Slashdot Mirror
Deleting Files is a Crime?
cemaco writes "A former employee of International Airport Centers, who is currently embroiled in a legal dispute with them, returned his company laptop as required. Hoping to find incriminating evidence, I.A.C. attempted to retrieve deleted information from the laptop in question with no success. This employee had beaten them to the punch. He had used 'secure delete' software, in order to make sure nothing could be recovered. He is now being charged with a violation of the Computer Fraud and Abuse Act."
Of course it is. Wasn't this law passed when Gmail went public? Why if google could get its way, you wouldn't delete shi.. oh wait... :)
So if he has the files, he's a criminal. But if he doesn't have the files, he's also a criminal? How is deliberate obstruction determined in a case like this?
"The term "damage" means any impairment to the integrity or availability of data, a program, a system, or information;" Whoa, better not install windows. But really, after I close the lid on my laptop it takes a few seconds for the system to come back to life when I open it, technically, the availability of data is impaired in those few seconds (well 30 if it's a compaq). Oh, whoa again! So if I'm watching a DVD and my brother steps in front of the screen and I can't see for a second, then my access to the "data" is "impaired". Huzzah! We're all going to jail! BONG!
If the laptop was classified as evidence in the case, chances are it wouldn't be in his possession. If it wasn't, then he didn't commit a crime.
On the other hand, if a document was issued classifying the harddrive as evidence before he deleted the contents of the drive, he did commit a crime.
Ideally, it should be as simple as that.
Interestingly, it appears to me that the ex-employee did the right thing.
i ndofmatthew.com
1.)He is protecting the privacy of whoever's data was on the computer.
2.)He is ensuring that the computer is free from viruses, worms, spy ware, etc (assuming he performed a total wipe).
If the company wanted evidence against their employee then they should have attained it before accusing him. To do so in reverse order, as they did, only allows the employee to cover his tracks. If anything I am disappointed in the way that the company handled their business and at the very minimum reflects on the "quality of employees" that they hire.
One more note: doesn't this sort of thing fall under the category of "entrapment."
Argggg, I'm getting frustrated.... and I don't know if I should blame stupidity or the lawyers... oh wait... aren't they the same?
Matthew Wong
http://www.themindofmatthew.com/">http://www.them
If this "secure eraser" is so awesome, then what trace was there that this "secure eraser" had been used? If someone hauls me in for a crime and my computer has no evidence, does that mean I must have used a "secure eraser" on it?
So then if I have nothing to hide, am I now hiding something?
If I have been able to see further than others, it is because I bought a pair of binoculars.
Yes and no.
If the company had a set of policies in place, and had informed the employees about them, that ALL data that was put onto the system became the property of the company. Or if there was a clause on there about not putting personal data or programs on there.
In this case, they would pretty much need to PROVE that anything he deleted was possibly incriminating. Which, at this point, would be damn near impossible.
Chas - The one, the only.
THANK GOD!!!
I can't find it now, but a federal court judge once made the comment that people need the ability to delete files and have courts recognize them as "destroyed". Just because computer forensics has a much greater chance of success shouldn't mean that people can't deliberately disassociate themselves from material. This is core to the right against self incrimination.
Consider what might happen if I sent you a child porn image. You, offended, delete the image immediately and report me to the FBI. Now what if, unable to find me, the FBI came to your door, confiscated your laptop with a warrant (after all, you reported seeing the file, therefore you must have it) and used an undelete program to recover it. Are you now guilty of the crime of possession of child pornography? Yes, you are. At least, as far as the prosecutors are concerned.
It's never been tested legally to my knowledge, but the court MUST recognize that for someone to be charged over deleted evidence is akin to government agent pulling memories from your brain and using those memories to reconstitute matter in the same patter and then use it as evidence against you in a court of law.
This is Orwellian to the extreme, but it is quite possible that the raving "think of the children" lunatics out there will create just such a legal system. After all, they will argue, what stops kiddie porners from keeping their porn collections in the Recycle Bin? What about on a shadow drive with no FAT to link sectors to filenames? At what point does the work involved in recovery become high enough to consider something "gone"?
