By PATRICK DI JUSTO
Published: February 24, 2005
ACCORDING to the complaint filed in United States District Court in Nashville, members of a girls' basketball team visiting Livingston Middle School in Tennessee spotted the camera right away. ''It was high up in a corner, near a ceiling tile in the visitors' locker room,'' said the girls' lawyer, Mark Chalos. ''It seemed to look out over the changing area.''
The girls were wary at first, Mr. Chalos said, but ultimately didn't believe the camera would be recording them, so they continued changing their clothes. Later, one girl mentioned the camera to her coach, who confronted Livingston's principal. The coach was told that the camera was not positioned to observe dressing and undressing, the court papers contend. But after parents pressed the point, a school district official reviewed the video and reported that it showed the girls in ''bras and panties.''
That was enough to enrage the parents. But what they learned as they questioned school authorities outraged them even more. Logs from the server holding the school's video show that the images were available, unsecured, over the Internet, Mr. Chalos said, and indicate several instances of access by unknown outsiders.
With the proliferation of surveillance cameras in everyday life and Webcams at home computers, the ease with which unsecured cameras can be detected on the Internet has become an increasing cause of concern. Last month bloggers began reporting on the ability to tap into thousands of raw Webcam feeds with a few simple Google searches, and the Spanish police arrested a suspect on charges of developing a computer virus that can activate a Webcam without the owner's permission.
The Yankee Group, a market research firm, estimates that as many as 13 percent of American households have a Webcam attached to one of their computers, often sitting on top of a monitor in a living room or a bedroom.
Like each Web page, each camera on the Internet has an address, and unless the cameras have been concealed behind software firewalls, their addresses make them specifically searchable and identifiable.
A Google search one day last week indicated more than 10,000 such Web cameras, showing everything from bedrooms and living rooms to coin-operated laundry businesses and shoe stores to plasma reactors and mountain ranges. (Some of the cameras required passwords for access to the video.)
Other video sources are mostly security cameras that have been fed onto the Net, either deliberately to make them available to the public, like traffic or weather cams, or simply because putting the camera online was the easiest way to get the video signal into the building's security office.
If a Webcam image is deliberately displayed as a part of a public Web site, then the image is obviously intended to be seen by whoever visits that site. But a search for specific video camera signatures allows users to skip the Web site and view the camera image outside its intended context.
It is illegal to gain access to a secured computer without the proper authorization, even if the computer's password is publicly known. But is it legal to look at unsecured Webcams discovered as a result of a Google search, through the back door, so to speak? ''It's probably not illegal, but you never know,'' said Annalee Newitz, policy analyst at the Electronic Frontier Foundation, a digital rights advocacy group. ''That would be the court case -- would a reasonable person consider these cameras to be public?''
Jennifer Stisa Granick, executive director of the Stanford Law School Center for Internet and Society, agrees that it is a gray area. ''The law states you have to know that you're not authorized to look at this information,'' she said. ''But if it's available through Google, most people would reasonably think that it was all right. But what if a person didn't realize that their Webcam image was going out over the Internet? Do they have an expectation of privacy?''
That, Mr. Chalos said, is the crux of the case that the Tennessee girls' families brought against the Overton County school board, which administers the Livingston school. ''You should never, ever, ever put cameras in locker rooms, period,'' Mr. Chalos said. ''Any student undressing in a locker room has the right to privacy. And the school has to protect that.''
But not everyone understands the difference between installing a ''secure'' camera system and making it truly secure. Axis Communications of Sweden specializes in establishing and maintaining Internet-based surveillance camera systems around the world. Fredrik Nilsson, Axis's general manager for the United States, points out that Axis cameras are installed with a default password, and it is up to the owners to make the cameras more or less secure.
''Just to give some perspective, we have delivered close to half a million cameras, and a Google search produces only a few hundred of them,'' Mr. Nilsson said. He acknowledges that default passwords to many camera systems, including those of Axis, are frequently traded over the Internet. Nevertheless, he maintains, Axis cameras are secure against accidental intrusion.
