How to Write, Interpret, Enforce a Contract for Bitcoin

Stated Terms and Conditions Influence Legal Result.

Suppose John offers to sell a valuable widget to Betty in exchange for Betty agreeing to “pay 5 bitcoin” and Betty accepts the offer. They agree by recorded audio:

 [In regards to audio contract, see footnote below.]

Then suppose John delivers the widget to Betty, but Betty fails to deliver the bitcoin.

What are John’s legal rights?

Mutual Consideration Supports Contract.

Under US law it appears John and Betty have formed a legally enforceable contract. The parties made mutual promises for valuable consideration. The widget is valuable, and the bitcoin is valuable under current market conditions.

But the novelty of Bitcoin could make the precise outcome of a lawsuit by John against Betty hard to predict.

The “Money” that Is Not Money.

Although some people use the word “currency” to describe the phenomenon popularly known as Bitcoin, Bitcoin might not actually be a “currency.”  Unlike dollars, it has not been deemed in US law as legal tender that can be used to extinguish a debt.

Further, the Internal Revenue Service views bitcoin as property – which is subject to capital gains taxes – rather than currency -- which normally is not subject to capital gains taxes.

What Are the Remedies for Breach of a Virtual Money Contract?

So if John sues Betty for breach of contract, it seems he could succeed in showing he is the victim of a breach and he is entitled to remedy under contract law.

But it could take some effort for a court to understand the contract.

Bitcoin is a specific example of a general idea. The general idea is trading by way of a distributed cryptographic ledger. In Bitcoin the distributed ledger is called the "block chain."

If a distributed ledger is competently designed and implemented, it inherently follows the rules programmed into its software. As people use the software, they adopt "customs" of trade that can be understood without a lot of explanation by contract for each trade. For example, by Bitcoin custom the term "to pay" five bitcoin arguably means to modify the block chain to indicate as follows:

1. debit five bitcoin from the payer's address identified in the block chain; and

2. credit five bitcoin to the payee’s address identified in the block chain.

Industry Custom May Resolve Some Ambiguity.

Thus, John and Betty’s contract say she will “pay” 5 bitcoin to John. The custom around Bitcoin suggests that Betty is required to interact with the block chain to debit 5 bitcoin relative to her address and credit 5 relative to his address.

However, bitcoin and similar technology are evolving so quickly that clear custom may not have had time to coalesce. A full review of the interaction with block chain around the world may show confusion or ambiguity about what is customary and what is not customary. (See story about a failed Bitcoin transaction.)

In contract practice, if there might be confusion about custom, the draftsman of the contract can employ words to reduce the confusion. He might for instance write out a long statement of steps that Betty will follow to cause and confirm a 5 bitcoin credit to appear relative to John’s address.

Alternatively, he might refer to an authoritative statement of Bitcoin custom. He might say in the contract, “This contract will be interpreted under Bitcoin custom as articulated in ." That sentence might resolve many questions about custom, but probably not all questions.

What Should Happen in a Court of Law?

However, neither block chain software nor Bitcoin custom explain what should happen in a court of law if a party fails to execute a trade (e.g., Betty fails to “pay” the five bitcoin).

The software and the custom fail to explain what the consequences should be if Betty does not control the agreed amount of bitcoin at the time in question. Is she required to purchase five bitcoin and then transfer it to John?

Or can she satisfy her obligation by delivering to John a quantity of pork bellies (a valuable commodity) equal in value to five bitcoin? That particular outcome does not seem right because we have no evidence that John is easily able to accept pork bellies.

What Should Be the Remedy for Breach of Contract?

If a court forced Betty to render to John 5 bitcoin using the block chain process, that outcome could be called “specific performance” under contract law. Specific performance means Betty must literally do what the contract says.  But commonly US courts disfavor specific performance.

Specific performance requires the court to understand what is going on.

In order for a court clearly to understand specific performance in Bitcoin, the court might need to digest quite a bit of testimony from experts. The experts would have to explain to the court how the block chain works and so on. That would be a lot of work for the court.

Courts Prefer Money Judgment Rather Than Specific Performance.

Instead, a court is likely to prefer to give to John a “judgment” for an amount of legal-tender-money equal to the value that Betty failed to deliver to John. This remedy is called a “money judgment.” A judgment is a ruling that enables John to take action relative to Betty and her property. A money judgment is easier for a US court to understand and oversee.

In the US legal system, money judgments are rendered and enforced all the time. Our system has managed money judgments for centuries.

In contrast, to require Betty specifically to execute some performance relative to the so-called “block chain” would be – for a court – a new and complex exercise.

Money Judgment Means Greenback Dollars.

Typically, in a US court, the amount of money in a judgment would be stated in US dollars. If John does obtain a court judgment, he can use regular  court procedures to enforce the judgment. Enforcement can include an array of actions by John, including placing and foreclosing a lien on Betty’s property, like

  • her house, 
  • her car, 
  • her bank account which is denominated in dollars or euros, 
  • her pork bellies, 
  • her intellectual property such as a patent, . . . or 
  • (theoretically) her bitcoin.

But typically the calculation of satisfaction of the judgment would be made in dollars.
legal tender
Court Judgment
Calculated in US Dollars.

For example, if John’s judgment is in the amount of $2500, then the value of his lien on Betty’s house would be up to $2500. When Betty sells her house, John would be entitled to $2500 of the proceeds.

Typically Betty could satisfy the judgment by paying John the requisite number of dollars.

But What If John Wants Specific Performance?

Let’s say John is really serious, at the outset of the contract, about wanting 5 bitcoin, rather than dollars. He could write the contract to state in detail something like the following:

(A) Betty represents that she controls a Bitcoin address with at least 5 bitcoin of credit.

(B) Betty will execute specific steps to credit 5 bitcoin to the Bitcoin address identified by John.

(C) If Betty fails to follow the steps, then John “will suffer irreparably harm and significant injury the degree of which may be difficult to ascertain.”

(D) John is entitled to an order from court requiring Betty specifically to execute the steps articulated under (B) above.
bitcoin symbol

Written Contract Details Add Certainty.

The contract as stated in the audio above leaves open to interpretation questions like:

  • when Betty must pay the bitcoin;
  • whether interest will accumulate if Betty fails to pay on time;
  • which jurisdiction’s law governs the transaction (e.g., Texas . . . or Alberta);
  • whether the party enforcing the contract in court receives compensation for the cost of enforcement, such as attorneys’ fees;
  • how the widget will be tendered or delivered.

Details like these can be specified in a well-written contract, and can help John with his enforcement.

Analysis of Example Agreement

Let’s look at a well-known contract that refers to Bitcoin practice, Coinbase’s User Agreement. Coinbase is a well-known Bitcoin wallet and platform.

Section 2.4 of the agreement says,  “Coinbase securely stores 100% of all bitcoin associated with your Coinbase Account in a combination of online and offline storage.”

