Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?

from the court-may-think-so... dept

We’ve noted in the past how the courts have been stretching massively the Computer Fraud and Abuse Act (CFAA), which was really designed to deal with unauthorized access to computers — commonly referred to as malicious hacking. Yet, the courts have been interpreting it to cover all sorts of things that nobody would actually think of as hacking. In a recent case, for example, a guy who was a consultant at giant Deloitte & Touche, but then left to join a competitor, was sued by D&T because he destroyed the original hard drive in his work issued computer. When he quit, he returned the computer with a brand new hard drive. He had taken out the old hard drive and destroyed it because it had personal data on it (tax returns, account info and logins for personal things) that he didn’t want to share with D&T.

It’s difficult to see how this amounts to “hacking” or unauthorized access, and so the guy sought to have the case dismissed. Yet the court is allowing it to go forward, saying that the destruction of the hard drive was “without authorization” and thus the action fits under the CFAA. The problem here, as in other CFAA cases, is that it seems to interpret almost anything that doesn’t have direct authorization as being “unauthorized access” and thus, the equivalent of fraud or hacking. But in this case, it seems pretty clear that the guy didn’t do anything to harm the original company. He was just a little overzealous in trying to protect his personal info. Considering that his expertise as a consultant was in security and privacy… perhaps his actions aren’t all that surprising, really. What really is questionable here is why D&T is suing in the first place. They got back the computer with a newer hard drive, so it’s not like he returned a broken sytem to them.

Filed Under: , , ,
Companies: deloitte & touche

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?”

Subscribe: RSS Leave a comment
110 Comments
Josh in CharlotteNC (profile) says:

Company Data

There could have been company data they need on the drive that was not backed up anywhere else that they no longer have access to, that he was not authorized to delete/destroy.

Especially as D&T does all sorts of tax, auditing, and financial work, and does it for some of the largest companies in the world. It’s entirely possible some of the records on his laptop could be related to legal cases. I know the hoops you need to jump through just to encrypt data on drives that may be involved in legal cases (and the encryption product I use changes neither the data itself or meta-data such as last modified dates). And we have special procedures for any machines that are considered under “legal hold” – if anything happens to it, or it is being given to someone else, the drive is pulled, stored, and a new one put into the machine.

Since supposedly he’s and expert in privacy and security, why was he keeping such sensitive personal information on a computer he didn’t own? Sure, I’ve got some personal stuff on my work laptop, but nothing I’d be afraid of my employer having access to, or being made public. When my contract is up at BigBank, I’ll be deleting my personal stuff, but sure as heck won’t be wiping the drive.

Anonymous Coward says:

He put himself in a bad place. He should have cloned the drive and wiped it, and returned it blank with all of the original equipment (perhaps reinstall the OS).

Instead, he took the drive, and that means that he has everything that was on it, including proprietary stuff from D&T. Even if he says he destroyed it, can he really prove it?

His actions show can be taken as intent, and that makes it hard to get around.

Anonymous Coward says:

Re: Re: Re:

…what’s the difference in wiping the HDD and destroying the original after replacing it…

Quoting one of the relevant provisions of the CFAA from the opinion:

A) knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

Physically destroying a hard drive is not at all the same as transmitting a ?program, information, code, or command?.
A hammer is not a program.

darryl says:

Re: Re: Re: Re:

he ‘commanded’ his arm that he commanded to pick up a hammer, and he made a willful and premeditated command to destroy the HD.
That would come under ‘computer abuse’ !!

It was not his computer, it was not his hard drive, he therefore had no right to make any claim to ownership of that HD or it’s contents because he had no right to use that computer for personal use. It was not his property, and it was a clear misuse of someone elses property.

This guy is or must be a total moron with little or no clue about computer security, as displayed by his actions.

but destroying a hard drive is a ‘command’.
Its just as much a command as “Shift-delete”.

Jon Renaut (profile) says:

Not very good at his job

If he knew what he was doing in security and privacy, he’d know how to protect his personal data without destroying the hard drive. If “destroy the hard drive” is an answer to “how do I protect personal data?” at Deloitte, sign me up for a high-paying consulting job. I can destroy hard drives ALL DAY LONG.