I'm glad to see this case, and I hope that the jurist in charge realizes that this is about a person's right to prevent their own thoughts and memories from being used against them in a court of law. After all, if the evidence went beyond the employee's person...there will be copies in e-mails, filed records, other computers. For someone to be able to go beyond the bounds of corporate communications into the person at the computer makes that employee's mind the company's property and not just his laptop.
-JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Depends. It's certainly the company's laptop, but the NON-work-related data may not be theirs. Every company I've worked in that allowed the use of a laptop had allowances for "limited personal use" in their acceptible use policies. That meant that it was cool for me to use the laptop to check my webmail accounts during lunch, etc. That information was mine, not theirs. It was also assumed reasonable for me to delete my personal data that was left on the system.
Operative word being "Reasonable."
It would all depend on whether his company's acceptible use policy had an allowance for limited personal use or not. If they did say it was OK to use it for personal use, they had no legal grounds upon which to try and recover HIS personal (not work related) data since it was HIS.
Your analogy implies that EVERYTHING in a workspace is company property, when in most cases it's not. Having personal effects in my office, and removing them when I leave the employer, is no different form having some personal data on a computer.
Never attribute to malice what can as easily be the result of incompetence...
From the article:
That law says whoever "knowingly causes damage without authorization" to a networked computer can be held civilly and criminally liable.
The 7th Circuit made two remarkable leaps. First, the judges said that deleting files from a laptop counts as "damage." Second, they ruled that Citrin's implicit "authorization" evaporated when he (again, allegedly) chose to go into business for himself and violate his employment contract.
The court argued that the worst damage you can cause to someone's computer is erase their personal data. Seems he deleted his client list (or something similar, the article wasn't very clear on that point), and the company wanted it. Unethical way to leave a company, and he probably deserves to be nailed.
The main thing that bothers me is, what if I delete some JPGs that were stored on the computer? I may have a good reason for not wanting anyone to see them, and since they were mine, there should be nothing wrong with deleting them. Will this law allow them to come after me? Seems like it will, and that's what's scary.
Qxe4
I read most of -- maybe 95% -- of the original article, but I did NOT read the court papers nor try to look for them.
So, this is on the assumption that he SELECTIVELY deleted files and didn't delete day-to-day financials, IT-installed AV software, IT-installed firewall and logger software..
But, since he used a secure delete:
-- HOW does IAC know WHAT he deleted?
-- WHY be such specious pieces of shit and sue him for something they cannot prove/trying to prove the unknowable?
If he once had a company proposal, but then had his own ideas and prototyped them, but left the company-bound original in place then the stuff he made for himself is HIS HIS HIS! Not the company's "just because he put it there".
If he put a pic of his family, they'd deleted it without a second thought. But, because it may be or they FEEL it's in their "sphere of interest", of course they'll want a copy. But, too bad. If they had a plan to expand and didn't include him, and liked his ideas but said, "See ya, we don't need ya", and he felt they we're using HIS ideas (which, if he's smart, can be reconstructed by any MBA observing the business potential, studying the companies and entities involved, and using some wit and imagination...), then if they didn't have them in their meetings minutes, they're stupid.
Now, IF he produced the stuff on COMPANY time FOR the company and it was stuff they TOLD him to make as an in-process and end-product set of information, then he shouldn't have deleted it. But, if he, for instance, installed (say, with their permission) his own licensed software and produced data for them, but say, deleted their data, then they have NO damn business expecting to keep "evidence of his Corel (or whatever) copy". He could have had Maya, Alias, ACAD, who knows. And, if they had ACAD, but he drew floorplans of an office he intends to have fitted out, THAT, TOO is none of their goddam business.
Sour grapes. Sometimes, some COMPANIES just don't get it. Same goes for those companies whic hire programmers and and then "compensate" them to intentionally embed, encrypt and then claim as "their own intellectual property" some GPL/GNU software they goddam didn't create, and then adamantly pass off and defend as their own and expect smarter employees to sign NDAs and Non-Competes over stuff the company didn't create.
