Tornado Alley (PROG)

[arizona1]

Has anyone been following this story out of PA?

[Update x4] WebCamGate Report Released. Conclusion? They're screwed.
by Brainwrap

Mon May 03, 2010 at 08:59:59 PM PDT

LET'S REVIEW, SHALL WE???

So far in the As the WebCam Turns®, we've learned that:

--They never informing the parents or students of the remote surveillance program

--The Lower Merion School District first denied that the program existed

--They then denied that it was ever used to monitor students...

--They then admitted that it was activated "only 42 times"

--Then admitted that it was activated "80 times"

--Then, that it was activated ""about 146 times"

--Then, they admitted that over 56,000 images--many of which depict underage teenagers' bedrooms, and all of which were taken without the students' knowledge--were uploaded to the schools' servers over a 2-year period.

--The IT director then claimed that the school has the legal right to spy on your kid in their bedroom if they fail to pay a fee...

--We learned that it wasn't just photos which were taken, but screen shots of the laptops as well, including instant messages or video chats [he] had with friends...

--We learned that the administrator in charge of the program, Carol Cafiero (the same one who took the fifth in her deposition), who had previously refused to turn over her home personal computer, finally agreed to do so...

--We learned that Cafiero "Loved" the "little LMSD soap opera" that she and her IT colleagues had an exclusive audience to for the past 2 years...

--We learned that:

--Mrs. Robbins supposedly tried repeatedly to get school officials to give her some direct answers about why they were taking pictures of her son in his bedroom before filing the lawsuit as a last resort.

--Some of the pictures which the Daily News confirmed seeing included shots of the son, Blake, shirtless after getting out of the shower, pics of his father, pics of his friends, and screenshots of video chats and instant message conversations between Blake and third parties.

--The mother, Holly Robbins, thinks that pics of her daughter may have also been taken by the school--but can't be sure, since there's a weeks' worth of images that the district "hasn't been able to recover".

--The school district admitted that not telling the parents about the remote surveillance was "a colossal screwup" (their words)

--Carol Cafiero, the woman charged with running the program, told her side of the story...and did herself no favors in doing so. Her defense is filled with all sorts of "I was powerless to do anything" crap:

"she asked her bosses at least three times to clarify the rules"

""I tried to get the administration to look closely and get a policy on several occasions," Cafiero said in her first interview since the district put her on paid leave. "There was only so much I can do. They did nothing. It fell on deaf ears."

According to Cafiero, Frazier said he opposed activating the Web cams on students' laptops, but other administrators wanted to keep using the feature..."There was some back-and-forth discussion amongst them and the final decision was to keep doing what we were doing," she said. "I was a little surprised, but, again, I wasn't the policy maker."
...

Two days after the thefts, Cafiero e-mailed DiMedio. "Can we please get a procedure or some chain of command together next week?" she wrote.

But no such meeting was ever held, Cafiero said.

...notes that she said were from the meeting describe the outcome. Next to "Establish Computer Tracking Guidelines," she typed: "Discussed but no decision was made."

As one comment in the article put it:

"Cafiero accepts her $100,000+ salary but wants to portray herself as a simple clerk who had no ability to affect or create policy."

As another commenter put it,

This level of acquiescence of Cafiero's is hard for me to understand. Had I been in Cafiero's position, I would have emailed DiMedio "Until the formal policy is established, I would like to confirm that I am to initiate tracking of the laptops under the following circumstances:

.

++++++++++++++++++++++++++++++++++++

ALL OF THIS LEADS UP TO TODAY'S REVELATIONS: ie, the official report on the whole mess (pdf) by the law firm of Ballard Spahr and L3 Communications, which was brought in to assist in the investigation. However, before I continue, I should note that as bad as this report makes the LMSD administrators and IT staff look, Ballard Spahr is THEIR law firm.

