PI License May Soon Be Required for Computer Forensics
buzzardsbay writes "The good folks over at Baseline Magazine have an intriguing — and worrisome — report on a movement to limit computer forensics work to those who have a Private Investigator license or those who work for licensed PI agencies. According to the story, pending legislation would limit the specialized task of probing deep into computer hard drives, network and server logs for telltale signs of hacking and data theft to the same people who advertise in the Yellow Pages for surveillance on cheating spouses, workers' compensation fraud and missing persons. Those caught practicing computer forensics without a license could face criminal prosecution."
Am I breaking the law for this? 3.14159268
I thought this article was about the irrational number at first.
I would think that requiring an Investigative license for doing investigative work would be a good thing.
If brevity is the soul of wit, then how does one explain Twitter?
Nerd rage aside here, the programs in question aren't dangerous, nor do the operators necessarily have to have expertise to use them. What purpose could this legislation possibly serve?
(rot13) rpbzbab@tznvy.pbz
Texas already requires that computer forensics investigators be licensed PIs. The requirement isn't just window dressing, either. Getting a PI license is tough there. That's why there are only about a dozen licensed computer forensics investigators in the entire state. Um, and Media Sentry sure as hell ain't one of them...
New snoop-proofing: chmod -R 000 / Anyone who tries to access your drive is obviously trying to perform computer forensics.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
How is this a bad thing? Requiring a PI license would imply some level of legitimacy.
"So long as computer forensic specialist implies a PI license" AND NOT "a PI license implies a computer forensic specialist".
After all, PIs get to drive around in their employer's red Ferrari and have witty repartee with the English Estate manager (who may or may not be ghostwriting the employer's books) while having casual sexual relationships with clients. In Hawaii. Am I right here folks?
Although I don't think the license should be a PI license. Rather, it should be a computer forensics license. Someone with a PI license doesn't necessarily know jack about computers.
Doesn't this simply say that you have to be licenced to do computer forensic work for hire? What does it really say about doing it on your own PC just to learn about it? I suspect there's some misled impressions being taken here...
I know I'm not supposed to read the article, but this is about needing a PI license or working for a licensed firm to testify in court. First thing I would tack on would be they should also have their PE, licensed firm or not. Yes, it's a bit of a slippery slope; it might also get the Secret Service and the FBI to get their agents some decent skills, since every time I had interaction with it a tar.gz file was unfathomable to them and everything involves a lot of baby steps and spoon feeding. Unfortunately most of these investigators are just using some pretty badly written applications and get stumped by anything with real encryption or not running Windows; on the good side, EnCase and similar is a good first step in the evidence chain.
No sir, I don't like it.
Considering that in some states becoming a licensed PI requires paying a fee and nothing else, I'm not sure of the significance of this (other than there will be a lot more wannabe cops running around). Considering the median salary for a PI in the US is ~$32K (Wikipedia), if all the CF folks out there have to get PI licensed it should certainly push that up a bit. Man this is idiotic.
Not having a PI license, I'm making this all up.
But a lot of the licensing process for many professions is not so much licensing and testing their skill AT the profession (certainly there is some aspect of that in some cases), rather it's ensuring that the practitioner is aware of the legal and procedural environment within which they practice.
Understanding what they can look at, what limitations they are under in performing their practice, what obligations they have in terms of working with State agencies, what their liabilities are, etc.
As a perfect example, consider a Notary Public. Here's a profession that, at least at the knowledge and technical level, requires little skill. It is almost solely a bureaucratic invention. How to take signatures, how to validate IDs, the laws and procedures surrounding witnessing and notarizing signatures. But it's all very formalized to ensure integrity of the process, because of the weight and ramifications the actual signatures carry legally. It's one thing to "sign" something, but getting it notarized is "signing it right" and carries extra weight.
Since computer forensics starts encroaching into the legal arena, a lot of the "legal mumbo jumbo" surrounding how the evidence is gathered, handled, and processed comes into play, and licensing the "evidence gatherer" is a mechanism to ensure that the investigator is aware of their limitations and responsibilities under the law to perform their task.
... does it mean I need to grow a big moustache, and do I get a Ferrari with it?
...would stop the RIAA dead in their tracks.
This is just protectionism...
Most states have ridiculous requirements for getting a PI license. You basically can't get one in many states unless you've been a police officer. There is no public interest reason to do this. Requiring the PI license for this is just a gift to all the people who already have PI licenses.
