Contact
Subscribe


News Intern Copies Press Release From Email, Entire World Wide Web Flummoxed, Including Me.

Jul 2, 2008
By Patrick.
Irksome

In one of the silliest turf grabs by a profession against the laity that I’ve ever seen, someone has convinced the Texas legislature that every personal computer repair technician in the state must obtain … a private investigator’s license.

Unlicensed computer shops will have to close down until they obtain a private investigator’s license.

A private investigator’s license can be obtained by acquiring a criminal justice degree or by getting a three-year apprenticeship under a licensed private investigator.

The new law also impacts consumers. Consumers who knowingly take computers to an unlicensed company for repair can face the same penalties.

Perhaps the thinking goes: criminals, with their viruses, malware, and trojans, are at the root of most pc breakdowns, so we wouldn’t want unlicensed vigilantes, lacking criminal justice degrees, to take the law as well as hard drives, fans, sockets, and soldering irons into their own hands. Possibly this is just more evidence of the weird sexual hangups that seem to plague Texas politicians. Someone heard of unlicensed dicks inserting themselves into people’s laptops, and demanded a law.

Or maybe there was no thinking at all. There is a crime going on here, but it’s political graft at work. Either way, Texas computer repairmen who lack a detective’s license will soon be quoting Raymond Chandler:

“Trouble is my business.”

What an interesting post this has become. I found this story through Slashdot minutes before leaving for work, and threw something up. As it turns out, my interpretation of the law (which I’ll admit I’d not read) is pretty far off-base, as is that promoted on Slashdot, as is that of Extremetech, as is that of PCMag, and a host of other sites far larger than Popehat.

The law in question amends the description of an “investigations company” (a private detective) to include one whose business is:

obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.

And in context, this must be one who:

engages in the business of securing, or accepts employment to secure, evidence for use before a court, board, officer, or investigating committee.

Now, taking this language to apply to one who just looks at a customer’s hard drive to see if the Windows installation is bugged goes too far, and I think no court would ever apply it as such. More to the point, no sensible prosecutor would ever take such a case. The law in question, as amended and as I interpret it, requires licensing for computer forensics examiners.

Now, whether such examiners should be licensed as private investigators as another question entirely, but one can make a defensible argument that the level of confidentiality and discretion required of such may make the background checks and state supervison afforded to private investigators in the normal course desirable for computer forensics examiners. These people are looking for evidence of crime, not trying to determine why grandma can’t play minesweeper since she clicked on that popup ad.

But the entire web is taking the most draconian interpretation, because, like me, they have haven’t / handn’t read the law.

The journalistic root of this story, as far as I can tell, is what I’ve linked above. But the source of the journalism, so far as I can tell, is in a new suit filed by the Texas branch of the Institute of Justice, Rife v. Texas Private Security Board, just filed in Harris County Texas, seeking a declaration that the law is unconstitutionally overbroad. That may be, but I disagree with IOJ’s interpretation of this law as one that could be extended to a mom and pop computer repair store, or to systems analysts, ordinary data examiners employed to interpret customer data, or in fact anyone except for a computer forensics specialist. I suspect Texas prosecutors would also disagree, and would never charge an ordinary computer repair tech for violating this law.

The story I originally linked appears to be, with little alteration, a simple adaptation of a Texas IOJ press release, which you can see by clicking here.

I’ve retooled this post, thanks to my co-blogger Ken and commenter Kevin C (who linked to the law and worries about the overbroad interpretation), and am sending a link to the Texas IOJ, which hopefully will respond or make a copy of the suit available on the web, as Harris County Texas doesn’t make them available through public e-filing systems like RACER/PACER.

Last 5 posts by Patrick

22 Comments
Tags ,

22 Comments

  1. Kevin C  •  Jul 2, 2008 @8:37 am

    Text of the law – http://www.legis.state.tx.us/tlodocs/80R/billtext/html/HB02833F.htm

    Does this apply to corporate PCs? If so, the TX government may grind to a halt before they can repeal it…

  2. Ken  •  Jul 2, 2008 @8:51 am

    Is this the language that they, and you, are reading to get that result?

