Slashdot Mirror
PI License May Soon Be Required for Computer Forensics
buzzardsbay writes "The good folks over at Baseline Magazine have an intriguing — and worrisome — report on a movement to limit computer forensics work to those who have a Private Investigator license or those who work for licensed PI agencies. According to the story, pending legislation would limit the specialized task of probing deep into computer hard drives, network and server logs for telltale signs of hacking and data theft to the same people who advertise in the Yellow Pages for surveillance on cheating spouses, workers' compensation fraud and missing persons. Those caught practicing computer forensics without a license could face criminal prosecution."
Texas already requires that computer forensics investigators be licensed PIs. The requirement isn't just window dressing, either. Getting a PI license is tough there. That's why there are only about a dozen licensed computer forensics investigators in entire state. Um, and Media Sentry sure as hell ain't one of them...
Tm
Support TBI Research: http://www.raisinhope.org
I know I'm not supposed to read the article but this is about needing a PI license work for a licensed firm to testify is court. First thing I would tack on would be they should also have there PE licensed firm or not. Yes it's a bit of a slippery slope it might also get the Secret Service and the FBI to get there agents some decent skills since every time I had interaction with it a tar.gz file was unfathomable to them and everything involves lot of baby steps and spoon feeding. Unfortunately most of these investigators are just using some pretty badly written applications and get stumped by anything with real encryption or not running windows, on the good side encase and similar is a good first step in the evidence chain.
No sir I dont like it.
Considering that in some states becoming a licensed PI requires paying a fee and nothing else, I'm not sure the significance of this (other than there will be a lot more wannabe cops running around). Considering the median salary for a PI in the US is ~$32K (wikipedia), if all the CF folks out there have to get PI licensed it should certainly push that up a bit. Man this is idiotic.
The bills being considered are only about forensic evidence presented in court.
Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
Your job is quite safe without getting a PI license. You can dig around and uncover evidence in your network all you like, and you can take normal actions upon that evidence, such as tracing IPs and contacting authorities etc, all the usual stuff. What you can't do is provide what you find in your network as evidence in a court case, that is all. Someone else has to check your place out and then do the testifying themselves. Basically the court does not consider you an accredited expert witness under this legislation. If that is required, a temp PI computer forensic guy can be brought in, collect what is needed, and then he goes somewhere else (he's not into being a network admin, he's got more places to investigate), leaving your position intact.
Yes I do agree that state licensing is rather abysmal. I see where you're coming from. I'm a pathologist. Yet my state medical license states that I can legally practice medicine and surgery (which is rather insane if you ask any reasonable person). On the other hand, there must be some way to say that a particular computer forensics lab is not just some shady operation, especially if the evidence provided is going to be presented in court. Although it shouldn't be a PI license that provides this evidence.
Rule of evidence 702: "If scientific, technical, or other specialized knowledge will assist... a witness qualified as an expert by knowledge, skill, experience, training, or education may testify thereto..."
There is no requirement to be a member of the leading professional body for the field. This rule, which came about from Daubert [v. Dow Merrill Pharmaceuticals], Kumho Tire, Joiner, and others has generally been interpreted broadly by the courts because judges do not want to exclude valuable evidence and because they are too stupid to understand the falsifiability language in Daubert.
Judges are guided in their admissibility decision by the requirement of rule 702 that "the testimony is based on sufficient facts or data, the testimony is the product of reliable principles and methods, and the witness has applied the principles and methods reliably to the facts of the case."
For states in which there are meaningful qualifications to becoming a PI, one could reasonably argue that the PI license provides a (rebuttable) presumption that the holder of the license knows reliable methods and how to apply them. The question of whether a particular PI actually did correctly apply the proper methods is a fact-specific determination to be made at trial.
I guess it's too much to expect
Various definitions:
http://www.google.com/search?q=define%3Aforensic&submit2=Google
More colloquially one could describe forensics as merely data gathering evidence (whether it be used in a formal court of law or not). A parent using forensics software on a child's computer may not be considered forensics to the FBI, but it probably would be to the parent or child. Much the same for internal company forensics. Strict definitions need to keep up with colloquial usage.
Nonsense. The HTCIA is the organization that you are referring to and in no way does membership qualify you to testify in court. Most forensic examiners are not members of HTCIA in any way - it is a very heavy law enforcement membership that does require its members not to work for the defense.
There are a number of certifications, such as CCE, EnCE and CFCE that are pretty much required for practicing as a forensic examiner. You just aren't going to get anywhere without these. While the certifications seem like BS, what they are useful for is establishing to a non-technical court that you have been both educated and tested in the field. Part of being qualified as an expert witness in court is having your credentials questioned, so if you do not have certifications you will need lots and lots of other information that will need to be as convincing. I've see one person defend their qualifications without much in the way of certifications but it wasn't pretty.
