News Intern Copies Press Release From Email, Entire World Wide Web Flummoxed, Including Me.

22 Responses

  1. Kevin C says:

    Text of the law – http://www.legis.state.tx.us/tlodocs/80R/billtext/html/HB02833F.htm

    Does this apply to corporate PCs? If so, the TX government may grind to a halt before they can repeal it…

  2. Ken says:

    Is this the language that they, and you, are reading to get that result?

    (b) For purposes of Subsection (a)(1), obtaining or
    furnishing information includes information obtained or furnished
    through the review and analysis of, and the investigation into the
    content of, computer-based data not available to the public.

    Or am I missing some other language in there?

    If that's the language in question, I don't agree with the interpretation. Is there something in the legislative history to support the notion that this refers to computer techs? I'm pretty sure this refers to PI analysis of various databases.

  3. james says:

    I've seen similar laws passed in N.C. (or maybe S.C.). What they're requiring is that any computer forensics that are used in a court be done by a licensed P.I. (at least that was the intent of the N.C. law)
    In this case it looks like they want to make sure they have a means of prosecuting anyone who does data forensics without a license.

  4. Patrick says:

    Now that I look at the law (which I didn't bother to do), I agree the linked story's interpretation seems overbroad.

    Yet it's the subject of a suit for declaratory judgment by some Texas computer techs and the Texas branch of the Institute for Justice who do appear to worry about such an interpretation.

    Most curious. If this were a federal case I'd download a copy of the suit through PACER.

  5. Patrick says:

    On the other hand, of what possible use is a degree in criminal justice to a data miner or computer forensics examiner?

  6. Ken says:

    Here, in a little more detail, is why I think the local news station you linked got it all wrong, and why I don't even think it's particularly confusing:

    1. Section 1702.104(a)(1) defines "investigation company" as someone who "engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to" . . .
    2. What follows under 1702.104(a)(1) is a list of the types of information furnished that would make you an investigation company:

    (A) crime or wrongs done or threatened against a
    state or the United States;
    (B) the identity, habits, business, occupation,
    knowledge, efficiency, loyalty, movement, location, affiliations,
    associations, transactions, acts, reputation, or character of a
    person;
    (C) the location, disposition, or recovery of
    lost or stolen property; or
    (D) the cause or responsibility for a fire,
    libel, loss, accident, damage, or injury to a person or to property;

    3. Section 1702.104(b), the section people are apparently focusing on, then clarifies the definition of "obtaining or furnishing information" in (a)(1):

    (b) For purposes of Subsection (a)(1), obtaining or
    furnishing information includes information obtained or furnished
    through the review and analysis of, and the investigation into the
    content of, computer-based data not available to the public.

    4. In other words, you aren't an investigation company (and thus don't need a license) as a computer tech unless you (a) review and analyze "computer based data not available to the public," and (b) do so for one of the enumerated purposes, like investigating people. Flushing the spyware off of Uncle Lloyd's Dell is not one of the enumerated purposes.

    5. Furthermore, I'm pretty sure that "computer based data not available to the public" doesn't mean somebody's PC (which is, in a sense, available to the public, or at least a member of the public), but instead refers to various databases of information about citizens used by private investigators. Increasingly "online investigators" offer access to such databases. This impression is strengthened by 1702.324(b)(2), which has a carve-out for people who access databases solely to determine creditworthiness (like a mortgage broker).

    It's not too late to fall back and re-position the post as one about how the media doesn't understand law . . . . ;p

  7. Ken says:

    The interpretation about the computer forensics examiner is far more plausible:

    (2) engages in the business of securing, or accepts
    employment to secure, evidence for use before a court, board,
    officer, or investigating committee

    Although as written, that could apply not just to computer forensic techs, but to a wide array of experts who conduct some sort of examination or inquiry in order to testify.

    But it still doesn't extend the law to "computer repair technicians."

  8. Kevin C says:

    The interpretation seems over-broad, but may be intended to also insure those who may "accidentally" discover criminal evidence (presence of child porn for example). It may be intended to protect chains of evidence custody and so on. I don't know what possessed them…

    It may not apply to PC techs in the broadest sense – though PC techs often look at logs and data. However, it seems to clearly apply to anybody (like myself) who does computer security and auditing. I work on defense contract computer systems and clearly all of our (classified) data is "not available to the public" – but that would apply to any proprietary information as well. With the proliferation of Sarbanes-Oxley and HIPAA, etc, this applies to a lot of computer workers who do not have PI licensing.

    Another issue I am wondering about is – what if you are in TX and either working on, or being worked on remotely from out of the state? FWIW, I work in TX and this is creating a difficult corporate stir. My wife (also in TX) does PC support nationally from our home (she is 100% telecommute).

  9. Ken says:

    Maybe somebody could send this link with our analysis to the Liberty Institute and ask them how they get their interpretation. I'm just not seeing it.

    Kevin, if a repair guy comes across some actionable data accidentally, I don't think he's covered by the statute because he's not in the business of seeking such information or testifying about it.

    As to the auditing you do — it depends on what sort of auditing it is. Do you audit for employee/user misconduct?

  10. Patrick says:

    Retooled.

  11. Ken says:

    Nicely done.

  12. Kevin C says:

    Ken,

    We audit not only for technical issues but also for counter-intelligence/espionage and counter-intrusion purposes. Since most cases of compromise are internal to any company – this includes all user actions and usage of the system and can extend to all data on the system. We are required to implement comprehensive/pervasive levels of auditing and to regularly review and analyze the logs to detect actions.