What does that sentence mean? The words “store” and “storage” are metaphors for complex, and possibly ambiguous ideas. They mean something other than simply:

(a) keeping physical objects in a three dimensional place (e.g., keeping in a box a sheet of paper bearing the words “one bitcoin”); or

(b) the retention of specific data that expresses bitcoin (Example: It’s not like storing the content of a distinct Excel spreadsheet – which says, “Ben has 6 bitcoin” -- on a hard drive.)

If a customer wanted to reduce the ambiguity of those words “store” and “storage,” then the customer could insist that the agreement provide much more detail. Alternatively the customer might insist that the agreement say that terms like “store” and “storage” will be interpreted under Bitcoin custom as articulated at a place like .

So a general message to readers is that a contract for bitcoin can be written with details that help to reduce risk and misunderstanding. A talented draftsman uses judgment to know how much detail is enough and how much is too much.

This is an intriguing topic, and I’d like to talk about it. Please comment. If I’ve made any mistakes, please let me know.

By: Benjamin Wright

You might also like: How to capture legal and accounting evidence of a bitcoin transaction.

*Footnote: Under the Statute of Frauds, this contract might need to be evidenced by a “signed writing” to be enforceable. An audio recording can constitute a “signed writing.” Ellis Canning v. Bernstein, 348 F. Supp. 1212 (D. Colo. 1972).

How to Talk Publicly about Data Security Breach

Major data security breaches are becoming more common. Among the many that have unfolded in 2014 are Target stores and Community Health Systems (the second-largest for-profit U.S. hospital chain).

Now Home Depot, another major retailer, is in the throes of a substantial payment card breach, apparently involving both credit cards and debit cards.

Home Depot is making some limited public statements. The Home Depot story is only beginning.
Press Releases Matter
Home Depot’s public communications will influence the final outcome of this data breach in terms of law, reputation and customer relations.

I teach a technology law course at the SANS Institute. A key topic is how to communicate publicly about information security, including data breaches and other infosec incidents. In that course students and I review the (in)famous TJX breach (2007). We compare the experience at TJX with the lessons from Target and Sony Playstation Network (2011 breach).

Now, early September 2014, Home Depot’s crisis is playing out. So . . . as of the live delivery of the SANS course October 2014, we will also compare Home Depot’s public and legal response.

The title of the course I teach is Law of Data Security and Investigations. The course is unique in the world.

The goal of the course is to equip professionals with the skill and knowledge necessary to respond to future events in computer security and investigations.

By: Attorney Benjamin Wright

How to Record Evidence from a Mobile Device

Dual-camera video recording on a smart phone can be very handy for a professional investigator such as a financial auditor or a forensics expert.

believable memory
Video Affidavit
The video below demonstrates how an investigator can use a dual-camera video (on a smartphone) to record evidence displayed on a second mobile device. In this case the second mobile device is an e-ink reader.

The video evidence shows how the e-ink reader works as it renders data from the cloud. The “data from the cloud” in this case is just the content from one of my web sites. The e-ink reader features an odd web browser; it blinks as the user scrolls. The point of the demonstration is that the video records exactly:

  1. how the e-ink reader worked (or didn't work) at the time of investigation; and
  2. what information rendered from "the cloud" on the e-ink reader's browser client.

This video is the latest in a series of videos and blog posts I publish to demonstrate how to capture and preserve legal and audit evidence from social media or the Internet of Things.

A Legal Affidavit Confirms Validity by Placing Investigator's Professional Reputation on the Line.

My publications showcase the idea that evidence is more legally useful if it is formally “signed” in realtime by the investigator via webcam or microphone. The realtime signature by the investigator makes the whole record a kind of affidavit. The affidavit could be powerful in court years later when the investigator might not be available to testify about what he witnessed at the time of investigation.

The realtime signature of a record by an ethical and responsible investigator lends credibility and authenticity to the record.

What’s new about this video is that it uses the dual-camera recording capability of an advanced Android phone. The phone I used was an HTC One M8.

Investigator Records His Face, Lips and Voice.

In the video above, the investigator appears in the small window at the top. As the investigator uses the back-facing camera to record what appears on the e-reader, he records himself with the front-facing camera. The recording of the investigator himself serves two purposes:

1. It narrates the evidence. It explains to the future viewer, such as a jury, what is happening as he manipulates the evidence source -- that is, the browser app on the e-ink reader.

2. It authenticates the whole compilation of video evidence. The investigator says, "I hereby sign and affirm this video . . . ". That is a legal signature, binding on the investigator. It is probative to a viewer such as a court who tries to evaluate the credibility of the video as evidence later.

Video of Forensic Examiner Reveals Too Much?

Some professional investigators are hesitant to create video of themselves or the labs in which they collect and assess evidence. They worry they may inadvertently capture a record of their identity, behavior or surroundings that might be misused by an adversary, such as a defense attorney who cross examines an investigator in a criminal trial and tries to discredit the investigator's work or the investigator's ethics.

For example, a video might inadvertently show a can of soda in the lab; food and drink are often forbidden by policy in a forensics lab because they can contaminate evidence. The appearance of the can could raise questions about the competence of the investigator's lab and the ethics of an investigator who has testified that she adheres to high standards of quality.
lab contamination
Unexpected evidence of policy
violation in forensics lab!
If the investigator is concerned that video of his/her face reveals too much, then the investigator might record only audio of his/her vocal narration of the video of what s/he observes. See an example of that idea:

I Publish Many Blog Posts on Video-Recorded Legal and Accounting Evidence.

For more detail on these ideas, including analysis and evaluation of alternative forensic tools, please see:

I am keen to hear your comments.

P.S. Although the video above shows how to capture evidence flashing on a computing device (that is, the e-reader), it could also be applied to the recording of physical objects such as papers or a crime scene. The investigator could use the back-facing camera on her phone to record "the evidence," while simultaneously using the front-facing camera to record her face as she vocally describes and authenticates what she witnesses with her visual, auditory, tactile and olfactory senses.

What is the Legal Definition of a Virtual Currency?

The way we use language affects legal outcomes. Language is causing legal controversy around so-called “Bitcoin” and “virtual currencies.” Let’s assess the language applicable to the phenomenon popularly known as “Bitcoin.”

What Would a New York BitLicense Cover?

The New York Department of Financial Services proposes to license and regulate virtual currency businesses under a program commonly known as “BitLicense.”  Some people welcome this proposal as an advance for Bitcoin. Others denounce it as a threat to privacy and freedom because it requires a virtual currency business to collect much identifying information about customers.

What exactly does the proposed regulation cover? Section 200.2 Definitions includes this first sentence:

“(m) Virtual Currency means any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.”

How to Interpret the Definition “Virtual Currency”?

The quoted sentence of Section 200.2(m) is a definition of cosmic breadth. Let’s parse it.

First, it covers digital stuff. But in 2014 a lot of stuff is “digital.”

Second, it covers a “unit.” But it does not define the word “unit.” The word “unit” is so broad, especially when we are talking about digital stuff, it more or less covers anything. The word “unit” could mean a number, a word, a song or most any other digital expression.

If the word “unit” includes any expression of any idea, then the draft BitLicense (strangely) starts to raise First Amendment freedom-of-speech issues.

Third, Section 200.2(m) is limited to a digital unit . . .

