Slashdot Mirror


PI License May Soon Be Required for Computer Forensics

buzzardsbay writes "The good folks over at Baseline Magazine have an intriguing — and worrisome — report on a movement to limit computer forensics work to those who have a Private Investigator license or those who work for licensed PI agencies. According to the story, pending legislation would limit the specialized task of probing deep into computer hard drives, network and server logs for telltale signs of hacking and data theft to the same people who advertise in the Yellow Pages for surveillance on cheating spouses, workers' compensation fraud and missing persons. Those caught practicing computer forensics without a license could face criminal prosecution."

23 of 282 comments

  1. License required for PI by Anonymous Coward · · Score: 4, Funny

    Am I breaking the law for this? 3.14159268

  2. 3.141..... by celardore · · Score: 4, Funny

    I thought this article was about the irrational number at first.

  3. Worrisome? by Shadow+Wrought · · Score: 4, Insightful

    I would think that requiring an Investigative license for doing investigative work would be a good thing.

    --
    If brevity is the soul of wit, then how does one explain Twitter?
    1. Re:Worrisome? by eht · · Score: 4, Insightful

      Depends on how vague it ends up being. Easy to imagine that your home machine gets hacked and then you "investigate" your own machine and give the info over to the FBI or Police, hey look you did forensic work without a license, go directly to jail do *not* pass go.

    2. Re:Worrisome? by Jah-Wren+Ryel · · Score: 5, Insightful

      I agree. Maybe it will get rid of some of the charlatans. The same way driver's licenses keep bad drivers off the road.
      --
      When information is power, privacy is freedom.
    3. Re:Worrisome? by Stripe7 · · Score: 5, Insightful

      Depending on how they define forensic work, a system administrator could be prosecuted for reading the log files for login information, or tracing back history files to see what led to critical system files being corrupted. If these simple daily administrative tasks are classified as forensic it would make it illegal for a system administrator to do his job. With Congress's track record of overly broad definitions and over generalizations, odds are good that this legislation will make a PI license a requirement for all system administrators. Hmm, does this mean I get to carry a gun too?

    4. Re:Worrisome? by Anonymous Coward · · Score: 5, Funny

      Dude, if all sys admins had a gun, the 'net would be a better place. Far less crowded too!

    5. Re:Worrisome? by blueg3 · · Score: 4, Insightful

      Typically investigation is defined as for hire and examining other people's data, not your own. So investigating your own logs, and even a company having permanent staff to investigate their own logs could constitute "security", but hiring someone from another firm to examine your logs after the fact could be "investigation".

    6. Re:Worrisome? by lcoughey · · Score: 5, Insightful

      Being one who has a data recovery company that provides digital forensic services, it is quite frustrating to say the least. To expect a digital forensics expert to have a PI license is as absurd as expecting a PI to have a computer science degree.

      We have been trying to figure out how we can become Private Investigators, but we cannot get answers. Instead, we keep getting passed around the government's phone systems. Some say we have to write an exam that doesn't exist, others say that we should be grandfathered in and others simply shrug their shoulders.

      From what I can tell, this is just another case of where someone has decided that they want all the market to themselves and think they have found a way to make it happen.

    7. Re:Worrisome? by MBCook · · Score: 4, Insightful

      It does. It keeps quite a lot of bad drivers off the road. It just doesn't stop all of them.

      If anyone, with no prior knowledge, was allowed on public roads and highways... don't you think things would be much worse than they are now with licenses?

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    8. Re:Worrisome? by Zeinfeld · · Score: 5, Insightful

      If I did full time forensics I would be much less worried about having to get a license than the ambiguous legal landscape that existed when I did some cases in the mid 90s. You can't preserve the rule of law by breaking it. And even if you do keep to legal methods you have to be sure that you can prove that is what you did or else you can find the criminal you are trying to stop suddenly turns the tables on you.

      I don't think anyone should have to worry about investigating their own machine. But what if you are going to trace the attack to the source? At what point does that become hacking? What if you have someone hand you information that has maybe been obtained by dubious methods? In the 1990s nobody knew where the line was drawn.

      What happens if you hire someone to do that type of work? Are you going to be liable if they use pretexting or the like?

      If Clifford Stoll was using the same techniques today he might well have had some legal issues. Even if you don't break the law you can still ruin the chances of a successful prosecution by contaminating evidence.

      I don't want to have people who are working for me acting as vigilantes. I don't want them to collect information in ways that disrupt Law Enforcement efforts. This is a professional business now and we have to act like professionals. People need to understand that there is a line and consequences for crossing it.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    9. Re:Worrisome? by wcb4 · · Score: 4, Funny

      about $3.14

      --
      I reject your reality ... and substitute my own.
    10. Re:Worrisome? by ocbwilg · · Score: 4, Insightful

      Typically investigation is defined as for hire and examining other people's data, not your own. So investigating your own logs, and even a company having permanent staff to investigate their own logs could constitute "security", but hiring someone from another firm to examine your logs after the fact could be "investigation".

