Post Process

Everything to do with E-discovery & ESI

Archive for the ‘State Licensing Laws’ Category

The Law of Unintended Consequences Strikes over PI Licensing Law in Texas

Posted by rjbiii on January 9, 2009

In the wake of passing amendments to Texas PI licensing laws (see our posts here), cities hoping to issue traffic tickets using automated cameras have run into an unexpected barrier: a court’s interpretation of those licensing laws:

Do the collection and evaluation of electronic records for use in court require a professional license? In litigation a mistake on this question can surprisingly cause a party to lose a lawsuit.

A Texas judge ruled the company operating a red-light enforcement camera (Affiliated Computer Services (ACS)) was acting illegally because it did not have a private investigator license. As the operator of the system, the company was Jim3 involved in collecting and evaluating electronic records for the purpose of presenting findings in court. This case has spawned an uproar statewide, where motorists (such as Jim Ash, citizen of College Station, Texas) are challenging traffic tickets, demanding repayment of fines they’ve paid and complaining about police and politicians who support automated (robo-cop) traffic enforcement.

In response, the company that runs the camera and associated technology has appealed to the State’s Private Security Bureau to help. Sayeth our informed blogger:

The Texas Private Security Bureau issued an opinion saying it “generally” believes the operators of red-light cameras need not be licensed as private investigators. The opinion may help us interpret law on the licensing of computer forensics experts.

The Bureau’s rationale is that the camera operators are performing mere “ministerial” actions at the direction of municipal government employees. (By qualifying its opinion with the word “generally,”the Bureau implies there could be exceptions.) In other words, the Bureau seems to believe the operators are not conducting the investigations that trigger a licensing requirement; rather, the municipalities are performing the investigations.

Advertisements

Posted in Articles, State Licensing Laws, Technology, Texas | Tagged: , | Leave a Comment »

ABA ‘urges’ local governments to refrain from regulating Forensics Activities by means of PI Licenses

Posted by rjbiii on September 16, 2008

The full text of the Resolution (Adopted Aug. 11-12, 2008):

RESOLVED, That the American Bar Association urges State, local and territorial legislatures, State regulatory agencies, and other relevant government agencies or entities, to refrain from requiring private investigator licenses for persons engaged in:

• computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court; or

• network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.

FURTHER RESOLVED, That the American Bar Association supports efforts to establish professional certification or competency requirements for such activities based upon the current state of technology and science.

Link is here.

Posted in State Licensing Laws | Tagged: | 1 Comment »

What we have here, is a failure to communicate…

Posted by rjbiii on July 10, 2008

In three different interviews, and one post-mortem editorial, networkperformancedaily gets caught in the crossfire of differing interpretations of Texas’ new PI licensing statute. The amended statute, first noted by Post Process in July 2007, expands the definition of an “investigations company” so that it may include those tasks engaged in, not only by computer forensics technicians and intrusion detection experts, but computer repair shops as well. We have also posted on the law here and here.

The first interview is with the drafter of the bill, who acknowledges the law might need to be “tweaked,” and who has a fairly narrow view of the scope of the law’s reach:

NPD: I am not a… um… pretty good reader of bills. So, what I wanted to know… The claim is that people who repair personal computers would need to get a private investigator’s license in order to continue repairing computers.

Driver: Yeah, and that’s what they’re claiming. It’s interesting that they’re claiming all that, and they filed a lawsuit on the same day that they decided to open their Texas chapter. To me, I just felt it was a way they’re getting a lot of free publicity, and a lot of free press, and free TV time and free radio time, because the bill to me, it says what it says. There’s three words that describe somebody that repairs computers, and that’s if people retrieve or provide information, and there’s three words that somebody “reviews, analyzes, or investigates” that material, then, they do need to have some sort of security clearance because they’re delving into people’s private lives or private property on the computer.

NPD: The one thing that I noticed was that it seems very clearly that this is for personal computer investigators, like someone who does analysis to determine whether a crime has been committed or something has been stolen, or intellectual property has been violated. It doesn’t seem to me that this would apply to people trying to just recover information for the person’s wishes.

Driver: Right, and you’re correct. You used one of the key words in my opinion, which is “analyze.” “Review, analyze, and investigate” are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they’re doing some of that, then they don’t need to be – it doesn’t need to be just anybody able to do that – they need to have somebody that has a security license. But if someone’s just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that’s just a regular computer repair person. And those guys are great, they’re good at what they do, and we never intended for them to get any kind of license other than have the ability to repair.

So, Mr. Driver subscribes to the theory that the lawsuit is merely for publicity, and that regular computer repair isn’t affected. The Captain of the Texas Private Security Board gives his interpretation:

NPD: So, maybe I could give you a couple scenarios and you could help – maybe you could explain whether or not it would be covered. For example, let’s say there was a network engineer who is trying to find the root cause of a slowdown on the network, and in the course of investigating that, they discover that the root cause is some sort of criminal activity, such as a virus infection, or someone engaging in massive intellectual property violation, in other words “piracy,” something like that. Would they then require a private investigation license? Would they have to stop their investigation at that point?

Bowie: Based on the scenario you gave it sounds like they’re performing a repair or support service, and they’re not – the intent was not to go in and do an investigation, they are just collecting information that they found, and that doesn’t, based on that scenario, doesn’t rise to that level of an investigation.

NPD: What about a PC repairman who is being asked to check for viruses on a person’s computer?

Bowie: That does not rise to that level either.

NPD: What if a parent brought in a computer that they owned, but which is primarily used by a son or daughter, and they wanted to find out, say, the browsing history?

Bowie: That’s just considered normal computer repair or support service.

NPD: What wouldn’t be considered normal computer repair – can you give me a very specific example where that line is crossed?