1. that is used as . . .

A. a medium of exchange; or 

B. a form of digitally stored value;


2. that is incorporated into payment system technology.

Wow. That embraces a lot of territory.

Is an Ordinary Electronic Contract a Virtual Currency?

Let’s consider an example.

Suppose Bob sends a message via Gmail to Sally that says, “I promise to pay $100 for a widget.” And Sally replies, “OK.” That email is (more or less) a legally-enforceable contract.

Under contract law, Sally could then via Gmail assign her rights of contract with Bob to Jack in exchange for a gadget. Further, Jack could hold on to the rights for a while (because they are valuable), storing the emails in Gmail.

Finally, using Gmail, Jack could assign his rights to Maria in exchange for a whats-it.

Thus, arguably, the $100-for-a-widget contract is covered by Section 200.2(m). The contract is – at least arguably – a virtual currency because it is “a digital unit that is used as a medium of exchange or a form of digitally stored value.” It is a set of valuable, stored rights that went digitally from Bob to Sally to Jack to Maria.

Would Google Need a BitLicense?

Furthermore, if Bob, Sally, Jack or Maria has a New York connection, then the operator of Gmail, i.e., Google, would arguably be engaged in a “Virtual Currency Business Activity” for which Google must have a license. Section 200.2(n) of the draft BitLicense regulation defines “Virtual Currency Business Activity” as “the conduct of any one of the following types of activities . . . : (1) receiving Virtual Currency for transmission or transmitting the same; (2) securing, storing, holding, or maintaining custody or control of Virtual Currency on behalf of others”.

Hmm. So a plain reading of the draft regulation results in Google needing a BitLicense. How strange.

Expansive Language is Common in Cyber Law.

It is not unusual in the Internet age for lawmakers to write laws of such immeasurable scope that they arguably lead to strange interpretations.

The state of Connecticut for instance proclaims: “Any person in possession of personal information of another person shall safeguard the data . . . containing the information from misuse by third parties . . .”  Connecticut goes on to define “personal information” as pretty much any data that could be connected to a particular human. Arguably, “personal information” could include any statement, photo, mouse-click or metadata roughly connected to a person.

But to expect absolutely everyone to protect absolutely every iota of personal information of any other person seems a strange and impractical result. Arguably for example it expects great-grandmother to secure the personal information (photos, names, comments, metadata and so on) about her friends that her computer automatically collects in her browser’s cache as she logs onto Facebook.

Enforcement Limited to the Spirit of the Law?

Now, an advocate for New York’s proposed BitLicense regulation might argue it is not the spirit of the law to regulate the provision of email services like Gmail. The spirit of the law is to regulate some other activity that is hard to define.

Likewise an advocate for Connecticut’s data privacy law might argue it is not the spirit of the law to cover every speck of data in the cache of great-grandmother’s browser.

Other computer laws that use expansive words are interpreted according to their spirit. The federal Computer Fraud and Abuse Act for example hinges on "access" to a computer. In 2014 the expansive word “access” to a computer leaves much room for interpretation. In difficult cases authorities interpreting the word “access” strive to find and apply the spirit behind the CFAA.

However, leaving e-commerce laws -- like the proposed BitLicense regulation -- to be interpreted according to their spirit rather than their actual words is problematic.  Imprecisely-worded e-commerce laws (albeit well-meaning) cause confusion.*[See Footnote]

What is the Legal Definition of “Bitcoin”?

So how do the words of the draft BitLicense regulation apply to Bitcoin (or Dogecoin)?

The phenomenon popularly called “Bitcoin” might be described by lots of words. The phenomenon is new and rapidly evolving. It was not created by government. The phenomenon is not necessarily locked into words like “currency,” “unit,” “medium,” “exchange,” “value,” “transmission” or “storage.” Even though some people use words like that in relation to the phenomenon, that does not mean those words are binding on all people who observe and dance with the phenomenon.

Disclaim the Regulated Concepts?

When law like the draft BitLicense regulation relies on spirit rather than precise words to define the novel technology it is regulating, people have room to define their activity relative to that law.

For instance, people and businesses who observe and converse within the “Bitcoin” phenomenon could declare words like these:

We are engaged in a computing relationship. The relationship is evolving. It has not settled into maturity. We declare that said relationship does not involve any “currency,” “unit,” “medium,” “exchange,” “value,” “transmission” or “storage” as those words are enforceably used by the New York Department of Financial Services. We further declare that our computing relationship . . . our communication . . . disclaims the following words and the spirit behind them: "currency," "unit," "medium," "exchange," "value," "transmission" or "storage" as those words are enforceably used by the New York Department of Financial Services. We compute and communicate in the spirit of free speech, but we don’t engage in the activities regulated by the Department of Financial Services.

No Guarantee

Would a declaration like the foregoing guarantee that law will abstain from enforcing the draft BitLicense regulation against people? No.

However, a declaration like that does no harm.

What’s more, for some people a declaration like that could be constructive, especially given that the draft BitLicense regulation (if adopted) is subject to strange interpretation.

Further, those people would be safer from enforcement if they avoid tricking, deceiving or defrauding anyone.

What do you think?

By: Benjamin Wright

Notice: Statements like the above by Benjamin Wright are just public discussion; rely upon them at your own risk. They are not legal advice for any particular situation. If you need legal advice, you should consult a lawyer who has explicitly agreed to provide you advice.

*Footnote: In the mid-1990s Utah adopted legislation to promote cryptographic e-commerce by licensing public-key-infrastructure certification authorities. The legislation was ill-conceived and caused much confusion. Utah eventually repealed the legislation.

Mr. Wright submitted the foregoing as a formal comment to the NYDFS.


1. More analysis of the definition of "Virtual Currency" under NYDFS's proposed BitLicense regulation.

2. Valid questions raised by the imprecise language in draft BitLicense regulation.

Related: How to interpret a contract for payment by Bitcoin.

How to Prove Bitcoin Evidence

Evidence is fundamental to the use and regulation of cryptocurrencies like Bitcoin. This blog post demonstrates one way to collect and preserve evidence about cryptocurrency transactions, technology and businesses.

Bitcoin evidence might be used as follows:

  • in a court of law to enforce a contract for sale of a product purchased with Bitcoin
  • by a tax authority to calculate tax (The IRS says Bitcoin is property on which capital gains taxes must be paid.)
  • by an accountant to audit the financial condition of a company that owns Bitcoin
  • by a regulator to monitor a Bitcoin exchange (The New York Department of Financial Services proposes to license and regulate virtual currency businesses under a program popularly known as BitLicense.)
  • by a compliance officer at a licensed Bitcoin business to show she checked the function of Bitcoin software at a specified time

Example Evidence in Failed Transaction

Cryptocoinsnews recently reported how evidence was captured and shared regarding a failed purchase purchase of goods paid with Bitcoin. The author says he tried, unsuccessfully, to make a purchase at Tiger Direct, which uses Bitpay to accept
Bitcoin payments. In connection with the author’s research of the failed transaction, “BitPay has sent [the author] the screenshot showing the proper amount paid . . .” In other words Bitpay proffered the screenshot that it made as probative evidence of Bitpay's proper performance in the transaction.

