A 14-year-old Florida boy has been charged with trespassing on his school’s computer system after he shoulder-surfed a teacher typing in his password, used it without permission to trespass in the network, and tried to embarrass a teacher he doesn’t like by swapping his desktop wallpaper with an image of two men kissing.
The Tampa Bay Times reports that the eighth-grader was arrested on Wednesday for “an offense against a computer system and unauthorized access”, which is a felony.
Sheriff Chris Nocco said that the teen logged onto the network of a Pasco County School District school on 31 March using an administrative-level password without permission.
Many who read the news have expressed outrage at the idea of overreach by the school and law enforcement.
But it turns out that there’s less overreach here than meets the eye.
In fact, it sounds like the boy has been treated as befits a kid doing dumb things.
It’s not like he was flung into jail, though initial news accounts mistakenly reported that the boy was brought to a nearby juvenile detention center.
In fact, a spokesman for the Pasco County Sheriff’s Office told Network World that the student was not detained. Rather, he was questioned at the school before being released to his mother.
His sentence remains to be seen, but at this point, it’s looking like the boy isn’t going to suffer much more than a 10-day school suspension and what sheriff’s detective Anthony Bossone says is likely to be “pretrial intervention” by a judge with regards to the felony charge, the Tampa Bay Times reports.
When the newspaper interviewed the student at home, he said that he’s not the only one who uses that password. Other students commonly log into the administrative account to screen-share with their friends, he said.
It’s a well-known trick, the student said, since the password was a snap to remember: it’s just the teacher’s last name, which the boy says he learned by watching the teacher type it in.
The sheriff says that the student didn’t just access the teacher’s computer to pull his wallpaper prank.
He also reportedly accessed a computer with sensitive data – the state’s standardized tests – while logged in as an administrator.
Those are files he well could have viewed or tampered with, though he denies having done so.
Nocco says that’s the reason why this can’t be dismissed as being just a bit of fun:
Even though some might say this is just a teenage prank, who knows what this teenager might have done.
The boy says he was on the computer with standardized tests because he didn’t realize it lacked a camera, so he hopped onto another computer:
I logged out of that computer and logged into a different one and I logged into a teacher's computer who I didn't like and tried putting inappropriate pictures onto his computer to annoy him.
He told the newspaper:
If they'd have notified me it was illegal, I wouldn't have done it in the first place. But all they said was 'You shouldn't be doing that.'
But here’s the thing: this is actually the second time he’s been caught.
Last year, the boy was one of multiple students who got in trouble for inappropriately accessing the school’s system. He was suspended for three days.
Should the school be taken to task for being lax on security?
A commenter on Ars Technica’s writeup of the story who identifies themself as a school’s systems administrator – “friblo” – said that there’s nothing surprising here, given tech understaffing:
Schools are generally extremely understaffed technically which makes it difficult to put fires out, much less enforce good password policies. Most schools in my area (rural, decently well funded) have 1 tech for every 750-1000 computers.
It’s not fair to blame schools for a lack of technical savvy when tech troops are so thin on the ground.
But picking a secure password isn’t all that hard, and it doesn’t require calling in IT ninjas.
In fact, it doesn’t cost schools one measly nickel of their already strained budgets to watch this short, jargon-free video on how to pick a proper password.
Yes, the school’s staff are obviously guilty of using feeble passwords. But that doesn’t excuse this student for repeated naughtiness.
Knowingly using a prohibited system for his own kicks is unacceptable, just as it’s wrong to pick up a colleague’s phone and send a bogus message, or to “borrow” a friend’s credit card number to buy something that will look embarrassing on his or her statement.
Accessing a prohibited system is illegal for good reasons.
It can lead to the theft of security or trade secrets, software piracy, economic espionage, financial institution fraud, or to knocking essential systems offline, which can jeopardize public safety and/or cause millions in damages.
School is where kids should be learning not only that accessing off-limit data is illegal, but why.
They should be learning both what ethical computer behaviour looks like, and what happens to those who choose to act unethically, whether it’s by changing their grades to straight As, or writing taunting messages on a rival school’s calendar – both which resulted in felony charges, in spite of sounding like mere schoolboy pranks.