Membership in HTCIA is restricted to law enforcement and law enforcement sponsored people. It does not qualify anyone as a forensic examiner because you do not have to be a forensic examiner to belong - anyone in law enforcement or associated with law enforcement can be a member. They just can't work for the defense. A court that used HTCIA membership as a qualification would be equivalent to a court requiring someone to have contributed to Bill Clinton's legal defense fund to be accepted as a legal expert.
The usual, IANAL, this isn't legal advice, etc. etc...
However, I am a current, licensed private investigator in Ohio who happens to do digital forensics from time to time. So, I believe that I can shed some experience (or spread some BS) on this subject.
Private Investigation in Ohio is governed by Ohio Revised Code Chapter 4749. To summarize:
- You have to be a licensed investigator to perform investigations for hire. (Meaning you get paid.)
- The exceptions (and there are specific ones listed) boil down to a) insurance adjustors, arson inspectors, forensic accountants, etc., and b) it's part of your normal job (such as a network administrator tracking down a break-in. My example, not the law's.)
- Anything you do for yourself is, well, for yourself, and doesn't require a license.
A lot of other states have a similar setup.Now, without having read the actual proposed law in South Carolina (this is /., after all), I would say that it sounds like a bad idea. An investigator license is not a magic wand to say that you are an expert, and the summary makes it sound like having a PI license gives you almost automatic "expert witness" status. (From my IANAL point of view, that is a specific determination that the court has to make, and normally they don't take it lightly.
PI licenses are used to regulate who goes around snooping into other people's information. There are specific criminal penalties for performing investigation services, for hire, without a license; I believe that it keeps the people honest (in Ohio, Homeland Security oversees the licensing!), and prevents a lot of wasted time and money on some Magnum wannabe who ends up doing more damage to his clients cases/circumstances than good.
As far as I can tell, those who do purely "digital forensics" are the equivalent of DNA lab techs or fingerprint analysts: They perform a technical function whose methods and findings are narrow, reviewable, and (should be) reproducible. The aspect of "investigation" only comes in when you begin to track down names, background, places, and faces relevant to the process. Despite what CSI: Miami tries to put out, lab guys are not normally the folks interviewing the suspects and poking holes in alibis; they deal with facts and findings. (More like Abbie on NCIS.)
Which leads to the counter-proposal from the Nevada situation: If the courts already have a tried-and-true method of determining what an "expert witness" is, there really isn't a need for another licensing agency. Yes, courts can and do rely on licensing for some determinations, but again, they use experience, knowledge, reproducibility, and accepted methodology as real determining factors. That way, a medical license isn't an automatic "my opinion is indisputable" stamp.
I think South Carolina is either overreacting or trying to pay off a party contributor....but hey, what do I know? (Or, how could I find out? :-)
And yes, I realize that I said I "do computer forensics." Being a geek with a license, it's easier (and much faster and cheaper for the client) to do a forensic run-through myself than to hire it out to a lab every time. But I also know my own limitations, and quickly admit when/if I ever get over my head and need to call in the hard-core experts.
Never confuse movement with action. --Hemingway
From the Code of Virginia:
9.1-138. Definitions.
""Private investigator" means any individual who engages in the business of, or accepts employment to make, investigations to obtain information on (i) crimes or civil wrongs; (ii) the location, disposition, or recovery of stolen property; (iii) the cause of accidents, fires, damages, or injuries to persons or to property; or (iv) evidence to be used before any court, board, officer, or investigative committee. "
and
9.1-139. Licensing, certification, and registration required; qualifications; temporary licenses.
"C. No person shall be employed by a licensed private security services business in the Commonwealth as armored car personnel, courier, armed security officer, detector canine handler, unarmed security officer, security canine handler, private investigator, personal protection specialist, alarm respondent, central station dispatcher, electronic security sales representative, electronic security technician's assistant, or electronic security technician without possessing a valid registration issued by the Department, except as provided in this article."
Note, there is very similar language under New York State laws as well. In fact it's all damn near boiler plate, they are so similar. I would suspect several other states therefore have comparable laws on the books already (No, I have not yet bothered to RTFA). Just because lots of people have been doing it for a while because they were/are ignorant of the law does not excuse it. They are committing a Class 1 misdemeanor. Any decent opposing council will move to exclude any evidence produced by an unlicensed/unregistered company or person.
9.1-149. Unlicensed activity prohibited; penalty.
"C. Any person convicted of a violation of subsections A or B shall be guilty of a Class 1 misdemeanor. "
Good lord! In just about every state the licensing requirement does not prove you have a specific skillset.
There are PIs that specialize in TSCM (Technical Surveilance CounterMeasures -- electronic bug hunters that sweep rooms, etc...), workers comp cases, divorce/infidelity, competitive intelligence (thinking of buying a company?), background investigations, skip tracing, and yes, computer forensics.
The license is a means to gate who can operate on a for-hire basis to introduce evidence into a court or other similar body. That's it.
Read the existing laws. The article cites at least six states with some laws already on the books. Go read them and understand what they really require.