I hope that guy is smart, has a smart lawyer and that he actually IS in the right. But, unless we actually see the court transcripts, get our own forensics team on the hard drive (assuming the company didn't distrub the 1s and 0s any more than the ex-employee did), then it's going to be hard for any geek/nerd on this site to say much of anything meaningful without laying out some reasonable scenarios. I guess....
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Ideally, a judge would, like the article's author, take one look at the charges and say, "whaaaaat?" just before throwing the whole silly thing out. Now three loops have decided returning the drive clean is a crime, unanimously.
RTFA. That's exactly what the judge did. The company appealled the decision, and the appeals court sent it back to the judge saying: no, you can't throw this out. The company might be right. You need to hold a trial to figure it out.
Having read the article, I agree. The issue is not so clear-cut that it should be dismissed out of hand: it deserves its day in court. The guy may have deleted incriminating information (which is a crime, see Enron paper shredders). He may also have been propping up his business at company's expense (i.e. using whatever data he acquired while making sure the company doesn't get a hold of it). That's for the judge to decide, and that's exactly what the appeals court said should happen.
Oh and, btw:
Adolf Hitler
you lose.
___
If you think big enough, you'll never have to do it.
Ideally, a judge would, like the article's author, take one look at the charges and say, "whaaaaat?" just before throwing the whole silly thing out. Now three loops have decided returning the drive clean is a crime, unanimously.
I urge you to consider the possibility that all the judges who have thus far ruled that it can be a criminal act to destroy information that does not belong to you may, in fact, not be "out of their league" regarding workplaces and technology, and even may understand the issues better than either you or Mr. McCullagh.
Or the third possibility is he does not delete the files, and there are no files which shows he violated his work contract. The crime was in deleting the files. There could not be a crime in leaving the files there.
What most likely happened was he used his employers laptop in starting his own buisness. Who knows how he did this, maybe he used trade secrets or something else. When he decided to quit, he wanted to remove the evidence of his actions, so he removed everything from the laptop.
The company has a right to issue the laptop and require it is returned in the same condition, and that would include the software and data on the laptop.
Is the laptop's data the property of the employer? That is the question. If the laptop is the property of the employer, and the employer has a right to the data on the laptop, then what this guy did is the same thing as if he deleted records from a PC in his cubicle. Or is it different because he can take a laptop out of the office?
My gut reaction is to want more privacy. But maybe that is not possible anymore. Heck, the government demanded search records from Yahoo, MSN, and Google a few months ago so they could see who was searching for prohibited porn and terrorism. Google was the only one who did not provide the data, but not because they wanted to protect their users privacy, but because they did not want other companies to see their data.
That law says whoever "knowingly causes damage without authorization" to a networked computer can be held civilly and criminally liable.
Here's a simple defense then:
"I had unplugged the network cable at the time I deleted the files."
You can't claim damage to a networked computer if the computer wasn't networked.
Presumably, there was somewhat confidential data on that notebook anyway. The use of a secure deletion program should be required to keep that data out of the hands of competitors.
But there are things in the case that we don't know.. for example, what evidence does the company have that these files were even there in the first place? Maybe he was secure-deleting personal information that the company had no right to in the first place (where I work, we have an incidental use clause regarding technology--that is, we can use it for our own personal purposes as long as it doesn't degrade the system as a whole). Simply put, we don't know most of the facts of this case.
Unless the company's written policy was "you cannot delete files from this laptop we've given you" then I can't see where there is a problem. If they really needed those files, they should have taken possession of the laptop BEFORE the fit hit the shan rather than cry foul after the fact.
From what I understand of the courts opinion - his fault is NOT in deleting files on laptop in itself, but in deleting the files AFTER he terminated his contract. Termination of the contract made his access of laptop unauthorized and destroying data on machine you are not authorized to access is a crime, leading me to think that he would have been ok if he deleted the files PRIOR to terminating his contract. They are treating it as if he, after quitting his job, connected to his former employer's network and deleted files on their servers.
-Em
RelevantElephants: A Somatic WebComic...
Deleting files is a crime.
Copying files is also a crime.
What about deleting copied files? Will the two cancel each other out?
