March 10, 2006 10:32 AM PST

Police blotter: Ex-employee faces suit over file deletion

"Police blotter" is a weekly report on the intersection of technology and the law.

What: International Airport Centers sues former employee, claiming use of a secure file deletion utility violated federal hacking laws.

When: Decided March 8 by the U.S. Court of Appeals for the 7th Circuit.

Outcome: Federal hacking law applies, the court said in a 3-0 opinion written by Judge Richard Posner.

What happened, according to the court: Jacob Citrin was once employed by International Airport Centers and given a laptop to use in his company's real estate related business. The work consisted of identifying "potential acquisition targets."

At some point, Citrin quit IAC and decided to continue in the same business for himself, a choice that IAC claims violated his employment contract.

Normally that would have been a routine business dispute. But the twist came when Citrin dutifully returned his work laptop--and IAC tried to undelete files on it to prove he did something wrong.

IAC couldn't. It turned out that (again according to IAC) Citrin had used a "secure delete" program to make sure that the files were not just deleted, but overwritten and unrecoverable.

In most operating systems, of course, when a file is deleted only the reference to it in the directory structure disappears. The data remains on the hard drive.

But a wealth of programs like PGP, open-source programs such as Wipe, and a built-in feature in Apple Computer's OS X called Secure Empty Trash will make sure the information has truly vanished.

Inevitably, perhaps, IAC sued. The relevance for Police Blotter readers is that the company claimed that Citrin's alleged secure deletion violated a federal computer crime law called the Computer Fraud and Abuse Act.

That law says whoever "knowingly causes damage without authorization" to a networked computer can be held civilly and criminally liable.

The 7th Circuit made two remarkable leaps. First, the judges said that deleting files from a laptop counts as "damage." Second, they ruled that Citrin's implicit "authorization" evaporated when he (again, allegedly) chose to go into business for himself and violate his employment contract.

The implications of this decision are broad. It effectively says that employees better not use OS X's Secure Empty Trash feature, or any similar utility, because they could face civil and criminal charges after they leave their job. (During oral argument last October, one judge wondered aloud: "Destroying a person's data--that's as bad as you can do to a computer.")

Citrin pointed out that his employment contract permitted him to "destroy" data in the laptop when he left the company. But the 7th Circuit didn't buy it, and reinstated the suit against him brought by IAC.

Excerpts from Posner's opinion, with parentheses in the original:

The provision of the Computer Fraud and Abuse Act on which IAC relies provides that whoever "knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer (a defined term that includes the laptop that Citrin used)," violates the Act. Citrin argues that merely erasing a file from a computer is not a "transmission." Pressing a delete or erase key in fact transmits a command, but it might be stretching the statute too far (especially since it provides criminal as well as civil sanctions for its violation) to consider any typing on a computer keyboard to be a form of "transmission" just because it transmits a command to the computer...

Citrin's breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC's agent--he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship...

Citrin points out that his employment contract authorized him to "return or destroy" data in the laptop when he ceased being employed by IAC (emphasis added). But it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have--if only to nail Citrin for misconduct. The purpose of the provision may have been to avoid overloading the company with returned data of no further value, which the employee should simply have deleted.

More likely the purpose was simply to remind Citrin that he was not to disseminate confidential data after he left the company's employ--the provision authorizing him to return or destroy data in the laptop was limited to "Confidential" information. There may be a dispute over whether the incriminating files that Citrin destroyed contained "confidential" data, but that issue cannot be resolved on this appeal. The judgment is reversed with directions to reinstate the suit, including the supplemental claims that the judge dismissed because he was dismissing IAC's federal claim.

WHAT IF I LOST THE LAPTOP?
by james_bondad March 10, 2006 10:58 AM PST
Let's say instead of returning a deleted laptop hard drive, Citrin
"accidentally" lost the laptop. Or it was run over by a truck followed
by an SUV. Much like what happened to poor Ben Stiller in "Duplex".
Then Citrin tells IAC that he'd compensate the loss.