A Screencast Video Is Sometimes Better than a Screenshot.

A screenshot is a common form of evidence for online data and transactions. Screenshots are commonly relied upon in court and in financial audits. They are commonly retained as archives of online events, including contracts or statements of account.

But a problem with a screenshot is that it misses the interactivity of software or an online event. It misses audio feedback. If an investigator wants evidence that after he clicks X then Y happens, he can try to make multiple screenshots and explain them in a written report. But compiling multiple screenshots into a detailed written report is awkward and time-consuming.

A screencast video (including audio), on the other hand, can be worth 10,000 words. Here is a screencast video of a hypothetical review by a compliance officer of a web-based Bitcoin wallet. Notice the audio beeps and the brief notices that blink in the upper right-hand corner and then go away; these would be hard to represent with screenshots stitched into a written report.
(I use the demo wallet at, which is described as “Free. Open Source.”)

Video Freezes Evidence at a Point in Time.

Software and other technology change constantly. This video documents precisely what the investigator sees at a particular time. It also records the audio “beeps” he hears, and it shows precisely when he heard them.

Could the investigator forge or manipulate this video record? Yes, just as investigators can forge other evidence like screenshots or old-fashioned paper documents.

The value of the screencast video evidence depends on the reputation of the investigator.

I have previously analyzed video evidence like this.

The credibility of the video could be enhanced if it were created and signed by more than one investigator.

The statement of date and time by the investigator via webcam makes it more difficult for anyone to manipulate the video, especially if date and time are corroborated by an outside source, such as email to which the video is attached or a cloud service to which the video is uploaded.

For instance, the Youtube (i.e., cloud computing) page for the video above shows the video was uploaded July 17, 2014. I (the Youtube subscriber who controls the page) am not able to manipulate that date. Thus, if six months from now I wanted to create a fake video and claim the date was July 17, 2014, I could not use Youtube to corroborate the date for the fake video.

Legal Signature Supports Authenticity.

A crucial aspect of the video is the webcam signature of the investigator at the end. The webcam-recorded words “I Ben Wright hereby sign and affirm this video as my official work,” make clear the investigator is putting his professional reputation on the line. He is going so far as to record his face and moving lips as he speaks the words. He is making a form of legal affidavit.

The signature potentially opens him to legal and professional punishment if he is lying or cheating. (If he is licensed like a certified public accountant, he could lose his license. He could jeopardize his ability to ever get professional employment again in the future.)

This signed video record could even be valuable years later when the investigator is no longer available or willing to vouch for it. His employer (in the hypothetical video the employer is Acme Virtual Currency Brokerage) may need his evidence long after he leaves employment.

Deeper Evidence Might Be Available.

The video above of course records the function of a wallet at the level of user interface. This record may be adequate for many audits and regulatory reviews. But sometimes deeper evidence may be necessary. Records of logs, ledgers, journals, meta-data, audit trails, and the like may be necessary . . . assuming the investigator has access to them, as well as the time and expertise to make use of them.

In any case, the application of a legal signature by the investigator who collects and authenticates such evidence can contribute to the long-term credibility of the evidence. Often a webcam signature (stating date and time) would be practical, reliable and persuasive to legal authorities like juries.

What do you think?

Related: How to verify online forensic evidence.

How to Find Legal Evidence in Backups

Copies of legal and audit evidence are spreading everywhere. The “syncing” of digital devices and services is revolutionizing the forensic collection of electronic evidence.

Discoverable evidence is no longer confined to islands like an email archive or a hard drive. The evidence is multiplying. It is being copied and copied again. It is backed up here, it is automatically shared there, and it is accessible some other place.

Hence, if relevant text messages have been deleted from a phone, they may still be recoverable from a synced backup on:

  • PC hard drive 
  • enterprise email account
  • cloud storage account like Dropbox or Gdrive (cloud storage often enables automated copying to multiple devices; something copied to Gdrive may automatically be copied to your home PC hard drive and the hard drive of your personal laptop)
  • wearable device like a smart watch
  • dedicated local storage device (a “cloud in your home”)
  • television in the living room
  • soon . . . your Internet-of-Things refrigerator!

Can You Remember All the Services Enabled on Your Smartphone?

Today, when a consumer or a business professional sets up a new device like an Android phone, they are encouraged to sync their
contacts and photos with cloud services and with other devices. Many people do not deeply understand what this means.

Recently I witnessed the surprise of an iPhone user who lost her phone and bought a new one. All of her details, like photos and settings emerged like magic on the new phone. Why? Because they were backed up in the iCloud . . . even though she did not realize they were stored there.

Many modern cell phones automatically back up data to the cloud so that the data can be restored if the user "resets" the phone. See this image from an HTC One phone.

Such cloud backup service is a relatively new development in the smartphone universe. The full implications of this service can vary from one situation to the next and from time to time. Can texts be recovered from this backup? Photos? Log-on credentials for mobile apps like Snapchat? Contents of mobile apps, which may themselves contain sensitive messages, images, geolocation data etc., etc.?

An investigator may need to research and play around with a service to learn what evidence can be recovered from it in any given situation. The investigative process is unpredictable and labor-intensive. Therefore it may be expensive if you are paying an investigator to work by the hour.

The backup functionality can be complex, and hard for even a reasonably educated person to understand. I have been working with a new HTC One phone (July 2014). I've enabled automatic backup, but I am still puzzled about precisely what the backup does. I see this explanation on HTC's web site:

It says my data is at my "Dropbox storage" . . . but I am not aware that I have ever set up a Dropbox account. So far I've not been able to ascertain whether I can access this "Dropbox storage" by any means other than "resetting" the phone . . . or possibly duplicating the contents of the phone onto a different HTC phone.

(I am guessing that somewhere in the setup of the phone and the setup of the backup function HTC created a Dropbox account for me . . . but that is just a guess. I did not notice this happening. I have not noticed a "welcome" message from Dropbox.)

Many people come to this blog seeking to get texts and photos from a telecommunications carrier like AT&T. However, the carriers are often uncooperative. The better path for recovering data may be from the cloud backup, such as HTC's Dropbox storage or Apple's iCloud.

Did You Automate and Then Forget?

Some cloud services encourage you to make automatic backups because they want you to become dependent on them. Microsoft’s OneDrive gave me three extra free gigabytes of space if I’d set up the CameraRoll on my Windows laptop to upload its contents automatically to OneDrive. Microsoft is hoping I will upload so much (perhaps without thinking about it) that I will need to purchase additional storage.

HTC and Apple provide backup as an incentive for the customer to come back to them when the customer purchases a new device.

Many users will forget about their various backups. Therefore, if they were asked in a legal deposition or interrogatory whether they had backups they’d honestly say no. However, a diligent investigator could find the backup(s).

Does Investigator Need Training?

An effective investigator does not necessarily need special equipment or high technical skills to find the backed up data. Instead, the investigator needs patience and an inquisitive disposition. Computer devices like tablets and online services like OneDrive are emerging and changing constantly. No one can know everything about them. However, their features and behaviors can be researched and intuited by a persistent investigator.