    (b) For purposes of Subsection (a)(1), obtaining or
    furnishing information includes information obtained or furnished
    through the review and analysis of, and the investigation into the
    content of, computer-based data not available to the public.

    Or am I missing some other language in there?

    If that’s the language in question, I don’t agree with the interpretation. Is there something in the legislative history to support the notion that this refers to computer techs? I’m pretty sure this refers to PI analysis of various databases.

  3. james  •  Jul 2, 2008 @9:06 am

    I’ve seen similar laws passed in N.C. (or maybe S.C), What they’re requiring is that any computer forensics that are used in a court be done by a licensed P.I. (at least that was the intent of the N.C. law)
    In this case it looks like they want to make sure they have a means of prosecuting anyone who does data forensics without a license.

  4. Patrick  •  Jul 2, 2008 @9:07 am

    Now that I look at the law (which I didn’t bother to do), I agree the linked story’s interpretation seems overbroad.

    Yet it’s the subject of a suit for declaratory judgment by some Texas computer techs and the Texas branch of the Institute for Justice who do appear to worry about such an interpretation.

    Most curious. If this were a federal case I’d download a copy of the suit through PACER.

  5. Patrick  •  Jul 2, 2008 @9:17 am

    On the other hand, of what possible use is a degree in criminal justice to a data miner or computer forensics examiner?

  6. Ken  •  Jul 2, 2008 @9:20 am

    Here, in a little more detail, is why I think the local news station you linked got it all wrong, and why I don’t even think it’s particularly confusing:

    1. Section 1702.104(a)(1) defines “investigation company” as someone who “engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to” . . .
    2. What follows under 1702.104(a)(1) is a list of the types of information furnished that would make you an investigation company:

    (A) crime or wrongs done or threatened against a
    state or the United States;
    (B) the identity, habits, business, occupation,
    knowledge, efficiency, loyalty, movement, location, affiliations,
    associations, transactions, acts, reputation, or character of a
    person;
    (C) the location, disposition, or recovery of
    lost or stolen property; or
    (D) the cause or responsibility for a fire,
    libel, loss, accident, damage, or injury to a person or to property;

    3. Section 1702.104(b), the section people are apparently focusing on, then clarifies the definition of “obtaining or furnishing information” in (a)(1):

    (b) For purposes of Subsection (a)(1), obtaining or
    furnishing information includes information obtained or furnished
    through the review and analysis of, and the investigation into the
    content of, computer-based data not available to the public.

    4. In other words, you aren’t an investigation company (and thus don’t need a license) as a computer tech unless you (a) review and analyze “computer based data not available to the public, and (b) do so for one of the enumerated purposes, like investigating people. Flushing the spyware off of Uncle Lloy’d Dell is not one of the enumerated purposes.

    5. Furthermore, I’m pretty sure that “computer based data not available to the public” doesn’t mean somebody’s PC (which is, in a sense, available to the public, or at least a member of the public), but instead refers to various databases of information about citizens used by private investigators. Increasingly “online investigators” offer access to such databases. This impression is strengthened by 1702.324(b)(2), which has a carve-out for people who access databases solely to determine creditworthiness (like a mortgage broker).

    It’s not too late to fall back and re-position the post as one about how the media doesn’t understand law . . . . ;p

  7. Ken  •  Jul 2, 2008 @9:23 am

    The interpretation about the computer forensics examiner is far more plausible:

    (2) engages in the business of securing, or accepts
    employment to secure, evidence for use before a court, board,
    officer, or investigating committee

    Although as written, that could apply not just to computer forensic techs, but to a wide array of experts who conduct some sort of examination or inquiry in order to testify.

    But it still doesn’t extend the law to “computer repair technicians.”

