A recent court decision in the U.S. against a Vancouver-headquartered company that makes computer tracing software underscores how easy it is to invade someone’s privacy in the digital age.
It also demonstrates how ill-equipped traditional law enforcement is when it comes to computer-related crime.
Susan Clements-Jeffrey, a 52-year-old Ohio woman, was given the green light August 22 to sue Absolute Software Inc. – the American subsidiary of Vancouver-based Absolute software Corp. (TSX:ABT) – over allegations the company invaded her privacy when it recorded sexually explicit images of her as part of its attempts to retrieve a stolen laptop.
On September 6, the woman and Absolute reportedly reached an out-of-court settlement for an undisclosed amount. The trial was slated to begin September 12.
Absolute CEO John Livingston did not return calls. However, a company spokesman told Business in Vancouver, “It’s Absolute’s policy not to comment on active legal cases.”
On August 22, the Ohio District Court rejected Absolute’s application for a summary judgment that its theft recovery agent acted properly when he recorded Clements-Jeffrey naked as part of its investigation. The decision cleared the way for Clements-Jeffrey to sue for invasion of privacy.
According to the written judgment, Clements-Jeffrey bought a laptop from one of her students for $60 in 2008. She claimed she was unaware that the laptop had been stolen from the school district where she worked as a substitute teacher.
The hard drive had been wiped clean, which is why she thought it was being sold so cheaply. She was able to have the operating system restored.
Remote protection
The school district that owned the device had a contract with Absolute to protect its computer with LoJack for Laptops, which allows Absolute to trace and monitor a lost or stolen computer.
When the computer is used to log on to the Internet, Absolute’s security unit can identify the IP address and can remotely lock it up, erase files or monitor any communications.
Once the company has the IP address, it can forward the information to police. But in the recent Ohio case, Absolute’s theft recovery officer, Kyle Magnus, went further than that.
According to Justice Walter Herbert Rice, Magnus infringed on Clements-Jeffrey’s privacy when he recorded sexually explicit web chats between her and an old boyfriend she had recently reconnected with.
Magnus also recorded computer keystrokes and websites Clements-Jeffrey had visited. He also took three sexually explicit screen shots of Clements-Jeffrey while she was chatting with her former boyfriend.
When Springfield, Ohio, police showed up to arrest her for possessing stolen property (the charges were dropped), they brandished the lewd photos Absolute had provided. She sued both Absolute and the Springfield police.
Absolute argued that Clements-Jeffrey should have known the laptop was stolen and therefore had no legitimate expectation of privacy. Rice disagreed.
“It is one thing to cause a stolen computer to report its IP address or its geographical location in an attempt to track it down,” he wrote. “It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.”
Rice said Absolute “crossed an impermissible boundary when they intercepted Plaintiffs’ instant messages and webcam communications. A reasonable jury could also find that such conduct would cause a person of ordinary sensibilities to suffer shame and humiliation.”
Dale Jackaman, a private investigator and president of Amuleta Computer Security Inc., which specializes in cybercrime and computer security, said an IP address alone may not be enough to locate a computer. It could be the IP address of a firewall with several computers behind it, he said.
Once armed with an IP address, it should have been up to Springfield police to take it from there and conduct the investigation.
In reality, law enforcement agencies may not have the time, manpower or technical wherewithal that a company like Absolute or Amuleta has to collect the information needed to conduct a proper investigation.
Police in the U.S. also are required to obtain warrants for things like wiretaps – something they might not even bother applying for if it’s simply a case of retrieving a stolen laptop or smartphone.
“Private companies have a lot more ability to do these sort of things and get away with it,” Jackaman said.
“We’re getting a lot of cybercrime-related stuff because law enforcement is just not answering the call. They just don’t have the resources or facilities or the people to do it, so we’re getting dragged in more and more.”
Canadian judgment
Sara Levine, a Vancouver lawyer specializing in privacy and freedom of information law, said she believes that if Absolute had been caught doing surveillance on a Canadian citizen, a Canadian judge would very likely have come to a similar ruling as Rice did in the U.S.
“I don’t think the fact that the computer is stolen would give anyone, let alone a third party, the right to use it to undertake surveillance of the people who are using the computer,” Levine said. “It is clearly an invasion of privacy and an unauthorized collection of personal information.”
Canadians’ rights to privacy are set out in provincial and federal acts: B.C.’s Personal Information Protection Act and the federal Personal Information and Protection and Electronic Documents Act (PIPEDA).
Anyone who breaches those acts can be sued in civil court and the complainant does not have to prove injury.
“There are private-sector laws that would give people rights to make claims against any company that would collect their personal information in this manner,” Levine said.
Absolute’s software is used to track and protect 5.8 million computers worldwide. Apart from the privacy concerns the Clements-Jeffrey case raises, privacy groups also have raised concerns about companies using tracing software to monitor employees’ private communications either during work or in off hours but using company computers and devices.
Companies do have the right to monitor email and other communications of its employees on company time and company devices. However, it has to be reasonable, says Micheal Vonn, policy director for the BC Civil Liberties Association.
A company that intercepts a private email between an employee and his or her spouse about a doctor’s appointment, for example, might be crossing the line.
“You obviously don’t have the same amount of privacy protection you have in your private life in an office environment,” Vonn said. “But it has to be justified and proportional.” •
