Slashdot Mirror
No Right to Privacy When Your Computer Is Repaired
Billosaur writes "ZDNet's Police Blotter bring us the interesting story of a Pennsylvania man who brought his computer into Circuit City to have a DVD burner installed on his computer and wound up being arrested for having child pornography on his hard drive. Circuit City employees discovered the child pornography while perusing Kenneth Sodomsky's hard drive for files to test the burner, then proceeded to call the police, who arrested Sodomsky and confiscated the computer. Sodomsky's lawyer argued in court that the Circuit City techs had no right to go rifling through the hard drive, and the trial court agreed, but prosecutors appealed and the appeals court overturned the lower court's decision, based on the fact that Sodomsky had consented to the installation of the DVD drive."
Windows doesn't offer any way to "password protect" with any actual security, files and folders and so forth. That's a major part of the problem -- people want like 1 or 2 folders to be encrypted to where you actually have to authenticate to get in each time.
Windows EFS is decent crypto (I think it's 3DES on workstation, AES on server versions) but once you've authenticated your session, you're in to all the files automatically, it's only good for preventing offline reads. That's it. Privacy -- in general, not just for these situations where someone was doing something illegal -- would be greatly served (and Geek Squad wouldn't find people's private videos of themselves on vacation or whatever) if they'd just add in the feature everyone wants.
Local file access security exists only in a domain or with third-party tools like TrueCrypt.
Well yeah they need to be able to login to make sure whatever they're repairing worked. Just create them a joe user account and give that to them.
Or better yet ... learn how to fix your computer yourself. Or just keep all your important information on an external hard drive.
The higher the technology, the sharper that two-edged sword.
"Circuit City employees discovered the child pornography while perusing Kenneth Sodomsky's hard drive for files to test the burner"
That's right your Honor, we were just looking for some jpegs and avis to test the burner with.
The ones that have flesh-colored icons work are best for testing burners.
It's a DVD-BURNER!!!! I used to work in a Retail Tech shop where this EXACT thing happened. A few years ago of course in a different big box store. This was NOT uncommon. You open nero, throw in a blank dvd, find some files, and burn them to the DVD to TEST the BURNING. If it WASN"T a dvd burner, then yeah, something would be weird. But with all the news about Best buy employees scowering your hard drive for pr0n, WTF do you expect!? Let him burn I say.
So it only matter when you're requesting their services for an opinion on law, legal services, or help in a legal proceeding. It'd be a bit of a stretch to claim any of those three if you had them install a DVD burner for you - hence, AC Privilege wouldn't apply.
I don't know about anyone else, but 'poking around for files' is pretty damn intrusive. Just burn a couple of files on the desktop to the CD rom.
I hate child porn as much as anyone else, but this stinks of people looking for personal details on their clients that are none of their business. This shady shit has to stop.
Don't worry about it, the average moderator doesn't even read what they're moderating anyway.
The USA federal criminal statute had been amended to include computer generated CP (18 USC 2256, 2258). http://www.cyber-rights.org/reports/uscases.htm
Submission as evidence constitutes plaintiff and/or prosecutorial misconduct.
That can be faked easily, like all other technical data on a hard disk. They would still get him though, because there are probably links to sources, addresses or other information that the people in the shop couldn't have guessed and which can be traced back to him (server logs, accounts, etc.)
If you know who did something, it's usually much easier to prove it than without that a priori information.
Your clients can hold you liable for unauthorized access to their data?
Yet when someone takes their computer into a best buy, circuit city, etc, that person then becomes a client of said store, and has different rights?
The point is that they looked through his files without his express permission.
Was he dumb? Yes.
Were they wrong in going through his files, even for a test burn? Yes.
If they do a routine test burn, they should also do a routine disc read.
Why not have a test dvd that they copy, and burn back?
The fact is these stores LOVE to rummage through your files.
It's good PR when the company can say they help fight child porn.
It's a laugh riot for the employees to dig through your favorites and personal files.
It's not beyond reason to suspect that said files may have been planted.
It's wrong of them to do it, and legally, this guy has a good defense.
When you develop film, they HAVE to see the pictures to do their job.
Film developers are required by law to report anything involving child abuse or animal abuse (and probably murder, etc).
A tech installing a dvd drive does not need to look through your files, even for a test burn.
It's the equivalent of a plumber coming into your house and pawing through your stack of magazines on the lid of your toilet tank.
This did not warrant an arrest for this man.
It warranted an investigation, with the computer being returned and law enforcement going to a judge requesting a warrant.
It's called due process.
Firstly, there is no need to test the software. He asked them to install the burner. Period.
:gasp: :shock: a burned DVD.
Second, they should not be poking around the CUSTOMERS files- use a USB key with a (public domain) video file on it. Or,
There is NO excuse for a simple hardware install to turn into a search of the customers hard drive.
Or just keep all your important information on an external hard drive.
I have my home directory on an external hard disk so the only stuff on the computer hard disk is the operating system and swap. I could do away with the swap partition but it is easy enough to wipe that partition in the event I was going to hand-over the computer to someone. Besides I do a lot of work-related writing on the computer and certainly do not want unauthorized persons to be reading those documents at some future date.
First, when a repair tech looks for something to burn for a test or whatever, We usually don't just go rummaging through thing, We do a wild card search, *.mpg, *.avi, or something similar. You are then presented with a bunch of stuff and we usually look for something that fits the criteria we need.
Second, there is nothing stopping one tech from putting it on there to have another see it and call the cops. I have friends who have found kiddy porn on clients computers before. And yes, they have notified the authorities. But from there, they took it to another shop who I know the techs and the couple of items turn into more then what his hard drive had marked as used space. A portion of the evidence presented in court wasn't there when the original complaint was made. Of course I assume they ran recovery software and claimed those, but file that were deleted before the fact aren't really files that can be viewed, so I'm not entirely sure about how that happened or how it played with the charges.
