Original URL: http://www.theregister.co.uk/2006/04/26/law_change_for_pis/

Forensic felonies

New law clamps down on PIs

By Mark Rasch

Posted in Media, 26th April 2006 09:08 GMT

A new law in Georgia on private investigators now extends to computer forensics and computer incident response, meaning that forensics experts who testify in court without a PI license may be committing a felony.

In the US television show "Medium," Patricia Arquette's character uses her "special psychic skills" to help solve crimes. If a new law passed by the Georgia legislature but not yet been signed by the Governor goes into effect, not only could Miss Arquette's character face legal troubles, but thousands of computer security consultants would face the very real threat of jail time - simply for plying their trade.

The Georgia law, HB 1259, at first seems innocuous enough. It requires all private investigators in the State of Georgia to be licensed. It is intended to prevent people from simply opening up shop and claiming to be PIs. It requires such PIs to pass an exam, be in business for a particular period of time, be self-regulated, and so on. The problem lies in both the definition and interpretation of what services can only be offered by a licensed PI, and how that extends into the electronic world.

According to the legislature, a private investigator is any person who is in the business of obtaining or furnishing, or accepting employment to obtain or to furnish, information with reference to:

In addition to the aforementioned services, "private detective business" shall also mean providing, or accepting employment to provide, protection of persons from death or serious bodily harm."

Typical "Magnum PI" kind of stuff. The problem is that the statute is written so broadly as to include almost all types of computer forensics and computer incident response – at least when done by outside consultants. After all, when do you need computer forensics, or incident response? Typically, you call in a computer forensics expert when you suspect something "bad" has happened. Thus, you retain the expert to furnish information with respect to possible crimes or wrongs (the phrase against the United States or any State or territory doesn't mean that the State is the victim of the crime, just that it violates the state law.)

You also retain forensic experts to collect evidence about damages and loss to you - from computer viruses, worms, attacks, and so on. You want to know what happened, how it happened, why it happened, and how to prevent it from happening again. You want to know the, "cause and responsibility for ... losses and damage to ... property". Namely, this applies to your computer network and the information contained in it. You also want the information collected in a way so that it can be used in court or by other investigators later on, even if you do not intend to pursue a civil or criminal case. If information is stolen, you want to know the "location, disposition and [ensure the] recovery of lost or stolen property" namely the intellectual property stored on the computer. For all of these things, you would typically hire not a gumshoe, but a forensic expert. Unfortunately, under this new law that forensic expert would be committing a felony.

Forensic expert prosecuted and sued

The Georgia statute was brought to my attention by Scott Moulton. Frequent readers of this space may remember Scott as the person who was criminally prosecuted and civilly sued in Georgia for doing a port scan on a computer system prior to allowing that system to connect to the system he was managing. I wrote a column about it at the time.

Moulton was getting ready to testify as a computer forensics expert in a case in Superior Court of Coweta County, Georgia. This is one of the things that forensics experts do - they explain what they have found in an examination of a computer system, and the court determines whether they have the requisite level of training or expertise to render an opinion that would be helpful to the jury. All sorts of experts do this - not just computer forensic experts.

For example, there are forensic accountants, odontologists, anthropologists, document examiners, pathologists, toxicologists, and even forensic archeologists. These are people who make their living examining evidence and rendering expert opinions on what they see. The goal of their expertise is to determine facts to be presented in court, frequently on issues related to loss, damage, bodily injury, or violations of law. Indeed, under the US Supreme Court's decision on expert witnesses and science, Daubert v Merrill Dow, the court stated that:

"If scientific, technical, or other specialised knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue," an expert, "may testify thereto." The subject of an expert's testimony must be "scientific ... knowledge." The adjective "scientific" implies a grounding in the methods and procedures of science. Similarly, the word "knowledge" connotes more than subjective belief or unsupported speculation. The term "applies to any body of known facts or to any body of ideas inferred from such facts or accepted as truths on good grounds."

Thus, anybody with sufficient training and experience in a recognised scientific field can collect evidence to be presented in court and testify about it. A forensic entomologist can testify in court about bugs - and make a living doing it. A graphologist can not only testify about handwriting, but also collect evidence to support his or her conclusions. The sole tests are whether the opinions are scientifically based, the expert qualified, and the opinion relevant to some issue in the litigation. 'Nuff said.

So, Scott goes to testify as a forensic expert in early April 2006. He is greeted by an agent of the Georgia Bureau of Investigation, the Coweta County Prosecutor, and by a former Cobb County police officer and current Private Investigator. The prosecutor moved to exclude Moulton's testimony on the grounds that Scott was criminally violating the Georgia statute by conducting forensic investigations without a PI license. While the court allowed the testimony, the threat of criminal prosecution against Scott remained – something Scott was of course concerned about, especially in light of his history with criminal prosecutions by the GBI. Scott tried to clarify this point with the Georgia Association of Professional Private Investigators (the PI trade association) who took the position that if you, "conduct an examination of evidence, determine what can be used, compile a report and testify in court" you need to be a licensed PI.

Similar laws in other US states

Now, Georgia is not the only state that requires private investigators or private detectives to be licensed. Indeed, the Georgia law is in fact modeled after similar laws in California, Arizona, Utah, Nevada, Texas, Delaware, and New York, just to name a few. In each of these cases, the law requires that a person providing the defined "investigative" services for remuneration be licensed in that state as a Private Investigator.