Will he still be in trouble?
if he lost the laptop
by declan00 March 10, 2006 11:00 AM PST
If he honestly lost the laptop, or it was stolen, or it was run over by a steamroller, he'd be off the hook. This is one reason why it's a remarkable opinion.
"Loss" would be, presumably, unintentional
by Zymurgist March 10, 2006 2:07 PM PST
The point would be that a loss would be
unintentional, so that would be okay. It's
intent that matters.

This is a dim-witted decision, though. It
disregards the letter of the law, so it's likely
to be overturned. First, the law explicitly
refers to "networked" computers and refers
throughout to activity conducted on a computer
network. Presumably, networking was never
involved.

Further, it is a stretch to consider deleting
files unrelated to the actual operation of the
computer "damage" to the system as defined - be
it simple deletion or wiping. It's destruction
of data that may belong to the employer, yes,
but that's not the complaint presented.

There oughtn't be a distinction between wiping
and simple deletion. It's not reasonable to
believe that a file will be recoverable. What if
DiskKeeper was on there and defragged the disk
between the time he deleted the files normally
and the time he passed in the laptop. A good
defragmentation post deletion would (could) have
the same effect, and the user might not even
know that happened.

No, the issue should be: did he willfully delete
the data, and in doing so did he violate the
stated terms of company policy? Deleting files
that you created / had ownership of is part of
normal computer usage. Presumably there's some
agreement that the employer has rights to what
he produces, but that should be spelled out
already and that should be the core of the
dispute.
LESSON LEARNED -- LOSE THE LAPTOP
by james_bondad March 10, 2006 2:45 PM PST
In the event I get into the same sticky situation, I'd just "lose" the
item.

I would invite my ex-boss over breakfast on a lovely morning
cruise to the Bahamas. I'd pretend to type some e-mail as I got
inspired with the ocean's tranquility. Then I would pretend
suddenly suffering from motion sickness. I'd tip it over so it
falls in the bowels of the great blue sea. Then look at him and
say, "Ooops!"
Posner should be too smart for this
by curtiscarmack March 10, 2006 12:00 PM PST
When a guy as smart as Richard Posner writes an opinion like this, it just serves to show that analysis disconnected from reality can lead to a lot of trouble. The honorable Mr. Posner should know better, given his law & economics background. I certainly hope that this does not become the law of the land in this country.
What if it's standard practice?
by inthewoods March 10, 2006 12:37 PM PST
I can't help but wonder how it might affect the case if he were able to show that every system he controlled ran scheduled or automatic secure deletes. That's the rule vs. exception in my system community.
The Courts screwed this one up...
by dargon19888 March 10, 2006 12:55 PM PST
Secure Delete vs Delete?
It shouldn't matter.

While the laptop is in the possession of the employee, it is his/her responsibility to maintain the integrity of the laptop. They are responsible for the data on the laptop. This includes deletion of the data.

Unless the IAC had an explicit corporate policy governing the use of any such "secure" deletion software, then he should be in the clear.

Of course, what's to say that he deleted the files and then downloaded copies of DVDs he rented to his hard drive? (repeatedly).

The author is correct that normal deletes just remove the inode reference. (Unix) And the OS then reclaims the disk space. So if he used the normal delete and then reused the disk space for something else, then IAC would still be out of luck.
Defragging helps too
by joshuaguttman March 10, 2006 1:29 PM PST
An easy way to protect most of your deletes is to delete the files first, and then run defragmenting software. Defragmenting moves parts of a file closer together and generally reorganizes the disk significantly if there are a lot of empty spots (caused by deleting the files).
Use a clorox wipe, go to prison?
by gerhard_schroeder March 10, 2006 12:56 PM PST
What's next? Using a clorox wipe to clean your desk results in prison time for "removing fingerprints"... uhhh... yeah...
I always Wipe
by joshuaguttman March 10, 2006 1:24 PM PST
I always wipe my computer when I leave a job. I make sure they have a copy of all my work. I never do anything wrong, but I'm the little guy and they are the big guys. So suing me, even without cause, would be a big waste of my time and money so I always wipe out anything personal before leaving.
Hype - this has no implications whatsoever
by chassoto--2008 March 10, 2006 2:11 PM PST
Honestly, I don't see a problem. The minute he terminated his
employment, he should have handed over the laptop, nothing
more (and courts decide matters of fact, not website "police
blotters"). The act of deleting files was probably a violation of
his terms of employment, or even a violation of law. I take issue
with this statement from the article:

"Normally that would have been a routine business dispute. But
the twist came when Citrin dutifully returned his work laptop--
and IAC tried to undelete files on it to prove he did something
wrong."