Still, a very bad precedent to set – hopefully the court comes to its senses.

Anonymous Coward says:

Re: Not very good at his job

If he knew what he was doing in security and privacy, he’d know how to protect his personal data without destroying the hard drive. If “destroy the hard drive” is an answer to “how do I protect personal data?” at Deloitte, sign me up for a high-paying consulting job. I can destroy hard drives ALL DAY LONG.

Competent security specialists know that there are cases where destroying the drive is the most practical way to completely destroy the data on it.

pixelpusher220 (profile) says:

Re: Re: Re: Not very good at his job

I destroy my HDDs

*My* being the operative word of course. This wasn’t ‘his’ drive.

Whether he should be charged under this statute or another, he willfully destroyed property belonging to someone else.

I can quite safely say that either he was not authorized to put his personal data on that drive

OR

he was allowed to but with the understanding that he was doing so at his own risk and specifically not allowed to destroy the drive because he had put his information on it.

Richard (profile) says:

Re: Re: Re: Not very good at his job

As a former employee of a defence company I can confirm that damaged or end of life hard drives that may have contained classfied information were required to be certifiably destroyed by etching the magnetic material off the platters. It is the only way to guarantee complete removal of data.

Assuming that all company data was backed up (which seems likely) this guy has acted in an exemplary fashion and this case is ridiculous.

Anonymous Coward says:

Re: Re: Re:2 Not very good at his job

He didn’t act in an exemplary fashion, because he acted without consent and without knowledge of the company.

What it sounds more like is that he was trying to destroy data that might get him in trouble, perhaps showing that he had used the company computer in a way that was not permitted. Rather than just deleting the data and using an obscuring tool to re-write all the unused space on the drive, he instead took unilateral action.

The company has no way to know if he destroyed the drive for real, gave it to a competitor, or perhaps destroyed it after the data was taken by a third party. Who knows?

His actions really indicate he had something to hide.

Chosen Reject (profile) says:

Re: Re: Re:3 Not very good at his job

Fine, he may have done something illegal. Charge him with breaking whatever law you think he might have broken. Just because what he did might have been illegal, does not mean you can charge him with whatever you want.

Homicide and speeding are not interchangeable laws. Neither should any possibly illegal act that involves a computer involve the CFAA.

Pitabred (profile) says:

Re: Re: Re: Not very good at his job

I assume you personally burn every receipt you have, too? Shredding them can let someone put them back together.

There is such a thing as too paranoid. A nice multi-pass wipe on a modern drive will make all but maybe a few bytes recoverable, and you won’t be able to do anything with those. Context matters.

Rekrul says:

Re: Re: Re: Not very good at his job

Its actually the only way to guarantee it. Pieces of data can be left in bad sectors, cache memory etc even when doing a 35-pass wipe. I destroy my HDDs and so does my 60 year old mother for exactly the same reason this guy did.

Yes, because the first thing someone does when getting their hands on a used hard drive is spend several days running drive salvage software and trying to piece together the information from bad sectors and caches in the hopes of finding something they can use.

Here’s a challenge I’ve made to others (and never had any takers); Take your main computer, the one you keep all your programs and important files on, and without backing it up, do a full format/zero-fill of the drive. Just do ONE pass, which everyone claims is completely useless for getting rid of data. Then send the drive off to one of these hard drive recovery services. If they can salvage even 25% of the data, I’ll pay their entire bill.

Wanna try it? After all, with just a single-pass erasure, it shouldn’t take them more that a couple minutes to completely restore your drive, right? Hell, you can probably un-format the drive yourself with some piece of freeware software.

So, are you game?

Anonymous Coward says:

Re: Re: Re:2 Not very good at his job

Here’s a challenge I’ve made to others (and never had any takers);

No wonder. You need to make it worth their while first.

So, are you game?

Tell ya what, come out from hiding behind your fake name, offer some big bucks (written, legally backed by a bond) to recover *any* data, and you’ve got yourself a deal. Otherwise, you’re just blowing hot air.

