a) installed the spying software

b) never informed the students or parents about it

c) never checked with any attorneys or legal authorities to see if it was legal to use such software

d) the IT director took the 5th during their deposition, even though she hadn't been directly charged with anything, and even when asked whether she had downloaded pics of the kids on her home computer

e) activated it (at least) 42 times, in one case even sending the police to the wrong house:

As a prime example, we initially attempted to recover a stolen laptop that reported back to us it's internet address and DNS name. The police went to the house and were befuddled to find out the people we knew had the laptop was not the family that lived there...well, we eventually found out that they were the neighboring house and were borrowing the unsecured WI-FI.

Well, guess what?

Lower Merion report: Web cams snapped 56,000 images

Lower Merion School District employees activated the web cameras and tracking software on laptops they gave to high school students about 80 times in the past two school years, snapping nearly 56,000 images that included photos of students, pictures inside their homes and copies of the programs or files running on their screens, district investigators have concluded. ...in at least five instances, school employees let the Web cams keep clicking for days or weeks after students found their missing laptops, according to the review. Those computers - programmed to snap a photo and capture a screen shot every 15 minutes when the machine was on - fired nearly 13,000 images back to the school district servers.

Of course, the school--which initially denied that the system existed, then denied using it, and then claimed that it had "only" been used 42 times (although, of course, they never said how long the surveillance was kept running after those activations) now claims that:

"none [of the photos] appeared to show "salacious or inappropriate" images

Oh. Well, I guess he must be telling the truth this time.

About 38,500 images...came from six laptops that were reported missing from the Harriton High School gymnasium in September 2008...The next biggest chunk of images stem from the five or so laptops where employees failed or forgot to turn off the tracking software even after the student recovered the computer. In a few other cases, Hockeimer said, the team has been unable to recover images or photos stored by the tracking system....And in about 15 activations, investigators have been unable to identify exactly why a student's laptop was being monitored. Hockeimer said that the investigation found that administrators activated the tracking system for just one student this year who failed to pay the $55 insurance fee.

...

But the requests were loose and disorganized, he said, sometimes amounting to just an brief e-mail. "The whole situation was riddled with the problem of not having any written policies and procedures in place," Hockeimer said. "And that impacted so much of what happened here."

And this is just what the DISTRICT'S lawyer and investigation are admitting.

I can't begin to fathom what the objective investigation by the FBI and county prosecutors will reveal.

Update: I linked to this guys' blog when I posted about the story back in February, and felt it a good idea to re-post it again; he's an IT security pro who's done a stellar job of analyzing the dirty underbelly of this whole story.

A few choice cuts:

The Spy at Harriton High The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. In it, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LanRev to take surreptitious remote pictures through a high school laptop webcam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable "curtain mode", a special remote administration mode that makes remote control of a laptop invisible to the victim. ... Perbix discusses methods for remotely resetting the firmware lockout used to prevent jailbreaking of student laptops. A jailbreak would have allowed students to monitor their own webcam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking webcams were just "a glitch." ... This script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration: "what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking" What's the purpose of shutting down a camera for the user of the laptop but still making it available to network administrators? Ask yourself: if you wanted to convince someone that a webcam blinking was a glitch, would disabling the cameras help make your case? ... In a strange twist, the makers of LANRev have come out with a statement saying that school network techs should never have used their software to engage in theft recovery: "We discourage any customer from taking theft recovery into their own hands," said Stephen Midgley, the company's head of marketing, in an interview Monday. "That's best left in the hands of professionals."

Here's the actual webcast that Mike Perbix, the Lower Merion IT guy who installed and administered the whole surveillance system, made in which he openly bragged about his capabilities:

And here's an excerpt from PBS's "Digital Nation" in which an unrelated school administrator does a live demonstration of how this sort of software works: