Computer Investigator Arguably Crosses Line | Breaks Eavesdropping Law?

In computer investigations, the difference between legal and not legal can be subtle. Our computer crime laws are written so broadly that they leave much to subjective interpretation.

Technology is changing so quickly that bright-line rules about what is permitted and what is not are rare.

Legal compliance requires computer investigators to exercise good judgment. Smart investigators will take proactive steps to increase the probability that their actions will be interpreted as legal and ethical.

Justified Investigation May Have Gone Too Far.

A case in point involved Absolute Software. A school installed Absolute Software’s tracking software on its laptop. Thief stole laptop, sold it to an intermediary, who sold it for $60 to an unsuspecting party, Susan Clements-Jeffrey. Ms. Clements-Jeffrey used the laptop at home to engage sexually explicit text and webcam conversations with her boyfriend over the Internet.

By Legal Standards Technology is Advancing at a Blistering Pace.

Let’s pause and reflect before we dig deeper into the facts of this case. In 2014 it does not seem like a technological feat that two ordinary computer users could use webcams to engage in private, sexually explicit conversation. Webcams have come as standard equipment on low-cost laptops for about five years now.

But the computer crime laws that (as we will see) apply to this case date back to the 1980s. In the 1980s, nobody knew what a “webcam” was; no one even knew what the “world wide web” was!

Furthermore, the handful of years in which webcams
have been available to the masses is just a flash in time by legal measures. There has been little opportunity for meaty legal cases – like this one – to tell us how computer crime laws should be interpreted in the “Age of the Webcam.”

Investigation Starts with Justified Objective.

Let’s go back to the facts of the Clements-Jeffrey case. Absolute Software was paid by the school to track down the stolen laptop. Absolute’s software pre-installed on the laptop was capable of invasively, surreptitiously collecting loads of evidence from the laptop – IP address, keystrokes, electronic mail, webcam images and so on.

This is Like Science Fiction, From the Perspective of the People Who Wrote Computer Crime Laws!

Again, I pause in my recitation of the facts in this case to reflect. In 2014 many people have heard of spy software, keystroke loggers and the like. But ladies and gentlemen this technology is bizarre from the perspective of the mid-1980s. In the 1980s the use of this kind of powerful surveillance to resolve petty crimes happened only in a few science fiction novels.

Thus, as we try to interpret these old laws for relatively new technology, surprises are inevitable.

Do the Right Thing: Give Evidence to the Police.

Absolute went to work collecting evidence after the school reported the laptop was missing. In the course of this work, Absolute collected IP address and sexually explicit content and images from the laptop, as Ms. Clements-Jeffrey used it.

Absolute did not publish this evidence on Facebook. No. It turned the evidence over the local police. That’s good behavior on the part of Absolute, right?

However, when the police arrived at Ms. Clements-Jeffrey’s residence to further the investigation and recover the laptop, they allegedly made remarks about the evidence that embarrassed her. That may not have been perfectly professional behavior on the part of the officers, but allegedly it happened. Police officers are human and fallible.

Ultimately the police investigation determined that Ms. Clements-Jeffrey was innocent. She genuinely did not realize the laptop was stolen.

Civil Lawsuit Filed Against Absolute Software.

But then Ms. Clements-Jeffrey and her boyfriend sued Absolute Software in civil court, claiming the software company and its investigator violated their privacy under eavesdropping laws such as the Stored Communications Act (which is part of the Electronic Communications Privacy Act of 1986).*

The crux of the argument was whether Absolute Software – a legitimate investigator – went too far.  Arguably it was OK for Absolute to collect IP address and give that to police. But arguably when it saw the sexually explicit material it should have stopped looking and stop recording.

Now, in Absolute’s defense, it could be argued that a good investigation needs more than IP address. IP address by itself does not tell the police very much. If Absolute gave the local police no more than IP address, the police may drop the investigation because there is too much more work to do to ascertain who has the laptop and what the circumstances are.

Hence, this case takes us to a gray area of law, involving technology that has not been around very long. Few if any good prior cases tell Absolute what it should or should not be doing here.

Gray in Law Is Often Resolved by Juries.

The judge ruled that a trial before a jury was needed.  The judge said a jury that hears all the facts might reasonably conclude that Absolute had violated eavesdropping law and therefore owed money to the woman and her boyfriend. But, on the other hand, the jury might conclude that Absolute did the right thing under these difficult circumstances and therefore owes no money. Who knows?

This ruling was a problem for a business like Absolute. The ruling is not a conclusion that Absolute violated the law, but it sets the stage for a lengthy, expensive and uncomfortable trial for the company. The publicity around such a trial would probably be damaging for a company like Absolute.

Often when companies are faced with the prospect of such a trial they settle quietly and pay money to the plaintiffs. (Absolute Software did settle.) In such a settlement, there is no final decision or admission that the company was wrong, but the company pays money.

What Proactive Steps Could Reduce Risk?

Unfortunately modern, ethical investigators face conundrums like this case every day. These conundrums are a symptom of our fast-paced world of technology.

For these conundrums, I have no perfect solutions. But companies like Absolute can take proactive steps to reduce risk, such as:

1. Place physical and virtual warnings on protected computers explaining that they are under surveillance and that users consent to such surveillance and consent to all data being turned over to police.

2. Train investigators to exercise good judgment. Good judgment is like beauty; it is in the eyes of the beholder. But wise cyber-investigators should be aware that risk lies around every corner. If they encounter sensational evidence that is not absolutely critical to the investigation, they are wise to back away from it and/or redact it.

3. Good investigators work in teams. They deliberate among themselves about difficult questions, and they document their deliberation. Documented deliberation can reduce the risk of bad judgment and can help to make decisions more defensible.

4. Good judgment may dictate that an investigator warn authorities about privacy and controversy. For example, Absolute Software could have told the police the following, in writing: "In the course of our investigation, we inadvertently encountered very sensitive, sexually explicit communications (which are not necessarily illegal) on  the part of the suspect and another, apparently innocent party. At this time, out of respect for privacy of people who have not yet been proven to be guilty of anything, we refrain from including records of these explicit communications in the evidence we are now delivering to the police."

*The ECPA/Stored Communications Act are criminal laws that forbid computer eavesdropping. Often they are enforced by a government prosecutor in criminal courts. However, like some other computer crime laws in the US, they can also be enforced by an aggrieved citizen (the "plaintiff") in a lawsuit in civil court seeking money damages from the perpetrator (the "defendant").

P.S. See more tips for how investigators can stay within the bounds of privacy law.

No comments:

Post a Comment