Rekrul says:

Re: Re: Re:3 Not very good at his job

Tell ya what, come out from hiding behind your fake name, offer some big bucks (written, legally backed by a bond) to recover *any* data, and you’ve got yourself a deal. Otherwise, you’re just blowing hot air.

“Any data”? What happened to the argument that users need to do a 10+ pass wipe to keep hackers from recovering all the information on the drive?

Here’s a much easier challenege; Contact any drive recovery service and ask them how much data they can recover from a zero-filled drive. See if you can find even one that claims they can recover all your data.

Standard hard drives are designed to store one, and only one set of data in each sector. When that data is overwritten, there is absolutely no way to force a drive to read the previous data. If there was, don’t you think hard drive makers would use this overwrite-&-recover method to double the storage capacity of their drives? Write the data, erase it, overwrite it, and still be able to read the old data?

Pulling any information off sectors that have been overwritten requires disassembling the drive, removing the platters and placing them in a hugely expensive machine that can read residual magnetic patterns, and even then, it can’t recover anything reliably if the sector has been written to more than a couple times. They can also read tiny bits of data at the edges of tracks, where the head wasn’t perfectly centered, but there’s no way they’re going to be able to read all of the data, or even enough of it to do anything with. No to mention that these methods are out of the reach of your average hacker, whose idea of salvaging data is to run Recuver-It on a quick-formatted drive where none of the data was actually overwritten.

Almost Anonymous (profile) says:

Re: Re: Not very good at his job

Still, there is a tangential point to be made there: a competent security specialist should never have had such personal sensitive information on a company laptop that he felt the hard drive required being destroyed. If you must have personal data on a company laptop (and frankly, you don’t), and it’s ultra-sensitive data (the stupid is increasing), then use a TrueCrypt container to store it, and just remove the container from the hard drive and format/killdisk before you turn the laptop back in.

I don’t really see the harm in what he did, but that doesn’t mean that what he did was right.

Benny6Toes (profile) says:

From the article:

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the ?without authorization? element to be adequately pled.

I can see Deloitte having an issue with the hard drive being destroyed if they believed that it had records of his soliciting another employee to leave with him, but do they not have email or chat archives to look at? I don’t think that rises to the level of “hacking” by any means though. After all, those ocnversations would be considered personal in nature anyway, right? So how would deleting that be any different from deleting his tax returns, etc.?

And wouldn’t an expert in security and privacy know better than to keep that stuff on his work computer anyway (despite stupidity of the masses)?

This just seems like a case of Deloitte bullying a manager who left for something more interesting. If it is a question of him recruiting another employee in violation of an emlpoyment agreement, then ” still don’t see how this rises to a claim of hacking.

Anonymous Coward says:

Re: Re:

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the ?without authorization? element to be adequately pled.

Wait, what? So the court actually found that “soliciting another employee to leave” is an element of computer hacking? I know that many courts have a big-company bias these days, but isn’t that stretching the law really far?

Dark Helmet (profile) says:

Re: Re: Re:

“Wait, what? So the court actually found that “soliciting another employee to leave” is an element of computer hacking? I know that many courts have a big-company bias these days, but isn’t that stretching the law really far?”

No, but I can see how taking a company owned piece of hardware and destroying evidence on it to hide breaking company policy (I’m guessing, but it’s pretty standard employment/contractor language not to solicit other company employees for other employment) could be accessing company property or systems w/o access.

While I’m loathe to agree with this particular AC who throws the word FUD around with such ease, in this case I think Techdirt has it wrong. At the very least, I can see why the court would think the statute applies at least enough to allow the case to go forward….

Anonymous Coward says:

Re: Re: Re: Re:

No, but I can see how taking a company owned piece of hardware and destroying evidence on it to hide breaking company policy (I’m guessing, but it’s pretty standard employment/contractor language not to solicit other company employees for other employment) could be accessing company property or systems w/o access.

Wow. By that reasoning then, practically anyone who violates a company policy and then accesses any company computer equipment (time clock, most modern phones, email, etc.) could then be charged under the CFAA. That’s even scarier.