Finally, Yes, I agree. Separate emotion from the real issue. The real issue is that you should expect techs to look through files when they are doing something that would be considered "fixing" the computer. You might not expect them to open the files and so on, but they would at least look through them. Also, if your going to have files that could be considered illegal on your computer, don't give it to someone else when they can see them. Finally, find Spyware, virus or something that can give you an escape if you are caught. Something as simple as a back door trojan and a webserver hosting the files that while turned off can be turned on by the trojan can give you the reasonable doubt if anything happens.
Its about stupidity. You see, im not worried that they checked, not worried that they found. What worries me is how the HELL do you prove beyond the shadow of a doubt that the guy was actually the user of that porn?
How do you prove he didnt get it by clicking on some pr0n spam. How do you know he didnt just get it off of google images and it got into his cache.
What has to stop is the assumption that people are responsible for whatever shit gets dropped in their box. They arent and most specially arent when using microsoft software. Anyone can put the pr0n there.
NO SIG
The above raises a good point -- store your data in a manner that's not easily accessed.
But, this case raises TWO different questions that are getting confused.
1 -- Did the service technician violate the privacy of the computer owner by looking at files on the hard drive that might not have been required to perform the repair work? This is a question of civil law, and possibly of the contract between the user and technician.
2 -- Can the police use the evidence found by the technician to prosecute the computer owner? This is a question of constitutional law and criminal procedure.
The answers to 1 and 2 are not necessarily linked.
The constitution provides protection against GOVERNMENT searches of your property. The government can't, without a warrant or an emergency, take your computer away and look through your files. Nor can the government pay a repairman to do what the government can't do directly--for example, if the government paid repairmen to snoop through computer.
But, the constitution doesn't say anything about what OTHER people can do. If the repairman did snoop beyond the limits of his authorization then the computer owner might be able to sue the repairman. But, just because the repairman did a bad thing doesn't mean that the protections in the constitution against government invasion are automatically triggered. Take a different example -- a burglar breaks into a home, steals a lot of stuff, and also sees child porn on the way out the door. If the burglar gives an anonymous tip to the police (or bargains for a lighter sentence in exchange for testimony) then the evidence can probably still be used, even though the burglar had no right whatsoever to be in your house. In fact, it was CRIMINAL for the burglar to be inside your house at the time he saw the child porn, but it's still probably fair game in a prosecution.
The key difference is whether the STATE has violated your right to privacy. You can't bargain with the state to set a higher or lower expectation of privacy; we have a Constitution that sets a minimum floor of privacy for everyone. But, you can negotiate with a computer repair service--if one service offers "no privacy-we'll read all your files" and the other say "complete privacy, for a little bit more money" then you get to pick which one you like, and to sue the "complete privacy" company if they break their word.
Disclaimer: Before you do something dumb, speak with YOUR attorney. I am not an attorney and the law often turns on what seem like very small differences in facts; your situation is probably different and will require personalized advice.
Yes, badge: Ich meine Abzeichen tragen mit Stolz (excuse my german, it's rusty)
As rich_r said, we (the pimply faced teens) realised it wasn't our call to make and passed it on to the someone else to deal with. Many others have said that if you see something that you think is illegal you should report it.
http://yro.slashdot.org/article.pl?sid=07/12/15/1459243 raises a similar issue. Customs officers _thought_ that some cartoons among a bunch of ADULT porn were illegal so they detained the guy. The whole thing there is now the police want access to the encrypted drive to see if there is or is not actually illegal porn there. That whole mess became significant because a judge ruled that the defendant can't be forced to even divulge that he knows the encryption key; let-alone actually give it to police. That guy was reported on the basis that somebody THOUGHT something was illegal, not because they were sure of it.
To pull a terrorism analogy here, if your neighbour was collecting lots of ammonium nitrate what would you do? Say "geez he must really care about his garden" or possibly report him. It is not your or my call to make if what the guy is doing is illegal. At the end of the day if it's not illegal and you do report him the worst that happens is the police knock on his door, he lets them poke about and they say sorry for bothering you.
WTF? You're entitled to your opinion I guess. There are varying levels of what is right and not.I drink to make other people interesting!
It's official. Most of you are morons.
IANAL and I don't know what specifically is the law in Pennsylvania. However, some jurisdictions in the US (South Carolina, for example) compel computer technicians to report child pornography just like social workers, teachers, and medical professionals are often required to report suspected abuse.
The technician in this case apparently, according to TFA, was searching for random video files on the customer's PC to burn using the newly installed DVD burner to make sure everything was working. He got suspicious based on the names of some files, including one listing a male name and a number he thought was an age of 13 or 14. Upon deciding he'd probably found child porn, he contacted authorities. This doesn't sound like rifling through all the guy's files at all if that's the way it really happened.
The judge decided the test was a commercially common and acceptable way to test a DVD burner -- by searching for video files on the user's drive. I'm not sure how common it is these days to do it that way, but it certainly sounds reasonable and not nefarious to test it that way.
The appellate court also decided that you have no privilege of confidentiality with a computer store like you would with a doctor or lawyer.
I think a better analogy would be that you bring the car in to get new tires, forgetting you had a dead body in the trunk. The shop guys check on your full size spare as a courtesy, find the corpse. Should they protect your privacy or report their findings to the authorities? I know, sounds really dumb, how can you forget you have a dead body in the back? Then again, what was the guy thinking when he gave full access to the computer and all data on it, knowing that some of the content was clearly illegal?