Proof that he deleted work he was hired to do is prima facie
evidence that he destroyed the company's work, and by this
judgement, violated the law.

The implications for this are not broad at all. You are already
not allowed to destroy your employer's data. Sorry, but it's no
leap of logic to believe that deleting data (the company's work
for hire) such that it's unrecoverable is legitimate damage. This
ruling changes nothing, except perhaps for Citrin. News.com is
again overhyping a non-issue.

Charles
That is an assumption
by grossph March 10, 2006 3:00 PM PST
You are assuming he deleted all the work he did for his employer and they don't have a copy of it. If that is the case then yes he deleted and your argument might be valid.

But if all files he worked on for the company were provided or backed up on a server, then the mere deletion of a computer file is not destruction of corporate property. That would be like saying, I get an email from a person on my corporate laptop and decide it is nothing of importance and I delete it. Am I now in violation of the law?

I do believe it was a stretch to say pressing the delete key is a transmission. If that is the case then pressing the delete key while typing a sentence could get you thrown in jail.

Old judges that don't understand technology should not rule on the details of a technology case...I know that sounds harsh, but if you don't understand the law you shouldn't rule, so why should it be any different if they don't understand the technology and base their ruling on the technology.
News.com should avoid FUD.
by SmyersM March 11, 2006 1:15 AM PST
The data was the property of the company. He deleted data that he knew would have value to the company, that they paid him to acquire. He took their money and deleted what they paid him for.

The tagline/summary is inaccurate and an attempt to bring in more readers.

He is at fault for destruction of company property. If he deleted his sexy pictures that would be a different story.

One ***** in the armor -- How do they prove the data he deleted was company property -- how can they prove he didn't just secure delete his pr0n.

Food for thought.
hmm, filtered words
by SmyersM March 11, 2006 1:24 AM PST
c h i n.k in the armor is a filtered word. wonderful.
They did not prove that he deleted anything of value
by Bill Dautrive March 12, 2006 7:13 PM PST
It is a bad decision, period.
3 posts? Thanks for the 404 when I clicked submit...
by SmyersM March 11, 2006 1:20 AM PST
Yeah, good programming. And I can't delete the dupe posts.
Mediocre law, asinine judges...
by Earl Benser March 11, 2006 4:49 AM PST
... didn't know you can hang a man for what he COULD have done.
That's a new development in legal principles. Or a new low in
judicial competence.
Oh well, there goes the fourth amendment!
by heystoopid March 12, 2006 4:44 PM PST
The appeal court judges have failed to apply the fourth amendment as originally intended!

Such is life as the justices continue to downgrade the constitution, and replace it with expedience!
Not a privacy violation
by bgmason March 13, 2006 7:38 AM PST
An employer owns all business related data on all computers, phones, pda, etc. that was developed, discovered or improved by an employee while under employment. Deleting that data is no different than stealing a file folder from a filing cabinet. In this case it was compounded because Citrin had access to, and presumably kept, information that may benefit his new business at the expense of IAC.

On the flip side IAC is negligent in protecting its own data which could bring an interesting argument to the table. If IAC felt that the data was so important why didn't they take steps to have the laptop backed up on a regular basis? Since it did not, is it Citrin's fault?
Unintended consequences!
by WornHall March 13, 2006 9:18 AM PST
Courts can't say "This is over our heads" or "We do not have the time to study this case enough to render a verdict from new knowledge of the subject or the core principles of the case." However, this is the case here and many other cases involving programs. Sometimes, courts move slowly enough such that public feedback prevents decisions that have damaging results such as in the huge Microsoft proceedings.

