Whichever side of the infosec coin one is on, a jargon we use to refer to the control of a system is ownership. We refer to a system as “compromised” or “owned” or “pwned” if the person who owns it isn’t also the person who owns it in the legal sense of the term. Most information security practice is concerned with preventing and detecting inappropriate changes in ownership-with-a-p. (I try not to write “pwn” and associated formulations very often, but it’s a temporarily useful distinction to draw out.)

So you own your computer, and do all the right things to make sure no one pwns it, but what about when you’re using a system you don’t own? Many of us have the legal use of a computer in our home that we don’t actually own. Your employer may have issued it to you so that you can do your job. Your school may have issued it to you so that you can do your schoolwork. A friend may have lent you a spare because yours is broken. Some companies insist that its employees work on asset machines to ensure control of company information is never outside company hands.

Privacy on these machines doesn’t work quite the way privacy on your own system works. If you have a computer from your employer, you likely signed something that says you recognize you have no expectation of privacy over that computer. The policy is probably that the company’s staff has the right to look at everything on that computer whenever they like. This just got a bit hairier.

Via Gizmodo, A Principal of a Philadelphia school had the IT staff spying on students at home using the cameras on their school-issued laptops. This came to light in two ways.

First, students noticed as early as 2008 that the light on the camera was turning on at random times. That light is a security feature. The reason cameras on laptops have lights is to alert the person being viewed that the camera is operational. The children who observed the alert did the right thing and called the IT department to report the matter. Unfortunately, the IT department appears to have been on it and told them nothing was wrong.

Second, the Principal had the temerity to discipline a child for “improper behavior in his home,” and produced a photograph taken from the camera to document the incident.

Students are now suing the school and principal, and that’s a good start. There should also be a criminal investigation of the Principal, the IT staff, and anyone else who knew this was going on. Did the children’s parents sign a document indicating that they understood and approved this surveillance? If not, a federal law has been broken. Did anyone with access to these cameras use the images captured for additional criminal purposes, such as extortion or child pornography? We need to know, and it is not merely a civil matter.

The question remains, what to do about the computers in your home that you don’t own? This is the first incident of this type of illegal surveillance I’ve seen hit the news, but we’vetalking about the possibility since the 1990s. In a future article, I’ll talk about the risk management process of deciding how much effort to spend safeguarding yourself and your family from this threat and some practical steps to reduce the risk.

*** This is a Security Bloggers Network syndicated blog from Defense Rests authored by Dan Holzman-Tweed. Read the original post at: http://defense-rests.blogspot.com/2010/02/school-principal-spys-on-children-at.html