I guess deleting is like killing, copying is like saving someone's life (but still getting sued over cracked ribs or something), and file compression is pretty much torture.
Some law in the UK makes it illegal to possess encrypted data and not provide a key to decrypt it. it even allowed for the situation where i could email u an encrypted archive and your inability to open it would put u in breach of the law.
hehe, the rebel i am.. i just emptied my recycle bin..
--AlexC
Just because I dont agree with climate change doesnt make me a troll
Saying that a company owns everything on a laptop is like saying they own everything in your desk. So take a good long look around where you work and ask if you have anything personal inside company property. If you pick up the kids with the company car do they become an asset used on a balance sheet? No. It all comes down to common sense (something that is lacking more and more these days).
Personall I think this is nothing more then a case of them getting ticked off. They got pissed because he decided to go on his own as a real estate competitor and when he returned the laptop THEY tried to find incriminating evidence on him. No accusations of "You did this and we are looking for the proof" no, they went on a fishing trip through the hard drive. Seeing as they were looking for anything I think this guy was getting into sh*t no matter what.
There are only 10 kinds of people in the world. Those that understand binary and those that don't.
Basically the whole issue ended up being about timing.
When he decided to leave employ of the IAC to start his own venture, his authorization at that point to use the computer did not belong to him. Though he may have physically retained the computer, and had all access to it, he did not have legal rights to its contents.
At that point, he was a competitor to IAC, possibly with information on his person about IAC that a competitor should not.
IAC wondered what he had, and whether he was misusing this laptop for his own benefit, which would break all kinds of laws. They wanted to take a look at said laptop, and see if he'd used it or seen anything he shouldn't have recently.
This employee then accessed the laptop and deleted all kinds of stuff, akin to shredding documents Enron or Watergate style. He then returns the laptop to IAC, his former employer and now competitor.
Unsurprisingly, former employee is now sued, though his conviction is by a tenuous interpretation of a law.
Citrin pointed out that his employment contract permitted him to "destroy" data in the laptop when he left the company.
His right to do this was in his contract. Can anyone tell me why a contract can no longer protect an individual from a company?
I think his mistake was in arguing about his authority to delete files at all. His argument should have been that all the files alleged to have been deleted were personal files, personal use of the laptop was authorized by his employment agreement (quote the relevant paragraph from the agreement, and the company has no right to demand that those files be turned over in the first place. You can't be charged under the law he was if the only things you "damaged" belonged to you.
Of course, this only works if he was scrupulous to avoid mixing his personal stuff with company data and can clearly show that all the files the company can prove were theirs are untouched. If he did delete files from an area normally or provably containing company data, he's pretty much SOL.
This should be a civil matter.
It is a testament to the broken state of our laws (and especially our computer crime laws) that his former employer was able to (convince a DA to) drag him into criminal court for this.
If the guy had hacked into company computers and destroyed data, then sure, he should be prosecuted under criminal laws. But wiping files from a hard drive? If the guy really did do damage to his former employer, or violated a contract with them, then it shouldn't be a criminal case. It should be a civil case.
If you had super powers, would you use them for good, or for awesome?
Of course it's BS. But so is the whole case.
The REAL case is that the guy was setting up his competing business, and they wanted the laptop data to prove it.
They shouldn't be going after him for "destruction of data on a networked device" but for violating his non-compete. Especially since, if they can't prove he violated the non-compete, then it IS his data to do as he pleases, even if it was sitting on their laptop.
Look at it this way: If they can't first show he violated his non-compete, then they have no claim to the data he erased, as it may have been "his" data just as much, or more, than theirs.
On the other hand, prove first that he violated his non-compete, and you can THEN also get him on the data destruction.
What you CAN'T do is the reverse - prove the destruction of your data if you can't first prove that it is uncontestedly your data.
Or better yet Mr. Goatse.
The employer can demand anything he wants. And the employee can say "sue me."
In this case, though, the employer is putting the cart before the horse - attempting to claim vandalism to their property (destruction of files on a networked computer) without first proving the files in question were their property. They wanted the files to show he broke his non-compete and, as such, was no longer an employee, and thus not authorized to delete the files. Seems to me, if they can't first show he broke his non-compete, they can't claim uncontested ownership to the files.
