Update 1: Responses from the school district staff

For those that didn’t read the comments to the earlier post about our concerns, here is a summary of the exchange that took place on October 1:

Further Responses from Cheldelin Assistant Principal, Lisa Krause

On October 1, 2013, I received an update on my inquiries from Asst. Principal Lisa Krause. In summary format, the key responses were:

• The school (and the district) will continuously identify additional apps to add or remove from the devices;
• The school (and the district) will do these updates without consulting with parents regarding any issues or concerns, and these updates will be silent and cannot be observed;
• The school (and the district) believe they will not have the ability to turn on cameras, or to see/record anything from the cameras on the devices – this is in direct conflict with the AppTrak vendor website claims;
• The school (and the district) believe they cannot get data remotely from the device – which also appears to conflict with the vendor website for AppTrak;
• And the school (and the district) will not provide administrative controls to parents. The district maintains total control (and thus responsibility) for the devices.

Reading through these responses, I concluded that I should personally call the vendor to sort out the truth of the matter. What the district believes to be true does not agree with the vendor’s public website.

Momentarily setting aside the issues regarding the camera, privacy, and so forth, the additional stance that the parents will not be consulted about the installation (or removal) of apps on the device is very troubling. If even the most basic of applications can raise privacy and security concerns and app installations can happen without our knowledge, how will we know if our children are facing additional risks?

We cannot expect our children to recognize or understand the issues involved, but as parents we should think carefully about whether the school district has the right to send a device into our homes, while retaining the ability to modify that device, without any discussion or consent from the adults living in that home. The privacy, security, and liability issues are too involved to for us to simply transfer trust to a third party for what happens in our home.

A Conversation with Lyceum Regarding AppTrak

The following information is from an October 1, 2013, conversation I had with Lyceum, the AppTrak vendor, regarding the behavior and design of their software.

Unlike the responses I have received from the school district administrators, Lyceum did not dismiss any of my critical concerns by saying “that concern does not apply to this software” or “the iPads cannot do that.” Insead they explained the AppTrak software mechanisms and answered my questions directly and easily.

AppTrak comes in two pieces: a client piece installed on the iPad device and a central piece that runs on school servers. The interface for control of the devices is a standard web page system. Users of the software select which iPads to manipulate, and what to do with those devices.

Yes, the software does allow the enabling or disabling of the camera (and other features). No, the software does not directly allow launching of Apple based applications as part of the iPad operating system iOS, except for the web browser, Safari. These restrictions on the iOS default applications are enforced by Apple, and only apply to the Apple iOS applications. It is important to note, however, that with AppTrak, third-party software (not Apple iOS software) can be launched and activated.

In discussing how their product works from a security perspective, Lyceum sales staff said that they had no security people on staff, nor had they contracted or consulted with external security people. There is no security assessment of their system, or of how hard it would be for an attacker to override their design.

The basic model of operation is that school district staff can use the web interface to change applications, enable or disable features, and then tell the system to activate those changes. This set of activities could include enabling cameras, launching FaceTime (a video chat system), or manipulating other third-party software – as well as installing new software. When district staff make changes, the servers at the school district trigger a notification that tells the iPads to update. The iPad then “phones home” to the server.

When the iPad “phones home” it connects to the same web interface that the school employee used, and then executes whatever changes were asked of it. Nominally, this uses a SSL-based “secure” web communications. Unfortunately, there is decreasing confidence that SSL is actually “secure” given all of the recent revelations about NSA surveillance. This implies that SSL security can also be breached by large-scale malicious attackers, of which there are many.

Regardless of the security of SSL communications, the fact that Lyceum did not consult with any security experts in the AppTrak design, either on their own staff or through outside consultants, leaves many questions about the vulnerability of the system. For instance, how hard is it for an attacker to route the app to a different website for a list of commands? Or how hard is it for someone to break a school employee’s password and control a device without bypassing AppTrak network message security at all? Why has the school district purchased software to protect our children that has not itself been audited for security purposes?

In summary, the remote control nature of AppTrak, coupled with how it can manipulate iPads, leaves all of the key privacy questions and liability issues open. While the school district is telling us that the software cannot enable cameras or launch these types of applications, a simple, direct phone call to the vendor reveals otherwise. I made the phone call to Lyceum during my lunch break and after 10 minutes of speaking to the courteous sales staff I had all the information that I have written here.

You can easily call them and check for yourselves. From the Lyceum website:

Our Sales-team is available Monday through Friday, 8:00a.m. to 5:00p.m., Alaska Time. Please feel free to call us toll-free at 1-855-999-8765 if you have any questions or comments, or would like to contact us for a quote.

Leave a Reply