With that said, a trained investigator will know how to order and document his work so it can more readily be established as reliable in court. In a criminal prosecution, a court may expect proof of the “chain of custody” for the evidence. Further, the work of a licensed and/or certified investigator may be perceived as more credible.

What’s more, sometimes special forensic tools are critical to recovering data. For example, a forensic specialist reports he recently used forensic tools to recover deleted email by accessing the “shadow” copy maintained for disaster recovery on the hard drive of a Windows PC.

Is the User Given Good Legal Disclosure?

When a user syncs a device with something else, there’s never a sensational notice like this: “Warning. By syncing your phone, you are creating backup records of photos and text messages that can be discovered by the police or your ex-spouse in a legal investigation.” Users are often presented lengthy (boring) terms and conditions, but few users scroll screen-after-screen on their mobile devices to read and absorb the
implications of the terms. As the adjacent photo shows, the terms may say that nonspecific, neutral-sounding “content” will be stored, but rarely do users cogitate over that word.

When a user sets up syncing, they may create a password that they then forget. Sometimes the only practical way to access the synced backup records is by using the device from which the records originally came. For instance, an app on a phone may be causing records to be stored on a social media or cloud site. The only practical way for the investigator to get credentials for logging onto the site might be to use the app as it is installed and configured on the phone.

With appropriate authority, a talented investigator can reset passwords and recover forgotten accounts. Authority might come from, for example, user consent, a court order or a BYOD agreement between the user and her employer. 

iCloud and iPhoto Pitfalls

Apple's iCloud is notorious for storing records in ways that confuse iPhone or iPad users. This confusion has contributed to a scandal around nude celebrity photos.  Remarkably, a user (like a celebrity) can delete photos from his/her iPhone but not realize they are still stored in iCloud, waiting to be discovered by an investigator . . . or a hacker.
Data that won't disappear
Further, even if the user has figured out how to delete the photos from iPhone/iPad and iCloud, they can still be backed up in iPhoto on the user's Mac desktop or laptop. Getting rid of all the data requires extraordinary diligence!

By: Benjamin Wright

Professional Standard of Responsibility for Data Security

The CEO of retail merchant Target lost his job owing in part to a data security breach. The Chief Information Officer lost his job too. Target is a turning point in the history of data breaches. It is changing the way enterprises approach data security.
Target breach is legal milestone
Lessons from Target

Insecurity Is a Fact of Life

To prevent data from leaking out is very hard – in fact, super hard – for an enterprise to achieve. To explain that point, journalist Quinn Norton publishes an article titled “Everything Is Broken.”  Although she speaks in terms I would not use (she says computers are “broken”; I say our expectations for computer security are unrealistic), I subscribe to her basic message: typical computers and software are inherently insecure. They are riddled with holes. They were not designed, they were not created, they are not deployed like M1 tanks.

Encryption Exemplifies Security's Unachievability

Take encryption. The public discussion about security often assumes that “encryption” is an achievable solution to much of the data security problem. But sustained use of encryption in a functioning enterprise – or by a reasonably careful individual – is a nightmare that is rarely acknowledged. To quote Norton: “Managing all the encryption and decryption keys you need to keep your data safe across multiple devices, sites, and accounts is theoretically possible, in the same way performing an appendectomy on yourself is theoretically possible.”

She goes on to explain that so often encryption programs can be circumvented because – for example -- they sit on top of code written in the C programming language, which is often written by sloppy developers who fail to use secure coding practices. Secure coding in C requires a lot of discipline. According to knowledgeable expert, "C is unforgiving if you are lax in secure coding practices."

An example of a C programming vulnerability is the catastrophic Heartbleed bug that attracted so much attention when news of it broke April 2014. Security guru Bruce Schneier said that on a scale of 1 to 10, Heatbleed is an 11 in its magnitude!

Think about Schneier’s comment from a public policy perspective. Heartbleed had been sitting out there for years, unknown to the community, as loophole in commercially-popular encryption (OpenSSL). But the public policy conversation assumes “encryption” is good, practical, achievable.

Norton argues there are more Heartbleeds out there; the community just hasn’t identified them yet.

Another recent controversy demonstrates how impractical encryption can be. For years, many smart people have relied on TrueCrypt to encrypt records. Then suddenly TrueCrypt's developers announced the program is insecure and everything encrypted with it needs to be re-encrypted with something else. Even though the community is debating whether TrueCrypt is in fact insecure, the controversy compounds the nightmare for many enterprises that in good faith have devoted resources to encryption.

When we consider encryption as solution, we must acknowledge that the practical application of encryption is destined to fall short.

Breaches Are Normal

In data security, everyone makes mistakes, even the best experts. RSA itself – the gold standard among infosec vendors – suffered a major security breach in 2011. Hackers used spear phishing against RSA employees to compromise the company’s SecurID authentication tokens. ( “The 15 worst data security breaches of the 21st Century,” February 15, 2012)

What about the National Security Agency? It is reputed to employ the best computer security team in the world. It devotes a massive budget to computer security. But it suffered a cataclysmic breach. Edward Snowden stole the NSA blind.

No one is immune to data security breaches, even when they have very qualified people working for them and they devote tremendous resources to the problem.

Data security is a highly adversarial contest, similar to high-stakes litigation. The enterprise faces very smart, capable and persistent adversaries, like Mr. Snowden or like talented opposing counsel.

Losing the data security contest is normal, just as losing a lawsuit is normal and losing a football game is normal.

CISO Emerges as a Peer to General Counsel

It is in this harsh, unpredictable environment that enterprises like Target must manage sensitive data like payment cards and healthcare records.

For an enterprise, managing data security has become like managing legal rights and liability. The enterprise will never get close to perfection. It will never know whether it made all the correct decisions. But it can devote professional attention to the problem.

Historically the infosec team at the enterprise was composed of technical staff under direction of the Chief Information Officer. Infosec guys often complained that their guidance did not get the needed respect. They’ve had a reputation for writing long, highly prescriptive security policies that say this “will” be done and that “must” be installed. Even though their policies often would not be followed, they felt it necessary to use unrealistic, compulsory policy language just to be heard. They spoke in simplistic, black and white terms.

The historical practice out of the infosec team is markedly different from the practice out of general counsel’s office.  Business lawyers eschew directives like you "must" do this and you "will" do that.  Often such absolute mandates are too simplistic to address the challenges the enterprise faces. Rarely do lawyers say something like, “The enterprise must file this lawsuit because the enterprise is guaranteed to win a bunch of money in the lawsuit.”

But when lawyers talk, executives listen. Corporate lawyers are esteemed, pretty-well paid professionals. General counsel is an executive.

Though lawyers can speak in soft tones, their “advice” and “recommendations” carry weight. Their advice and recommendations are perceived as having serious impact, even if the advice and recommendations are not always followed or not perfectly followed.