In July of 2005, pursuant to the California statute, a company providing forensic computer software and services was prompted to write to the State Bureau of Security and Investigative Services (BSIS), the entity charged with the duty to enforce the PI licensing scheme. The enforcement manager for California at that time issued a formal opinion stating that, "if a person or entity performing a computer forensic investigation within California obtains information that will be used, or results in [anything described in the PI licensing scheme]...a private investigator license is required". But in April of 2006, the BSIS agreed not to enforce this opinion pending review by the Bureau's legal counsel.

In Delaware, State Deputy Attorney General Ralph Durstein issued a letter to the Board of Examiners of Private Investigators (the state licensing agency) in January of 2005 containing the formal legal opinion that forensic specialists, "gather data from computer media", and that "the conduct of a computer forensic specialist is no different from that of a more traditional private investigator or detective, namely seeking information for a client about another person". As such, the AG's office concluded that forensic specialists have to be licensed in Delaware, or face civil or criminal prosecution. This position is officially being challenged by the maker of computer forensic software.

In other states, the legal status of forensic investigators is less than clear. For example, in February, 1991, Arizona Attorney General Grant Woods was asked by a society of professional engineers whether they, in providing engineering consulting services for litigation (forensic engineering) would be required to be licensed as private investigators, since they clearly were collecting information to be presented in court. In saying, "of course you aren't PIs" - that is, discovering the blatantly obvious - Attorney General Woods cited a 1954 California case Kennard v Rosenberg, 127 Cal.App.2d 340, 273 P.2d 839 (1954) where the court found that engineers collecting evidence to be used in court did not have to be licensed PI's under California's statute. This was decided because they, "were licensed engineers and as such were authorized to make investigations in connection with that profession"(Bus & Prof Code, § 6701).

It seems quite clear that the private detective license law was not intended by the Legislature to place a limitation on the right of professional engineers to make chemical tests, conduct experiments and to testify in court as to the results thereof. A physician, geologist, accountant, engineer, surveyor or a handwriting expert, undoubtedly, may lawfully testify in court in connection with his findings without first procuring a license as a private detective, and, as in the instant case, a photographer may be employed to take photographs of damaged premises for use in court without procuring such a license. Likewise, plaintiff Wolfe, who was hired as a consultant and expert and not as a private detective and investigator was not required to have a license as such before being permitted to testify in court as an expert.

Similarly, in New Mexico in 1969, court held that a licensed engineer, gathering evidence and giving an opinion about the speed of a vehicle involved in an accident didn't have to be a licensed private investigator because he was licensed in another profession. Dahl v Turner, 80 N.M. 564, 458 P.2d 816 (1969).

The licensing issue

So here is the problem. Forensic investigators are generally not licensed, certified, registered or regulated. Anybody with some skills (and many without them) can hang a shingle and claim to be a forensic investigator - for money. License a copy of EnCase, hook up a cable to a hard drive and voila - another successful forensic investigation! It is understandable that legislatures might want to regulate this kind of activity. Unlike the cases in New Mexico and California, the people seeking to avoid being regulated as PIs are not licensed elsewhere.

Also, forensic investigators make the argument that they do not "collect" evidence, they merely examine the evidence that is collected by others - typically the client themselves. They review the contents of hard drives, floppies, network files, and other records collected by the client. This argument is not complete either. When the client has failed to collect sufficient evidence (as in, when they are not logging data), the forensic examiner will seek information from third parties, and will cause logging and auditing to be turned on - effectively "collecting" data, or conducting an investigation.

There is a difference between conducting a forensic "examination" of evidence that has already been collected, and conducting a forensic investigation - but not much of a difference. And it is not clear that the statutes mentioned clearly make that distinction. Thus, anyone performing computer forensics or incident response services which seek to find out what happened potentially must be a licensed PI.

What is worse is the fact that internet based crimes occur across jurisdictions, but licensing boards' authority do not. So a company performing computer forensics in Georgia, run by a licensed PI in Georgia who had to examine a hard drive in California, theoretically would either have to obtain a license in California or retain the services of a California PI to do the work. Is this a full employment programme for former cops? Somehow this might, in fact, be the whole idea.

Ex-Sergeant Sam Spade, expert computer forensics PI?

Most PIs lack the skills and training to perform computer forensic functions. Sure, there are PIs who are experts in electronic evidence, but it is hardly a core PI skill set. Moreover, should we then modify the state examinations for PIs to require that the average Sam Spade be rigorously tested on FAT file recovery? To paraphrase Bogart's Sam Spade, "I don't know much, but I know when a man's files are deleted, he's supposed to do something about it". Clearly, if PIs want the exclusive right to do investigations, then they should have to demonstrate competence in the field. Somehow, I think if we did that we would see an immediate and precipitous drop in the number of PIs.

Now there are exceptions to most of these laws. Fortunately for the investigations I conduct and lead, attorneys and those working directly under them are generally exempt under the state PI licensing laws. Similarly, under many of the state licensing schemes in-house experts may also be exempt. But most companies do not have the ability, the resources or the expertise to retain full-time trained computer forensics experts. Nor would such experts benefit from having seen similar situations in other environments. There are both economies and skills to be obtained by outsourcing significant portions of incident response and computer forensics services. And most companies providing detailed forensic services have neither a PI nor an attorney on staff (What? No attorney on staff?!).

Now there obviously comes a point where, in the course of conducting a forensic investigation or incident response, that your average techo-nerd will recognise that he or she is out of his or her league, and needs a real investigator. That's when the PI can and should be called in. Asking the system administrator what logging the company is doing is not the same thing as grilling a suspect - but they both involve asking questions to determine the facts.

I can just see the promo now, Mission Impossible IV - Ethan Hunt, forensic investigator! This movie will self-destruct in five seconds. Good luck.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.