School Surveillance

Report: 'Overzealous and Questionable' Use of Technology in Laptop Spying Case

• By Dian Schaffhauser
• 05/07/10

A Pennsylvania school district under legal fire for using school laptops that captured images of students in their homes without disclosing the activity has issued a lengthy report that summarizes the findings of an investigation into the matter. The independent investigation performed for the Lower Merion School District in Ardmore concluded that while nobody in the district behaved in an intentional or manipulative manner, the school laptops performed inappropriate tracking activities that should have been turned off much sooner than they were.

As laid out in wide media coverage, including on THEJournal.com, the district faces a lawsuit by the family of a high school student, alleging that it had been "spying" on the students through Web cameras installed on personal computers issued by the district as part of a high school 1:1 program.

The investigation was handled by Ballard Spahr, a national legal firm retained by the district. Ballard Spahr, in turn, contracted with L-3 Services, a Horsham, PA computer forensic consulting firm. The resulting publicly issued report from the 10-week investigation consists of three documents: a 98-page report that summarizes 500,000 pages of documents and 42 interviews; a 48-page forensics analysis by L-3; and a 925-page appendix that includes copies of related board meetings minutes, correspondence, e-mail, help desk support tickets, litigation documents, news coverage, press releases, and congressional testimony.

According to the report, the district purchased LANrev in fall 2007 to disseminate software updates and patches from a remote and centrally controlled server. That application has since been rebranded to Absolute Manage after developer Pole Position Software was acquired by Absolute Software in December 2009--before the lawsuit filing. It included a feature called "TheftTrack," which, when activated, is "capable of recording at a set interval the Internet Protocol address at which the computer was connected to the Internet; a photograph taken by the computer's Webcam of whatever was in front of the Webcam; and an image reflecting whatever was on the computer's screen."

Unlike Absolute Software's products, Computrace and LoJack, which perform a similar function, LANrev could be turned on by users with proper authorization. At the district that consisted of two people in the IS department. (Computrace and LoJack both require Absolute personnel to activate the theft tracking features, and only after a police department has issued a case file.)

In the 2008-2009 school year, the district issued Apple MacBook laptops with Webcams and LANrev as part of a 1:1 program for about 2,300 high school students. Each student and his or her guardian was required to sign district guidelines regarding the use of the network, but the guidelines were dated and didn't specifically address the existence of TheftTrack. Also, each family had to pay insurance fees to cover potential damage or theft. In fact, none of these communications with students or parents referenced the existence of the software.

Nor did the district have policies or procedures to govern the use of the TheftTrack feature by staff. But as a general matter, the report said, "They activated tracking for a particular laptop only if they received an instruction to do so from a school administrator or IS staff member who received a report from the student that his or her laptop was missing or lost."

But practice varied from that unwritten policy. As the investigators found, in one instance, the tracking software was turned on for a laptop possessed by a student whose family had outstanding insurance fees. In other cases where theft or loss had occurred, frequently the tracking remained activated even after the computer had been recovered or found. In fact, according to the report, the "vast majority" of images--87 percent--resulted from a failure to deactivate TheftTrack. Activated tracking recorded up to 56,000 images in total over two years.

In a preliminary presentation to the district, Hank Hockeimer, a partner in Ballard Spahr and a participant in the investigation, said, "We have a handful of situations--in fact there are five or six situations that add up to 12,000 to 13,000 images--where on those five laptops those five students' tracking was on for clearly too long a period of time. We have not seen any intentional or manipulative behavior in connection with those, but clearly those trackings should have been turned off earlier."

Based on its findings, the report's authors could find no evidence that TheftTrack was used to spy on students. "Although there is no forensic method to determine with certainty how often images stored on the LANrev server were viewed, we found no evidence that any district personnel surreptitiously downloaded images from the LANrev server," the report stated. "Rather, the collection of images from laptops while they were in the possession of students resulted from the district's failure to implement policies, procedures, and recordkeeping requirements and the overzealous and questionable use of technology by IS personnel without any apparent regard for privacy considerations or sufficient consultation with administrators."

The report offers several recommendations to the district, including a policy prohibiting remote activation of Webcams on computers issued to students and development of policies and procedures to govern the use of the computers. The authors don't entirely eliminate the possibility of running some form of theft and loss tracking software; however, they emphasized that in choosing an alternative the district needs to use it for security purposes only, that its existence on a computer be fully disclosed, and that it be operated in a manner that doesn't compromise the privacy rights of students or their families. It also urged creation of a permanent log to keep track of each instance of remote access of a student computer and creation of regulations regarding retention of electronic data, including that related to student laptops.

"I accept its findings," wrote district superintendent Christopher McGinley to the community in response to the report. "We must learn, and we will learn, from our mistakes as we prepare for the remainder of this school year and look ahead to the next. Before moving forward, let me again offer an apology, both personally and on behalf of the district, for every mistake identified in this report. We are sorry that a vitally important instructional program was not handled appropriately. I am determined to address the technical issues as well as to improve the management and leadership of the school district."

While McGinley said the district is still reviewing the report, he added that it has already taken a number of steps in response to the allegations in the lawsuit. Those include scheduling of a series of high school meetings to answer student questions and hear their concerns; issuance of a request for proposal to hire a firm with expertise in technology and privacy to guide development of a "comprehensive action plan to address IT governance and policy development"; and calling for volunteers for an "expanded Technology Advisory Council" made up of teachers, parents, students, community members, and administrators to guide district technology initiatives.