Seeking Higher-Caliber Security Advice

The world is changing. Target is rumored to be shopping for a Chief Information Security Officer who will not be a subordinate of the CIO.  Rather, the CISO will be a peer of the CIO. According to Business Insider, this elevation of the CISO (and therefore the elevation of the infosec team) is an emerging trend among enterprises. “This Week In Payments News: Target Undecided On Who Will Be In Charge Of Stopping Hackers,” May 25, 2014.

Here is my interpretation of the trend: Management of data security has become mission critical for the modern enterprise. But management of security involves tradeoffs and unknowns akin to those applicable to the management of legal rights and liability.

The modern enterprise seeks sage leadership on data security. The enterprise will never achieve perfection; it will never know whether its decisions were the best. But the enterprise wants to get the kind of guidance from its security staff that it gets from its legal staff.

The implication is that the modern enterprise is seeking sharper, better-qualified security staff, and it is willing to pay higher salaries to get it. The modern enterprise is in the hunt for a more professional infosec team, lead by an executive-level CISO.

Legal Motivations for Professional Attention

When a patient visits a doctor, there is no guarantee the patient will get well. When a client retains a lawyer, there is no guarantee the client will win its lawsuit or achieve a desirable legal outcome.

The risk of an unhappy outcome is recognized in professional malpractice law.

So long as the doctor or lawyer exercises diligence and care, the professional is not liable for malpractice, even though the outcome is undesirable. Law motivates the professional to work and even be creative and take educated risks, but it recognizes that the task at hand can be unwinnable. It leaves much room for imperfection, mistakes in judgment and plain old bad luck.

I argue similar motivation should apply to data security in an enterprise. The enterprise should be motivated to seek qualified security expertise. But very commonly a diligent application of that expertise will fail to a greater or lesser degree. Qualified people will make mistakes. The possibilities for error and surprise are infinite.

Moreover, data leakage is like a serious disease. Often it is simply not curable. Law should motivate good work, but it should not punish a failure to cure.

Hence I argue that the law of data security should not hold an enterprise liable for a data leak if the enterprise meaningfully employs qualified staff.

I don’t anticipate infosec staff will be licensed like doctors or lawyers anytime soon. But I do think law can recognize the difference between qualified, vigilant staff and the absence of the same. And the law should recognize that even with qualified, vigilant staff, bad outcomes are normal, par for the course.

By: Benjamin Wright, attorney and teacher of Law of Data Security and Investigations at the SANS Institute.


Target's new CISO will report to the CIO. However, I'll bet that the new CISO will be treated as a trusted professional whose recommendations are given weight.


1. Floods of data breach notices

2.  Putting a Professional Standard of Care into Infosec Practice

How to Conduct a Private Internet Investigation

The online universe brims over with data and evidence about firms, people and events. But effective access to it can require hiring a private researcher or private investigator. In some cases a lawyer should be the first professional consulted.

Trend: Evidence Exists, But It is Hidden

A growing trend is that the data you want is hidden from easy public access. There are three reasons for this trend:

1. Right to Be Forgotten. The first reason is the recent ruling in the European Union that search engines like Google and Bing must respect the “right to be forgotten” and remove links to some data about a person when the person requests. The data -- which might relate to an old debt or crime -- may still be publicly accessible on a web site, but easy-to-use search engines (Google/Bing) can’t point to it. It exists in the so-called "Deep Web."

2. Closed Apps and Sites. A second reason for this trend is the rise of apps and web sites that disallow indexing by Google/Bing. Most Facebook content, for example, is not indexed by Google.  Much of the content collected by a mobile app – like the health apps published by Noom -- is not indexed by Google.

Many services not indexed by Google do collect loads of valuable information and make it available to subscribers/customers, whether paying or otherwise.

3. Inhospitable Terms of Service. This is the third reason for the trend that data is inaccessible. Legal terms of service that impede investigation are becoming more common. For example, Facebook’s terms say, “If you collect information from users, you will: obtain their consent . . .”

Huh? Those terms seem to say that before you get “public” Facebook info about the target of an investigation you must get the target’s consent. But you may not to do that because you don’t want the target to know you are investigating.

Although terms like this can be subject to interpretation, they can restrict the collection of data or limit its use as evidence in court.

A Professional Can Uncover Scattered Recorded Evidence

The upshot of the foregoing trend is that recorded information is becoming more fragmented, even as it becomes much, much more plentiful. It is scattered around. Finding it and making sense of it can require the payment of fees and the expenditure of much labor – more money and more labor than was perceived to be true a few years ago when Google/Bing seemed like the universal gateway to the web.

This means professional researchers and investigators are becoming more valuable. Professionals have training and experience. Better ones are creative. They have access to and know how to use many databases and search services, including less-conventional ones like Tineye, an image search engine, or Yandex, a Russian search engine, and fee-based databases like Proquest Obituaries or

They are skilled in searching the Deep Web using tools like Biznar, though no one knows how to use every online investigative tool.

Skilled investigators know how – or can quickly learn how -- to use Worldcam   to find recent Instagram photos near a certain location. Or they can find and apply new tools, such as Ready or Not, which maps
Map Location of Recent Social Updates by the Target of Investigation!
a person’s recent physical location based on where they were at the time they broadcast a tweet or Instagram post.

New search tools emerge every day!

Good research might involve a lot of trial and error. For instance, suppose a researcher is collecting information about Courtney. The researcher sees that Courtney talks on Facebook about using the Noom Weight Loss Coach mobile app. The researcher might look up the Noom app, subscribe to it and pay for premium service so as to have access to user forums, where – maybe or maybe not – Courtney would have posted something relevant.

The number of mobile apps is endless; apps come and go like Texas weather.

Sometimes, when a professional gathers research, s/he must be licensed as a private investigator. For example, Texas law broadly requires independent businesses that collect sensitive information to be licensed as a PI.*

An Attorney’s Role in Five Parts

When seeking information, the services of attorney may be helpful.

For one, an attorney may possess the necessary skills and license to conduct the investigation himself.

Two: An attorney’s interpretation of terms of service or end user license agreements (EULAs) may be necessary. Terms of service can be confusing or ambiguous. Competent interpretation of the terms may direct an investigation to pursue one course of action (e.g., just taking written notes about what the investigator encounters on a site) while avoiding another course of action (e.g., making copies of material the investigator encounters on the site).

An attorney might recommend a non-obvious method for an investigation to obtain permission before proceeding.

Similarly an attorney can analyze the ethical implications of pursuing one investigative path versus another path. For instance, one path may smack of unethical deception (e.g., pretending to be a former classmate); whereas, an alternative path of investigation may be just as effective but involve no deception.

Attorney Can Invoke Powerful Confidentiality

Moreover, an attorney may be able to cloak the investigation in confidentiality. The “attorney work product doctrine” says that when an attorney does work in preparation for a dispute the attorney’s work is confidential and cannot be discovered by legal means such as a deposition or subpoena.

The work product doctrine is powerful. It is a sibling to “attorney-client privilege” which protects the confidentiality of communications like email or phone calls between a lawyer and his client.

