Kayza's Blog

Thoughts on technology, management and their relation to all aspects of the life of a non-profit professional

Tuesday, May 4, 2010

IT Staff get blamed for spying

While they clearly deserve their fair share, I think the situation is far more complex.

One of the better articles I have seen on the Lower Merion school district mess is here (http://www.computerworld.com/s/article/9176293/Report_blames_IT_staff_for_school_Webcam_spying_mess)

There are a few things that I think can be learned from this mess.

First and foremost, just because you can do something, it does not mean you should! It may even be useful, but it still does not mean you should do it. One thing that comes through here is that no one in a decision-making capacity ever thought to question whether they should be doing this! Very, very bad decision making.

Secondly, when making decisions that can have legal, ethical or even PR implications, do not just think about the technical and technological issues. Think about the legal and ethical issues. Equally importantly, think about the people issues - human nature, policies and procedures, that kind of thing. Although I find the use of the web cams offensive under any circumstances, I could see a limited policy of turning on the web cams, assuming parental consent, for cases where laptops are clearly missing. But, that is not what happened here. The laptop that precipitated the lawsuit was not missing; all staff had to do was ask the kid for it back the next day! And the report documents a dozen cases where there is no proper reason for turning on the cams. They say they are "baffled"; I'd use far stronger language. As bad is the fact that the cams were often left on for weeks (as in this case, where the school found out that the laptop was in the boy's home, but continued taking pictures instead of taking action), taking pictures every 15 minutes. That helps to explain the insanely high number of pictures - and the fact that they definitely got shots of kids sleeping etc. (If it's true that they never got anything really problematic, the school got really lucky.)

Talking of consent, I don't know how anyone thought that this could fly. The school district was apparently requiring the students to have one of these laptops, which would mean that any parent who signed a consent form could definitely make the argument that their signature was coerced. After all, what is a parent supposed to do? Pull a child from school? Maybe if they had put it as informing parents and students about this so they could take appropriate measures to safeguard their privacy (e.g., turning off and covering the laptop when not in use), it might have passed muster. I'm not sure, but it has to be better than what happened here. We love to bash lawyers, but it seems to me that thinking like a lawyer for a potential plaintiff might have been a good thing here. In any case, clearly there was a failure to think through some serious, and totally non-technical issues.

Which brings me to my last point. Just because a decision is technology based, it does not mean that it should be left solely to technologists. What happened here was not a failure of technology. It was an abysmal failure of basic governance! Obvious questions were left unasked. Worse, information that non-technical staff did have was not followed up on. And, no one seemed to be concerned with the fact that the IT department was clearly working with technology that has clear privacy (and legal) implications. After all, the principal and assistant principal who eventually made the decision to call the student in obviously knew that the photographs were being taken. And they even knew enough to talk to a lawyer about what they should be doing - and the lawyer told them to back off because this was off campus activity! So, they knew perfectly well that something was going on, and that there were real potential repercussions. But, there is absolutely no evidence whatsoever that anyone did as much as write an email expressing concern.

I would say this. If you have to talk to a lawyer about the results of a policy in place - or lack of policy in place - it's high time to rethink the situation. Either change the policy, or make sure that there are clear and effective guidelines and ancillary policies in place to prevent abuses. Do NOT let it slide.

If you are on the management side, don't let yourself be seduced by the idea that you can let "the IT guys handle it" and if something goes wrong you'll just point a finger in that direction. And, if you are on the IT decision-making end of it, don't let yourself become the scapegoat. Don't just accept appropriate governance, court it. Think about the ethical and legal ramifications of what you do - and make sure that you've got someone else from outside of IT at your side looking at what you are doing. It could keep you from insanity like this. And if something really goes wrong, and you've done your part, at least you won't be the one taking the blame.