Anonymous Coward says:

Re: Re: Opinion pdf

For someone that claims that this is “hilarious to watch”, you sure seem angry and bitter. I’m not saying that it’s wrong or anything (we are all crazy in our own way), just saying that your reaction doesn’t quite fit the commonly accepted definition of finding something to be hilarious.

I mean, there’s no ๐Ÿ™‚ or :p or ๐Ÿ˜€ in your posts. What’s up with that?

Anonymous Coward says:

Re: Opinion pdf

The opinion pretty clearly interprets the CFAA in the DISCUSSION section under heading B. sub-heading i. as covering anything done to a computer ?without authorization,? which is, in my mind, overboard. The statute as it was written seems to be far more explicit than that.

What the plaintiff is arguing is that, essentially, breaking any clause in an employment contract is grounds for CFAA liability if you did literally anything with one of their computers after having done so and the judge says he’s ok with that:

“Defendants argue first that there is no allegation that Carlson acted ?without authorization,? as required by the statute. Defendants highlight that Carlson was an employee of Deloitte when the alleged data destruction occurred, and therefore not acting ?without authorization.? Defendants do acknowledge that an employee may be acting without authorization if he has breached a duty of loyalty to his employer prior to the alleged data destruction. See Int?l Airport Centers LLC v. Citrin, 440 F.3d 418, 420-21 (7 Cir. 2006). In the Defendants? words, Citrin does not apply because in that case ?the employee had been undertaking a pattern of activity adverse to his employers? interests? prior to the official end of his employment.
This is exactly what is alleged in this case. Here, Carlson is claimed to have begun his solicitation of Deckter before departing Deloitte. The data destruction was done, in part, to cover his tracks in wrongfully soliciting Deckter. If, as claimed, Carlson was so nakedly violating his
Director Agreement, he would have been acting contrary to his employer?s interests, thereby ending his agency relationship with Deloitte and making his conduct ?without authorization.”

That’s a little crazy I think. Suddenly any breach of an employment contract could be a CFAA violation if you do anything with a company computer afterward.

Anonymous Coward says:

Re: Re: Opinion pdf

That’s a little crazy I think. Suddenly any breach of an employment contract could be a CFAA violation if you do anything with a company computer afterward.

That’s one way to frame it. I think though that if an employee pulls a hard drive out of his computer and destroys it for the purpose of covering his tracks for wrongdoings against his employer, it’s probably safe to say that that employee is acting “without authorization” as to that hard drive and he damn well knows it.

Chosen Reject (profile) says:

Re: Re: Re: Opinion pdf

So if an act involves a computer, and authorization wasn’t allowed, you’re saying that act is in violation of the CFAA? So, stealing a laptop from Best Buy is a violation of the CFAA rather than a violation of stealing laws? How about rather than stealing the laptop, just smashing it. Is that a violation of the CFAA or a violation of destruction of property laws?

I’m perfectly fine with allowing that the guy may have done something illegal, but let’s charge him with whatever law he supposedly broke rather than stretching the CFAA absurdly.

Anonymous Coward says:

Re: Re: Re: Opinion pdf

Here’s another way to frame it:

You don’t have to shoehorn this case into the CFAA (and neither does the judge) in order for him to be liable for a number of things due to his actions. They aledge them in the case, “breach of the non-solicitation provision of an employment contract, breach of a right-to-inspect provision of the contract concerning access to personal computers, breach of the fiduciary duty of loyalty, and tortious interference with prospective economic relations.”

There’s no need to tack on CFAA violations and twist the provision into applying by pedantically focusing on two words and ignoring the rest of the statue.

Anonymous Coward says:

But in this case, it seems pretty clear that the guy didn’t do anything to harm the original company. He was just a little overzealous in trying to protect his personal info. Considering that his expertise as a consultant was in security and privacy… perhaps his actions aren’t all that surprising, really. What really is questionable here is why D&T is suing in the first place. They got back the computer with a newer hard drive, so it’s not like he returned a broken sytem to them.

I know you’re in such a hurry to FUD out anything related to the CFAA by pulling out the word “hacking” (even though that word is nowhere to be found in the statute), but did you even read the article on Evan Brown’s Internet Cases blog that you linked to?

