Privacy and freedom: World Gone Mad Part 1

Last week, a story concerning invasion of privacy broke in the US, and it has become a huge talking point globally. The Lower Merion School District provided Apple Mac laptops to students (no private machines were allowed) and installed remote control software on them, allowing the school to remotely activate the web-cams in an apparent attempt to curb theft.

Unfortunately, it appears that these web-cams have been used for a little more than that, as students with perfectly legal laptops indicated that their web-cams seemed to operate at unexpected times (check many of the comments in this link).

One of the students, Blake Robbins, and his parents, have filed a civil rights lawsuit against the school district accusing the school of turning on the web-cam in his computer while it was inside their Penn Valley home, which they allege violated wire-tap laws and his right to privacy. The suit, which seeks class-action status, alleges that Harriton vice principal Lindy Matsko on Nov. 11 cited a laptop photo in telling Blake that the school thought he was engaging in improper behaviour. He and his family have told reporters that an official mistook a piece of candy for a pill and thought he was selling drugs.

Of course the school district is claiming innocence … But things have got a lot more murky with some detailed investigation by Stryde Hax, a security consultant. Some of his findings:

  1. Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large on-line web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.
  2. In a promotional web-cast, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LANrev to take remote pictures through a high school laptop web-cam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANrev to enable “curtain mode”, a special remote administration mode that makes remote control of a laptop invisible to the victim.
  3. Perbix discusses methods for remotely resetting the firmware lockout used to prevent jail-breaking of student laptops. A jailbreak would have allowed students to monitor their own web-cam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking web-cams were just “a glitch.”
  4. In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration.

There’s even more information coming from the students themselves:

  1. Possession of a monitored Macbook was required for classes
  2. Possession of an unmonitored personal computer was forbidden and would be confiscated
  3. Disabling the camera was impossible
  4. Jail-breaking a school laptop in order to secure it or monitor it against intrusion was an offence which merited expulsion

So there are a few questions to ask here:

  1. Was the school district aware of the potential for misuse of this system and its abilities?
  2. Did the school district know about Perbix’s delusions of grandeur?
  3. If not, how could they be so stupid as to not inform the students of this monitoring system?

No matter the outcome, this appears to be a simple case of invasion of privacy. Under no circumstances should anyone be allowed to remotely view a machine without the user’s consent, whether or not that equipment belongs to the user.

Perhaps it’s a matter of bravery on the school district’s part as anti-terrorist laws in the USA have increasingly encroached on citizens’ personal freedoms and civil liberties. If the government can do it, why shouldn’t we?