    This is not a particular case just because I currently work on defense systems – similar work is conducted on unclassified systems (for a whole lot of companies) for the same reasons. All companies have proprietary data of some sort and most fall under laws and regulations intended to protect the integrity of financial data (Sarbanes-Oxley) or the privacy of individuals (HIPAA). I'm sure that most large companies routinely and continually monitor the activities of their employees and conduct counter-intrusion efforts. Any System Admin (SA) worth his or her salt is looking for compromises of their systems.

    In the case of PC techs – they routinely are called upon to remove spyware/malware and so on, and most are required to report criminal evidence, if found in the course of those duties. Large companies have incident procedures and very careful controls to handle actionable data. That, arguably, makes investigation and handling of evidence normal job duties for PC techs and system admins in those companies.

  13. Ken says:

    Kevin:

    1. Under the plain language of the statute, I don't think that your activities require a license to the extent they are a general audit and inspection for possible misfeasance by someone unknown. Perhaps, under a broad reading of the statute, to the extent you are instructed to investigate the activities of a particular user, that would qualify under 1702.104(a)(1)(B), and to the extent that you are engaged to figure out how an intrusion or other threat to the system happened, that could come under 1702.104(a)(1) (D) (both quoted in my post above).

    2. It's important to note that not all of the bill you linked represents new law — only (as far as I can tell) the underlined portions, which is how legislatures typically denote new legislative language in draft bills. Therefore one should ask whether it is this new language that actually leads to the feared extension to computer repairs, or preexisting language. For instance, 1702.104(a)(2) — the section applying the requirement to anyone who gathers information to present to a court — is preexisting language. (The reason for the heartburn may be the addition of criminal penalties).

    3. The decision to spin this as aimed exclusively at computer technicians is a strange one. If one is going to take an equally broad (and I think unsupportable) interpretation of the statutory language, one could apply it, for example, to the corporate HR person who investigates sexual harassment claims by interviewing employees.

    4. The most interesting part of the press release Patrick links in his amended post is the suggestion that somebody has told these computer professionals that the state requires them to get a license. Yet the press release is oddly coy about who told them. If they are getting threatening letters from Texas' PI board, that would be a credible reason to think the state is taking the broad interpretation they fear, whether or not that interpretation is reasonable.

  14. Patrick says:

    Nothing heard from the Texas Institute for Justice, though it's possible justice has taken an early holiday.

  15. Sandy says:

    PC Techs could use some diversification on their resume anyway…. When they burn out they can use the barely-legal skills of a PI and have much more fun spying, eavesdropping and getting cool girls. (I say that as someone who would be stuck going to school with everyone else.)
    The whole thing sounds like ITT, with their new School of Criminal Justice, did a good job of lobbying Texas lawmakers.
    And you never know, maybe the legislature thinks 3 years of education is 3 years of watching Law and Order…
    I'll look forward to not seeing this law enforced. No basis and just plain stupid.

  16. Jollyrgr says:

    Per the pandering being done by the Bill's author, Rep. Joe Driver, R-Garland, states "The law says anyone who retrieves data from a computer, analyzes it and makes a report to a third party must obtain a private investigator's license." (See Ken's post #14.) As an IT professional I routinely recover hard drives and copy data off failing systems. Six computers in the last two weeks and this past week was a short one! Again we have Republicans trying to play the parent and protect us from ourselves. Meanwhile the feds want to be able to listen to all of our phone calls, retrieve our e-mails, and monitor our travels WITHOUT court orders.

    Or maybe Sandy is right and ITT needs extra business.

  17. Mel says:

    Most states have the same basic statute (some with even wording the same). What matters is the legislative intent when the law was passed. Considering that a good portion of the legislature has probably used the services of a computer tech when their hard drive crashed, I hardly believe that the intent was to prohibit computer repairs from being made by anyone other than a PI. Note that further on in the statute there are exemptions for licensed professions who would need to examine data in order to provide expert testimony. It would seem that while the wording of the statute could be more clear (what statute couldn't be made more clear?), that this lawsuit is overreaching and a ploy for publicity for the "Institute." Attorneys love scare tactics.

  18. Skip says:

    Patrick Says:

    —July 2nd, 2008 at 9:17 am
    —On the other hand, of what possible use is a degree in criminal
    —justice to a data miner or computer forensics examiner?

    I'd agree with ya if I didn't already have a degree in both AND live in Texas..LOL

  19. Skip says:

    The Law seems right in the case where the intent of the investigation is to locate evidence of criminal activity. Of course, a full blown PI license seems overkill. They need to make a more specific (and CHEAPER) eDiscovery license.

    Where it gets sticky is in the case of incidental discovery (disaster recovery etc). There needs to be clarifying language in the Law for such situations. If left unchanged, the likelihood of a tech deciding to "look the other way" (not report her findings) to avoid fines and jail time is very high.

  20. Mel says:

    The group that should be suing over this law are the Certified Fraud Examiners. If you are a CFE you can't do a fraud investigation unless you are a PI, CPA, Atty, or other licensed professional listed in the exemptions. There are quite a few CFE's with CJ degrees or other qualifications, but no additional license to go with it who are out in the cold.

  21. Skip says:

    I've been thinking more about this and in the case of Computer Techs seeking or discovering Evidence of criminal activity be better covered in a professional certification rather than a broad spectrumed PI license? As long as the CISSP (or whatever Digital Forensics Techs get certified in) cover courts and criminal procedure wouldn't that be sufficient?