Posted on 03/11/2006 8:16:58 AM PST by atomic_dog
What: International Airport Centers sues former employee, claiming use of a secure file deletion utility violated federal hacking laws.
When: Decided March 8 by the U.S. Court of Appeals for the 7th Circuit.
Outcome: Federal hacking law applies, the court said in a 3-0 opinion written by Judge Richard Posner.
What happened, according to the court: Jacob Citrin was once employed by International Airport Centers and given a laptop to use in his company's real estate related business. The work consisted of identifying "potential acquisition targets."
At some point, Citrin quit IAC and decided to continue in the same business for himself, a choice that IAC claims violated his employment contract.
Normally that would have been a routine business dispute. But the twist came when Citrin dutifully returned his work laptop--and IAC tried to undelete files on it to prove he did something wrong.
IAC couldn't. It turned out that (again according to IAC) Citrin had used a "secure delete" program to make sure that the files were not just deleted, but overwritten and unrecoverable.
In most operating systems, of course, when a file is deleted only the reference to it in the directory structure disappears. The data remains on the hard drive.
But a wealth of programs like PGP, open-source programs such as Wipe, and a built-in feature in Apple Computer's OS X called Secure Empty Trash will make sure the information has truly vanished.
Inevitably, perhaps, IAC sued. The relevance for Police Blotter readers is that the company claimed that Citrin's alleged secure deletion violated a federal computer crime law called the Computer Fraud and Abuse Act.
That law says whoever "knowingly causes damage without authorization" to a networked computer can be held civilly and criminally liable.
The 7th Circuit made two remarkable leaps. First, the judges said that deleting files from a laptop counts as "damage." Second, they ruled that Citrin's implicit "authorization" evaporated when he (again, allegedly) chose to go into business for himself and violate his employment contract.
The implications of this decision are broad. It effectively says that employees better not use OS X's Secure Empty Trash feature, or any similar utility, because they could face civil and criminal charges after they leave their job. (During oral argument last October, one judge wondered aloud: "Destroying a person's data--that's as bad as you can do to a computer.")
Citrin pointed out that his employment contract permitted him to "destroy" data in the laptop when he left the company. But the 7th Circuit didn't buy it, and reinstated the suit against him brought by IAC.
Excerpts from Posner's opinion (click here for PDF), with parentheses in the original: The provision of the Computer Fraud and Abuse Act on which IAC relies provides that whoever "knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer (a defined term that includes the laptop that Citrin used)," violates the Act. Citrin argues that merely erasing a file from a computer is not a "transmission." Pressing a delete or erase key in fact transmits a command, but it might be stretching the statute too far (especially since it provides criminal as well as civil sanctions for its violation) to consider any typing on a computer keyboard to be a form of "transmission" just because it transmits a command to the computer...
Citrin's breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC's agent--he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship...
Citrin points out that his employment contract authorized him to "return or destroy" data in the laptop when he ceased being employed by IAC (emphasis added). But it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have--if only to nail Citrin for misconduct. The purpose of the provision may have been to avoid overloading the company with returned data of no further value, which the employee should simply have deleted.
More likely the purpose was simply to remind Citrin that he was not to disseminate confidential data after he left the company's employ--the provision authorizing him to return or destroy data in the laptop was limited to "Confidential" information. There may be a dispute over whether the incriminating files that Citrin destroyed contained "confidential" data, but that issue cannot be resolved on this appeal. The judgment is reversed with directions to reinstate the suit, including the supplemental claims that the judge dismissed because he was dismissing IAC's federal claim.
I see that activist judges have now done away with the presumption of innocence.
If they don't like it, maybe they should hire a lawyer to write up a better employment contract.
A laughable decision, which makes it all the scarier. Does this mean you can't defrag your drive?
It wasn't his drive.
This is a civil suit not a criminal one. You have read between the lines here. Citrin obviously started his new competing company before he left his employment, like many employees do. All this case says is that the employer has a cause of action for destruction of data against Citrin. In this case it will be virtually impossible to assess damages for this act because the employer will never be able to establish what this data would have yielded them had it not been destroyed.
I think that a presumption of innocence only applies in criminal matters, not in civil litigation.
BUMP!
Yes, that is scary.
The fact that it's a civil case makes it even scarier. There are fewer checks and balances operating on trial lawyers than on cops, after all. Meanwhile, don't expect this will escape the notice of cops. An interesting and rather chilling precedent has been set regarding the interpretation of laws which will have puppies, count on it.
I understand it was not his drive. What it does is open the door for lawsuits against any of us if we erase any data on our company-owned PCs, particularly if the act is followed at a later date with a defrag operation, which can have the same impact on recoverability as use of a wiping utility. This is especially worrisome if you're in a corporate political battle with someone--a boss, a co-worker, a rival--who plays dirty. Clear your browser cache and at some later date defrag your drive-- wham, you're nailed. "You are charged with misuse of corporate assets, namely reading the ultra-right-wing FreeRepublic on your coffee break. You purposely and willfully attempted to cover up your bad acts."
Just be careful, is all. The precedent this sets is not a friendly one.
Your drive? Sure. Your bosses? Get permission first.
With the decreasing cost of USB flash drives, it would make sense to keep all your personal/private data on a personally-purchased flash drive.
Using a flash drive is a good idea but doesn't address all possible "incrimination". The example I gave of flushing your PC's web browser cache is a good example.
On IE, you can specify where the cache goes. Put it on your flash drive. Then your browser cache never existed on your hard drive
Of course, that is clearly intent to cause harm to the PC by removing files so they cannot be retrieved. Some jury somewhere will find that equivalent to erasure.
I have a feeling that this one is going to SCOTUS. The only judges who actually know what a computer is are Alito and Roberts.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.