Slashdot Mirror
Deleting Files is a Crime?
cemaco writes "A former employee of International Airport Centers, who is currently embroiled in a legal dispute with them, returned his company laptop as required. Hoping to find incriminating evidence, I.A.C. attempted to retrieve deleted information from the laptop in question with no success. This employee had beaten them to the punch. He had used 'secure delete' software, in order to make sure nothing could be recovered. He is now being charged with a violation of the Computer Fraud and Abuse Act."
So if he has the files, he's a criminal. But if he doesn't have the files, he's also a criminal? How is deliberate obstruction determined in a case like this?
If the laptop was classified as evidence in the case, chances are it wouldn't be in his possession. If it wasn't, then he didn't commit a crime.
On the other hand, if a document was issued classifying the harddrive as evidence before he deleted the contents of the drive, he did commit a crime.
Ideally, it should be as simple as that.
Yes and no.
If the company had a set of policies in place, and had informed the employees about them, that ALL data that was put onto the system became the property of the company. Or if there was a clause on there about not putting personal data or programs on there.
In this case, they would pretty much need to PROVE that anything he deleted was possibly incriminating. Which, at this point, would be damn near impossible.
Chas - The one, the only.
THANK GOD!!!
Depends. It's certainly the company's laptop, but the NON-work-related data may not be theirs. Every company I've worked in that allowed the use of a laptop had allowances for "limited personal use" in their acceptible use policies. That meant that it was cool for me to use the laptop to check my webmail accounts during lunch, etc. That information was mine, not theirs. It was also assumed reasonable for me to delete my personal data that was left on the system.
Operative word being "Reasonable."
It would all depend on whether his company's acceptible use policy had an allowance for limited personal use or not. If they did say it was OK to use it for personal use, they had no legal grounds upon which to try and recover HIS personal (not work related) data since it was HIS.
Your analogy implies that EVERYTHING in a workspace is company property, when in most cases it's not. Having personal effects in my office, and removing them when I leave the employer, is no different form having some personal data on a computer.
Never attribute to malice what can as easily be the result of incompetence...
Ideally, a judge would, like the article's author, take one look at the charges and say, "whaaaaat?" just before throwing the whole silly thing out. Now three loops have decided returning the drive clean is a crime, unanimously.
RTFA. That's exactly what the judge did. The company appealled the decision, and the appeals court sent it back to the judge saying: no, you can't throw this out. The company might be right. You need to hold a trial to figure it out.
Having read the article, I agree. The issue is not so clear-cut that it should be dismissed out of hand: it deserves its day in court. The guy may have deleted incriminating information (which is a crime, see Enron paper shredders). He may also have been propping up his business at company's expense (i.e. using whatever data he acquired while making sure the company doesn't get a hold of it). That's for the judge to decide, and that's exactly what the appeals court said should happen.
Oh and, btw:
Adolf Hitler
you lose.
___
If you think big enough, you'll never have to do it.
Ideally, a judge would, like the article's author, take one look at the charges and say, "whaaaaat?" just before throwing the whole silly thing out. Now three loops have decided returning the drive clean is a crime, unanimously.
I urge you to consider the possibility that all the judges who have thus far ruled that it can be a criminal act to destroy information that does not belong to you may, in fact, not be "out of their league" regarding workplaces and technology, and even may understand the issues better than either you or Mr. McCullagh.
Or the third possibility is he does not delete the files, and there are no files which shows he violated his work contract. The crime was in deleting the files. There could not be a crime in leaving the files there.
What most likely happened was he used his employers laptop in starting his own buisness. Who knows how he did this, maybe he used trade secrets or something else. When he decided to quit, he wanted to remove the evidence of his actions, so he removed everything from the laptop.
The company has a right to issue the laptop and require it is returned in the same condition, and that would include the software and data on the laptop.
Is the laptop's data the property of the employer? That is the question. If the laptop is the property of the employer, and the employer has a right to the data on the laptop, then what this guy did is the same thing as if he deleted records from a PC in his cubicle. Or is it different because he can take a laptop out of the office?
My gut reaction is to want more privacy. But maybe that is not possible anymore. Heck, the government demanded search records from Yahoo, MSN, and Google a few months ago so they could see who was searching for prohibited porn and terrorism. Google was the only one who did not provide the data, but not because they wanted to protect their users privacy, but because they did not want other companies to see their data.
Presumably, there was somewhat confidential data on that notebook anyway. The use of a secure deletion program should be required to keep that data out of the hands of competitors.
But there are things in the case that we don't know.. for example, what evidence does the company have that these files were even there in the first place? Maybe he was secure-deleting personal information that the company had no right to in the first place (where I work, we have an incidental use clause regarding technology--that is, we can use it for our own personal purposes as long as it doesn't degrade the system as a whole). Simply put, we don't know most of the facts of this case.
