Monday, August 03, 2009

Private Cyber Investigators

This post was prompted by questions I was asked to address when I participated in a panel discussion of cybersecurity. Here are the relevant questions:

Should we reconsider the notion that companies under attack are prohibited from investigating the attackers and trying to locate them? We allow private investigators to conduct some activities that usually only the police are allowed to do; should we accredit private cyber investigators?

I’m not really sure what my response is to the first question. I didn’t realize companies are prohibited from investigating the source of an attack and identity of the attackers.


Obviously, conducting such an investigation would be illegal if the company employees broke the law while they conducted the investigation; so if, say, computer investigators working for Company X hacked into computer systems in an effort to find out who had been hacking their system, that would be a crime under U.S. state and federal law and under the law in many other countries, as well. They’d be accessing those computers without being authorized to do so, and unauthorized access is, as I just noted, a crime in many countries. Aside from that, I’m not aware there’s any free-standing prohibition on a company investigating a cyber attack (or a real world attack, for that matter).


That question doesn’t really interest me, I’m afraid. The one I found more interesting is the second question: whether we should accredit private cyber investigators.


It looks like we already do, at least in some states. Michigan’s Professional Investigator Licensure Act, for example, defines a “professional investigator” as someone “who for a fee, reward, or other consideration engages in the investigation business.” Michigan Compiled Laws § 338.822(h). The Act defines “investigation business” as a business

that, for a fee, reward, or other consideration, . . . accepts employment to furnish. . . or makes an investigation for the purpose of obtaining information with reference to any of the following:

(i) Crimes or wrongs done or threatened against the United States or a state or territory of the United States, or any other person or legal entity. . .

(v) Securing evidence to be used before a court, board, officer, or investigating committee.

(vi) The prevention, detection, and removal of surreptitiously installed devices designed for eavesdropping or observation, or both.

(vii) The electronic tracking of the location of an individual or motor vehicle for purposes of detection or investigation.

(viii) Computer forensics to be used as evidence before a court, board, officer, or investigating committee.

Michigan Compiled Laws § 338.822(e). The Professional Investigator Licensure Act defines “computer forensics” as “the collection, . . . analysis, and scientific examination of data held on, or retrieved from, computers, computer networks, computer storage media, electronic devices, electronic storage media, or electronic networks, or any combination thereof.” Michigan Compiled Laws § 338.822(e). Since you have to get a license to engage in the investigation business, it looks like Michigan already accredits private cyber investigators . . . at least in a literal sense. And if Michigan does, I suspect other states do, as well.


What I found interesting about the second question, though, was what it might imply. My first question was what, precisely, would we want these private cyber investigators to do that isn’t already being done?

My sense is that companies are, as I noted earlier, already having employees with the necessary skills investigate cyberattacks launched against the companies. If that is true, and we’ll assume it is true for the purposes of this analysis, what would we achieve by accrediting a company employees as private cyber investigators or, alternatively, letting companies hire independent private cyber investigators to analyze cyberattacks? The question, I think, necessarily implies that we would achieve something we don’t already have, but what?


One possibility is that when the question says “accredit” it really means “deputize.” Why might that be a logical possibility? The answer, I think, lies in figuring out what we’d be trying to accomplish by giving private cyber investigators some special status. The only way the question makes sense is if we’re trying to (i) let the private investigators do things they can’t already do and/or (ii) get them to do things they’re not currently doing.


What would we be trying to let them do that they can’t already do? As I noted above, private cyber investigators can’t break the law as they conduct their investigations, so maybe this is what the “can’t” alternative is going toward. I don’t really think that is what the question is going toward. I certainly hope that isn’t what it’s assuming because that would mean we’d be authorizing vigilante action; and as I noted in an earlier post, while vigilante action can be superficially appealing when we’re dealing with activity that tends to elude the efforts of law enforcement, it’s always, IMHO, a very, very bad idea to go down the vigilante path.


The “can’t” alternative might be trying to address the breaking the law/vigilante scenario by letting us deputize the private citizens who investigate cyberattacks on behalf of the companies that employ them. I briefly checked some state statutes and confirmed that law enforcement officers in at least some states can still deputize private citizens so they can help regular officers deal with crimes, etc. Deputies apparently didn’t die with Old West posses. So maybe the notion of accrediting private cyber investigators is meant to overcome the “can’t” problem by letting them do things law enforcement officers can do, which brings us back to the “what?” issue.


What would deputizing private investigators let them do that they can’t do now but law enforcement officers can do? One thing might be to let them apply for search warrants that authorized them to go into other systems to collect evidence; that could address the civilians-can’t-violate-the-law issue. If we deputizing them did this, then the deputized private cyber investigators would presumably also be able to rely on exceptions to the 4th Amendment’s warrant requirement, and use consent or exigent circumstances to go into a system without first getting a search warrant authorizing the intrusion.


At this point, I don’t know if that’s doable under our law or not. I’ve been traveling so I haven’t had time to research the issue in detail. I’m going to assume it is doable, if only because it seems a logical implication of the power to deputize citizens to assist law enforcement officers in the conduct of their duties. I don’t like it, though, because it could get out of hand; I did a post a couple of years ago on the American Protective League, a World War I initiative that essentially deputized civilians to help federal agents find German spies and saboteurs and that got way out of hand. I fear something similar could happen with the scenario I’m postulating here.


