Ordinarily, you might have a case, but here's the rub: It's a school.
That's the key. You don't have an expectation of privacy on a school network - at least not for anything below the college level. (And maybe not even there - see recent disputes between the RIAA and various colleges over filesharing students' identities.) They are expected to monitor your activities in order to maintain order and discipline in the school.
While it might seem to be a stretch to extend that to a keylogger, remember that the school provides a connection to the Internet for you to learn, not for you to conduct business on E-bay. There isn't any reason for you to be making payments with PayPal during school hours, either. So yeah, I can completely see them coming away clean on this. Remember that the wiretapping statute (which the keylogging rule is a subset of) is only applicable in cases where the other person has a reasonable expectation of privacy.
Consider this: Even at work (where I am now), the Internet connection is only supposed to be used for "business purposes". (Yeah, right.) They know damn well that people go to Amazon and E-bay from time to time. But they *could* crack down on that behavior any time they wanted. (And no, just because they don't block it at the firewall doesn't mean it's OK to go there. The blanket policy of "business use only" covers them. Besides, some managers might be buying business-related stuff...)
Also, I know that *all* my e-mail messages from work are pre-scanned for profanity before they are sent, and anything that gets caught by the bot is automatically bounced back to me with the offending word(s) highlighted. I imagine some IT drone gets a copy as well, but so far I haven't heard anything about the couple messages that have been bounced so far. Still, there was *never* any mention of e-mail monitoring in the computer use agreement that I signed when I took the job. It's just one of those things that "the man" can do to you if he wants to be a prick. (And believe me I was damn surprised when that first message got bounced!) So there's a type of keylogger that is in use WITHOUT my explicit permission, but because it's a work computer that is supposed to be used for business purposes, there isn't a reasonable expectation of privacy. (I'm not supposed to be doing private things at work.) So they're in the clear...
In your case, I don't think you can claim that you had a reasonable expectation of privacy at school. In the post-Columbine era, a school is expected to look out for the safety of the students, and I'll wager most parents would applaud the school's keylogging efforts. (I wouldn't, but I'm not "most parents".) As for your client's information that may have also been compromised, I'd say they're going to fall back on the "don't use the network for non-school purposes" excuse. And again, I'll bet that most parents will agree with the school 100%.
Bottom line: do your business at home on your own Internet connection. There you *do* have an expectation of privacy, and if you could ever prove that your ISP is running a keylogger you would have an iron-clad case. But not in school.
Another work-around would be to purchase a cellular air-card for your laptop. You can get all-you-can-eat data-only plans for around $30 per month - maybe less even. (Talk to Allthatwhichis and see if he can hook you up with a deal; he works for Sprint/Nextel) Then you can surf all you want and be assured of privacy.
But really, if you're in school - even on your lunch break - you ought to be working on school work and not buying stuff on E-bay. If you want to snipe auctions that end during the school day, sign up for an account on auctionsniper.com.
My $.02 anyway... IANAL.
Adam
PS: Personally, I think it sucks, and I feel your pain.
But I also think you're fighting a losing battle here. What do your folks think? (Or don't you want them to know about you surfing the 'net while you're at school?) Also, I'd be *very* careful about pointing out that the logs on the server are accessible to students... Granted, it means they have non-existent network security, but school administrators don't like to be told that by 16-year-old students. Especially 16-year-old students that have already been labeled "disruptive". Not saying it's right - just saying "watch your ass". Getting your parents involved (assuming they're technical enough to understand network security) will help your case a lot.