This case was wrongly decided because of hubris; the judges proudly assumed (they had) adequate knowledge and intelligence to see the principles of this case. Clearly, they did not.

The target of this case is the consultant who merely improved the workings of the provided computer by actually wiping deleted space. In doing so error dumps become smaller because the error report can compress images of affected areas by summarizing data (lines m to n: all x'00') and eliminate "eye traps" of familiar data images. The concept of a temporary file record buffer having real or non-real information is quite obscure for a "layman". Similarly, the question of who "owns" deleted space in a computer buffer is fraught with problems: theoretically, a consultant could gain insight into business data or processes, especially error handling which is the weak underbelly of any operating system!

So, the defendant shielded himself from acquiring such information, and now, after the court's decision, no others will be able to create such a shield; they will acquire the information by happenstance, or be misled by dump information, or merely waste space and time because the next consultant cannot do a "real" delete.

Of course, the "condemned consultant" could have achieved the very same results, clearing unused physical hard drive space, by doing a simple, highly recommended task, namely, defrag. This task improves the entire operation of a computer because it calls together all the pieces of any object that is NOT deleted. Recapturing wasted space dramatically improves the physical task of accessing data because the process pulls all objects into logical and physical sequence; the read/write process against a busy file can improve many times over as the 4k buffers are no longer scattered over the drive.

This case has decided in favor of unused buffer space -- that's the unintended consequence. It does not take a terribly skilled analyst or user to see the damage done.

Warren
As bad as you can do
by tom.murphy1 March 13, 2006 9:22 AM PST
"Destroying a person's data--that's as bad as you can do to a computer."

I think sending a competitor the data would have been far worse.
Essential Procedure
by ajbright March 13, 2006 11:43 AM PST
I work in State government, and even though the majority of workstations have no confidential data on them, it is written State policy that every computer is disk wiped (or has its hard disk drilled to prevent access if the disk wipe isn't possible) prior to it being surplused (sent to a holding facility that will eventually sell the computer to the public at a reduced cost to recover a portion of the public's money that was used to purchase the equipment).

Therefore things such as personnel data held on manager's workstations, private information such as the names and addresses of the general public, and other private documents are guaranteed to be inaccessible to all but the most costly data recovery experts, and sometimes not even them.

Like I said, this is a mandated procedure, and failure to properly wipe a computer prior to its possible release to the public would end in termination of the employee responsible, as well as that employee's supervisor who must countersign the accompanying documentation.

This is not done for laughs or just to protect State employees from embarrassing documents being leaked.

Certain instances, such as domestic violence victims who are paid child support, but have a guarantee that their name and address will not be made public, make this policy essential to protect vulnerable members of the public.

Equally it is not considered abuse of equipment if an employee decides to check their personal bank account during a lunch break, maybe to verify they have funds to pay for a meal.

So a precedent that makes wiping computers a crime is outrageous. Maybe this person did have something to hide, but also it's not a stretch to say he may have had a small number of personal documents that he had every right to keep on the computer while he was an employee and quite correctly wouldn't want a computer tech reading.

This decision is so wrong it makes the demand that judges with no technical knowledge be barred from making decisions on technical issues totally valid.
RE
by colllar March 21, 2006 5:35 PM PST
The files erased can still be restored using data recovery tools. The most powerful of them are imho Active@ Undelete and uneraser. Their restore methods are powerful so they never failed me before. Give it a try if you really need files back.

http://www.active-undelete.com/

http://www.uneraser.com/
No evidence that evidence ever existed, is there?
by hackdotEd March 24, 2006 10:22 AM PST
My questions:

1. How does IAC KNOW that the files that were deleted and are now unrecoverable ever existed in the first place? Presumably, a good secure deletion program would remove all traces of the file, making even the file handle and other associated entries in the FAT or similar file system index impossible to discover, let alone recover.
2. Same as 1. except this time, how do they KNOW that the deleted files contained any evidence of wrongdoing?
3. Same as 2 but how do they KNOW that Mr. Citrin deleted the files AFTER he violated his employment agreement? Proof? How can you prove it without any evidence? Makes no sense to me.

More comments at my website, http://www.hackdot.org