Tuesday, February 23, 2010

If allegations are true, Pa. school district is on the wrong side of a lot of privacy rules

With a lawsuit filed in federal court last week, school officials in Lower Merion, Pennsylvania are on the defensive over the alleged illegal use of remotely activated webcams in laptop computers issued to students. It seems the MacBooks include software that allows administrators to turn on the webcam to try to help recover a laptop should it become lost or stolen; the security feature has been used several dozen times in such situations, apparently without raising any objections from students or their parents. In the case that prompted the lawsuit, however, a Harriton High School student was accused of engaging in "improper behavior" after school administrators recorded and viewed images of the student putting small objects in his mouth — the school said they were drugs; the student says they were candy. Despite using the photographic "evidence" to support its claim against the student, the school district maintains that it would never use the remote webcam activation for any purpose other than recovery of a lost or stolen laptop. The Lower Merion district superintendent went so far as to claim, "The district has not used the tracking feature or webcam for any other purpose or in any other manner whatsoever." He did not address how a Harriton assistant principal came to be in possession of images from the accused student's laptop webcam, since there was no suspicion that the laptop was missing. There doesn't appear to be any claim of probable cause (not that a school official is legally justified in determining probable cause) with respect to the student's alleged behavior; instead, the claim is based on visual observations made using the webcam.

The most thorough (the term "thorough" doesn't quite do justice to it) accounting of the technical tools involved and the actions and opinions of school network technicians comes from Intrepidus consultants Stryde Hax and Aaron Rhodes in a lengthy blog post.

With the attention now focused on the situation, it is becoming clear that while the alleged practice of remotely monitoring students in their own homes violates a number of federal laws, the school district appears to have acted inappropriately from the outset by not informing students or parents that the webcams in the laptops could be activated remotely. Even if it had provided notification and obtained consent for the explicit purpose of remote activation to aid in recovery of lost or stolen computers, the apparent use of the webcam for routine monitoring would be illegal. Many state and federal laws covering monitoring of employee behavior in the workplace, such as the Electronic Communications Privacy Act, require notification and consent prior to monitoring, so the fact that this monitoring took place in private homes and that minors were surveilled adds a host of other legal and regulatory protections that the school district appears to have ignored. In addition to ECPA, the lawsuit claims violations of federal laws including the Computer Fraud and Abuse Act, the Stored Communications Act, and a section of the Civil Rights Act; the Pennsylvania Wiretapping and Electronic Surveillance Act and Pennsylvania common law; and the Fourth Amendment.