February 21, 2010    /    by

Pa School Laptops: Reasonable Security or a Privacy Violation?

Many schools around the nation issue student laptops. But what activities are allowed with those laptops by students or family members? What policies apply? What ...

Many schools around the nation issue student laptops. But what activities are allowed with those laptops by students or family members? What policies apply? What happens if a laptop gets lost or stolen? Equally important, what can be done if policies are broken?  How are policies enforced? What privacy rights do students have? What if network or security staff use these tools inappropriately?

These are just a few of the questions being asked by students, parents, lawyers and school administrators around the nation after a student claimed that his school spied on him with a webcam . In case you're not familiar with the case, here's an excerpt from philly.com :

"A Lower Merion (PA) family has set off a furor among students, parents, and civil liberties groups by alleging that Harriton High School officials used a webcam on a school-issued laptop to spy on their 15-year-old son at home.

In a lawsuit filed Tuesday in federal court, the family said the school's assistant principal had confronted their son, told him he had "engaged in improper behavior in [his] home, and cited as evidence a photograph from the webcam embedded in [his] personal laptop issued by the school district."

The suit contends the Lower Merion School District, one of the most prosperous and highest-achieving in the state, had the ability to turn on students' webcams and illegally invade their privacy."

To be fair, the facts of this case are not known at this time. The PA school district denies spying on students . Here is an excerpt of the statement that was made by Dr. Christopher McGinley, who is the Superintendent of the Lower Merion School District:

"Last year, our district became one of the first school systems in the United States to provide laptop computers to all high school students. This initiative has been well received and has provided educational benefits to our students.

The District is dedicated to protecting and promoting student privacy. The laptops do contain a security feature intended to track lost, stolen and missing laptops. This feature has been deactivated effective today."

The letter goes on to describe their policy and reasons for using this security feature - mainly for situations that involve lost or stolen laptops.

So why highlight this issue for government technology professionals? No doubt, some readers have authority and/or oversight responsibilities for school networks, laptops and other technology. In those situations, this case has a direct impact on any student laptop program you are administering. 

And yet, related issues could, and in my personal opinion probably will, surface for government laptops (and other portable devices). That is, the same questions that I asked at the beginning of this blog also apply to adults at work for state and local governments. No, you don't need webcams for similar questions to arise. What about any type of personal use or conversations or activities that you users feel are private?

The vast majority of governments have an acceptable use policy which states that employees should have no expectations of personal privacy protection when using government owned IT resources. While there are many good reasons for these types of policies, turning on laptop webcams to monitor user activity is certainly not a behavior that anyone that I know would condone or implement. In Michigan, we don't even issue webcams on standard state government-issued laptops.

So while we may not have this specific issue, all of us can still ask similar "what if" policy questions about use of government laptops both now and in the future. Questions will also arise for mobile devices (such as blackberries) or cell phones with cameras. For example: Are pictures you take on work cell phones the property of your employer? Most lawyers I know would probably say, "It depends."

A different aspect of this case (or future cases) may involve the potential unauthorized monitoring by technology staff. For example, even if the policy is correct, fair, and proper, what if someone working for a government or school turned on those webcams remotely in violation of the stated policy?  This would be similar to the police misusing their authority and/or weapons to do harm instead of good. Is the school responsible for an employee's unethical behavior? What safeguards are in place?

Meanwhile, technology executives will continue to make decisions on what technology tools should be used for monitoring and accountability with work-issued PCs, laptops or other devices. This CBS News video describes how some private companies are cracking down on those who surf the web on the job while others encourage monitoring with accountability software - where every website and keystroke is captured.  Of course, every situation is different, but some people tend to lump all of these topics together under "spying"- which is an extreme response. Building trust between employees and management is the key, and the employees shown in this video appreciate the fact that they can surf the web within reasonable limits.

There is no doubt that these monitoring tools can be used for good or evil. Remember that malicious hackers could even take control of these same web cams or other devices and use the computer for their own purposes.  The issue of illegal hacking of web cameras is not new, since Bruce Schneier blogged about this topic back in 2005 .        

From a simplistic point of view, this particular school laptop case may seem like an obvious violation of decent behavior. Spying on kids via school laptops with webcams in homes is clearly wrong and a violation of personal privacy. Nevertheless, that may not be what truly happened. Time will tell on this case, and the courts will decide whether this activity was appropriate security or illegal spying on children at home.             

Regardless of the outcome, there will be more cases and similar questions for all of us in government technology. In fact, the same questions also apply to the private sector. We need to ask: what is the right balance between security and privacy. How often should we update our policies? And, what if proper security technology tools are used to violate personal privacy or to do harm to staff?

What are your thoughts on this case or on monitoring software?