Mike Perbix. Write that name down, because it's sounding more and more like he might have to legally change his name after this mess, no matter what the outcome.
Four days after the story first broke, all hell has broken loose.
County prosecutors are investigating wiretap/privacy laws. Federal prosecutors are issuing subpoenas and the FBI is involved. The school district, meanwhile, has now admitted using the remote webcam spying system 42 times to locate lost or stolen laptops, has suspended the program and has retained outside counsel.
Oh, yeah, and the story now apparently involves Mike & Ike candy.
All of this you probably already knew if you've been following the story so far. However, there's more, so much more...
This guy is a computer security consultant who's done an excellent, in-depth investigation of his own into the technical side of just what exactly the IT people at Lower Merion actually did.
I'm not technically savvy enough to follow everything in this post, but I grok most of it, and...holy shit, Batman! The administration of that school district is screwed!
A few choice bits:
The Spy at Harriton High
The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. In it, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LanRev to take surreptitious remote pictures through a high school laptop webcam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable "curtain mode", a special remote administration mode that makes remote control of a laptop invisible to the victim.
...
Perbix discusses methods for remotely resetting the firmware lockout used to prevent jailbreaking of student laptops. A jailbreak would have allowed students to monitor their own webcam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking webcams were just "a glitch."
...
his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration: "what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking"
What's the purpose of shutting down a camera for the user of the laptop but still making it available to network administrators? Ask yourself: if you wanted to convince someone that a webcam blinking was a glitch, would disabling the cameras help make your case?
...
In a strange twist, the makers of LANRev have come out with a statement saying that school network techs should never have used their software to engage in theft recovery:
"We discourage any customer from taking theft recovery into their own hands," said Stephen Midgley, the company's head of marketing, in an interview Monday. "That's best left in the hands of professionals."
Read the whole thing. It includes links to the video webcast and much, much more. While it's lengthy and some of it gets highly technical, it's a stunning example of just how much power an IT person really has, and just how little thought is given to privacy concerns by many people in a position of authority (sound familiar?).
Oh, and as an expansion of the statement by the maker of the spying software, it now looks like they're distancing themselves as quickly and strongly as possible:
Software maker blasts 'vigilantism' in Pa. school spying case
Absolute Software will update its LANRev to disable camera feature
Update: OK, this isn't really related to the main story, but check out this tech support call to Leo LaPorte, aka The Tech Guy; a woman calls in to complain that her Wi-Fi stopped working--but Leo quickly realizes that this is because she's been swiping her neighbors' totally unprotected wireless connection! It's a great clip, and he also gives some good insight into the security risks involved in doing this for both her and her neighbor:
I should also note that while the laptops in this particular case happen to be Apple MacBooks, this software--or similar--can be used just as easily on Windows or Linux-based laptops or desktops, depending on how the systems and networks are configured.
Update x2: Wow, rec list, thanks, yay, etc etc...ya know, I have no idea what this Mr. Perbix guy is like, but I'd like to think he's something like this guy:
Update x3: As a website developer myself, I thought about adding a more general list of cautionary info about just how easy it is to view all sorts of personal data online, but commenter Rei did a much better job; I highly advise checking out his comment below.
In the end, the simplest way to summarize this is that the moment the administration realized that they were talking about:
--Children
--Webcams
--Bedrooms
...they should've ran like hell away from this idea.
Update x4: Another development--this story is growing and mutating faster than I can keep up with it...
Lower Merion district can't discuss its cameras or other issues without alerting the plaintiff.
The next time Lower Merion school administrators want to talk to students and parents about their laptop-camera controversy, they will have to get a lawyer's blessing.
Not from their own lawyers, but the ones suing them on behalf of a Harriton High sophomore who claims the school invaded his home and his privacy by remotely snapping his image with the camera on his school-provided laptop.
The unusual order, signed by a federal judge yesterday, means those running the elite Lower Merion School District can't say a word about the laptop cameras or any other issues in the suit without giving the other side a copy of what they want to say - plus six hours' notice.
Update x5: Take a look at the official Lower Merion School District 'Getting Started Guide for Student Laptops' (warning: PDF link):
Do not remove the ID label or place any stickers or marking on the laptop. When you return your laptop at the end of the school year, it should look as it did when you received it.
