hb504_LC_29_2714_a_2.html by k at 6:43 pm EST, Feb 22, 2007
Presumably Decius is concerned primarily with the definition apparently now covering computer security analysis as follows (excisions mine, for clarity): 'Private detective business' means ... the business of obtaining or furnishing, or accepting employment to obtain or to furnish, information, including ... digital or electronic information, with reference to: ... (C) The location, disposition, or recovery of lost or stolen property; (D) The cause or responsibility for ... losses, ... damage, ...
I have to admit it seems rather absurd to require that the nerds going through your server logs be licensed PIs. That being said, given the potential for such data to be used as evidence, it wouldn't hurt for them to be trained in the relevant laws thereof. I'm not certain I see categorically how removing a virus would fall into these provisions, however, and I'd like to hear what I've missed. Perhaps insofar as it would require you as an IT professional to "furnish information" that the "losses" resulting from downed computers were due to such-and-such virus in the course of your removal of it? Anyway, I think there are two different aspects to consider here. The first is your normal IT functions, such as virus and spyware removal, the configuring and monitoring of firewalls, etc., and the second is more advanced computer security such as responding to system compromises, "forensic" data analysis, systems fraud monitoring, etc. The former, I'd think, should be pretty much completely exempt from any sort of regulation. The latter, on the other hand, as I've said, has implications for evidence and the potential recovery of losses or the prosecution of a criminal investigation. Given that, I actually don't oppose the notion that such workers should be verifiably conversant in the legalistic aspects of their work. As a matter of fact, I'm kind of surprised that those kinds of activities aren't already considered as being the exclusive jurisdiction of "the Law". Allowing company employees to process information that exposes the perpetrator of an alleged criminal act seems rather like allowing the fox (or, perhaps, merely the fox's close friend) to guard the henhouse. Don't confuse my statements with endorsing this law, mind you. I absolutely don't think the law as it stands addresses what I'm talking about.
Neither kind of work is quite the same as existing licensed PI or PS activities where you have trained personnel, frequently armed, handling physical security or so forth. -k
RE: hb504_LC_29_2714_a_2.html by Decius at 10:04 pm EST, Feb 22, 2007
I'm not certain I see categorically how removing a virus would fall into these provisions, however, and I'd like to hear what I've missed.
If someone comes to you with a computer that they think might be infected with a virus and offers to pay you to look at it and possibly clean it up, you are providing services in which you are collecting information with reference to a crime. The text "crimes against the United States" does not mean circumstances where the federal government is the victim; it means circumstances where a United States law was violated. The distribution of viruses is illegal, and collecting information about that as a work for hire would be, under this law, a felony punishable with prison time. It's worth pointing out that such activity may already be illegal under the present law, but that law has never been enforced in this context. There are clear signs, in particular statements made by the PI board, that certain quarters are interested in seeing that law enforced in this context. With this rule change the risk goes from a minor misdemeanor charge to a felony with serious penalties. The result will be that IT professionals who do not have a background in criminal justice will have to think twice before making any offer to help someone who has been the victim of a computer crime. That is the intent of this bill and the intent of the people who support its enforcement in this context.
Anyway, I think there are two different aspects to consider here. The first is your normal IT functions, such as virus and spyware removal, the configuring and monitoring of firewalls, etc., and the second is more advanced computer security such as responding to system compromises, "forensic" data analysis, systems fraud monitoring, etc. The former, I'd think, should be pretty much completely exempt from any sort of regulation.
This law makes no such distinction, and I don't know how you can distinguish between a spyware infection and a system compromise, nor do I know how you can distinguish between normal IT functions and "systems fraud monitoring." They are the same things. There is a professional practice of detailed computer forensics for the purpose of evidence collection for trial which is separate from normal IT security functions. You'd expect people who offer such services to understand the law of evidence collection, but there is absolutely no reason to require that those people be former police officers. In fact, in dealing with this issue for a year now I have yet to hear anyone offer an articulate explanation of why such a requirement would be desirable.
The latter, on the other hand, as I've said, has implications for evidence and the potential recovery of losses or the prosecution of a criminal investigation. Given that, I actually don't oppose the notion that such workers should be verifiably conversant in the legalistic...