Some law in the UK makes it illegal to possess encrypted data and not provide a key to decrypt it. it even allowed for the situation where i could email u an encrypted archive and your inability to open it would put u in breach of the law.
hehe, the rebel i am.. i just emptied my recycle bin..
--AlexC
Just because I dont agree with climate change doesnt make me a troll
Basically the whole issue ended up being about timing.
When he decided to leave employ of the IAC to start his own venture, his authorization at that point to use the computer did not belong to him. Though he may have physically retained the computer, and had all access to it, he did not have legal rights to its contents.
At that point, he was a competitor to IAC, possibly with information on his person about IAC that a competitor should not.
IAC wondered what he had, and whether he was misusing this laptop for his own benefit, which would break all kinds of laws. They wanted to take a look at said laptop, and see if he'd used it or seen anything he shouldn't have recently.
This employee then accessed the laptop and deleted all kinds of stuff, akin to shredding documents Enron or Watergate style. He then returns the laptop to IAC, his former employer and now competitor.
Unsurprisingly, former employee is now sued, though his conviction is by a tenuous interpretation of a law.
Citrin pointed out that his employment contract permitted him to "destroy" data in the laptop when he left the company.
His right to do this was in his contract. Can anyone tell me why a contract can no longer protect an individual from a company?
I think his mistake was in arguing about his authority to delete files at all. His argument should have been that all the files alleged to have been deleted were personal files, personal use of the laptop was authorized by his employment agreement (quote the relevant paragraph from the agreement, and the company has no right to demand that those files be turned over in the first place. You can't be charged under the law he was if the only things you "damaged" belonged to you.
Of course, this only works if he was scrupulous to avoid mixing his personal stuff with company data and can clearly show that all the files the company can prove were theirs are untouched. If he did delete files from an area normally or provably containing company data, he's pretty much SOL.
This should be a civil matter.
It is a testament to the broken state of our laws (and especially our computer crime laws) that his former employer was able to (convince a DA to) drag him into criminal court for this.
If the guy had hacked into company computers and destroyed data, then sure, he should be prosecuted under criminal laws. But wiping files from a hard drive? If the guy really did do damage to his former employer, or violated a contract with them, then it shouldn't be a criminal case. It should be a civil case.
If you had super powers, would you use them for good, or for awesome?
Of course it's BS. But so is the whole case.
The REAL case is that the guy was setting up his competing business, and they wanted the laptop data to prove it.
They shouldn't be going after him for "destruction of data on a networked device" but for violating his non-compete. Especially since, if they can't prove he violated the non-compete, then it IS his data to do as he pleases, even if it was sitting on their laptop.
Look at it this way: If they can't first show he violated his non-compete, then they have no claim to the data he erased, as it may have been "his" data just as much, or more, than theirs.
On the other hand, prove first that he violated his non-compete, and you can THEN also get him on the data destruction.
What you CAN'T do is the reverse - prove the destruction of your data if you can't first prove that it is uncontestedly your data.
The employer can demand anything he wants. And the employee can say "sue me."
In this case, though, the employer is putting the cart before the horse - attempting to claim vandalism to their property (destruction of files on a networked computer) without first proving the files in question were their property. They wanted the files to show he broke his non-compete and, as such, was no longer an employee, and thus not authorized to delete the files. Seems to me, if they can't first show he broke his non-compete, they can't claim uncontested ownership to the files.
They're in a catch-22.
That is bullshit. If that were true: a company could argue that the government can't look at their financial records because it would incriminate them; a murderer could deny police access to their premises because they would find a body in her freezer that would incriminate her.
A murderer CAN deny access to their property even having a dead body in the freezer, enless the police have a warrant. A company CAN refuse to turn over documents enless the police have a warrant. Police can't walk in anywhere they want and/or just take things because they may or may not be incriminating, it's called probable cause. They must have enough viable reason to further their investigation, you can't just bother every citizen because you may or may not know a partial bit of information about a crime.
When I return a PC or laptop to a client site, they are entitle to:
That's it. Everything else on the machine is my personal property, and removing it is my right the same as cleaning out my desk when I finish a contract.
I do not fail; I succeed at finding out what does not work.
I'll go out on a limb here and say that if this company is sophisticated enough to have a non-compete agreement in place, there's probably an agreement in place that covers what you should and should not have on a company laptop. You say that if they can't prove violation of the non-compete then hte data is his to do with what he pleases. This is almost certainly not so. I'd be willing to bet that ANYTHING on that company computer is company property. The company has a right to look at any of it at any time, and the individual's use of the computer is tactit agreement to that policy. Therefore, if he has deleted ANYTHING the company wants to see he is likely in violation of the company's data policy. If any data recovered was unrelated to his work, he's again violated the company's data policy. If any data recovered was related to a private business he was running using company property, then he's in violation of the company's data policy AND his non-compete agreement. If it's company hardware then everything on it is uncontestedly their data. They don't need to prove it.