As Evan Brown says on his blog: “In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the ?without authorization? element to be adequately pled.”

Why they are suing is right there. Or better yet, if you want to understand why they’re suing, you could actually look up the case and read the complaint for yourself.

Nope. Not Mike. Mike’s too busy pouncing on anything that involves the CFAA with his stupid FUD-tastic “hacking” bullshit. Pure idiocy, Mike. Absolute nonsensical FUD.

Anonymous Coward says:

Re: Re:

That would be a lawsuit, not a CFAA violation, now, wouldn’t it? Destruction of evidence (Of a CRIME, of course) is a crime, but destruction of evidence in a civil matter before said civil matter is brought? No case. So, explain how this is a CFAA violation? All you’ve done is point at a civil suit.

Dark Helmet (profile) says:

Re: Re: Re: Re:

“The CFAA is broader in scope than just “hacking”. “Hacking” is but a subset of several activities covered by the statute.”

That’s absolutely true, but now my opinion is changing a bit. While I think the employee may have done something wrong here, I’m not so sure the CFAA actually applies. Granted, I’m relying heavily on Wikipedia here, but in their list of violations of the act, I’m not sure I see anything under which this particular action would apply.

http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

This may be something that would need to be relegated to a contract law case, assuming he was under some kind of no-solicitation clause, or some kind of destruction of evidence law. I’m not seeing it in the CFAA, but if there’s a clause or language you could point me to otherwise, I’d be willing to listen….

Anonymous Coward says:

Re: Re: Re:2 Re:

A link to the decision is provided in one of the above comments. It clearly noted that a claim associated with the CFAA was but one of many separate and distinct claims asserted by the plaintiff, including, for example, breach of contract, breach of a duty of loyalty, interference with prospective contractual advantage, etc., etc.

As for the CFAA, while many believe it to be so, the act is not limited to so-called “hacking”. It is broader and reaches a number of other actions associated with what one may do to a computer.

Dark Helmet (profile) says:

Re: Re: Re:3 Re:

Right, I get the guy fucked up and the CFAA claim is one of many. From what I’m reading, I actually agree that D&T has a good case against him. I thought I was clear on that.

What I’m now NOT clear on is HOW the CFAA applies. The decision doesn’t seem to jive w/what I’m reading about the CFAA and what constitutes as a violation of it. The article was about an over-broad application of the CFAA and I’m starting to see why that may be so.

So can you point to something in the CFAA that would apply here or not?

Anonymous Coward says:

Re: Re: Re:4 Re:

The statute can be found at 18 USC 1030.

As for how it relates to the lawsuit, the above-cited opinion by the court does go into some detail about how the act applies. The general gist (and I do mean “general” to avoid presenting a post the length of a legal treatise) is that data was destroyed, and in doing so the defendant violated one or more of the many provisions of 18 USC 1030.

OC says:

Re: Re: Re:4 Re:

“So can you point to something in the CFAA that would apply here or not?”

Mr Hat, I am not a lawyer but I have seen one on TV. One could possible, with a fair amount of stretching, apply item 3 and 4 from the wiki page. However, item 3 mentions goverment computer. Perhaps they meant the term “protected computer” defined above. If so, replacing the drive with a blank one would apply. Maybe. As for item 4… this guy clearly saw some value in removing sensitive data, if he was indeed covering his tracks.

I can see why the judge would let the case move forward.

Anonymous Coward says:

Re: Re: Re:

Heh, Anonymous Apologist trying to pretend that it isn’t an anti-“hacking” law. Funny.

Yes, Mike. It is an anti-hacking law. But it’s also broader than that.

My point is simple. At the end of the piece you say: “What really is questionable here is why D&T is suing in the first place. They got back the computer with a newer hard drive, so it’s not like he returned a broken sytem to them.”

The reason “why D&T is suing in the first place” is right there in Brown’s blog entry that you linked to and made the basis of this entire article. As Brown explains: “In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the ?without authorization? element to be adequately pled.”

