So I had a one-on-one meeting with Rob Singleton, the technology manager behind the 1:World program, this past Friday morning. It was supposed to be a one-hour technical chat, but turned into two since it wound up encompassing bigger philosophical items.
Rob was going to demo what the AppTrak software could do, but we quickly ran into two significant problems.
First, Rob was about to activate a screen capture on an iPad that had been issued and sent home with a high school student, to which I asked him to stop – I’m not a school district employee, and I should definitely not see whatever is currently on the screen of said iPad. That event itself shows that “training” and “awareness” are going to be big issues for the school district. That said, I don’t particularly fault Rob here, he wasn’t looking at me as an outsider so much as a technical person he wanted to have a detailed technical conversation with about specific issues. I’m sensitized to these kinds of issues because of my job, which is constantly putting me through mandatory training on confidential and classified information, what you’re allowed to do, what you’re not, how to avoid trouble, etc.
This incident does raise a few questions . . . some already asked by us. Are there no written policies in place? Is there not adequate training? Without policy and training based on policy, the school district is essentially relying on the judgement of the user.
Second, he tried to switch to an iPad device he pulled aside just for showing me some features and issues, but that didn’t work because he couldn’t make the iPad device respond to the AppTrak central software commands, or else there were problems in the central software. While most technology systems are complex beasts, and carry all kinds of subtle problems of interaction, when a planned demo doesn’t run, that’s usually a sign a system isn’t production ready. For the district technical chief of the program to have this kind of problem (again, fully understandable), it’s a bit puzzling to think the school is happily sending thousands of devices “into the field” under these conditions . . . problematic software should not be the “security gateway” for devices issued to kids.
From there, we talked a lot about philosophical issues for what the program is doing, why it is doing it in a certain way, why parents are not given an “opt out” choice regarding taking the device home (or receiving the device at all), etc. It essentially re-hashed some of the highlights that I’ve already pointed out publicly here on this website, in emails to Rob and the entire School District Staff and Elected School Board, etc. No progress was made on convincing me of any factors involved, but Rob did say he would follow up immediately with Lyceum (vendor of AppTrak) on their lack of any security audit or plans in the AppTrak software design, how clients know they are talking to the right server, credential checks, etc.
In sort of a crazy twist, Rob mentioned that Lyceum provides a full API to their software, so people can write their own extensions and control scripts. An API is an Application Programming Interface, and it is a method to allow anyone to write custom software that uses the API vendor’s packages to do whatever is desired. It’s typical to look at the plug-in modules for your Web browser (ad blocker, search engine, etc.) as the type of custom software that is using a published API to achieve features beyond what the original software was designed for. That’s a benign case – much more interesting usage cases are when the APIs are so well wrappered, people cannot tell the difference between the “real” software (web browser) and a malicious interface logging everything typed or transmitted. This type of virus or malicious attack is common in software, but also in hardware – the bank ATM machine “card rippers” that you hear about in the news from time to time.
The existence of an API for AppTrak will almost certainly also be unaudited for security, credential checking, etc. So not only are all the other prior concerns still present, now there’s a new stack of questions with no answers. Rob is supposed to be investigating this, and we’ll see what (if anything) comes from such discussions with Lyceum.
That said, they are rolling out the iPads (and sending them home) as of Nov 14 this year at Cheldelin Middle School. Other schools here have already (or are right now in the process) rolled them out.
With all of these questions, issues, legal liabilities, etc. still wide-open and unanswered, it strongly suggests to me that the School District Staff and Elected School Board representatives are assuming personal liability – financial and criminal – in the results of this decision. They have been told publicly and privately about concerns regarding very large holes in their knowledge and system design, and they proceed regardless: it seems to us that they act not with an abundance of caution, but in a race to be acknowledged for their distribution of devices.