The work product doctrine can protect the attorney’s notes, his research and investigations he preforms or directs others to perform. Thus, if the doctrine applies, the attorney can direct a private investigator to gather evidence from social media or online databases, and the investigation itself would remain legally confidential. This means that an adversary, such as a tax authority or an ex-spouse, could not legally force disclosure of the existence and mechanics of the investigation.

In practice, when an investigation is undertaken, many kinds of potential legal disputes could be present. The potential disputes could cover, for instance:

  • defamation
  • heirship
  • divorce
  • child custody
  • control of a corporation
  • property ownership
  • employment discrimination
  • tax evasion
  • much more

Attorney’s Analysis Can Guide Investigation

Here’s a fourth reason for engaging a lawyer. A savvy attorney can analyze and articulate the need for and purpose of an investigation. A well-reasoned mission-statement for an investigation can help guide the scope and methods of the investigation. It can determine what evidence is required and what is not.

An attorney might rationally document that an investigation is needed, for example, for the purposes of

  • personal safety, or
  • defense of property in a manner that is proportionate to the threat, or
  • confirmation of compliance with law

The attorney might then know which private investigators are best suited for the job.

Fifth role of attorney: A sharp lawyer may be able to develop a strategy for collecting hard-to-get evidence in a way that will stand up in court.

What are your comments?


*Footnote: Texas Occupation Code Section 1702.104 reads: "(a) A person acts as an investigations company [which must be licensed] if the person: (1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to . . . the cause or responsibility for . . . loss, accident, damage, or injury to a person or to property. . . . (b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public." Arguably one way that online data may not be available to the public is that terms of service forbid access to it. 

Therefore online data that you want as evidence for lawsuit may appear to be public.  But if terms of service restrict the collection of it for purposes of a lawsuit, then you may need help from a licensed professional to collect it.


Related: PI License for Computer Forensics Expert

How to Obtain a Subpoena . . . or Results Equivalent to One

You want legal evidence – such as a photo, a text message, a utility log or a surveillance video -- that is in the hands of some other person.* A subpoena might be a legal way to get that evidence.

But to reach your goal, you may have many alternatives. You are wise to consider alternatives, possibly with the advice of legal counsel. Creative, analytical thinking may be more effective than you expect.

The proliferation of digital devices, and the networking of computers, give rise to a cornucopia of data and evidence about any given event:

  • burglary
  • traffic accident
  • breach of contract
  • sale of property
  • extramarital affair
  • bribery
  • act of good Samaritan

This expanding cornucopia may be richer and more detailed than you image. Simply put, there is always more data, always more evidence.

A Simple Letter Might Work

Traditionally a subpoena uses demanding, adversarial language to request information. But that type of language can be counterproductive and can make people cautious and defensive.

One option might be just to write a polite letter requesting the evidence . . . or information about the evidence. For example, the sheriff in Howard County, Indiana, used a polite letter to get information about a fugitive from the operator of the online game World of Warcraft. The letter was not a legally enforceable order. It was an explanation for why the sheriff needed the information about a particular WoW user. The WoW operator responded with a letter providing details about the geographic location of the fugitive in question.

You, the reader may not be a sheriff or a government officer. However, if you have a good justification you may be able to persuade an authority to write a letter on your behalf. That authority might be your local sheriff. Or it might be a politician, such as your state representative in your state legislature.

Although large Internet Service Providers like Facebook can be uncooperative and bureaucratic with requests for information, smaller service providers may be different. For instance, today many mobile apps are operated by small companies. A sympathetic appeal to them for help can sometimes work.

Appeal to a Foreign Official

Surprisingly, the person who might issue a letter on your behalf (if not an official order or demand) is a foreign government official. The Internet has changed the way many government officials view their responsibilities. Legal jurisdiction is not perceived to be as territorial as it once was. For instance the Canadian Privacy Commission is known for taking action against data brokers located outside of Canada . . . when they are handling data about Canadian citizens incorrectly. Thus a US citizen might be able to get help from a Canadian official if the US citizen can show a Canadian connection to the problem.

Subpoena By Way of Bankruptcy

A legal process that enables issuance of a subpoena may not be pleasant. Example: Douglas Himmelfarb has long believed he owns a valuable painting by famous artist Mark Rothko. He has been working for years to prove the painting's authenticity.

15 years ago Himmelfarb learned that Rothko’s family may possess a photograph that would lend credence to the claim of authenticity. Himmelfarb could not persuade the family to release a copy of the photograph.

Then, unfortunately, Himmelfarb went into bankruptcy. An interesting by-product of bankruptcy proceedings is legal power to issue subpoenas for the purpose of ascertaining the value of assets, such as this painting. A bankruptcy subpoena at long last forced the Rothko family to release a copy of the photograph to the court (though the family’s lawyer included with it a written warning that it should not be assigned undue weight in evaluating whether the painting is authentic). “Is This Rothko Real?” Wall Street Journal, April 25, 2014.

How to Write a Subpoena

Please refer to my earlier blog post on how to write a subpoena for computer records. It contains numerous suggestions on how to obtain a subpoena, such as through a police investigation or proceedings in small claims court.

Analyze Your Interest and Your Public Appeal

When you want information from another person, think carefully about why you want it and why you are entitled to help. It may actually be that you have a property interest in the information, or a moral right to it because it affects your safety or privacy or it belonged to deceased relative.

A well-articulated statement of your interest may go farther than you expect. Companies and institutions are sensitive to public perception. A well-formulated campaign on Twitter, on Kickstarter (a crowfunded public petition) and/or on a blog can persuade a larger organization that it should, in the interest of its community, cooperate with a fact-gathering effort.

For example: Facebook released a one-minute "Look Back Video," composed of posts by a deceased user, after the user's father posted a compelling plea on Youtube. (The father, John Berlin, could not access his son's account.)

You Never Know What the Owner of Information Might Do.

The owner may decide, for example, to reveal the information to a neutral third party, who can assess it and report to the public.  It may reveal some information, with sensitive parts redacted. It may decide to reveal only meta data about the information, such as
digital record-keeper
Internet of Things

  • when the information was collected, 
  • how it was collected (smart grid meter? surveillance microphone? navigation system on-board a moving vehicle),
  • what format it exists in (spreadsheet? mp3? video?),
  • whether it has been deleted 
  • and so on.

The information owner very possibly does not even realize what evidence it possesses or the significance of the evidence!

When a firm or a responsible person is faced with a public request for help that appeals to the sympathies of popular opinion, surprising things can happen. You might point out that generosity on the part of the other party might lead to positive publicity and a positive public image.

A similar public appeal might nudge a government entity – like a state attorney general, a school board or a county commission – to open an investigation that would cause a subpoena to be issued. It might cause a public hearing to be scheduled, which could require a party holding information to appear and explain the status of the information and explain why the information is being withheld.

It might cause a local TV station to broadcast a news report.

Ask the Public for Help

Interested members of the public will tell you secrets you don’t know. They might for instance explain to you that the information you seek is backed up in a place you can access.

I recently helped a client who believed certain government employees were harassing him. We blogged about the harassment. This publicity caught the attention of allies, who gave us tips on how to get more information.