Now, either you completely missed this when you read Brown’s blog piece, or you are intentionally misleading your readers. Considering the fact that Brown’s piece is short and easy to read (with a font size even my mother would love), I think it’s safe to assume that you read and understood all of it. You did, after all, write a whole article about it. Thus, it seems likely to me that you are intentionally leaving information out.

The goal, I presume, is because you want to spread your silly “it’s not hacking so they’re wrongfully broadening the scope of the CFAA” FUD. I think there are good arguments that the CFAA shouldn’t apply here, but jumping to your “hacking” FUD does little to advance the discussion.

Anonymous Coward says:

Re: Re: Re:2 Re:

I’m merely pointing out that when Mike played like he didn’t know why D&T was suing this guy, it was for the purpose of advancing his CFAA-hacking FUD.

Let’s run through how the FUD is created.

Brown explains that the defendant claims to have destroyed the hard drive because “it had personal data on it such as tax returns and account information.”

Rephrasing this, Mike claims the defendant destroyed it because “it had personal data on it (tax returns, account info and logins for personal things) that he didn’t want to share with D&T.”

Yes, Mike made up the “logins for personal things” out of thin air.

Later, Brown explains the plaintiff’s theory of why the defendant really destroyed the hard drive. They claim “that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks.”

But Mike feigns cluelessness.

First, Mike says “it seems pretty clear that the guy didn’t do anything to harm the original company.” This isn’t clear at all, considering all the claims the plaintiff is making. The claims which Mike conveniently pretends don’t exist.

Second, Mike says the defendant is “just a little overzealous in trying to protect his personal info.” Of course, leaving off the fact that he is alleged to be covering his tracks makes his destroying the hard drives seem all the more OK.

It’s another classic example of Mike FUDing something out to the hilt.

Anonymous Coward says:

Re: Re: Re:4 Re:

It’s not speculation, it’s deduction and reasoning. Do you really think Mike just happened to completely miss the fact that the plaintiffs might have had a different version of why the defendant destroyed the drive, or is it more likely that he intentionally left that part off?

Mike wonders aloud about why the plaintiffs could possibly be upset about the defendant destroying the hard drive, while at the same time the very article he links to and makes the basis of his whole article explains why in one simple sentence. It’s ridiculous FUD. If you can’t see that, I’m not sure how else to explain it.

Anonymous Coward says:

Re: Re: Re:5 Re:

You can explain it by considering that you might be manufacturing that perspective yourself rather than it being Mike’s. I read the post and recognize that the validity (or not) of Deloitte’s claim is less important to the overall post than the validity of the use of the CFAA.

Deloitte’s claim probably has merit. The defendant is probably a douche-bag, but that doesn’t mean we should warp laws to make them apply.

You’re too busy trying to make everyone turn against Mike to participate in the actual discussion though.

The Infamous Joe (profile) says:

Re: Re: Re:5 Re:

It’s ridiculous FUD.

Side note: You need a new buzz word. I find it very difficult to keep reading your comments once I hit that word. It would be easier if you knew what that acronym meant, or if you didn’t obviously have such an ax to grind for anything posted on this site, ever.

I’m only bothering to type this at all because if you could sound less like a frothing douche canoe (while keeping your own viewpoints, of course!) you’d be a valuable member of the community here; You seem intelligent and knowledgeable.

So, try and work on that, okay?

Anonymous Coward says:

Re: Re: Re:3 Re:

and it’s another example of you assuming things that aren’t there.

People ingest information through the filter of their own context. You would likely argue that the majority of readers on this site don’t view the posts critically enough and others would likely argue that you view all posts far too critically–so much so that you read in intent and agenda that isn’t there. Both are likely true–but not to the degree either party thinks.

Most people here wanted to discuss whether the CFAA was being stretched to cover this situation. Mike wanted to bring that situation to light.

Everything else you’ve brought with you and the words you use completely undermine any point you want to make, which is frankly, sad.

Anonymous Coward says:

Re: Re: Re:4 Re:

Fair enough. It is a topic worthy of discussion. But framing it as “not hacking” and pretending like he has no idea why the company could possibly be mad at the guy for destroying the hard drive (when it’s simply because they say he’s covering his tracks for alleged wrongdoings against the company) is sad on Mike’s part. I’m all for the discussion. What I don’t appreciate, and what I feel is worthwhile to point out, is that Mike is kicking off the debate with his typical lopsided, misleading FUD. Talk about sad.