They're in a catch-22.
A few years back, I worked on a project that used ClearCase, and the management really wanted us to use it to record the full history of our projects. The group I was working with decided to take them literally.
.o and executable files, see ...
After about a week, we found that we were each able to fill our workstations' disks with the compiles we did. The ClearCase setup saved all our
If was fun watching them actually install a second disk on most workstations the first time this happened (and we all showed that the disks were 99% full of ClearCase files recording the week's work. Then, by the end of the next day, the new disks were full, and we announced that our progress was blocked until we could get more disks.
It actually took a couple weeks of meetings (and no progres on the project) before they faced the fact that "You can't delete your files" was not a tenable rule. They simply couldn't afford the petabytes of disk that the project was projected to require under their "save everything" rule.
So finally we were able to start deleting the 99% of our files that couldn't possibly be of any use to anyone, and only save the interesting source files. I don't think most of the management ever did understood what "source" and "binary" files referred to.
Anyway, yeah; if an employer wants to pay for the disk space, I'll happily save all my files for their later study. But somehow, I suspect that they're not gonna get much for their investment. They'll be much better off if they let me be the judge of which 99% of my files can be safely discarded.
If this court does go along with a "save all files" rule, it could be a very interesting precedent. It'll take more than a couple weeks of meetings to get such a court ruling overturned. In the meantime, some disk manufacturers might be doing a lot of business.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
We ask supervising managers what files/data are required and ask the users to send us those files. Provided that data is returned and the user left on good terms the drive on their machine/laptop is wiped. We have a lot of users who travel fulltime and to ask or even expect them not to use their laptop for personal reasons while on the road is ridiculous and management thankfully agress with that stance. So, for everyone's privacy... the drive just gets zapped and then reimaged.
It was argued that we may lose valuable information in doing so but I pointed out to our CMMI happy managers that this would indicate a failure in the document creation and control process and not an issue with our IT policy and they conceded the point.
Additionally we work on secure projects for the government and have NDA's in place with corporate clients. I can't allow my IT staff to dig through files that they're not authorized to see and because of that we have to treat the whole drive as if its classified material unless we can get someone who is authorized to see to come in and sort through the whole mess. And we're never going to be able to pull a billable consultant off a project to do that unless something is missing.
Long story short... *ZAP*
That is bullshit. If that were true: a company could argue that the government can't look at their financial records because it would incriminate them; a murderer could deny police access to their premises because they would find a body in her freezer that would incriminate her.
A murderer CAN deny access to their property even having a dead body in the freezer, enless the police have a warrant. A company CAN refuse to turn over documents enless the police have a warrant. Police can't walk in anywhere they want and/or just take things because they may or may not be incriminating, it's called probable cause. They must have enough viable reason to further their investigation, you can't just bother every citizen because you may or may not know a partial bit of information about a crime.
Having RTFA, it looks like Mr. Citrin's problem was that he resigned first, THEN handed back the laptop. The judge ruled that Citrin's right to issue commands of any sort on the system ended upon resignation. If I'm reading that correctly, the solution for other soon-to-be-former employees or contractors seems simple: delete, then quit.
More than anything, use head main ting when separating from a company. 1) get your personal gear out of the office; 2) delete email and files relating to personal business (or that might reflect especially poorly on you); 4) clear your browser history and cache; 5) securely overwrite all free sectors on disk; 6) log out and power down; 7) resign. It looks like Mr. Citrin may have gone overboard and nuked all of the company data on the laptop, which is of value and use to the company and their next person to fill his position, and made it look like he had something to hide.
Luke, help me take this mask off
When I return a PC or laptop to a client site, they are entitle to:
That's it. Everything else on the machine is my personal property, and removing it is my right the same as cleaning out my desk when I finish a contract.
I do not fail; I succeed at finding out what does not work.
Besides the poor choice of going into business that directly completes with his former employer, this guy allegedly made the other poor choice of using a 'wipe' utility to remove data.
