Re: Computer forensics to uncover illegal internet use

["Jason Coombs" <jasonc () science org>]

> Yes, of course this is governed by
> the rules of evidence for the
> jurisdiction they are in.

And governed by common sense, hopefully. If the persons are acting in their official capacity in their position within 
the business, they cannot be prosecuted as individuals -- the company can be prosecuted, but the person cannot, even if 
a person is the one who gives a copy to corporate counsel, or to a supervisor, or in some other way complies with a 
stated or an implied chain of command or company incident response policy and in so doing literally violates a criminal 
statute. The company can't be imprisoned, and the person was doing the company's reasonable business, so no worries. As 
long as the actors do not take actions that fail the 'reasonable company' test or perhaps better stated as the 
Reasonable Corporation Test.

(Yes, I have just coined a term, and a terrible one -- applying the 'reasonable person' test to a business even further 
attribute the quality of being a 'person' to a corporation pursuant to the 14th Amendment.)

Disagree with my assertion, if you wish. You won't find a statute, presently, that makes this clear -- but I have been 
told recently that the U.S. Attorney General is about to give a written opinion clarifying this very topic for everyone.

The opinion is reportedly going to include an explicit statement that corporations do not have a duty to report in the 
case of child pornography offenses.

It is important to understand that non-corporations (other business entities, especially sole proprietorships) may 
actually have individual criminal liability exposure for a variety of people (such as the sole proprietor herself) even 
for circumstances in which a corporate entity and its employees would not.

Also, in the case being dicussed, as in most cases of alleged employee actions at work using a computer owned by the 
employer, nobody has actually seen the alleged contraband. There may be good reason to fear it is present on the drive, 
but suspicion or feelings of a vigilante duty must not be allowed to interfere with our proper response, which is to 
consider the precise circumstances that brought the matter to our attention,

A very important and interesting discussion. Hopefully it has guided Edmond sufficiently.

(It hasn't been pointed out before, but it appears that Edmond is located in Canada where everything is quite different 
from this U.S.-centric discussion)

Best,

Jason Coombs
jasonc () science org

-----Original Message-----
From: "dave kleiman" <dave () isecureu com>
Date: Wed, 31 Aug 2005 17:18:51 
To:"'Jason Coombs'" <jasonc () science org>, <security-basics () securityfocus com>
Cc:"'Edmond Chow'" <echow () videotron ca>,       "'Beauford, Jason'" <jbeauford () EightInOnePet com>,       
<tobin.craig () va gov>
Subject: RE: Computer forensics to uncover illegal internet use

Jason,

Now that sounds more like you, and I could not agree more.

I was just a little a little concerned with the passing of the "contraband"
and the fudging the logs theory.

Yes wipe and go on could be a plausible option, as long as they stop and go
no further. However, if they get involved in making copies of it and passing
it around to whomever (attorney etc.), they have already begun an
investigation and began handling the contraband.

My vote is stop and wipe, or stop and call the proper authorities.

Yes, of course this is governed by the rules of evidence for the
jurisdiction they are in.

Best regards,

Dave


> -----Original Message-----
> From: Jason Coombs [mailto:jasonc () science org]
> Sent: Wednesday, August 31, 2005 17:06
> To: dave kleiman; security-basics () securityfocus com
> Cc: 'Edmond Chow'; 'Beauford, Jason'; tobin.craig () va gov
> Subject: Re: Computer forensics to uncover illegal internet use
>
> dave kleiman wrote:
> > You bring a drive to do an image,
> > you have to do your examination
> > there, if you want to leave the
> > imaged info on it, your imaged drive
> > now stays in the evidence room.
> >  The defense attorney would have
> > to come there to view the
> > images, or the LEO would bring it to
> > them, but they would not leave I
> > there with them.
>
> Dave,
>
> Nice response. You are correct, of course, that this is how
> many jurisdictions prefer that things be done. The prosecutor
> and law enforcement do try to follow their own rules once
> they confiscate potential contraband.
>
> I am glad to see Tobin Craig cite Title 18, USC 2252, as it
> now stands, having been modified by COPPA, etc. in recent
> years. It is very important to understand what Federal law
> requires of you in order to avoid prosecution for what has
> already been done. However, as Tobin acknowledges in his
> e-mail, he is unaware that Corporations are treated
> completely differently than are natural persons with respect
> to the child porn statutes.
>
> If not for the possibility that the worker whose computer is
> at-issue may have had their identity stolen or in some other
> fashion been framed by the actions of a third-party, such
> that the hard drives in the computer are potentially the only
> source of evidence to prove reasonable doubt of the person's
> guilt, it would ALWAYS be the proper course of action for the
> company to wipe the drive and go on with business as usual,
> without reporting to law enforcement.
>
> Where much of the discussion thus far has also been mistaken
> is in presuming that all jurisdictions operate according to
> the same rules and procedures once potential contraband is
> confiscated.
>
> This discussion deserves additional attention, for the very
> reason that the behavior of various persons on all sides of
> this struggle, and in many respects the very statutory
> language itself, are outrageous and are ruining lives of
> people who are in fact victims -- much the way that the
> original child abuse that became the contraband child
> pornography harmed an innocent child.
>
> If only persons as well-informed and concerned with the
> pursuit of truth, such as Mr. Craig, were more often involved
> in advising law enforcement and participating in decisions to
> prosecute individual cases.
>
> And if only more corporations were aware that their own
> failures to protect their employees' Windows computers from
> spyware and other security threats are placing workers at
> undue risk of criminal prosecution for doing nothing other
> than their jobs.
>
> Sincerely,
>
> Jason Coombs
> jasonc () science org