I haven't looked at computer forensics recently, but when I did (roughly five years ago), there were some problems with it. Basically, because of the way that courts certify experts to testify in court, it was impossible to hire a computer forensic expert to work for the defense. It went something like this:
1. To testify as an expert in court, you have to be a member of the leading professional body for your field.
2. The leading professional body of computer forensic experts forbade its members from working for the defense.
Obviously that's problematic. Hopefully it's changed by now.
The other thing I thought was really funny was the way that most computer crime labs staff up with "experts". Rather than hiring people with computer science degrees and training them on how to do police work, they tend to hire police officers and then train them on computer forensics. The good ole boy system at work.
If you had super powers, would you use them for good, or for awesome?
They started it with mandatory licensing. I mean, come on, a license to sell a house? What advanced training does that require? But each group, when it gets big enough, lobbies for this protection of its turf. In NJ you need a license to be an interior decorator.
A guy who comes home and finds his door kicked in does not get to collect fingerprints from his house to prove who did it. Frankly, there is no reason why the CEO's nephew should be allowed to pick through a log file like he picks his nose and, upon seeing an IP address with 66.6 in it, be allowed to declare 'This is who hacked our computer.'
Yes, it's another unneeded tax, but it's not as bad as the summary makes it sound. Right now, anyone can claim to be a computer forensics specialist.
The bills being considered are only about forensic evidence presented in court.
Inventions have long since reached their limit, and I see no hope for further development. -- Frontinus, 1st cent. AD
Let me give you an example of South Carolina professional licenses. I am an engineer, a PE, licensed as an engineer by the state. My degree is in Chemical Engineering, yet my PE license says nothing about chemical engineering... it is no different from a mechanical engineer, electrical engineer, or structural engineer, or any other engineer. I can officially stamp the blueprints for your house, despite the fact I have absolutely no experience in construction or building practice whatsoever. The only thing that stops me is ethical guidelines and my own conscience -- neither of which stop a PI.
Few nerds gather evidence of hacking or data theft for later use in legal proceedings.
So...I know it's against the whole Slashdot mindset to read the article, but I at least skimmed it, and here's what I got out of it.
1. It's a South Carolina thing (And who lives in S.C., anyways? Seriously.)
2. It's only in the case of evidence in court cases. (i.e., you'd have to have a PI license to submit evidence gleaned from a computer HD).
So all you people freaking out, even kiddingly, about not being able to tag -a at the end of your ls commands, you can calm down.
No it doesn't. There is nothing stopping an IT security 'investigator' gaining a PI license; what is being proposed is using existing laws to ensure that IT security investigators are controlled in the same way PIs are. The existing PI laws were created to weed out the rogue PIs, and how would weeding out the rogue IT investigator be a problem?
Your job is quite safe without getting a PI license. You can dig around and uncover evidence in your network all you like, and you can take normal actions upon that evidence, such as tracing IPs and contacting authorities etc, all the usual stuff. What you can't do is provide what you find in your network as evidence in a court case, that is all. Someone else has to check your place out and then do the testifying themselves. Basically the court does not consider you an accredited expert witness under this legislation. If that is required, a temp PI computer forensic guy can be brought in, collect what is needed, and then he goes somewhere else (he's not into being a network admin, he's got more places to investigate), leaving your position intact.
I would think that requiring an Investigative license for doing investigative work would be a good thing.
Yes, especially if you want to get paid. Imagine being hired by a company to do some forensic work, and you've found out all kinds of interesting things, and then it makes it to court, and it's all thrown out because you didn't understand and follow basic rules on how to handle evidence, and what's legal and not legal to do.
Good luck getting paid by the employer after losing the case for them. In some jurisdictions you might even face liability or criminal charges.
I've looked into the process, and in some states it's not too bad - IIRC some states require a period of apprenticeship, you can't just take a test.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Yes I do agree that state licensing is rather abysmal. I see where you're coming from. I'm a pathologist. Yet my state medical license states that I can legally practice medicine and surgery (which is rather insane if you ask any reasonable person). On the other hand, there must be some way to say that a particular computer forensics lab is not just some shady operation, especially if the evidence provided is going to be presented in court. Although it shouldn't be a PI license that provides this evidence.
I guess it's too much to expect
It was a cold blustery winter day in Chicago, the kind of cold that chills
McDonalds coffee from "blistering shreds of dangling skin" hot to merely
blistering hot. I downed the last gulp of coffee in my office on the 39th
floor of the Acme building when she walked in the door. A sultry gorgeous
dame, with long billowing blonde hair, and deep green eyes that burned with
angst, and a figure that could pop out eyeballs in a gay bar. I tried to look
her in the eyes but she had a mystique about her, something that told a man
to lower his gaze. I complied with my gut feeling and I wasn't disappointed.
