School laptop spy case prompts Wiretap Act rethink
When Pennsylvania's Lower Merion school district installed remote control anti-theft software on student laptops, it had no intention of dragging Congress into a national debate about wiretapping laws and webcamsbut that's exactly what it got (in addition to some unwanted FBI attention and a major lawsuit). The key question: should the school's alleged actions be made illegal under US wiretap law?
The Senate Judiciary Subcommittee of Crime and Drugs schlepped out of DC today and wound up in Philadelphia's US District Court, Courtroom 3B, to hold a field hearing on "video laptop surveillance." The trigger issue was Lower Merion, which stands accused of using the anti-theft software to remotely peep on students using their own webcams, even outside of school hours.
The existing Wiretap Act already bans oral, wire, and electronic communications gathered without consent (unless a court orders it). "Oral" communication is clear enough, but "wired" communications also need to have an aural component, according to the law. And "electronic" communications only include data such as e-mails.
The upshot is that the Wiretap Act does not currently regulate silent video communication. Lower Merion's actions are not alleged to include the use of a laptop microphone and therefore would not be covered by the Wiretap Act. In an age of webcams, wireless CCTV cameras, and cell phones that can take video, the law is badly out of date. Congress and the states have both taken some very limited steps to rein in abuses, but nearly all focus only on voyeurism.
Robert Richardson, head of the Computer Security Institute, noted that "the modus operandi of today's sophisticated malware is not at all unlike that of the software deployed by some organizations to monitor their notebook computer assets. Both with tracking software and malware, a fundamental level of direct control of the device is transferred to a third party at a distance."
EFF lawyer Kevin Bankston blasted the current law in his testimony, telling the subcommittee this morning, "It makes no sense that if the Lower Merion School District's administrators had eavesdropped on students' conversations at home using the laptop's microphone, or had intercepted a student's private video chats, they would clearly be guilty of a felony violation of Title III, but surreptitious video surveillance is not regulated by the statute at all."
Bankston called for an immediate change in the law, saying that webcams were "awesomely useful" but that "surreptitious video surveillance has become a pervasive threat."
Former Justice Department prosecutor Marc Zwillinger urged caution with any law change that would make all silent video communications subject to Wiretap Act rules. While he detailed numerous abuses of silent cameras ("Casino employees were suspected for using casino surveillance cameras to focus on the breasts of women in the casino... A police officer was suspended for allegedly using a surveillance camera to ogle women at San Francisco Airport."), Zwillinger pointed to other cases where "we are comforted by the notion that video surveillance helps keep our children safe."
Nanny-cams are one example; CCTV surveillance is another. The second example could probably be fixed by making clear that the Wiretap Act applies only to places where one has a reasonable expectation of privacy, but Zwillinger still worries that a law change might "create more problems than it would solve."
As for the Lower Merion case in particular, the Senate also summoned John Livingston, CEO of Absolute Software. Absolute owns the LANRev software that Lower Merion used on its computers.
Livingston noted that his company thought a "managed recovery" model was the best one; when a laptop is reported stolen, and a police report number is provided, Absolute's investigators track down the machine. The company claims 100 recoveries a week, or 13,500 since 1994.
LANRev was a competing product, one that could be accessed by end-users, such as the Lower Merion IT staff. In Livingston's view, this approach was a poor one compared to the "superior managed recovery model." When Absolute bought LANRev last year to get access to its inventory software, it offered a patch to existing LANRev customers to disable the remote webcam feature at issue in this case. (http://arstechnica.com/tech-policy/news/2010/03/school-laptop-spy-case-prompts-wiretap-act-rethink.ars