That's right, the following revelations are part of the DEFENSE ATTORNEYS in the case. One can only begin to imagine what the prosecution (or the FBI, which is also doing their own investigation) might come up with:

--Officials knew that the student had taken his school-issued laptop home, but activated the remote webcam anyway, taking hundreds of secret photos and screenshots, including him sleeping, partly dressed, his father, and IMs/photos of friends of his.

--The total number of pics secretly taken from the students' computers has gone up from 56,000 to 58,000...at a minimum; 50,000 of which were taken after the laptops had already been found and re-issued to students, showing the students, their friends and families.

And this is just what's been reported so far, an hour or so after the report was released.

Feel free to peruse it yourself to see what other lovely eye-grabbers come to light (pdf)

For example, here's the section describing the photos taken from Blake Robbins' laptop (he's the student who busted this whole story open in the first place):

On October 20, 2009, Blake J. Robbins brought his One-to-One laptop to the HHS Help Desk with a broken screen and was issued a loaner laptop. Later that morning, Building-Level technician Kyle O’Brien, Desktop Technician Chuck Ginter, and Rhonda Keefer, the teacher liaison to the One-to-One program, conferred and agreed that Mr. Robbins should not have been issued a loaner laptop in light of outstanding insurance fees.

Mr. Ginter then e-mailed Ms. Matsko and informed her that “we need to retrieve the laptop ASAP.”

There is a conflict between HHS Assistant Principal Lindy Matsko and Mr. O’Brien about who directed Mr. O’Brien to have tracking activated: Mr. O’Brien testified at his deposition in the Robbins lawsuit that Ms. Matsko instructed him to have TheftTrack activated; Ms. Matsko testified at her deposition that she did not authorize tracking.

In any event, at 1:10 p.m. on October 20, 2009, Mr. O’Brien e-mailed Mr. Perbix and directed him to activate TheftTrack on Mr. Robbins’s loaner laptop.

At 3:55 p.m., Mr. Perbix advised Mr. O’Brien by e-mail that the laptop was “[n]ow currently online at home."

The next day, Mr. Perbix asked Mr. O’Brien whether he should continue tracking the laptop.

Mr. O’Brien responded “yes.”

Mr. O’Brien told us that he believed that he needed authorization from Ms. Matsko, which he never requested or received, to terminate tracking. Consequently, the loaner laptop was tracked from October 20, 2009 to November 4, 2009, resulting in the capture of 210 webcam photographs and 218 screenshots that were recovered in the investigation.

On or about October 26, 2009, Mr. Perbix observed a screenshot from the loaner laptop. The screenshot included an on-line chat that concerned him.

On or about October 30, 2009, Mr. Perbix showed that image to Mr. Frazier. After consulting with Mr. Frazier, on October 30, 2009, Mr. Perbix set up a folder in the LMSD network home directories of HHS
Principal Steve Kline and Ms. Matsko to enable them to view the images captured from the laptop issued to Mr. Robbins.

On November 2 or 3, 2009, Ms. Matsko and Mr. Kline, in a meeting also attended by HHS Assistant Principal Lauren Marcuson, discussed certain images captured from Blake Robbins’s loaner laptop. According to Ms. Matsko, Mr. Kline advised her that unless there was additional evidence that gave them a contextual basis for doing so, school officials should not discuss the images with the student or his parents because they involved off-campus activities.

Ms. Matsko ultimately decided, about one week later, that it was appropriate to discuss certain seemingly troubling images with Mr. Robbins and/or his parents. The substance of the conversation or conversations in which she did so is disputed. In that regard, it bears noting that the Robbinses have not been interviewed or deposed.

It's absolutely crammed full of damning stuff like this. The kid hadn't paid the insurance fee, but they issued him a new laptop anyway. Then, when someone realized that they shouldn't have done so, instead of doing what any rational person would have done--called the kid up and told him to return the laptop, which they knew he had, since they're the ones who had given it to him--they turned on the f*cking webcam and spied on him for two weeks. Note that this had started because they "needed to retreive the laptop ASAP" but they never bothered to ask for it back for the next 15 days, instead choosing to spy on the kid.