She was to cleavage what Mount Rushmore is to monuments, and in that
second before she spoke, I forgot all about lab reports, stake-out schedules,
and my lost suit at Kim Speedee Dry Cleaning. Her dress was so tight I could
read the J.C. Penney's label on her underwear, and I was damned glad for that.
After an awkward moment she spoke. "Mr. Noir, I have a laptop here. I think
my husband has been using the built in web cam to spy on me when he's out
of town...." I had to stop her there. "Just a minute Miss, I don't even know
who you are." And she had the perfect answer when she replied with "I'm
the widow of the late Johann Marstad, owner of Marstad Industries LTD.
I'm Elenor Marstad. Will you look at this computer and tell me what you
find?"
Of course I had to know more. "Where and when do you normally use this
computer?" I asked inquiringly, and once again she didn't disappoint.
"Mostly late at night, in my bedroom." she unhesitatingly answered. My
mission was rather clear. Find the pictures of a stunning beauty, on a
laptop, showing her using it late at night in her bedroom. I'm a licensed
PI so I have the right to do that. It's right there on the license, just
after the part that gives us the right to spy on ordinary Americans, just
before the section that reads "License to argue with Chief of Police."
I was about to take the laptop when my secretary Sally came in...
So, when a copyright violator gets away (or tries to) with unauthorized reproduction of other people's artwork by claiming she was investigated by an unlicensed investigator, the entire Slashdot is cheering for her. And I only picked the posts moderated at 5...
Other times, we are capable of looking at the requirement with a cooler head and recognize it as worrisome. Even if one accepts that the classic gun-wielding detectives of the Dr. Watson kind should be licensed (and Dr. Watson was not), it should not be necessary for a computer forensics expert.
Licenses in general are a terrible idea, because they are issued (and revoked!) by the Executive branch with very little recourse from the Courts — in fact, this is why the (Executive) government likes them so much. They allow them to twist the businessmen's arms without the troubles of lawsuits. In the city of New York, for example, a driver can not even appeal a driving citation to the real courts — one's only venue is "Traffic Court", where the "judge" is, in fact, a city employee and part of the Executive branch... (That's right — the separation of powers will not help you, if the government of New York City decides to ban you from the "public" roads.)
Making yet another activity require a license is, indeed, a worrisome development.
In Soviet Washington the swamp drains you.
Various definitions:
http://www.google.com/search?q=define%3Aforensic&submit2=Google
More colloquially one could describe forensics as merely data gathering evidence (whether it be used in a formal court of law or not). A parent using forensics software on a child's computer may not be considered forensics to the FBI, but it probably would be to the parent or child. Much the same for internal company forensics. Strict definitions need to keep up with colloquial usage.
Whether "all car repair shops in NY are honest" or not, the licenses do present a mechanism that can hold them accountable and close them down if sufficient effort is put into enforcement. Licensure can often atrophy into a simple tax collected by a licensing authority that doesn't perform proper enforcement procedures for the licenses it issues, but that's not the idea.
Since a private investigator has a license, he's on the hook if he presents incorrect or bullshit evidence to the court. Ordinarily I can't go to a PI with pictures of my wife and my neighbor taken through open windows, and have him photoshop them into obscene pictures that I can take to court for a divorce proceeding, presented as evidence bearing the imprimatur of a licensed investigation. The court would indeed take that type of evidence more seriously than if you just had some friend of yours photoshop his dick into her mouth himself. That wouldn't be admitted as evidence. The PI has got a license; your friend doesn't. If the PI is indeed found to have violated the terms of his license by doing that, he'll lose his license, and may be subject to fines and jail time in addition to those he'd get for falsification of evidence.
A license is just a scrap of paper that means you paid someone for it. Perhaps you passed a test too. That means about as much as that 10th grade biology final that you crammed for the night before and then erased from your brain after the next morning. I'm much more interested in holding people ACCOUNTABLE for their actions than having the government "protect" me.
A license is not just "a scrap of paper" that required a fee for a licensing authority. After your 12th grade finals are over you may find that scraps of paper can do surprising things. They can imbue you with certain legal responsibilities. If you practice medicine, or practice law, or conduct private investigations, you can do certain things the rest of us can't, and you are on the hook for doing them correctly - you're held ACCOUNTABLE for your actions. Doctors, lawyers, and private investigators each bear their own types of accountability. If you make a legal promise to conduct yourself in some way, and the promise you made then gets "erased from your brain after the next morning", you're going to find yourself in a world of hurt. You'll find it's not like studying for finals at all.
