expensive Lesson in Security, Privacy
Though it's not getting quite the 24/7 cable news treatment as it garnered when it first hit the wires, the Webcam scandal in Southeastern Pennsylvania (aka "Webcamgate") is still twisting and turning in unpredictable ways. We still don't know exactly what happened, but we do know there are lessons here for everyone concerned about IT security and personal privacy.
For readers just tuning in, here's the background: In February, the Robbins family of Penn Valley sued the Lower Merion School District after discovering that MacBooks issued to all 2,620 students in the district were equipped with Webcams that could be turned on remotely by school officials. How did they found out? Because the Robbins' 15-year-old son Blake was called into a meeting with the school vice principal, during which he was (they say) shown an image of himself at home working on his school-supplied laptop and was questioned about possible inappropriate behavior. According to one report, the school apparently thought Blake was popping pills when he was really just eating candy.
[ Want to cash in on your IT experiences? InfoWorld is looking for stories of an amazing or amusing IT adventure, lesson learned, or war tale from the trenches. Send your story to email@example.com. If we publish it, we'll keep you anonymous and send you a $50 American Express gift cheque. ]
The district admitted it used remote Webcams for tracking lost or stolen laptops -- some 42 times over the last year -- without telling anybody about it. That feature is now disabled. The vice principal in question says quite defiantly that "no time have I ever monitored a student via a laptop web cam, nor have I ever authorized the monitoring of a student via security tracking web cam." (She did not, however, confirm or deny showing Blake Robbins a snapshot of him eating Mike-N-Ikes.)
Since then, local and federal law authorities have opened investigations into the school's use of spy cams. The school district itself hired a computer forensics expert to do his own investigation. Senator Arlen Specter (D-Pa.) is planning to hold hearings about the topic in Philly on March 29, if for no other reason than to have something else to talk about besides health care reform.
Here's where it gets twistier.
The two IT admins who had the ability to turn on the cams are on administrative leave pending the outcome of the district investigation (standard operating procedure, says the school district). One of these techs, Mike Perbix (whose voice can be heard in this video bubbling with excitement over the LANrev tracking technology) is cooperating with the investigation. So is the vice principal, Lindy Matsko. However, the other tech, Carol Cafiero, has refused to give a deposition in the case.
According to a report in the Philadelphia Daily News:
....her attorney, Charles Mandracchia, filed a motion yesterday to block her deposition, saying that it was "premature" and "unnecessary."
Mandracchia said that his client does not have access to pertinent documents. He expressed concern that Robbins' attorney, Mark Haltzman, would "ambush her" in a deposition.
"We didn't say we wouldn't produce her," Mandracchia said. "We're just saying we're not going to produce her now."
(In other words, maybe they'll produce her later. Maybe after Hell freezes over. Or maybe after the District has written a large check to the Robbins family and quietly buried the affair.)
According to news reports, two members of the Harrinton High student council heard about the spy cam feature and approached school principal Steven R. Kline last year. Per the Philadelphia Inquirer:
When Kline confirmed it, students told him they were worried about privacy violations and asked about other types of monitoring. But nothing happened -- not even after the students returned for a follow-up visit, according to other council members who were briefed afterward.
Another group of parents have banded together in an effort to stop the Robbins lawsuit. They've filed a motion asking the judge to allow them to intervene, with the intention of making sure it doesn't get certified as a class-action suit. They don't want to be on the hook for paying a settlement essentially to themselves (and the Robbins' attorneys). And they don't want the district to quietly bury the affair with a large check.
The Inquirer's Joe Tanfani has a great story detailing the history of the case, from the decision to adopt the tracking software (while forgetting to tell anyone about it) to what really happened in the Robbins case. From his account, it sounds like an accumulation of largely well-intentioned-but-brain-dead mistakes. It's worth a read.
The lessons du jour? The unintended consequences of technology can come back and bite you in the behind (because that's where most of us keep our wallets).
Want to protect something? Putting it under lock and key, with a security cam trained on the door and a vicious Doberman in front of it, is one way to do it. But telling everyone about the lock, the cam, and the dog is an even better way. Security is more effective when it's not a secret.
That's my 2.7 cents, adjusted for inflation. What about yours? Post your thoughts below or email me: firstname.lastname@example.org.
his article, "High school Webcam follies, part II: Dumb and dumber," was originally published at InfoWorld.com. Read more of Robert X. Cringely's Notes from the Field blog.