Bowie: No, it’s – when you read into 1702.104, there is some interpretation there that you have to consider. I can’t give you a specific example, I could probably use some type of scenario in the sense of, for example, if an individual is contracted to come in and say, for example, investigate your computer at your company – you have employees there, and you believe identity theft has occurred, that there’s been some issues and you want this individual to come in, inspect the computers, you want them to come in, perform an investigation relating to the identity, the habits, the efficiency, movement, affiliations or locations or transactions and acts, or the character of a person, or the location and disposition of lost or stolen property, or some type of damage to the system, then I think you’re moving more towards the spirit of the law, and falling into an investigations company.

NPD: Okay, so once you get to that point – this is something that’s considered now to be routine is, if a person is suspected of – well, you could say a number of different things. Not just illegal activity but also perhaps, unauthorized use of the network – recreational network use – would that speak to the character of a person if they’re browsing YouTube at work, and an investigation is made to determine if someone is browsing YouTube at work?

Bowie: I think what you have to do is take those on a case-by-case basis, and do a thorough investigation into the matter to determine whether a violation of the code has occurred. You just have to keep in mind that every scenario and case is different, and you have to take it on a case-by-case basis, and use the utmost discretion.

The problem, here, is that case-by-case means it isn’t easy to see what’s regulated and what isn’t. Also, what kind of investigation is required? Is mere statistical analysis over aggregate data exempt? If not, why not? Next comes, Matt Miller, the attorney from the Institute of Justice, who is leading the suit to have the law struck down:

NPD: Is the problem with the law or the interpretation of the law that the Texas Private Security Board has taken?

Miller: Well, it’s with both. Laws can be interpreted in a lot of different ways, and the private security board has chosen to interpret this law very aggressively. Since the law can be interpreted in that way, there are problems with the law itself. The interpretations that the board has issues, is the reason that this case has come to our attention, because they say specifically that computer repair shops should be aware that if they offer to provide these services they’ve committed a crime. And that kind of caught our attention, so we started looking into it, and the law itself is problematic because it is subject to such a broad and aggressive interpretation.

NPD: Would it also affect network engineers performing network analysis on their own companies’ computers?

Miller: Sure, and let’s talk about that because, it is complicated and there is quite a bit of nuance. It kind of leads to how this applies to these guys. We’ve gotten calls from people who say, “Well, if somebody’s switching out a hard drive, then that doesn’t apply to them, right?” And the answer to that is, yes. It doesn’t apply to them. But anyone who is analyzing data in a situation where that data points back to the actions of a third party – so, somebody who is not the computer’s owner, or someone who is not the owner of the company – anytime a third party is implicated by data analysis, this law is potentially triggered.

What the board came back and did was, they said that any analysis of non-public computer data to determine the causes of events or the conduct of persons is what they’re calling a regulated service. Of course, that is extremely broad. You know, for instance, if an employer went to a company and wanted to know how their employees were using the computer – that constitutes an investigation. The Board has said that when the service provider is charged with reviewing the client’s computer-based data, for evidence of employee malfeasance and a report is produced that describes the computer related activities of an employee, it has conducted an investigation and has therefore provided a regulated service.

NPD: So, other than the lawsuit, is your organization taking any other actions?

Miller: We’ve obviously tried to bring this issue to light in the media. Because it is somewhat technical, we’ve had to educate the media on how this works. And they’ve been very responsive. But the primary vehicle we’re taking here is this lawsuit and our goal is just to change the law. We’re not seeking monetary damages, this is not a personal lawsuit – we’re going to a judge and saying: “Judge, this is a bad law, and it stops our guys from practicing their profession – it stops a lot of people from potentially doing the things they do on a daily basis, and the law needs to be changed.” So we’re asking the judge to strike the law down.

Finally, there is an editorial based on the three interviews from interviewer Brian Boyko:

So, where did things go wrong? I think the man problem was a key misunderstood concept by Texas State Rep. Driver when he wrote the law. It is clear from the interview with him that he believes that there is a clear and well defined line between “retrieval of data” and “investigation.”

“’Review, analyze, and investigate’ are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they’re doing some of that, then they don’t need to be – it doesn’t need to be just anybody able to do that – they need to have somebody that has a security license. But if someone’s just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that’s just a regular computer repair person.” – Rep. Driver.

But what Rep. Driver simply did not realize is that in the practical realities of IT, no such line exists. Any and every interaction that any IT person has with a computer requires some sort of “review, investigation and analysis,” whether it’s simple troubleshooting or complex network latency optimization.

Another issue here is that none of these people are judges. Once the law is drafted and passed, the legislator is disconnected, for the most part, and the bench takes over. It would seem that a little study of the industry might have been prudent. Even the best, most conscientiously drafted laws can’t foresee everything. The text of this law cries out for want of clarity and precision. Or, at the very least, “tweaking.”

Posted in Articles, Laws, State Licensing Laws, Trends, Vendor Liability | Tagged: , , , , , , | 1 Comment »

Michigan’s PI Licensing Law Puts the Bite on MediaSentry

Posted by rjbiii on July 9, 2008

MediaSentry, now known as SafeNet, has been working for the RIAA to catch those the Music Industry thinks have been pirating music. Apparently the defendant in one of those cases, UMG v. Lindor, filed an administrative complaint against SafeNet, alleging that the organization has violated Michigan’s statute requiring a license for “engaging in investigations.”

Although a little out of our normal terrain, we at Post Process take note of the action, due to the concern over the possible effects of such laws on the E-Discovery and Litigation Support industry. The state agency’s letter to SafeNet is here (pdf). Some discussion of the matter can be found here.

Posted in Laws, State Licensing Laws, Trends | Tagged: , , | Leave a Comment »