
News Analysis

On 18 February 2010, the Lower Merion School District, in Pennsylvania, announced that tracking software installed in notebook computers supplied to students had been disabled. A lawsuit filed on behalf of a Lower Merion student alleges that the software was used to turn on his school-supplied computer's webcam remotely, violating his privacy. The suit alleges that a school official accused the student of "improper behavior" and showed him a photograph apparently taken by the webcam. The school district stated that the software was intended to be used only to locate stolen, lost or otherwise missing computers, but has nonetheless discontinued its use and promised a review of its computer security policies.

The Lower Merion lawsuit has not been adjudicated, and many details of the case remain unclear. However, there have already been many examples of unplanned, unwanted consequences of webcams being installed in computers, including reports of students being spied on through webcam malware. Some court buildings intent on preventing any photography have begun to lock up smartphones and other camera-enabled devices. The option of using webcam surveillance for asset retrieval (the stated objective of the Lower Merion program) has been available in commercial products for several years, and webcams have been used successfully in theft investigations. However, the use of webcams carries severe risks of reputational damage, violation of privacy regulations and legal liability.
Enterprises using these technologies must inform end users and establish and communicate clear, defensible policies that require reasonable cause for surveillance and avoid situations where individuals' legal privacy rights are violated. The webcam is simply another class of addressable device, and the operating system is incapable of making crucial cultural or behavioral distinctions concerning how the camera should be used. Without effective controls, webcams are likely to have dangerous consequences for both end users and enterprises, and they should be managed as sensitive data sources.

Recommendations

Enterprises deploying integrated webcams in notebook computers and other devices:
- Develop and communicate a policy for the use of webcams for surveillance, so that if this practice is used, it can be properly controlled and activated only by due process.
- Disable webcam drivers when not in use, and block the installation of new drivers.
- Include webcam application control policies in workstation/phone firewall settings, including disabling "auto-answer." Do not rely on "solutions" such as manual shutters and duct tape.
- Create a "whitelist" of applications authorized to use webcams, but recognize that blocking some tacitly accepted but unsupported applications (for example, Skype) may cause problems for business processes.
- Scan for webcam devices and webcam activity on enterprise networks. Block unauthorized traffic using firewalls and intrusion prevention systems and block unauthorized users via network access control.
- Recognize that other sensitive input systems (for example, integrated microphones) require similar protections and policies.
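
The application whitelist and the scan for webcam activity recommended above can be checked on a Linux endpoint by listing which processes currently hold a camera device open. The following is an added example, not part of the original analysis; it assumes Linux V4L2 device naming (/dev/video*), and the allowlisted executable path is a hypothetical placeholder.

```python
import os
import re

# Linux V4L2 capture nodes; other platforms expose cameras differently.
VIDEO_NODE = re.compile(r"^/dev/video\d+$")

# Hypothetical allowlist: executables authorized to open the camera.
ALLOWED_EXES = {"/usr/bin/approved-conference-client"}


def camera_holders(proc_root="/proc"):
    """Return sorted (pid, exe, device) for each process with a camera node open."""
    found = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # only numeric entries are processes
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # process exited, or insufficient privilege to inspect it
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # descriptor closed while we were scanning
            if VIDEO_NODE.match(target):
                found.add((int(entry), exe, target))
    return sorted(found)


def violations(holders, allowed=ALLOWED_EXES):
    """Keep only holders whose executable is not on the allowlist.

    A replaced or deleted binary shows up as '<path> (deleted)' and is
    therefore reported rather than trusted.
    """
    return [h for h in holders if h[1] not in allowed]


if __name__ == "__main__":
    # Run as root so every process's descriptors are visible.
    for pid, exe, dev in violations(camera_holders()):
        print(f"ALERT pid={pid} exe={exe} has {dev} open")
```

Run on a schedule or from an endpoint agent, the alert lines can be forwarded to the same log pipeline that receives firewall and intrusion prevention events.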
