July 7th, 2008, 04:24 AM
I'm not gonna get too wrapped up in Texas laws. Look at what Texas has already given us: George W and the "Leave no child's behind" sorry "Leave no child behind" education package.
Like I said however, if they ever actually charge someone the ACLU or the EFF can pick up the case and take it to the Supreme Court.
"Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot
July 7th, 2008, 05:41 PM
Hey don't blame us. Blame the electoral college.
Originally Posted by fourdc
Wow what a load of crap this could turn into. I run my own repair shop and this could turn into a bit of a headache. If I catch any heat I will be touching base with the ACLU on this. FWIW I know that I have done investigations for customers when they thought their husbands were cheating on them for example... but it was only between the customer and myself. But for regular computer repair, my plan would be to play ignorant and avoid mention of any delving into the OS. Like was previously mentioned though, those of us who are busy rarely will take a look at any info on the drive, as we want to get to the next thing.
July 7th, 2008, 10:06 PM
Hi Tex, and welcome to AO.
It is interesting to hear your personal take on this as you are certainly in the firing line, so to speak.
I guess that is the scenario that this legislation was really aimed at? As I see it, you are supposed to be doing it under the supervision of a licenced practitioner................. or an exempt person such as a lawyer or accountant? Otherwise you must be licenced yourself.
FWIW I know that I have done investigations for customers when they thought their husbands were cheating on them for example... but it was only between the customer and myself.
I am pretty sure that over here, any evidence that I recovered independently would be considered contaminated, and therefore worthless.
When it comes to computer "repair" there really isn't any need to look at any truly "personal" data.
The actual raw OS or application does not normally contain any personal data either, unless you go out of your way to look for it, in places you don't really need to go to for maintenance or repair purposes.
my plan would be to play ignorant and avoid mention of any delving into the OS.
When it comes to data recovery, I just take a quick look to see that it has worked within expectations. Certainly not what would constitute evidence gathering or "discovery" in a legal sense. In this part of the World, customers won't pay for any more. They know what the specialist recovery guys charge and will come to me to see if there is a quick (read "cheap") fix
To be perfectly honest, I am not so much worried about what I might find, but what might be found by the authorities on a customer's machine on my premises.
I am interested in US legislation simply because you guys are way ahead of us in actually having legislation............. and stuff like that tends to drift across the Pond?
July 10th, 2008, 12:40 AM
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
July 10th, 2008, 12:43 AM
Uh....why? What's the PI industry got against the PC repair industry??
"This law will drive up the price of computer repair for everyone, and that’s exactly what the private investigations industry wants."
July 10th, 2008, 01:14 AM
The whole issue simply started because of the vague wording of the law. All law is open for interpretation, but this one sure is doing a good job of taking that concept to the next level. This is not about how any of us interpret this law; it's about the not-so-far-fetched possibility that someone (ab)uses this law to make a case against, say, an unlicensed computer repair person who was asked by someone to recover the contents of "his" hard drive, only to find out later that it wasn't actually his.
The law states that
A person acts as an investigations company for the purposes of this chapter if the person:
(1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:
(A) crime or wrongs done or threatened against a state or the United States;
(B) the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;
While many here have argued that, when I do some data recovery on a computer (even if the owner is the legitimate owner), I am not "engaging in the business of obtaining information related to the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person", I believe there's a strong case that can be made that that's exactly what I'm doing. How is recovering, say, someone's resume not "obtaining information related to the identity, business, occupation, knowledge, location..." of a person? Isn't that exactly what it is?
Also, there's a difference between the letter of the law, and the spirit of the law. In this case, the letter of the law is open for interpretation, as is the spirit. Rather than the author of the law trying to clarify to the press what he meant by it, why not amend the law to at least reduce the confusion and possibility of misinterpretation (whatever the intended interpretation was in the first place).