      Yes, but where do you draw the line? It's easy to say that you can investigate anything from within your company. But what if an attack originates from outside your network, comes across the Internet, and compromises machines on your network? Do you start investigating it internally as "security", and then hand it off to someone else (presumably licensed) once you get outside of your network? If that's the case, then won't the perpetrator have a built-in defense in court by claiming that the "internal" part of the investigation that generated the data that was fed to the "outside" investigator wasn't held to the same forensic standards?

      I do see some serious problems with this. Firstly, most PIs are not what I would consider computer forensic experts, computer security experts, or even technology experts. So allowing them to collect forensic data from computers while excluding legitimate computer forensic experts (computer science types) actually lowers the standards. That doesn't make sense. The second problem is that in some states it is not easy to get a PI license, especially if your only investigative training is in computer forensics. Thirdly, because of the global nature of the Internet it means that a forensic investigator who is investigating a compromise in New York may also need to have a PI license in all 49 other states just in case they might have to collect evidence from a system in one of those states. It just doesn't make sense.

      Then there's the fact that this law will dramatically reduce the number of people legally allowed to practice computer forensics and testify in court. How does that affect expert witnesses? If you're charged with a computer-related crime and the only 7 firms licensed as PI/Computer Forensic Experts in the state all work with police departments, how do you find an expert witness to rebut their testimony? I can foresee circumstances where a traditional PI with a "point and click" forensics program provides the police with allegedly ironclad evidence that is more full of holes than Swiss cheese, and the defendant not being able to discredit/rebut the evidence because their own expert witness isn't licensed in the state.

  4. Already Required in Texas by Anonymous Coward · · Score: 5, Informative

    Texas already requires that computer forensics investigators be licensed PIs. The requirement isn't just window dressing, either. Getting a PI license is tough there. That's why there are only about a dozen licensed computer forensics investigators in the entire state. Um, and Media Sentry sure as hell ain't one of them...

  5. This is good!? by NFN_NLN · · Score: 4, Insightful

    How is this a bad thing? Requiring a PI license would imply some level of legitimacy.

    "So long as computer forensic specialist implies a PI license" AND NOT "a PI license implies a computer forensic specialist".

    1. Re:This is good!? by GNUALMAFUERTE · · Score: 4, Funny

      That's because I have a /. Calendar. After December 2007, there is a dupe.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
  6. I don't see the problem by Urger · · Score: 4, Funny

    After all, PIs get to drive around in their employer's red Ferrari and have witty repartee with the English Estate manager (who may or may not be ghostwriting the employer's books) while having casual sexual relationships with clients. In Hawaii. Am I right here folks?

  7. Not necessarily a bad thing by the_humeister · · Score: 4, Insightful

    Although I don't think the license should be a PI license. Rather, it should be computer forensics license. Someone with a PI license doesn't necessarily know jack about computers.

  8. protectionism... by j0nb0y · · Score: 5, Insightful

    This is just protectionism...

    Most states have ridiculous requirements for getting a PI license. You basically can't get one in many states unless you've been a police officer. There is no public interest reason to do this. Requiring the PI license for this is just a gift to all the people who already have PI licenses.

    I haven't looked at computer forensics recently, but when I did (roughly five years ago), there were some problems with it. Basically, because of the way that courts certify experts to testify in court, it was impossible to hire a computer forensic expert to work for the defense. It went something like this:

    1. To testify as an expert in court, you have to be a member of the leading professional body for your field.
    2. The leading professional body of computer forensic experts forbade its members from working for the defense.

    Obviously that's problematic. Hopefully it's changed by now.

    The other thing I thought was really funny was the way that most computer crime labs staff up with "experts". Rather than hiring people with computer science degrees and training them on how to do police work, they tend to hire police officers and then train them on computer forensics. The good ole boy system at work.

    --
    If you had super powers, would you use them for good, or for awesome?
  9. Re:Worrisome? RTFA by Watson+Ladd · · Score: 5, Informative

    The bills being considered are only about forensic evidence presented in court.

    --
    Inventions have long since reached their limit, and I see no hope for further development. -- Frontinus, 1st cent. AD
  10. Re:Worrisome? RTFA by BarryJacobsen · · Score: 4, Funny

    The bills being considered are only about forensic evidence presented in court.

