Security Lessons From Pa. Webcam Spying Case

Investigators have concluded a 10-week probe of southeastern Pennsylvania's Lower Merion School District and found no evidence that school officials used the LANrev Theft Track feature, which is designed to remotely track lost or stolen notebook PCs, to intentionally spy on students via Webcam, the Philadelphia Inquirer reported Tuesday.

However, in a report released Monday, investigators criticized school officials for their "overzealous and questionable" use of the technology and for failing to implement policies and procedures governing its use, according to the Philadelphia Inquirer report.

Once activated, the LANrev Theft Track feature snaps a Webcam image every 15 seconds to assist authorities in theft investigations and can also grab screen shots. LANrev and its parent company, Pole Position Software, were acquired by Vancouver-based Absolute Software in December, and that company has decried the school's use of the product as "vigilantism".

The case shows how easy it is for organizations to abuse technology and access in the name of security, says Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security solution provider.


"This highlights a lingering problem with security: Simply because you can do something doesn't mean you should," he said. "The ethics of security rarely gets attention among IT staff, particularly among immature or amateur security professionals."

School district officials activated the built-in Webcam on students' school-issued notebooks whenever the notebooks were reported lost or stolen, but investigators found that in many cases officials failed to turn off the tracking software once the laptops had been found. As a result, the LANrev software captured around 50,000 Webcam images of students and their family members that had nothing to do with any investigation.
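The failure described above is a missing control rather than a missing product feature: nothing tied the capture run to an investigation, so capture simply continued after a laptop came back. The following is an added Python sketch of such a control, written for this page; it is not LANrev's, Absolute Software's or the district's code, and the class and method names, the 30-day expiry and the sample timeline are all assumptions. It permits an image capture only while a ticketed theft case is open, stops capture when the device is reported recovered or the case expires, and records every enable, disable, capture and denial in an audit list so that images taken outside any open case can be counted afterwards.

```python
"""Hypothetical theft-tracking gate (illustration only, not LANrev/Theft Track code).

Image capture is allowed only while a device has an open, ticketed theft case;
recovery or expiry closes the case and every decision is written to an audit list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class TheftCase:
    case_id: str
    opened_at: datetime
    expires_at: datetime
    closed_at: Optional[datetime] = None

    def is_open(self, now: datetime) -> bool:
        return self.closed_at is None and now < self.expires_at


class TrackingController:
    # Assumed policy value: tracking stops on its own even if nobody closes the case.
    MAX_CASE_DAYS = 30

    def __init__(self) -> None:
        self.cases: Dict[str, TheftCase] = {}                        # device_id -> case
        self.audit: List[Tuple[datetime, str, str, str]] = []        # (when, device, event, detail)

    def report_stolen(self, device_id: str, case_id: str, now: datetime) -> None:
        """Enable tracking; a capture run must be tied to a written case id."""
        if not case_id:
            raise ValueError("tracking requires a theft case id")
        expires = now + timedelta(days=self.MAX_CASE_DAYS)
        self.cases[device_id] = TheftCase(case_id, now, expires)
        self.audit.append((now, device_id, "tracking_enabled", case_id))

    def report_recovered(self, device_id: str, now: datetime) -> None:
        """Close the case as soon as the device is back; capture is denied from here on."""
        case = self.cases.get(device_id)
        if case is not None and case.closed_at is None:
            case.closed_at = now
            self.audit.append((now, device_id, "tracking_disabled", case.case_id))

    def capture_allowed(self, device_id: str, now: datetime) -> bool:
        case = self.cases.get(device_id)
        return case is not None and case.is_open(now)

    def request_capture(self, device_id: str, now: datetime) -> bool:
        """Called by the agent on each polling interval; True only while the case is open."""
        if self.capture_allowed(device_id, now):
            self.audit.append((now, device_id, "image_captured", self.cases[device_id].case_id))
            return True
        self.audit.append((now, device_id, "capture_denied", "no open case"))
        return False


def simulate() -> dict:
    """Constructed timeline: one recovered laptop, one never formally recovered."""
    ctl = TrackingController()
    t0 = datetime(2010, 1, 1, 9, 0, 0)

    # Laptop A: reported stolen, found an hour later. The recovery report must stop capture.
    ctl.report_stolen("laptop-A", "CASE-1", t0)
    for i in range(4):                                   # one minute of 15-second polls
        ctl.request_capture("laptop-A", t0 + timedelta(seconds=15 * i))
    ctl.report_recovered("laptop-A", t0 + timedelta(hours=1))
    for i in range(4):                                   # polls after recovery are denied
        ctl.request_capture("laptop-A", t0 + timedelta(hours=1, seconds=15 * i))

    # Laptop B: reported stolen and nobody ever closes the case. Expiry still stops capture.
    ctl.report_stolen("laptop-B", "CASE-2", t0)
    ctl.request_capture("laptop-B", t0 + timedelta(days=1))      # still inside the case window
    ctl.request_capture("laptop-B", t0 + timedelta(days=31))     # past the 30-day expiry

    events = [event for (_, _, event, _) in ctl.audit]
    return {
        "captured": events.count("image_captured"),
        "denied": events.count("capture_denied"),
        "a_open_after_recovery": ctl.capture_allowed("laptop-A", t0 + timedelta(hours=2)),
        "b_open_after_expiry": ctl.capture_allowed("laptop-B", t0 + timedelta(days=31)),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the sketch is the shape of the control, not the mechanics: the agent never decides for itself whether to capture, the decision is made against a case record that a human had to open and that closes on recovery or on a clock, and the audit list is what an investigator would later query to count images taken outside any open case.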

The case began when a school vice principal confronted 15-year-old student Blake Robbins about Webcam images the tracking software took of him in his home. School officials believed the images were evidence of drug-related activity, but Robbins claims the images showed him eating Mike & Ike candies. Later, it was revealed that school officials had also used the software to capture screen shots of Robbins' IM conversations.

Security should be focused on protecting valuable assets and reducing risks, and the school officials' actions here are unacceptable, says Plato.

"Laptops are not high value items that warrant recovery methods like this. Laptops go missing -- this is a fact of life," he said. "As long as sensitive data is secured, hardware is replaceable. And laptops handed to school kids are not going to contain a lot of sensitive data."


As noted by investigators, school officials failed to implement policies covering use of the tracking software. Had those policies been in place, this entire mess probably could have been avoided, in the opinion of some solution providers.

"Policies are integral to comprehensive information security and IT as a whole," said Eric Anderson, CTO of Netanium Network Security, based in North Chelmsford, Mass. "While engineers may not like it, it is essential for the more technical departments to leverage and work with the less technical groups like legal and HR in developing, communicating, and overseeing the enforcement of these policies."

Added Anderson: "Had the district's lawyers been involved, they would likely have identified the privacy concerns and either disclosed it to users or overseen the utilization of the tool. Either way the liability would have been reduced or eliminated."

Robbins' parents have filed a class action lawsuit against Lower Merion School District on behalf of their son and all 2,300 students in the district. The case has also become the focus of an FBI probe and a Congressional debate on whether U.S. wiretapping law needs to be changed. If the law is changed, there would be implications for other security technologies that inspect user traffic, such as data loss prevention (DLP).

David Sockol, president and CEO of Emagined Security, a San Carlos, Calif.-based solution provider, says some organizations haven't taken full account of the legal aspects of DLP technology.

"People still have a reasonable expectation of privacy when they're in an SSL-encrypted tunnel like the ones used in online banking," he said. "But DLP tools have the ability to proxy those SSL connections and check for data loss within the SSL channels."

Changes to wiretapping law could prompt companies to rethink how they handle the task of protecting sensitive data, according to Sockol. The practical check he describes is the same one the school district skipped: before an inspection capability is switched on, legal should have signed off on what it is allowed to see.

"Every time I have a DLP discussion with a customer, I remind them to be very careful about looking into encrypted data streams," he said. "Make sure legal has made a determination because there is risk associated with that."