WASHINGTON, D.C. — Managing school-issued laptops via tracking software can be a tricky proposition rife with privacy concerns.
At the Consortium of School Networking conference on Wednesday, March 7, technology directors learned what not to do from a school district that gained international attention for all the wrong reasons.
Lower Merion School District outside Philadelphia made headlines after a high school student's family sued in February 2010. The lawsuit alleged that IT employees employed by the school district remotely controlled the built-in webcam on a loaner laptop and surreptitiously took screenshots of the student in his home. The plaintiffs claimed the same action had been taken against other students.
The district took immediate action as it sought to control the damage. It turned off the tracking module in a software client management program called LANRev. The district called an independent investigation of the incident. And it communicated to parents what was going on until a court order limited that communication.
In August 2010, the two parties settled, with the district paying over $1.6 million in legal costs and payment to two students, Philly.com reported. An internal investigation showed that the district wasn't spying on students. But lack of procedures that mapped to policies as well as a lack of communication caused the district to stumble.
To comply with a court order, the school district made a number of changes in its policies and procedures. And at the conference, Director of Information Systems George Frazier told IT directors what they can do to keep from repeating his district's mistakes. Frazier was hired by Lower Merion July 2009, after the district had purchased the laptops and tracking software.
Through the court proceedings, Frazier said he realized that the school district was part of the government. Educators typically may not think of themselves as government. But school boards are considered government bodies.
And just like state, county and local governments have to conduct risk assessments, so do school districts.
"I think in education we don't spend enough time doing risk assessment. We don't stop and ask the 'what if,'" Frazier said.
While Lower Merion had policies in place, none of the agreements that students and parents signed said anything about theft tracking software. In fact, before Frazier came to the district, the software was purchased, but few people knew about it, even administrators.
Had Lower Merion created procedures that mapped to the school board's policy, the network technicians would have known when to activate the theft tracking module and what steps to take.
"Much of this would have been resolved if there had been two things: One, communication. And two, solid written procedures on how that software tracking would be used," Frazier said.
If the district had communicated that it was using the software and had established procedures, Frazier said he doesn't think the school would have sparked an incident that made headlines around the world.
"They had a concern that laptops would be stolen; they started using theft tracking software, but they didn't communicate it to anyone," Frazier said of actions taken by the district's IT employees.
Frazier mentioned a number of things that school districts should do to avoid making the same mistakes:
A year after the initial lawsuit was filed, Lower Merion has revamped its policies and procedures, which are published on its website. By learning from Lower Merion's mistakes, school districts can emphasize communication, risk assessment and procedure development for both district-provided laptop and bring-your-own-technology initiatives.
"Take what I learned the hard way and take it back and give it some thought," Frazier said.