Then, while spying on him, they eavesdropped on "an online chat that concerned them" (of course, it didn't concern them; the choice of terminology is ironic).

And again, remember that this report was released by the school district's attorneys.

By an amazing chance, not a single photo showed a student in a "compromising position", according to the school.

By another amazing chance, at least a weeks' worth of photos still haven't "been able to be recovered", according to the earlier reports.

I'm sure those two facts have no connection whatsoever, right?

Oh, and as Steve Jobs would say, "One More Thing..."

A high school student sent it to the Lower Merion School District's top technology administrator in 2008, weeks before the district began handing out laptops to students.

The teenager had done his homework, researching the software the district planned to load on every machine. He discovered the system would allow employees to remotely monitor students' laptops, and called it "appalling" that the district hadn't told anyone.

"I could see not informing parents and students of this fact causing a huge uproar," said the student's e-mail, which The Inquirer has reviewed.

In her reply, information systems director Virginia DiMedio told the student not to worry.

"If we were going to monitor student use at home we would have stated so," her e-mail said. "Think about it - why would we do that? There is no purpose. We are not a police state."

DiMedio ended her reply: "I suggest you take a breath and relax."

Ut-oh.

Didn't someone once say something about "the smoking gun turning out to be a mushroom cloud"?

Oh, and one final eye-rolling quote:

As for DiMedio, she has not forgotten the years of work she and others devoted to launching the laptop project with the best of intentions for the district's 2,300 high school students. In a few weeks, she said, all that has been "just sullied by the kinds of things I've read in the newspaper."

She said no one who had worked on the project could have foreseen all this.

F*ck me. She actually used the "no one could have predicted..." defense.

Update: Thanks for the Recs; I know there's a ton of more important stories going on--the entire Gulf of Mexico being destroyed, the entire state of Arizona losing its' f*cking mind, etc--but this story strikes close to home for me, not because I live in Pennsylvania (I'm a Michigander), but because I'm a web developer who's seen too many of my clients shockingly unaware of just how vulnerable they, their staff, and/or their customers' information can be online.

Um...of course, if any of my clients are reading this, naturally I'm not referring to you lol...

Update x2: I just wanted to clarify something that keeps coming up in the comment threads on the diaries about this case, on the subject of potential child porn showing up.

On one level, there's a distinction between intending to get pics of kids in their underwear/naked/whatever, and pics like that being captured at random. I don't think that any of the IT people here were trying to get nudie pics.

However, on another level, the very fact that they couldn't control whether nudie pics showed up or not IS THE ENTIRE POINT. There's no way of controlling what shows up on a webcam--ask anyone who's ever visited ChatRoulette and they'll confirm that much.

In addition, I'm not a lawyer, and I believe laws vary from state to state, but in many cases, I don't think "intent" matters when it comes to child porn. If you have pictures of a naked 15-year-old girl/boy on your computer, you're in deep shit even if you didn't mean for it to be there. Hell, even if it was placed there via a malicious virus or whatever, you're still gonna have to go through a hell of a lot of trouble to convince the powers that be of it. There've been several cases along those lines, with varying results.

The report repeatedly claims that there were no "salacious" photos taken--but the district has also admitted that not all of the photos "could be retrieved" for as-yet unexplained reasons. This doesn't prove anything--but the districts' pattern of lying/changing their story up until now doesn't exactly give any confidence that the mysteriously missing photos aren't "salacious". Perhaps they aren't, but we'll never know, will we?

The bottom line is that they had no way of being sure that activating the camera wouldn't display an underage kid taking a dump, getting out of the shower, getting dressed/undressed, jerking off, having sex, etc etc, which are all things that, you know, people generally do on a daily basis in their own homes, after all.

Hell, even if they'd restricted the remote activation to within the school's network, there's still the possibility of the kids taking the laptop into the school bathroom with them. A much lesser chance of an ut-oh photo, sure, but it's still there.

Again, the instant that they put the phrases "underage teens", "private bedrooms" and "hidden cameras" in the same sentence, they should've run like hell in the other direction.