  8. Kevin C  •  Jul 2, 2008 @9:24 am

    The interpretation seems over-broad, but may be intended to also insure those who may “accidentally” discover criminal evidence (presence of child porn for example). It may be intended to protect chains of evidence custody and so on. I don’t know what possessed them…

    It may not apply to PC techs in the broadest sense – though PC techs often look at logs and data. However, it seems to clearly apply to anybody (like myself) who does computer security and auditing. I work on defense contract computer systems and clearly all of our (classified) data is “not available to the public” – but that would apply to any proprietary information as well. With the proliferation of Sarbannes-Oxley and HIPPA, etc, this applies to a lot of computer workers who do not have PI licensing.

    Another issue I am wondering about is – what if you are in TX and either working on, or being worked on remotely from out of the state? FWIW, I work in TX and this is creating a difficult corporate stir. My wife (also in TX) does PC support nationally from our home (she is 100% telecommute).

  9. Ken  •  Jul 2, 2008 @9:30 am

    Maybe somebody could send this link with our analysis to the Liberty Institute and ask them how they get their interpretation. I’m just not seeing it.

    Kevin, if a repair guy comes across some actionable data accidentally, I don’t think he’s covered by the statute because he’s not in the business of seeking such information or testifying about it.

    As to the auditing you do — it depends on what sort of auditing it is. Do you audit for employee/user misconduct?

  10. Patrick  •  Jul 2, 2008 @9:58 am

    Retooled.

  11. Ken  •  Jul 2, 2008 @10:06 am

    Nicely done.

  12. Kevin C  •  Jul 2, 2008 @10:15 am

    Ken,

    We audit not only for technical issues but also for counter-intelligence/espionage and counter-intrusion purposes. Since most cases of compromise are internal to any company – this includes all user actions and usage of the system and can extend to all data on the system. We are required to implement comprehensive/pervasive levels of auditing and to regularly review and analyze the logs to detect actions.

    This is not a particular case just because I currently work on defense systems – similar work is conducted on unclassified systems (for a whole lot of companies) for the same reasons. All companies have proprietary data or some sort and most fall under laws and regulations intended to protect the integrity of financial data (Sarbannes-Oxley) or the privacy of individuals (HIPPA). I’m sure that most large companies routinely and continually monitor the activities of their employees and conduct counter-intrusion efforts. Any System Admin (SA) worth his or her salt is looking for compromises of their systems.

    In the case of PC techs – they routinely are called upon to remove spyware/malware and so on, and most are required to report criminal evidence, if found in the course of those duties. Large companies have incident procedures and very careful controls to handle actionable data. That, arguably, makes investigation and handling of evidence normal job duties for PC techs and system admins in those companies.

  13. Ken  •  Jul 2, 2008 @10:32 am

    Kevin:

    1. Under the plain language of the statute, I don’t think that your activities require a license to the extent they are a general audit and inspection for possible misfeasance by someone unknown. Perhaps, under a broad reading of the statute, to the extent you are instructed to investigate the activities of a particular user, that would qualify under 1702.104(a)(1)(B), and to the extent that you are engaged to figure out how an intrusion or other threat to the system happened, that could come under 1702.104(a)(1) (D) (both quoted in my post above).

    2. It’s important to note that not all of the bill you linked represents new law — only (as far as I can tell) the underlined portions, which is how legislatures typically denote new legislative language in draft bills. Therefore one should ask whether it is this new language that actually leads to the feared extension to computer repairs, or preexisting language. For instance, 1702.104(a)(2) — the section applying the requirement to anyone who gathers information to present to a court — is preexisting language. (The reason for the heartburn may be the addition of criminal penalties).

    3. The decision to spin this as aimed exclusively at computer technicians is a strange one. If one is going to take an equally broad (and I think unsupportable) interpretation of the statutory language, one could apply it, for example, to the corporate HR person who investigates sexual harassment claims by interviewing employees.