A forensic investigator is gathering information that might certainly be used to put someone in jail. "Oh no, I need a license to do that? Waaah!" Well, duh! What if you're incompetent, or a liar, or the darling of law enforcement because you find child porn on every machine that comes in? Do you really think that type of behavior should be legal, or that evidence from your lab should be admissible in courts?
I don't know what he's complaining about; he stands to gain too. They're trying to make everyone imagine that a handful of film-noir private eyes are planning to take over the computer
The usual, IANAL, this isn't legal advice, etc. etc...
However, I am a current, licensed private investigator in Ohio who happens to do digital forensics from time to time. So, I believe that I can shed some experience (or spread some BS) on this subject.
Private Investigation in Ohio is governed by Ohio Revised Code Chapter 4749. To summarize:
- You have to be a licensed investigator to perform investigations for hire. (Meaning you get paid.)
- The exceptions (and there are specific ones listed) boil down to a) insurance adjustors, arson inspectors, forensic accountants, etc., and b) it's part of your normal job (such as a network administrator tracking down a break-in. My example, not the law's.)
- Anything you do for yourself is, well, for yourself, and doesn't require a license.
A lot of other states have a similar setup.
Now, without having read the actual proposed law in South Carolina (this is /., after all), I would say that it sounds like a bad idea. An investigator license is not a magic wand to say that you are an expert, and the summary makes it sound like having a PI license gives you almost automatic "expert witness" status. (From my IANAL point of view, that is a specific determination that the court has to make, and normally they don't take it lightly.)
PI licenses are used to regulate who goes around snooping into other people's information. There are specific criminal penalties for performing investigation services, for hire, without a license; I believe that it keeps the people honest (in Ohio, Homeland Security oversees the licensing!), and prevents a lot of wasted time and money on some Magnum wannabe who ends up doing more damage to his clients' cases/circumstances than good.
As far as I can tell, those who do purely "digital forensics" are the equivalent of DNA lab techs or fingerprint analysts: They perform a technical function whose methods and findings are narrow, reviewable, and (should be) reproducible. The aspect of "investigation" only comes in when you begin to track down names, background, places, and faces relevant to the process. Despite what CSI: Miami tries to put out, lab guys are not normally the folks interviewing the suspects and poking holes in alibis; they deal with facts and findings. (More like Abby on NCIS.)
Which leads to the counter-proposal from the Nevada situation: If the courts already have a tried-and-true method of determining what an "expert witness" is, there really isn't a need for another licensing agency. Yes, courts can and do rely on licensing for some determinations, but again, they use experience, knowledge, reproducibility, and accepted methodology as real determining factors. That way, a medical license isn't an automatic "my opinion is indisputable" stamp.
I think South Carolina is either overreacting or trying to pay off a party contributor....but hey, what do I know? (Or, how could I find out? :-)
And yes, I realize that I said I "do computer forensics." Being a geek with a license, it's easier (and much faster and cheaper for the client) to do a forensic run-through myself than to hire it out to a lab every time. But I also know my own limitations, and quickly admit when/if I ever get over my head and need to call in the hard-core experts.
Never confuse movement with action. --Hemingway
From the Code of Virginia:
9.1-138. Definitions.
"'Private investigator' means any individual who engages in the business of, or accepts employment to make, investigations to obtain information on (i) crimes or civil wrongs; (ii) the location, disposition, or recovery of stolen property; (iii) the cause of accidents, fires, damages, or injuries to persons or to property; or (iv) evidence to be used before any court, board, officer, or investigative committee."
and
9.1-139. Licensing, certification, and registration required; qualifications; temporary licenses.
"C. No person shall be employed by a licensed private security services business in the Commonwealth as armored car personnel, courier, armed security officer, detector canine handler, unarmed security officer, security canine handler, private investigator, personal protection specialist, alarm respondent, central station dispatcher, electronic security sales representative, electronic security technician's assistant, or electronic security technician without possessing a valid registration issued by the Department, except as provided in this article."
Note, there is very similar language under New York State laws as well. In fact it's all damn near boilerplate, they are so similar. I would suspect several other states therefore have comparable laws on the books already (No, I have not yet bothered to RTFA). Just because lots of people have been doing it for a while because they were/are ignorant of the law does not excuse it. They are committing a Class 1 misdemeanor. Any decent opposing counsel will move to exclude any evidence produced by an unlicensed/unregistered company or person.
9.1-149. Unlicensed activity prohibited; penalty.
"C. Any person convicted of a violation of subsections A or B shall be guilty of a Class 1 misdemeanor."