... How about a group of graphics files that are public domain textures, traffic signs, fragments from websites (taken from browser cache), etc.. Another good group is music - record meetings and lectures then rename them to look like popular music titles. The final idea is to include some encrypted zip files with suggestive names - of course the files contained are renamed unix man docs. Just be sure to use the standard delete command to 'hide' the files from recovery.
What he should have done is used what I refer to as the general-use non-wipe routine. Basically, it involves simply deleting files you don't want/need, then filling the remaining drive space with 'wipe' files - various sized files filled with random or meaningless data and given random or misleading file names. Generate a group of base files, store on USB drives, then copy to the root directory of the target drive, renaming the files as you go. For extra fun, delete your 'wipe' files after you fill the drive. You could probably write a script to help, just make sure it is given an innocent name and stays on the USB drive.
It would be interesting to see the reaction of the managers and scavengers to finding a directory of hundreds of text files and then discovering that each file is a copy of unix man files, or five year old project documentation (that you had no part), or trek fan fiction, or
If you are brought into court like this poor guy your lawyer can argue that those files are there from the day-to-day use of the system. Nothing sinister or devious about those files.
Someone please tell me how the fuck they could prove that certain incriminating files even existed, if said files were wiped before they got the laptop?
What if they were never there to start with?
What a fucking idiot retard of a judge.
The company is stupid for not requiring backups. The guy's an idiot for using his position to start his own business, and using the company're property to do it. He screwed over all his co-workers by doing that, because it takes away from the company's viability.
/., so that's saying something.
I'm really surprised they actually needed the guy's laptop to support their position in all this, they should be able to prove it without that. Going after him because he deleted files is just a vindictive ploy after they realized they had no way of proving what he was doing.
Sounds like the guy AND the people at the company are both guilty of being freaking morons.
I mean really.... all of the sudden "Wipe"-like programs are going to be off corporate computer systems? Yeah, good luck with that. That's the stupidest damn thing I've read all day.... and I've been reading
I kept the computer quite tidy due to a small hard drive. Most work was accouting, spread sheets and some word processing. Hard copies were printed and filed as permanent reports and as backups. Every month or two I would do a Norton Speed Disk which would wipe unused space.
When I left the company I left about two months of data on the hard drive and a 20 page status report which detailed where all the hard copy documents/files/data were physically located and info on the work in progress. The company sent the computer out for data recovery and when no erased files could be recovered I was sued. The company claimed the hard copies did not exist but were later found when I succeeded in obtaining a court ordered search of the company's office.
My lawyers filed a motion to dismiss claiming there was no triable evidence. The judge ruled that the lack of recoverable files was in itself evidence that "something" on the computer had been destroyed and thus fit the statute. The bopgus case settled a few year. No money changed hands but my legal fees ran about $150,000, my life savings.
Advice: 1. NEVER erase anything. Simply move the file out of the current workspace to an archive directory. When the drive gets full have the company buy a new drive -- give the old drive to the boss with a corresponding memo detailing in general what was on the drive. 2. Keep each file you create in a separate directory and maintain a printout of that directory. 3. Run your own backups and transfer the backups via memo when you leave. Leave another copy of the backup with a trusted co-worker who can put them where they can't easily be found and destroyed. The more people involved the better.
If you accidentially have personal info on the hard drive it might be a good idea to wipe the info before you leave. But you need to overwrite the directory and file space deleted since the empty space might be detected. Others here can suggest a procedure.
I'll go out on a limb here and say that if this company is sophisticated enough to have a non-compete agreement in place, there's probably an agreement in place that covers what you should and should not have on a company laptop. You say that if they can't prove violation of the non-compete then hte data is his to do with what he pleases. This is almost certainly not so. I'd be willing to bet that ANYTHING on that company computer is company property. The company has a right to look at any of it at any time, and the individual's use of the computer is tactit agreement to that policy. Therefore, if he has deleted ANYTHING the company wants to see he is likely in violation of the company's data policy. If any data recovered was unrelated to his work, he's again violated the company's data policy. If any data recovered was related to a private business he was running using company property, then he's in violation of the company's data policy AND his non-compete agreement. If it's company hardware then everything on it is uncontestedly their data. They don't need to prove it.