*Footnote: A dramatic example of third-party evidence is a surveillance video that surprised Los Angeles prosecutors in a criminal drug trial against Guillermo Alarcon, Jr. Unbeknownst to police officers a camera on an apartment building recorded their arrest of Alarcon. Management at the building was sympathetic to Alarcon and gave the video to his defense lawyer, without telling police. Then at trial Alarcon's defense lawyer produced the video, Perry Mason-style, after the police officers delivered sworn testimony that was inconsistent with the video.  The charges against Alarcon were dismissed. The police officers were convicted of perjury.

Related: Retain Licensed Professional to Follow Online Footprints

Computer Investigator Arguably Crosses Line | Breaks Eavesdropping Law?

In computer investigations, the difference between legal and not legal can be subtle. Our computer crime laws are written so broadly that they leave much to subjective interpretation.

Technology is changing so quickly that bright-line rules about what is permitted and what is not are rare.

Legal compliance requires computer investigators to exercise good judgment. Smart investigators will take proactive steps to increase the probability that their actions will be interpreted as legal and ethical.

Justified Investigation May Have Gone Too Far.

A case in point involved Absolute Software. A school installed Absolute Software’s tracking software on its laptop. Thief stole laptop, sold it to an intermediary, who sold it for $60 to an unsuspecting party, Susan Clements-Jeffrey. Ms. Clements-Jeffrey used the laptop at home to engage sexually explicit text and webcam conversations with her boyfriend over the Internet.

By Legal Standards Technology is Advancing at a Blistering Pace.

Let’s pause and reflect before we dig deeper into the facts of this case. In 2014 it does not seem like a technological feat that two ordinary computer users could use webcams to engage in private, sexually explicit conversation. Webcams have come as standard equipment on low-cost laptops for about five years now.

But the computer crime laws that (as we will see) apply to this case date back to the 1980s. In the 1980s, nobody knew what a “webcam” was; no one even knew what the “world wide web” was!

Furthermore, the handful of years in which webcams
have been available to the masses is just a flash in time by legal measures. There has been little opportunity for meaty legal cases – like this one – to tell us how computer crime laws should be interpreted in the “Age of the Webcam.”

Investigation Starts with Justified Objective.

Let’s go back to the facts of the Clements-Jeffrey case. Absolute Software was paid by the school to track down the stolen laptop. Absolute’s software pre-installed on the laptop was capable of invasively, surreptitiously collecting loads of evidence from the laptop – IP address, keystrokes, electronic mail, webcam images and so on.

This is Like Science Fiction, From the Perspective of the People Who Wrote Computer Crime Laws!

Again, I pause in my recitation of the facts in this case to reflect. In 2014 many people have heard of spy software, keystroke loggers and the like. But ladies and gentlemen this technology is bizarre from the perspective of the mid-1980s. In the 1980s the use of this kind of powerful surveillance to resolve petty crimes happened only in a few science fiction novels.

Thus, as we try to interpret these old laws for relatively new technology, surprises are inevitable.

Do the Right Thing: Give Evidence to the Police.

Absolute went to work collecting evidence after the school reported the laptop was missing. In the course of this work, Absolute collected IP address and sexually explicit content and images from the laptop, as Ms. Clements-Jeffrey used it.

Absolute did not publish this evidence on Facebook. No. It turned the evidence over the local police. That’s good behavior on the part of Absolute, right?

However, when the police arrived at Ms. Clements-Jeffrey’s residence to further the investigation and recover the laptop, they allegedly made remarks about the evidence that embarrassed her. That may not have been perfectly professional behavior on the part of the officers, but allegedly it happened. Police officers are human and fallible.

Ultimately the police investigation determined that Ms. Clements-Jeffrey was innocent. She genuinely did not realize the laptop was stolen.

Civil Lawsuit Filed Against Absolute Software.

But then Ms. Clements-Jeffrey and her boyfriend sued Absolute Software in civil court, claiming the software company and its investigator violated their privacy under eavesdropping laws such as the Stored Communications Act (which is part of the Electronic Communications Privacy Act of 1986).*

The crux of the argument was whether Absolute Software – a legitimate investigator – went too far.  Arguably it was OK for Absolute to collect IP address and give that to police. But arguably when it saw the sexually explicit material it should have stopped looking and stop recording.

Now, in Absolute’s defense, it could be argued that a good investigation needs more than IP address. IP address by itself does not tell the police very much. If Absolute gave the local police no more than IP address, the police may drop the investigation because there is too much more work to do to ascertain who has the laptop and what the circumstances are.

Hence, this case takes us to a gray area of law, involving technology that has not been around very long. Few if any good prior cases tell Absolute what it should or should not be doing here.

Gray in Law Is Often Resolved by Juries.

The judge ruled that a trial before a jury was needed.  The judge said a jury that hears all the facts might reasonably conclude that Absolute had violated eavesdropping law and therefore owed money to the woman and her boyfriend. But, on the other hand, the jury might conclude that Absolute did the right thing under these difficult circumstances and therefore owes no money. Who knows?

This ruling was a problem for a business like Absolute. The ruling is not a conclusion that Absolute violated the law, but it sets the stage for a lengthy, expensive and uncomfortable trial for the company. The publicity around such a trial would probably be damaging for a company like Absolute.

Often when companies are faced with the prospect of such a trial they settle quietly and pay money to the plaintiffs. In such a settlement, there is no final decision or admission that the company was wrong, but the company pays money.

What Proactive Steps Could Reduce Risk?

Unfortunately modern, ethical investigators face conundrums like this case every day. These conundrums are a symptom of our fast-paced world of technology.

For these conundrums, I have no perfect solutions. But companies like Absolute can take proactive steps to reduce risk, such as:

1. Place physical and virtual warnings on protected computers explaining that they are under surveillance and that users consent to such surveillance and consent to all data being turned over to police.

2. Train investigators to exercise good judgment. Good judgment is like beauty; it is in the eyes of the beholder. But wise cyber-investigators should be aware that risk lies around every corner. If they encounter sensational evidence that is not absolutely critical to the investigation, they are wise to back away from it and/or redact it.

3. Good investigators work in teams. They deliberate among themselves about difficult questions, and they document their deliberation. Documented deliberation can reduce the risk of bad judgment and can help to make decisions more defensible.

4. Good judgment may dictate that an investigator warn authorities about privacy and controversy. For example, Absolute Software could have told the police the following, in writing: "In the course of our investigation, we inadvertently encountered very sensitive, sexually explicit communications (which are not necessarily illegal) on  the part of the suspect and another, apparently innocent party. At this time, out of respect for privacy of people who have not yet been proven to be guilty of anything, we refrain from including records of these explicit communications in the evidence we are now delivering to the police."

*The ECPA/Stored Communications Act are criminal laws that forbid computer eavesdropping. Often they are enforced by a government prosecutor in criminal courts. However, like some other computer crime laws in the US, they can also be enforced by an aggrieved citizen (the "plaintiff") in a lawsuit in civil court seeking money damages from the perpetrator (the "defendant").

P.S. See more tips for how investigators can stay within the bounds of privacy law.