Post Process

Everything to do with E-discovery & ESI

What we have here, is a failure to communicate…

Posted by rjbiii on July 10, 2008

In three different interviews and one post-mortem editorial, networkperformancedaily gets caught in the crossfire of differing interpretations of Texas’ new PI licensing statute. The amended statute, first noted by Post Process in July 2007, expands the definition of an “investigations company” so that it may include tasks performed not only by computer forensics technicians and intrusion detection experts, but by computer repair shops as well. We have also posted on the law here and here.

The first interview is with the drafter of the bill, who acknowledges the law might need to be “tweaked,” and who has a fairly narrow view of the scope of the law’s reach:

NPD: I am not a… um… pretty good reader of bills. So, what I wanted to know… The claim is that people who repair personal computers would need to get a private investigator’s license in order to continue repairing computers.

Driver: Yeah, and that’s what they’re claiming. It’s interesting that they’re claiming all that, and they filed a lawsuit on the same day that they decided to open their Texas chapter. To me, I just felt it was a way they’re getting a lot of free publicity, and a lot of free press, and free TV time and free radio time, because the bill to me, it says what it says. There’s three words that describe somebody that repairs computers, and that’s if people retrieve or provide information, and there’s three words that somebody “reviews, analyzes, or investigates” that material, then, they do need to have some sort of security clearance because they’re delving into people’s private lives or private property on the computer.

NPD: The one thing that I noticed was that it seems very clearly that this is for personal computer investigators, like someone who does analysis to determine whether a crime has been committed or something has been stolen, or intellectual property has been violated. It doesn’t seem to me that this would apply to people trying to just recover information for the person’s wishes.

Driver: Right, and you’re correct. You used one of the key words in my opinion, which is “analyze.” “Review, analyze, and investigate” are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they’re doing some of that, then they don’t need to be – it doesn’t need to be just anybody able to do that – they need to have somebody that has a security license. But if someone’s just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that’s just a regular computer repair person. And those guys are great, they’re good at what they do, and we never intended for them to get any kind of license other than have the ability to repair.

So, Mr. Driver subscribes to the theory that the lawsuit is merely for publicity, and that regular computer repair isn’t affected. The Captain of the Texas Private Security Board gives his interpretation:

NPD: So, maybe I could give you a couple scenarios and you could help – maybe you could explain whether or not it would be covered. For example, let’s say there was a network engineer who is trying to find the root cause of a slowdown on the network, and in the course of investigating that, they discover that the root cause is some sort of criminal activity, such as a virus infection, or someone engaging in massive intellectual property violation, in other words “piracy,” something like that. Would they then require a private investigation license? Would they have to stop their investigation at that point?

Bowie: Based on the scenario you gave it sounds like they’re performing a repair or support service, and they’re not – the intent was not to go in and do an investigation, they are just collecting information that they found, and that doesn’t, based on that scenario, doesn’t rise to that level of an investigation.

NPD: What about a PC repairman who is being asked to check for viruses on a person’s computer?

Bowie: That does not rise to that level either.

NPD: What if a parent brought in a computer that they owned, but which is primarily used by a son or daughter, and they wanted to find out, say, the browsing history?

Bowie: That’s just considered normal computer repair or support service.

NPD: What wouldn’t be considered normal computer repair – can you give me a very specific example where that line is crossed?

Bowie: No, it’s – when you read into 1702.104, there is some interpretation there that you have to consider. I can’t give you a specific example, I could probably use some type of scenario in the sense of, for example, if an individual is contracted to come in and say, for example, investigate your computer at your company – you have employees there, and you believe identity theft has occurred, that there’s been some issues and you want this individual to come in, inspect the computers, you want them to come in, perform an investigation relating to the identity, the habits, the efficiency, movement, affiliations or locations or transactions and acts, or the character of a person, or the location and disposition of lost or stolen property, or some type of damage to the system, then I think you’re moving more towards the spirit of the law, and falling into an investigations company.

