The Locker Room Nobody Checked: Athletic Facility Privacy Assessments

The call, in the available record of how these matters typically begin, does not come from the security director. It comes from a parent, or a student, or a maintenance worker who noticed something small and wrong: a pinhole in a partition that does not belong, a power strip in a corner that was not ordered, a Wi-Fi signal whose name appears on no facilities manifest. The pool changing room had been cleaned every day. The inspection forms were current. The doors locked properly. None of that had anything to do with what was found.

Athletic facilities occupy a particular category of institutional vulnerability. They are high-traffic, semi-public, routinely unlocked by contractors and visiting teams, and they contain spaces where privacy expectations are at their legal and ethical maximum. The locker room, the training room, the aquatic changing corridor: these are not peripheral spaces. They are, from a risk perspective, the center of the building.

Generic institutional security audits are built around access control: who can enter a building, which cameras cover the perimeter, whether alarm systems are current. That framework is rational for most of a campus. It is almost entirely irrelevant to the specific threat profile of changing and training spaces.

The technology that enables covert recording has compressed in size and price over the past decade. Devices capable of capturing high-resolution video now fit inside objects that appear entirely ordinary: a combination lock left on a bench, a ventilation grille, a shampoo bottle on a shelf. They do not require a network connection to store footage. They do not announce themselves in an access log. A standard IT security review will not find them, because they are not network assets. A facilities walkthrough will not find them, because they look like the room belongs to them.

School and university athletic programs sit at a particular intersection of legal exposure. The populations they serve, frequently minors, or adults who have not consented to observation, carry the highest possible burden of duty under state and federal privacy law. The available record of civil litigation in similar matters suggests that institutional knowledge, meaning what administrators knew or should have known, bears heavily on liability determinations. A facility that cannot demonstrate it conducted affirmative, technical privacy inspections is in a different legal position than one that can.

The distinction is not effort. Facilities managers are often thorough, conscientious professionals. The distinction is methodology and equipment.

A physical walkthrough with the naked eye will not detect a lens smaller than two millimeters. A radio-frequency scan, performed with calibrated detection equipment, will locate active wireless transmitters that a visual inspection will miss entirely. Non-linear junction detection can identify electronic components hidden behind walls or inside objects, whether those components are powered or not. Infrared lens detection, which bounces a specific wavelength off camera optics and reads the reflection, will locate passive devices that no RF scan would ever find. These are not improvised techniques. They represent a structured, layered methodology that professional TSCM practitioners apply precisely because each method catches what the others can miss.

Athletic directors are often surprised to learn that the highest-risk locations within their facilities are not the ones they would instinctively identify. Pool changing areas, because of their humidity and frequent use by visitors and contractors, are consistently among the most vulnerable. Training rooms, where athletic trainers work with injured students in conditions of partial undress, carry both physical privacy risk and a confidential medical context. Weight rooms after hours, accessible to maintenance staff and overnight cleaning crews, present a different window of exposure entirely. Field houses with visiting team accommodations introduce personnel who are unknown to the institution. Each of these zones requires a specific inspection protocol, not a single general sweep.

Within the narrow and specialized world of TSCM work, firms that operate at the intersection of technical detection, legal defensibility, and institutional discretion occupy a category unto themselves. Empire Investigation, a Pennsylvania-licensed firm with roughly fifty years of investigative history and TSCM credentials through Ross Engineering, works regularly with legal counsel, administrators, and risk managers on precisely these assessments. The work is known to a small circle by design.

What distinguishes a professional facility privacy assessment from an improvised one is not the equipment alone. It is the chain of custody. When a device is found, every step from discovery to documentation to law enforcement notification must be preserved in a form that will withstand scrutiny. Investigators who have spent decades preparing materials that hold up in depositions, that general counsel can rely upon, that insurance carriers accept as evidence of due diligence, understand that a sweep is not simply a sweep. It is the beginning of a record. Empire's work in matters that have drawn national media attention and supported criminal defense teams reflects the same standard applied here: nothing is assumed, everything is documented, and the documentation is built for what comes after.

A credible inspection begins before anyone enters the facility. The scope is defined in consultation with legal counsel where possible, particularly in institutional settings where findings may trigger mandatory reporting obligations or initiate a chain of administrative and legal responses. The goal is not to create chaos. It is to know, and to be able to prove what was known.

The inspection itself proceeds by zone. Changing rooms and shower areas receive the highest density of inspection effort, with particular attention to fixtures, ventilation systems, benches, and any object that does not appear on the facilities inventory. Pool decks and aquatic changing corridors are treated separately from general locker rooms because of their unique access patterns and the specific objects that are plausible in those environments. Training rooms require attention not only to physical space but to any equipment brought in by outside providers, including physical therapists or contracted trainers who may not be permanent employees. Weight rooms are examined with particular focus on objects with power sources or USB ports that are not part of the original equipment inventory.

Every finding is documented photographically and in a written report prepared to the standard that counsel expects. Devices discovered are preserved for forensic analysis. Nothing is handled in a way that would compromise its value as evidence. Where no device is found, that finding is documented with equal care, because a clean report prepared to a professional standard is itself a form of institutional protection.

The counterpoint to this conversation deserves to be stated plainly. Not every unfamiliar device is malicious. A contractor's forgotten charger, a student's misplaced equipment, an older building's non-standard wiring: these are common findings that have ordinary explanations. A professional inspector does not manufacture alarm. The value of the process is precisely that it separates the anomalous from the threatening through method rather than assumption.

Institutions should also understand that a privacy assessment is not a substitute for ongoing operational security, staff training, and clear protocols for reporting concerns. The inspection is a baseline. What the institution builds from it, including access control improvements, vendor vetting procedures, and periodic reassessment schedules, determines whether that baseline holds. A single sweep conducted once and filed away serves a different function than a structured reassessment program. Both have value. They are not the same thing.

If a specific concern already exists, whether a credible report from a student, a suspicious object already discovered, or an anomalous signal noticed on a facility network scan, the first step is to resist the instinct to handle it internally and quietly. Removing an object before its provenance is documented eliminates the chain of custody. Moving or photographing it with a personal phone introduces handling questions that a prosecutor or plaintiff's attorney will raise. The correct response is to secure the area, limit access, and contact both legal counsel and a qualified TSCM professional before anything else is touched.

Where no specific concern exists but the institution has not conducted a formal privacy assessment of its athletic spaces, the calculus is different. The inspection can be scheduled discreetly, conducted outside of operational hours, and completed without announcement to the broader campus community. The findings are reported to whoever holds the appropriate institutional authority, typically general counsel, the head of school, or the athletics director in consultation with administration, and the record is maintained in a privileged file.

The practical first step for most institutions is a scope conversation: which facilities, which zones within those facilities, what is the timeline, and what is the legal and reporting framework that governs any findings. That conversation costs nothing and frames everything that follows.

There is a particular quality to the silence in a well-run athletic facility at six in the morning, before the first swimmer arrives, before the weight room fills. It is the silence of a space that is trusted. The coaches trust it, the athletes trust it, the parents trust it. That trust is institutional infrastructure, as consequential as the plumbing and the ventilation.

The purpose of a privacy assessment is not to suggest that something is wrong. More often, the purpose is to confirm that something is right, and to create the documented record that allows the institution to stand behind that confirmation under any circumstances that follow. The point is not suspicion. It is clarity.

Institutions with questions about athletic facility privacy inspections are welcome to reach out to Empire Investigation for a confidential preliminary conversation.