Report Blames IT Staff for School Webcam 'Spying' Mess
The IT department of the Pennsylvania school district accused of spying on students using their school-issued laptops took the brunt of the blame in an independent report released Monday.
According to the report, which was commissioned by the Lower Merion School District and conducted by a local law firm, the IT staff not only failed to inform school officials and administrators of the tracking capabilities of the LANrev software, but argued that telling students about the software's ability to remotely trigger notebook Webcams would "defeat its purpose" as a way to recover lost or stolen computers.
The report also shed light on the incident that led a student and his family to sue the district, and revealed that privacy concerns had been raised by another student as early as 2008.
Lower Merion, of Philadelphia suburb Ardmore, Pa., was first sued by Michael and Holly Robbins, and their teenage son Blake, a high school student at Harriton High School, in mid-February after an assistant principal accused Blake of selling drugs and taking pills, and used a snapshot taken by the computer as evidence. Robbins claimed the pictures showed him eating candy.
The Robbins' lawsuit is ongoing.
Saying that the district's information services department had withheld information about LANrev's spying capabilities from the school board, administrators and students, the report noted that among themselves, the IT staff "expressed zeal for what TheftTrack could do." According to the report, people involved with LANrev's TheftTrack feature repeatedly told of tracking a stolen teacher's computer to a local residence, then to Pakistan, then back to Pennsylvania.
Since the Robbins' lawsuit, Absolute Software, LANrev's seller, has issued a patch that disables the function.
Virginia DiMedio, until June 2009 the district's director of technology, came under fire for not telling school officials of TheftTrack and its capabilities, although she allegedly had several opportunities to do so. DiMedio declined to be interviewed for the report unless she was compensated for the time her personal lawyer would be billed; the district refused to reimburse her.
In August 2008, a Harriton High student intern in the IT department raising concerns about the tracking feature with DiMedio. "I would not find this a problem if students were informed that this was possible, for privacy's sake. However, what was appalling was that not only did the District not inform parents and students of this fact...," the student wrote in an e-mail to DiMedio.
In the same e-mail, the student proved prescient. "I feel it would be best that students and parents are informed of this before they receive their computers. And while this only slightly sways my opinion on 1:1 [the district's program to provide a MacBook to every high school student], i could see not informing parents and students of this fact causing a huge uproar."
Both DiMedio and another IT staffer, Mike Perbix, dismissed the student's concerns in reply e-mails.
"There is no way that I would approve or advocate for the monitoring of students at home," said DiMedio. "I suggest you take a deep breath and relax."
"It is only used in the case where a laptop is reported as stolen of missing," Perbix told the student.
Actually, the district activated notebook cameras remotely for other reasons, including in the case of Blake Robbins.
In October 2009, Robbins had been issued a loaner laptop after he turned in his for repair of a broken screen; later that same day, school personnel said that he should not have been given a loaner since he had outstanding insurance fees. The IT department activated tracking in an attempt to locate the loaner, but left the photo-snapping feature on for more than two weeks, during which LANrev took 210 photographs and 218 screenshots.
On Oct. 26, Perbix noted a screenshot taken of Robins' laptop that "included an online chat that concerned him;" he later brought it to the attention of George Frazier, the director of information services, and his boss.
In early November, several Harriton High administrators, including Lindy Matsko, an assistant principal at the school, and Steve Klein, the school's principal, met to discuss images captured by Robbins' computer.
"According to Ms. Matsko, Mr. Kline advised her that unless there was additional evidence that gave them a contextual basis for doing so, school officials should not discuss the images with the student or his parents because they involved off-campus activities," the report stated. "Ms. Matsko ultimately decided, about one week later, that it was appropriate to discuss certain seemingly troubling images with Mr. Robbins and/or his parents."
The report also disclosed that tens of thousands of photographs had been captured by the district's LANrev software -- the exact total is unknown because the IT department purged the program's database last year in an attempt to boost performance -- and that in at least two instances, Webcams were activated on the wrong laptops.
"Although we found no evidence that District personnel used TheftTrack to 'spy' on students, or that District personnel surreptitiously downloaded images from the LANrev server, our investigation leaves unresolved questions that raise serious concerns about why so many images were captured without apparent regard for privacy considerations," the report concluded.
Last week, the federal judge overseeing the Robbins' lawsuit issued an order that required Carol Caliero, the district's information systems coordinator, to let the Robbins' attorney make copies of the hard drives of her two personal computers. The order was in response to a motion by the Robbins' lawyer to determine whether Caliero -- along with Perbix, the only school employees allowed to switch on the cameras -- had used the software to spy on students, and had transferred images to her own machines.
Caliero and Perbix, both 12-year veterans of the district, were put on paid administrative leave last February, shortly after the Robbins filed their lawsuit.
The report, which was released to the public late Monday by Lower Merion, can be downloaded from the district's Web site (download PDF).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Privacy in Computerworld's Privacy Knowledge Center.