    4. The most interesting part of the press release Patrick links in his amended post is the suggestion that somebody has told these computer professionals that the state requires them to get a license. Yet the press release is oddly coy about who told them. If they are getting threatening letters from Texas’ PI board, that would be a credible reason to think the state is taking the broad interpretation they fear, whether or not that interpretation is reasonable.

  14. Ken  •  Jul 2, 2008 @6:51 pm

    Something of an update.

  15. Patrick  •  Jul 3, 2008 @4:43 am

    Nothing heard from the Texas Institute for Justice, though it’s possible justice has taken an early holiday.

  16. Sandy  •  Jul 4, 2008 @1:45 pm

    PC Techs could use some diversification on their resume anyway…. When they burn out they can use the barely-legal skills of a PI and have much more fun spying, eavesdropping and getting cool girls. (I say that as someone who would be stuck going to school with everyone else.)
    The whole thing sounds like ITT, with their new School of Criminal Justice, did a good job of lobbying Texas lawmakers.
    And you never know, maybe the legislature thinks 3 years of education is 3 years of watching Law and Order…
    I’ll look forward to not seeing this law enforced. No basis and just plain stupid.

  17. Jollyrgr  •  Jul 4, 2008 @2:50 pm

    Per the pandering being done by the Bill’s author, Rep. Joe Driver, R-Garland, states “The law says anyone who retrieves data from a computer, analyzes it and makes a report to a third party must obtain a private investigator’s license.” (See Ken’s post #14.) As an IT professional I routinely recover hard drives and copy data off failing systems. Six computers in the last two weeks and this past week was a short one! Again we have Republicans trying to play the parent and protect us from ourselves. Meanwhile the feds want to be able to lisent to all of our phone calls, retrieive our e-mails, and monitor our travels WITHOUT court orders.

    Or maybe Sandy is right and ITT needs extra business.

  18. Mel  •  Jul 15, 2008 @4:59 pm

    Most states have the same basic statute (some with even wording the same). What matters is the legislative intent when the law was passed. Considering that a good portion of the legislature has probably used the services of a computer tech when their hard drive crashed, I hardly believe that the intent was to prohibit computer repairs from being made by anyone other than a PI. Note that further on in the statute there are exemptions for licensed professions who would need to examine data in order to provide expert testimony. It would seem that while the wording of the statute could be more clear (what statute couldn’t be made more clear?), that this lawsuit is overreaching and a ploy for publicity for the “Institute.” Attorneys love scare tactics.

  19. Skip  •  Jul 16, 2008 @11:10 pm

    Patrick Says:

    —July 2nd, 2008 at 9:17 am
    —On the other hand, of what possible use is a degree in criminal
    —justice to a data miner or computer forensics examiner?

    I’d agree with ya if I did’nt already have a degree in both AND live in Texas..LOL

  20. Skip  •  Jul 16, 2008 @11:35 pm

    The Law seems right in the case where the intent of the investigation is to locate evidence of criminal activity. Of course, a full blown PI license seems overkill. They need to make a more specific (and CHEAPER) eDiscovery license.

    Where it gets sticky is in the case of incidental discovery (disaster recovery etc). There needs to be clarifying language in the Law for such situations. If left unchanged, the likelyhood of a tech deciding to “look the other way” (not report her findings) to avoid fines and jail time is very high.

  21. Mel  •  Jul 17, 2008 @7:33 am

    The group that should be suing over this law are the Certified Fraud Examiners. If you are a CFE you can’t do a fraud investigation unless you are a PI, CPA, Atty, or other licensed professional listed in the exemptions. There are quite a few CFE’s with CJ degrees or other qualifications, but no additional license to go with it who are out in the cold.

  22. Skip  •  Jul 17, 2008 @8:37 am

    I’ve been thinking more about this and in the case of Computer Techs seeking or discovering Evidence of criminal activity be better covered in a professional certification rather than a broad spectrumed PI license? As long as the CISSP (or whatever Digital Forensics Techs get certified in) cover courts and criminal procedure wouldnt that be sufficient?

Leave a Reply

Allowed tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>