NPD: Okay, so once you get to that point – this is something that’s considered now to be routine is, if a person is suspected of – well, you could say a number of different things. Not just illegal activity but also perhaps, unauthorized use of the network – recreational network use – would that speak to the character of a person if they’re browsing YouTube at work, and an investigation is made to determine if someone is browsing YouTube at work?

Bowie: I think what you have to do is take those on a case-by-case basis, and do a thorough investigation into the matter to determine whether a violation of the code has occurred. You just have to keep in mind that every scenario and case is different, and you have to take it on a case-by-case basis, and use the utmost discretion.

The problem here is that case-by-case means it isn’t easy to see what’s regulated and what isn’t. Also, what kind of investigation is required? Is mere statistical analysis over aggregate data exempt? If not, why not? Next comes Matt Miller, the attorney from the Institute of Justice, who is leading the suit to have the law struck down:

NPD: Is the problem with the law or the interpretation of the law that the Texas Private Security Board has taken?

Miller: Well, it’s with both. Laws can be interpreted in a lot of different ways, and the private security board has chosen to interpret this law very aggressively. Since the law can be interpreted in that way, there are problems with the law itself. The interpretations that the board has issued are the reason that this case has come to our attention, because they say specifically that computer repair shops should be aware that if they offer to provide these services they’ve committed a crime. And that kind of caught our attention, so we started looking into it, and the law itself is problematic because it is subject to such a broad and aggressive interpretation.

NPD: Would it also affect network engineers performing network analysis on their own companies’ computers?

Miller: Sure, and let’s talk about that because, it is complicated and there is quite a bit of nuance. It kind of leads to how this applies to these guys. We’ve gotten calls from people who say, “Well, if somebody’s switching out a hard drive, then that doesn’t apply to them, right?” And the answer to that is, yes. It doesn’t apply to them. But anyone who is analyzing data in a situation where that data points back to the actions of a third party – so, somebody who is not the computer’s owner, or someone who is not the owner of the company – anytime a third party is implicated by data analysis, this law is potentially triggered.

What the board came back and did was, they said that any analysis of non-public computer data to determine the causes of events or the conduct of persons is what they’re calling a regulated service. Of course, that is extremely broad. You know, for instance, if an employer went to a company and wanted to know how their employees were using the computer – that constitutes an investigation. The Board has said that when the service provider is charged with reviewing the client’s computer-based data, for evidence of employee malfeasance and a report is produced that describes the computer related activities of an employee, it has conducted an investigation and has therefore provided a regulated service.

NPD: So, other than the lawsuit, is your organization taking any other actions?

Miller: We’ve obviously tried to bring this issue to light in the media. Because it is somewhat technical, we’ve had to educate the media on how this works. And they’ve been very responsive. But the primary vehicle we’re taking here is this lawsuit and our goal is just to change the law. We’re not seeking monetary damages, this is not a personal lawsuit – we’re going to a judge and saying: “Judge, this is a bad law, and it stops our guys from practicing their profession – it stops a lot of people from potentially doing the things they do on a daily basis, and the law needs to be changed.” So we’re asking the judge to strike the law down.

Finally, there is an editorial based on the three interviews from interviewer Brian Boyko:

So, where did things go wrong? I think the main problem was a key misunderstood concept by Texas State Rep. Driver when he wrote the law. It is clear from the interview with him that he believes that there is a clear and well defined line between “retrieval of data” and “investigation.”

“’Review, analyze, and investigate’ are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they’re doing some of that, then they don’t need to be – it doesn’t need to be just anybody able to do that – they need to have somebody that has a security license. But if someone’s just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that’s just a regular computer repair person.” – Rep. Driver.

But what Rep. Driver simply did not realize is that in the practical realities of IT, no such line exists. Any and every interaction that any IT person has with a computer requires some sort of “review, investigation and analysis,” whether it’s simple troubleshooting or complex network latency optimization.

Another issue here is that none of these people are judges. Once the law is drafted and passed, the legislator is disconnected, for the most part, and the bench takes over. It would seem that a little study of the industry might have been prudent. Even the best, most conscientiously drafted laws can’t foresee everything. The text of this law cries out for want of clarity and precision. Or, at the very least, “tweaking.”