For that matter, while the nude/sexual stuff is the most obvious concern, it doesn't even have to go that far--would you want people spying on you while you're picking your nose, scratching your ass, or just doing any of the other thousand embarrassing little things that everyone does on a daily basis?

So, again, my personal take is that none of the admin/IT people were "perverts" in the sense of hunting for child porn--but at least a few of them certainly appear to have let themselves be swept up in the "soap opera" feel of the whole thing. Voyeurism doesn't necessarily require nudity or a sexual angle to be wrong, after all.

(title tightened up a bit--and for the infamous "Billy3", no, I didn't do it because I was "shamed" into removing the JAW-DROPPING part, since the report is jaw-dropping; I did it because the "Update" part was making it a bit too wordy).

Update x3: As a counterpoint to Update #2, witness the utterly absurd AP story headline and lede about the report's findings:

Report: No spying in Pa. school laptops case

There's no evidence a suburban school district used school-issued laptops to spy on students despite its questionable policies and its lack of regard for students' privacy, according to a report issued Monday by attorneys hired by the district.

...followed almost immediately by:

The report says Robbins turned in his laptop with a broken screen and was issued a loaner on Oct. 20, but school officials quickly moved to retrieve it due to outstanding insurance fees. So the tracking program was activated from Oct. 20 to Nov. 4 and captured 210 webcam photographs and 218 screen shots, the report said.

Although a technician confirmed on the first day of tracking that the laptop was "now currently online at home," another official in the same department instructed him to keep the tracking on and later told investigators he thought he needed authorization to terminate it, the report said.

On Oct. 30, the report said, a technician saw a computer screen shot that "included an online chat that concerned him." After consulting with a superior, he allowed school officials to look at the images.

Apparently, to the district and the AP, this is a matter of semantics and/or interpretation.

The cameras were only supposed to be used to help recover lost or stolen laptops. The laptop in question was neither lost (they knew where it was) nor stolen (they had issued it as a loaner to the kid--mistakenly, but that's not a case of theft on his part, that's a case of stupidity on their part). Instead, they activated the camera and left it running for two weeks before calling the kid in due to "concerns" they had about something they saw.

On what planet is that not considered "spying"? I guess the angle that the defense is playing is that because they weren't manually timing the camera to take pics whenever there was a naked kid on screen, that somehow means they weren't "spying".

But that's just me...

Update x4: This is only partially on-topic, but for those of you who aren't aware of just how much personal information is already easily available, I just wanted to give a quick example.

About 1 1/2 hours ago, someone visited my own business website. Thanks to the web traffic statistical software that I use, I now know--without requiring any "special" software or taking any measures beyond a few lines of code embedded into my website--the following, at the click of a link:

--I know their IP address (which I won't publish here, for obvious reasons).
--I know that they use Verizon.net as their ISP
--I know they're in Philadelphia, Pennsylvania (Lower Merion is a suburb of Philly)
--I know their exact Latitude and Longitude
--I know they're running Firefox 5.x on an English-language version of oWindows XP, with a 1024x768 pixel resolution monitor and 32 bit color.
--I know they first visited the site at 1:19:41 pm EST, using the link in my dKos profile to get to my site. They spent 12 seconds on the home page, 139 seconds on my FAQ page, returned to the home page of the site and then went elsewhere, leaving at exactly 1:22:14pm EST.

Is this someone who admirers my diary, or someone who thinks I'm slime for it? No way of knowing, but obviously it was someone who lives in the area of the scandal who wanted to find out more about me, for good or ill purpose.

Now, no one in the web development/design/hosting/sys admin fields will be impressed or surprised by this information, but again, this was gleaned automatically, without making any special efforts. You can imagine what sort of info can be found if someone is really trying (as the LMSD people were doing).

Just some food for thought in todays' "ID-theft/Facebook-privacy-outcry" environment.
http://www.dailykos.com/storyonly/2010/5/3/863299/-%5BUpdate-x4%5D-WebCamGate-Report-Released.-Conclusion-Theyre-screwed.