July 10th, 2008, 09:40 AM
I am inclined to accept this view (from the lawmakers):
The author of the bill, Rep. Joe Driver, R-Garland, told the Houston Chronicle that computer techs are misinterpreting the law and that the lawsuit is simply a publicity stunt by The Institute for Justice.
The lawsuit marked the launch of the group’s Texas chapter. [As I suggested in an earlier post]
Rep. Harvey Hilderbran, R-Kerrville, agreed the new law probably is being misread.
“It needs some tightening up and some clarification, but I have been assured that they will be very cautious about enforcing it,” Hilderbran said.
“(Driver’s) intent was that this rule only be used when analyzing data for investigative purposes.”
An e-mail sent to Hilderbran from DPS states that “only computer forensics officials must be licensed under the Private Security Act” and that those who only retrieve information from computer databases and pass it on to another person are not subject to the new law.
to make a case against, say, an unlicensed computer repair person who was asked by someone to recover the contents of "his" hard drive, only to find out later that it wasn't actually his.
Provided that you practice due diligence you will be OK. These days a computer is just another domestic appliance or consumer durable. If I take a microwave or a TV to be repaired I don't have to prove ownership.
Now, if I took a rifle or a shotgun to be repaired I most certainly would have to produce my license (UK laws here folks). The guns are licenced, computers are not.
Anyway, wouldn't you notice if there was nothing wrong with the HDD?.................. I would, which is when I would make the telephone call.
How is recovering, say, someone's resume not "obtaining information related to the identity, business, occupation, knowledge, location..." of a person? Isn't that exactly what it is?
Well a resume or curriculum vitae is doubtless covered in the "public knowledge" exclusion. Anything else, and it would be a "confession"
Resumes are intended to be broadcast, and once you send one, it is no longer your property but is effectively in the public domain, unless the recipient decides otherwise. That is how recruitment agencies work.............. just read the small print
That still leaves the fact that you are not obtaining information; merely attempting to recover that which is already there.
I still haven't heard a reasonable argument against my contention that your personal information is yours to do what you like with, and to employ whomsoever you like to recover.
Provided that I exercise due diligence, as mentioned above, I cannot be held responsible if the customer is not the rightful owner. The products are not registered so I have no way of knowing?
I do not see how having a PI(mp)'s licence exonerates me in any way
................. as an investigator, I should have looked into that?
July 10th, 2008, 06:13 PM
Reminds me of the time I recovered the p/w and data on a Bank of America client machine...
make a case against, say, an unlicensed computer repair person who was asked by someone to recover the contents of "his" hard drive, only to find out later that it wasn't actually his.
guy walks into store...
"hey I lost my password, can you recover it for me? While you're at it can you back up my drive..."
I say sure... yank drive and b/u... then boot to p/w boot disk and reset admin acct, boots up to the desktop. First thing I see is a BOA logo on the desktop. I immediately kill the box and get on the phone...
BOA Lady on other end didn't even know a box was missing, come to find out the guy jacked it when they were doing a building remodel.
So this ties back to your liability potentially would be much higher when you have say, a stolen computer from a financial institution on your property that you just hacked into and recovered the data from. I believe this might relate to what they are aiming at, which is to lock down the procedures if this happens and what steps to take if you accidentally process stolen merchandise.
Originally Posted By nihil
"To be perfectly honest, I am not so much worried about what I might find, but what might be found by the authorities on a customer's machine on my premises."
Now that I work for a financial institution I know that there are reporting laws that are in place that BOA didn't follow that day in regards to a computer being stolen that could have contained user information. (I didn't look) Assuming I was a private investigator I would probably be required to report this incident to the authorities vs. just acting like it never happened....
Thanks for the welcome... more thanks to irongeek's website for the link over
July 10th, 2008, 10:43 PM
Hi Tex, I am also worried about the possession of IT kit with criminal content.
What we all really need is Mr. Plod to come round and seize all our kit.......... including that belonging to legitimate clients? Like that puts you out of business forever?
No wonder zero-fill and reinstall is so popular