Mickey Spillane Versus Wiley Hacker

From Mickey Spillane's Mike Hammer and Dashiell Hammett's Sam Spade to Garrison Keillor's Guy Noir, the private eye is part of American mythology. But a January article in Baseline magazine broke a story that pits computer guys against private eyes. The question raised was who is qualified to conduct computer forensics: computer jocks or private eyes? A number of states are answering that question: private investigators.

Can of Worms No. 1: Jurisdiction
Computer forensics involves investigating and analyzing information found on computers and digital storage devices, frequently in developing evidence admissible in a court of law. For example, under pending legislation in South Carolina, digital forensic evidence for use in a South Carolina court of law must be collected by a person with a private investigator license in the state of South Carolina.

Unfortunately, since the Internet is a global phenomenon, cybercrime and the various forms of malware--software designed to infiltrate or damage a computer system--have become global as well. Computer forensic investigators routinely jump state and national boundaries in their quest for digital evidence. What happens if the investigation of an incident in South Carolina involves someone in another state that has a law similar to the proposed South Carolina legislation? Do you have to have a PI license in both states? What happens if a South Carolina organization were to engage an out-of-state firm to conduct an investigation?

And South Carolina isn't the only state seeking to regulate digital forensics and restrict the practice to licensed PIs. Georgia, New York, Nevada, North Carolina, Texas, Virginia, and Washington, among others, are considering or have passed such legislation.

State laws regarding licensing vary widely. Michael Kessler, a forensic accountant and computer forensics expert, asked various state agencies two questions: Does a computer forensic technician engaged in providing computer forensic services to the general public have to be licensed as a private investigator? And, does a firm offering computer forensics services to the general public have to be licensed?

Michigan requires that the technician be a licensed PI, but a business offering computer forensic services would only have to be a licensed agency. Nevada requires that an individual or a firm be licensed. Missouri does not require licensing for private investigation, but some cities within the state may.

The requirements for becoming a licensed PI can be considerable, often requiring three years of experience working for another private investigator, licensing fees, and in some states maintaining an office in state.

Can of Worms No. 2: Qualifications
Who is qualified to conduct digital forensics? Although digital forensics has been around for a number of years, it has largely been practiced by computer and network professionals who have accumulated years of highly specialized technical experience. They may not, however, understand what needs to be done to protect and preserve the integrity of evidence for use in judicial proceedings. That is the reason frequently given for requiring that investigations be done by licensed PIs. Lapses in the chain of custody of evidence and poorly documented evidence collection can be exploited by defense attorneys. (Conversely, many defense attorneys don't know enough about digital forensics to challenge sloppy work by prosecutors.)

The problem, of course, is that the requirements for becoming a private investigator generally do not even include a basic grounding in computer forensics. Imagine engaging Guy Noir to investigate a complicated rootkit attack.

Can of Worms No. 3: Overreach
But surely the agencies charged with enforcing these laws will use a little common sense? Not necessarily. Last month blogs and online newsletters were abuzz with reports that computer repair guys in Texas were going to have to get a private investigator's license or face a year in jail and a $14,000 fine.

At the center of the controversy were regulations from the Texas Private Security Bureau (PSB), which were passed into law in the Private Security Act, that bring computer investigations under the regulations of the PSB and require a private investigator's license. The relevant sections of the bill include:
Sec. 1702.104. INVESTIGATIONS COMPANY.

(a) A person acts as an investigations company for the purposes of this chapter if the person:

(1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to: ...

(B) the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person; ...

(D) the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property; ...

(b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.

In August of last year the PSB issued a clarification of their position regarding their regulation of computer forensics. Some key points include:
  • Computer forensics refers to the analysis of computer-based data and is distinguished from mere scanning, retrieval, and reproduction of data....
  • For example, reviewing a client's computer-based data for evidence of employee malfeasance in which a report is produced is a regulated service. Simply collecting and processing the data is not regulated...
  • An investigator is one who obtains information related to the "identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person ... or for the purpose of securing evidence for use in court."
With respect to the statutory reference to "securing evidence for use in court," we would suggest that the mere accumulation of data, or even the organization and cataloging of data for discovery purposes, is not a regulated service. Rather, in this context, the Bureau would interpret the reference to "evidence" as referring to the report of the computer forensic examiner, not the data itself.

Confused? You should be. At first glance it seems that the PSB is saying if you do analysis, then you need a private investigator's license. Not everyone agrees with this interpretation.

The Institute for Justice has filed a lawsuit on behalf of a group of computer repair companies including AustinPCTech and Citronix Tech Services arguing that the new law unconstitutionally denies computer repair companies the right to work in their chosen profession, in violation of the Texas Constitution.

The author of the law said the plaintiffs are misinterpreting the law and that it only applies to those who retrieve data, analyze it, and create a report for a third party that could be used in a civil or criminal case.

Attorneys for the Institute for Justice argue that the law is so vaguely worded that it could be more broadly enforced. They argue that the law would apply to a technician who searches for the source of a computer virus; to parents seeking to find out the names of people their child is messaging; or to companies trying to find out what their employees are doing on company computers.

Is this a reasonable law designed to preserve a chain of evidence, or is it an attempt by a declining cartel (PIs) to move into more activities? We may have to wait for the courts to decide.

Can of Worms No. 4: Non-profit Consortiums
Higher education has a long history of creating non-profit consortiums that provide services to their members. State networks are a prime example. Many of those networks also provide cybersecurity services, including computer forensics, to their members--something that would clearly fall under the purview of the PI laws in many states.

What's a Campus to Do?
I asked some campus security colleagues what all this means to higher education. There was only one piece of advice that was consistent after the obligatory "I am not an attorney" disclaimer: Check with your campus attorney, and stay up to date on laws in your own state.

Beyond that the answers varied widely. One from within the State of Washington was:

"Any incident, whether it ends up in civil or criminal court, should be treated and processed as if it will from the beginning. That means that your staff should have specific training and/or certifications to perform in a manner that will preserve evidence and not corrupt the 'crime scene.' If your state requires that a certified forensic specialist or analyst who will conduct investigations and provide expert testimony in court must also be licensed as a private investigator, then your staff who are expected to perform this role as forensics specialists will also need to be licensed as private investigators. It is even possible that the office they work out of will need to be a licensed agency--depending on the various state regulations."

Another response from within the State of Illinois was:

"To my knowledge internal staff should be fine as long as forensics is part of your job duties and you are limited to authorized systems. If you do forensics for external parties you will be in trouble. Remember that 'forensic' means 'of or pertaining to law.' If the end goal of an investigation is to be presented in court (as is implied by the term 'forensic') you should be okay as long as it is your actual job and you are investigating university systems. Regular non-forensic work (investigations not for court but for internal incident response) should be fine."

I'm not an attorney, but with the divergent views I've heard, my advice would be: Check with your campus attorney and stay up to date on laws in your own state.