Normally this would be a pretty reasonable (and standard) policy for any school equipment, but under the circumstances this takes on a slightly different tone...
Also, in weird coincidence-land, guess who graduated from Lower Merion?
Yep, Al "I'm in charge!" Haig, Class of '42!!
The real shame of it is that aside from the whole "potentially-spying-on-kids-in-their-bedrooms-without-them-or-their-parents-knowing-about-it" side of the project, the 1-to-1 laptop initiative itself at Lower Merion appears to be extremely well implemented, with tons of thought given to the implementation, policies, procedures and so forth.
Meanwhile, Apple must be absolutely livid that their good name is being sucked into this mess. Just to reiterate, any laptop (or desktop) system with a built-in webcam or microphone (or, for that matter, an external one that's plugged in) is subject to the same (or similar) remote shenanigans.
Update x6: Thanks to skatenyc for this YouTube link to a relevant clip from the PBS documentary "Digital Nation". While the clip in question is from a different school, the principle is the same (although the principal is different--ba-dah-boom!!):
Now, in the example video above, there's an important distinction: The students are ON THE SCHOOL GROUNDS, DURING SCHOOL HOURS. However, even in this case, by the Asst. Principal's own admission, ""They don't even realize we're watching".
I don't know if he means that, at this particular school, the students & parents were explicitly told that everything they do could be monitored (including the webcam) and simply blow that warning off, or that the school specifically never told them (or their parents) about the monitoring capability in the first place. If the former, then I'd side with the school for the most part--as long as the monitoring can only be done on school grounds. If it's the latter, then that's still unacceptable.
Update x7: Thanks to Mother of Zeus for providing the link to Lower Merion's latest update to their FAQ on the mess:
- Did an assistant principal at Harriton ever have the ability to remotely monitor a student at home? Did she utilize a photo taken by a school-issued laptop to discipline a student?
No. At no time did any high school administrator have the ability or actually access the security-tracking software. We believe that the administrator at Harriton has been unfairly portrayed and unjustly attacked in connection with her attempts to be supportive of a student and his family. The district never did and never would use such tactics as a basis for disciplinary action.
Hmmm...the wording of this is awfully tricky. It could technically be true that the Asst. Principal herself never actually "accessed" the software--or even any photos. It's possible that the IT person (presumably Mr. Perbix) used the software, took the pic of the kid, and then just told the Asst. Principal that he caught the kid popping pills or whatever.
Of course it's also possible that the specific allegations in the lawsuit are false. Maybe the kid really was doing drugs. Maybe he planted the pic himself. Maybe there never was a pic taken, or if it was, it was on school grounds. Lots of maybes here--but even if that's the case, the school admin is still in a heap of trouble over the rest of the elements involved, and all of the evidence so far certainly points towards them doing a LOT of "inappropriate behavior" themselves.
- Are students allowed to cover the camera on their school issued laptops with tape?
Yes. There is no requirement that a student use the camera's standard webcam feature.
Well, this obviously addresses their previous policy against "any stickers or markings", and for obvious reasons.
Final Update: OK, I do have to actually get some work done, so I'm gonna make this my last update (at least for today).
Just a parting personal thought on this mess: I happen to be a website developer who also provides hosting myself. As such, I often am personally responsible for creating my clients' email accounts, including issuing them their passwords.
Once in a while, if they're reporting some issue with their email, I'll ask their permission to check their account in order to troubleshoot the problem. While they're usually fine with this, once in a great while a client will respond with some amount of shock, as they had no idea that I was even capable of viewing their email.
At which point I have to remind them that I'm the one who told them what their password was in the first place.
Now, obviously I never actually do spy on their email--not only is it immoral, unethical and probably illegal, it would also destroy my business reputation if I did so. Furthermore, it's likely to be deathly boring for the most part--I have no desire to review how many widgets a client shipped to Butte, Montana last month (or whatever).
The point is, of course, that it is possible that Mr. Perbix and/or the rest of the Lower Merion administration had the best of intentions here; having the ability to spy on the kids at home doesn't necessarily equal having done so. Having said that, however, it sure isn't looking good for these folks, and even if they never actually did "inappropriate" spying, they certainly deserve a massive smack in the face for, at the very least, not informing either the students or the parents--about the spying capabilities up front.