there was no evidence of any laptops being stolen therefore the system shouldn't have been turned on to begin with. The only reason the camera's were turned on would be for misuse.
That's not true, because the school's policies did not require evidence that the laptop was stolen. For instance, officials were permitted to activate the system "to find missing, lost or stolen computers, which would include a loaner computer taken off campus against regulations." See here among other stories. I've seen multiple stories that indicate the system was activated 42 times, 18 of which did help to recover lost or stolen systems.
They could get out of this much easier if they simply fired a couple of people and blamed those directly responsible, and their bosses for the policy.
It's a bit more complicated than that. Whomever you pick to fire, you must make sure that it is justified. If you fire the official that took the picture, you need to find appropriate grounds to do so. Otherwise, they could (rightfully) claim that they violated no policy and were being made a scapegoat. Then you'd be looking at a wrongful termination lawsuit, and possibly paying lost wages. Similarly, the administrators can argue that the policy was put into place to protect assets owned by the school district. So if you want to fire someone, you had better be sure that you can justify it.
One aspect that I haven't seen clarified is whether or not the student was actually disciplined. If he was just confronted and presented with a warning, he is going to have a much more difficult time proving damages in a court. If he was suspended without due process and without proof of wrongdoing, then they're screwed. Either way, though, I would be surprised if this is allowed class action status.
As much as I value privacy, I think this story has become a bit sensationalized. Based on the numerous reports I've seen, I believe this is more an example of scope creep than anything nefarious. Basically, to paraphrase a common aphorism, if I must attribute either malice or incompetence, I go with the latter. The possibility of theft does provide a legitimate purpose for the ability to remotely activate the web cam. Where the school screwed up was that they did not have any precise controls over when and how this activation can occur. My guess (I fully admit I have no proof) is that the camera was activated according to district policy, then the official panicked because they thought they saw something. To make it worse for the official, the policy probably did not offer any guidance for what to do in that situation. What if they were trying to locate a stolen laptop and witnessed a rape or murder instead?
The problem comes down to the possibility of secondary use of technology. Whenever technology is deployed that has the potential of violating the privacy of others, the policy should explicitly state under what conditions the technology can be used, including a list of the situations that officials are allowed to document based on their observations. The policy should also default to complete destruction of observed data that does not match the intent of the policy. Hence, the school district should have made the following policy:
- Activation of the remote monitoring system will only be done after informing the student and parents in writing.
- Activation of the remote monitoring system will never occur unless there is documentation indicating a good faith belief that the laptop has been stolen or is missing.
- Data collected during activation will be restricted to the goal of recovering the lost or stolen laptop. The only exception to this rule would be if an operator, while attempting to recover a lost or stolen laptop, observes behavior that constitutes a felony; in such a case, the data will be handed over to the appropriate authorities. In all other cases, any data collected during activation will be immediately destroyed.
But, of course, I'm a researcher that specializes in security. I have quite a bit more expertise than these school administrators. And there are too many similar administrators out there that do not have a strong enough background in security and privacy to get these subtleties. Absent federal legislation governing secondary use of private data, I do not think this will be the last case that we will see like this.