But protecting against accident is not the same as protecting against a deliberate invasion, Mr. Chalos said. ''The images were protected only by the software's default username and password, which the school had never changed,'' he said. Lists of default passwords for many different types of computer systems are available on almost any ''hacking'' site on the Internet. ''You've got to believe that pedophiles prowling the Internet, they're going to know that password,'' Mr. Chalos said.
The cameras at Livingston were installed over the summer of 2002 by EduTech of Dyersburg, Tenn., a company specializing in school security cameras. Twice every second, the cameras took high resolution color images of the school's hallways, exits and, as it turned out, the changing area of the visitors' locker room. The school's lawyers maintain that their clients wanted the locker room camera to face the door and that the camera was mounted incorrectly. EduTech maintains that it put the camera where it was told.
Images from the system, including those of the locker room, were fed into a video server that sat in an assistant principal's office. That server was a part of the school's internal network, which was in turn plugged into the Internet.
A lawyer for the school acknowledged in court papers that school officials never changed the video server's password from its default setting. But the lawyer said school officials had ''insufficient information either to admit or deny'' whether there was access to the images over the Internet.
Mr. Chalos's complaint, originally filed in District Court in June 2003, five months after the initial incident, asserts that someone outside the school gained access to the video server over the Internet several times over a six-month period. There is no way to tell precisely which video images might have been viewed by outsiders, but Mr. Chalos appeals to common sense.
''In theory, whoever broke in could have gotten onto the server, looked at pictures of hallways and classrooms, and that's it,'' Mr. Chalos said. ''But my suspicion is, if they kept coming back, they had a more directed purpose.''
The Internet visits, through computers in Clarksville, Tenn., Gainesboro, Tenn., and Rock Hill, S.C., came late at night or early in the morning, Mr. Chalos said. But the server holds not only live video, but also archived files as well. The unknown viewers are named in the suit as John Does and are cited for having potentially violated federal law on sexual exploitation of minors, Mr. Chalos said.
The original complaint listed 17 students and their parents as plaintiffs. Since then, Mr. Chalos said, he has determined that at least two other visiting teams had been captured on the locker-room camera, which was dismantled within days after the initial complaint. He filed a modified complaint last week on behalf of 34 students, seeking millions of dollars in damages.
Whether or not the cameras' video had been made available on the Internet by negligence, it has long been understood that people in the workplace or schools have little or no expectation of privacy from their teachers or employers. Having a supervisor monitor one's workplace activities, sometimes by video, has become a way of life for many Americans. But can employers, either deliberately or through neglect, make those images accessible for the world to see?
''The real scandal is why these Webcams are insecure,'' Ms. Newitz of the
Electronic Frontier Foundation said. ''This is just really, really sloppy. It is
one thing for an employer to place employees under surveillance, but to take no
effort to keep the Webcam access limited just to the workplace is really
WHAT steps can you take to make sure the images from your Webcams and home security cameras are being watched by you alone?
Dr. Joseph Freeman, chief executive of J.P. Freeman Company, a security consulting firm based in Newtown, Conn., suggests that the most effective method of securing an Internet camera is to hide it. The most common methods are to use a software firewall, which prevents others from gaining access to your network; an encryption package, which scrambles your data for anyone without the proper decoding key; or a unique password, which limits access to only those you choose.
Many firewall packages can be paid for and downloaded directly from their manufacturer's Web site, and can be set up in a few minutes. Popular firewalls for Windows are ZoneLabs' Zone Alarm Pro, $49.95 at zonelabs.com, or Symantec's Norton Personal Firewall, for Windows or Macintosh, also $49.95, from symantec.com/sabu/nis/npf/.
''Depending on just how worried you are, you might use a two- or three-level process,'' Dr. Freeman said, although for most home users a unique password will suffice.
On the other hand, Terry Halsch, president of a security consulting firm based in St. Paul called CitizenObserver, offers a counterintuitive scheme for security: make access to your outdoor cameras completely open, allowing anyone to look at what's happening on your street, to create a kind of global neighborhood watch. Visit citizenobserver.com for more information.
''We're trying to bring back something of the old feeling of neighbors
watching out for each other, combined with new technology,'' Mr. Halsch said.
Patrick Di Justo