That brings us back to the other alternative: trying to get private cyber investigators to do something they’re not already doing. I suspect this may be the real rationale for the question about accrediting private cyber investigators. One of the problems we have in dealing with cybercrime (and related cyberattacks) is that companies are not inclined to report attacks; since they’re not inclined to report attacks, the data a victimized company compiles about the attack almost certainly won’t make its way to law enforcement.


So maybe the question about accrediting private cyber investigators is only going to the issue of trying to get those who investigate cyberattacks against private entities to share the evidence they collect with law enforcement officers. I think that’s a real possibility. My problem with this alternative is that I don’t really see how accrediting investigators could get them to report their findings to law enforcement. I suppose it would give them more of a professional reputation, more gravitas, and maybe the theory is that this enhanced professionalism would encourage them to share their findings with law enforcement. I don’t see how and why that would work, though; it’s my impression that the failure to report is attributable to the companies’ concerns about negative publicity, not any lack of professionalism on the part of the employees who deal with cyberattacks.


Now, if the question is using “accredit” to mean “deputize,” that might change the analysis. If private cyber investigators were deputized, I assume it would mean they were under a legal obligation to share evidence they’d collected with law enforcement. And maybe that’s what the question is really going to – maybe it’s postulating a kind of nationalization strategy for the employees of private companies who are charged with investigating cyberattacks. If they became deputies of whatever governmental system (I don’t think the federal system does deputies, so they could be state deputies), then they would presumably be obligated to share what they had with the official representatives of that system.



7 comments:

Anonymous said...

Companies are not in any way prohibited from investigating and locating hackers. This should be made clear by the 16,000 cases that RIAA has brought against file sharers. Anyone who has done any file sharing while using a program like peer guardian to block bad IP addresses knows that anti p2p organizations are already tracking individuals. The same goes for any corporate website or network that a hacker tries to gain entrance to. Whether you are an employee logging on to fill out your time card or a hacker hired by a rival company to steal proprietary information, your successful and unsuccessful attempts to log in are logged, i.e. tracked.

The idea of registering private cyber investigators would never work. First, it would cost a lot of money for companies to register everyone in IT who works to secure a company's network and investigates attacks on the network. It would not give them any new technical skills. The only way to require them to report an attempted breach is to legally require companies to disclose an attempted breach. Companies, of course, are legally required to disclose an actual known breach of private information of customers. However, tracking the IP addresses of people who are attempting to gain unauthorized entry does not catch real hackers who use proxy servers to protect their identity. Also, what are you going to require companies to report? Does google have to report every time someone tries to guess the password of a gmail account and can't get in? This could very easily be the person who owns the account. If it is a real hacker, like the guy who breached the gmail accounts (and many other services) of twitter employees, including the CEO's, you are never going to catch them unless they attempt to sell the information, thus making a trackable transaction. The hacker who released the twitter documents to tech crunch will never be caught. He didn't want money, he just wanted to show how easy it was to hack.

The idea of giving cyber private investigators the power to apply for search warrants is just plain scary. Too many companies are already collecting too much private information on individuals on the internet. If a company could request a warrant to hack into individuals' accounts or into their computers, in order to monitor them for supposedly illegal activity that a corporation believes has been carried out, it would be a major blow to privacy. We don't allow private investigators to do this in non-cyber space, do we?

In short, this is a waste of people's time and money.

Susan Brenner said...

I pretty much agree with you on all counts . . . especially as to the inadvisability of giving private cyber investigators the ability to obtain and execute search warrants.

As I said, this wasn't my idea.

Anonymous said...

I like your blog. I have been reading it for awhile and only recently commented on this article and the one on seizing data. Very interesting legal updates on privacy issues. Sometimes it becomes too legal, without enough practical common sense, but in general it provides a fascinating discussion of privacy law. You obviously put a lot of time into producing it, it is a shame so few people read it (based on the number of comments anyway).

I was wondering if you had seen this or had any comments on it.
http://www.wired.com/gadgetlab/2009/08/britain-to-put-cctv-cameras-inside-private-homes/

You're obviously an American lawyer, but do you have any sense of how this could be legal in Britain? Obviously it would violate the 4th amendment in the United States, but I find it unreal that this could be legal in the UK. Any ideas?

-avid reader

Anonymous said...

I like your blog. I have been reading it for awhile and only recently commented on this article and the one on seizing data. Very interesting legal updates on privacy issues. Sometimes it becomes too legal, without enough practical common sense, but in general it provides a fascinating discussion of privacy law. You obviously put a lot of time into producing it, it is a shame so few people read it (based on the number of comments anyway).

I was wondering if you had seen this or had any comments on it.
http://www.wired.com/gadgetlab/2009/08/britain-to-put-cctv-cameras-inside-private-homes/

You're obviously an American lawyer, but do you have any sense of how this could be legal in Britain? Obviously it would violate the 4th amendment in the United States, but I find it unreal that this could be legal in the UK. Any ideas.

-avid reader

Unknown said...

This is all very interesting. I am currently conducting research on technology and law issues as part of my Master's program. Most smaller jurisdictions do not have resources to hire, train, certify and employ computer forensic investigators. If private citizens could be "deputized" some how, they may be able to assist LE, for little cost...

Professor Don said...

Might want to look at Texas. A cyber expert cannot testify unless they are also a PI (if they actually investigated something). They can testify about how networks etc work. Anything else raises a defense challenge.

Rationale is that a PI takes an oath etc and can be punished for ethics violations where regular folks cannot.

Currently raising a big ruckus.

Susan Brenner said...

Interesting, thanks Don . . . I'll take a look at it.