    Darn you with your "facts" and "reading the article"! Where's the hearsay and made up statistics, dammit!
  11. Right. I can see Guy Noir investigating now. by ydra2 · · Score: 5, Funny

    It was a cold blustery winter day in Chicago, the kind of cold that chills
    McDonald's coffee from "blistering shreds of dangling skin" hot to merely
    blistering hot. I downed the last gulp of coffee in my office on the 39th
    floor of the Acme building when she walked in the door. A sultry gorgeous
    dame, with long billowing blonde hair, and deep green eyes that burned with
    angst, and a figure that could pop out eyeballs in a gay bar. I tried to look
    her in the eyes but she had a mystique about her, something that told a man
    to lower his gaze. I complied with my gut feeling and I wasn't disappointed.
    She was to cleavage what Mount Rushmore is to monuments, and in that
    second before she spoke, I forgot all about lab reports, stake-out schedules,
    and my lost suit at Kim Speedee Dry Cleaning. Her dress was so tight I could
    read the J.C. Penney's label on her underwear, and I was damned glad for that.

    After an awkward moment she spoke. "Mr. Noir, I have a laptop here. I think
    my husband has been using the built in web cam to spy on me when he's out
    of town...." I had to stop her there. "Just a minute Miss, I don't even know
    who you are." And she had the perfect answer when she replied with "I'm
    the widow of the late Johann Marstad, owner of Marstad Industries LTD.
    I'm Elenor Marstad. Will you look at this computer and tell me what you
    find?"

    Of course I had to know more. "Where and when do you normally use this
    computer?" I asked inquiringly, and once again she didn't disappoint.
    "Mostly late at night, in my bedroom." she unhesitatingly answered. My
    mission was rather clear. Find the pictures of a stunning beauty, on a
    laptop, showing her using it late at night in her bedroom. I'm a licensed
    PI so I have the right to do that. It's right there on the license, just
    after the part that gives us the right to spy on ordinary Americans, just
    before the section that reads "License to argue with Chief of Police."

    I was about to take the laptop when my secretary Sally came in...

  12. A current private investigator geek by happyslayer · · Score: 5, Informative

    The usual, IANAL, this isn't legal advice, etc. etc...

    However, I am a current, licensed private investigator in Ohio who happens to do digital forensics from time to time. So, I believe that I can shed some experience (or spread some BS) on this subject.

    Private Investigation in Ohio is governed by Ohio Revised Code Chapter 4749. To summarize:

    • You have to be a licensed investigator to perform investigations for hire. (Meaning you get paid.)
    • The exceptions (and there are specific ones listed) boil down to a) insurance adjustors, arson inspectors, forensic accountants, etc., and b) it's part of your normal job (such as a network administrator tracking down a break-in. My example, not the law's.)
    • Anything you do for yourself is, well, for yourself, and doesn't require a license.

    A lot of other states have a similar setup.

    Now, without having read the actual proposed law in South Carolina (this is /., after all), I would say that it sounds like a bad idea. An investigator license is not a magic wand to say that you are an expert, and the summary makes it sound like having a PI license gives you almost automatic "expert witness" status. (From my IANAL point of view, that is a specific determination that the court has to make, and normally they don't take it lightly.)

    PI licenses are used to regulate who goes around snooping into other people's information. There are specific criminal penalties for performing investigation services, for hire, without a license; I believe that it keeps the people honest (in Ohio, Homeland Security oversees the licensing!), and prevents a lot of wasted time and money on some Magnum wannabe who ends up doing more damage to his clients' cases/circumstances than good.

    As far as I can tell, those who do purely "digital forensics" are the equivalent of DNA lab techs or fingerprint analysts: They perform a technical function whose methods and findings are narrow, reviewable, and (should be) reproducible. The aspect of "investigation" only comes in when you begin to track down names, background, places, and faces relevant to the process. Despite what CSI: Miami tries to put out, lab guys are not normally the folks interviewing the suspects and poking holes in alibis; they deal with facts and findings. (More like Abby on NCIS.)

    Which leads to the counter-proposal from the Nevada situation: If the courts already have a tried-and-true method of determining what an "expert witness" is, there really isn't a need for another licensing agency. Yes, courts can and do rely on licensing for some determinations, but again, they use experience, knowledge, reproducibility, and accepted methodology as real determining factors. That way, a medical license isn't an automatic "my opinion is indisputable" stamp.

    I think South Carolina is either overreacting or trying to pay off a party contributor....but hey, what do I know? (Or, how could I find out? :-)

    And yes, I realize that I said I "do computer forensics." Being a geek with a license, it's easier (and much faster and cheaper for the client) to do a forensic run-through myself than to hire it out to a lab every time. But I also know my own limitations, and quickly admit when/if I ever get over my head and need to call in the hard-core experts.

    --
    Never confuse movement with action. --Hemingway