Anonymous Coward says:

Re: Re: Re:5 Re:

I’m trying really hard to see what you see and I just don’t. I don’t read a single word of his post as “lopsided, misleading FUD.”

Your words, “pretending like he has no idea why the company could possibly be mad at the guy”.

I guess it was the last few sentences of the post that are the problem. You see those words as Mike not digging enough or reacting in a shallow manner to certain words, but I see them similarly but without the judgment part. In other words, yes perhaps he could have understood Deloitte’s position better, but he still achieved the objective: point out an area for commenter scrutiny.

Ultimately, the value in the site for me is not Mike’s opinion, but the identification of possible areas of government, corporate, and legal overreach in technology and rights. I, for one, believe that is happening more and more. Perhaps you fundamentally believe it is a witch hunt, but many of us do not.

But if you removed the personal attacks from your posts I imagine more of us would listen to you.

Anonymous Coward says:

Re: Re: Re:6 Re:

You’re right. If you take Mike’s silly, unsupported, and purposefully misleading “opinions” out of the picture, the site has value. It’s a shame though that the reader has to eliminate the FUD, and then do their own homework to get the whole picture. I’m OK with someone having an opinion. I’m not OK with someone lying and misleading others while calling it an opinion. Big difference.

Anonymous Coward says:

Re: Re: Re:6 Re:

In other words, yes perhaps he could have understood Deloitte’s position better, but he still achieved the objective: point out an area for commenter scrutiny.

And how could he promote an informed conversation in the comments if he doesn’t even know (or pretends not to know) the facts of the case or the court’s reasoning in denying the motion to dismiss? That’s what proves it’s all FUD. He can’t be bothered with the actual acts or the actual reasoning in deciding that the CFAA is being abused. Give me a break. Mike is just being super silly here. His motives are clear enough to me.

Anonymous Coward says:

Re: Re: Re:7 Re:

I am truly fascinated by your ability to accuse one party of something you are so clearly demonstrating yourself: myopic fanaticism.

He can promote an informed discussion because he provides ample citations and allows all sides of the discussion to occur below rather than restrict or prevent them (by requiring logins or posting approval).

I will listen to you if you post reasonable arguments, but I will not dismiss what I read here based on your ad-hominem assertions.

Their arguments are well-reasoned, well-founded, and as informed as can reasonably be expected. If that isn’t good enough for you, well… don’t expect people to keep listening or to treat you as anything other than a troll.

Anonymous Coward says:

Re: Re: Re:8 Re:

I think an informed conversation can happen despite Mike’s contribution, but I wouldn’t say that promoting a reasoned debate is his object. There’s just too much FUD on too many issues from Pirate Mike to pretend that he’s trying to spread a reasoned insight into any of this. This article is a great example. He doesn’t know the facts, law, or reasoning, but still, he’s quite sure the judge got it wrong. It’s all about the FUD-filled headlines and pirate-approved agenda on techdirt. Reasoned debate takes the backseat.

Anyway, I’ve said my piece. Bring on the enlightened debate.

John Doe says:

As an expert he should have known about Eraser

Surely a security expert knows about programs like eraser to securely wipe hard drives? He could have deleted everything possible, uninstalled unnecessary programs and then run eraser to wipe free space. Or if he was that worried, wipe the drive and re-install the OS and applications.

Of course that might still be hacking by the CFAA definition.

freak (profile) says:

Re: As an expert he should have known about Eraser

As a security expert working for a corp with security experts, he might have realized that, well, data is really really hard to destroy, particularly when someone has physical access.

Things that have been done with physical access:
1) RAM that was unpowered for 10 minutes was read perfectly, using a special hot-boot OS. For example, to grab an encryption or decryption key.
2) A 10 character password was copied into 10 files randomly distributed on a hard drive, then the hard drive was formatted, and written over 3 times with random 1’s and 0’s. The password was able to be recovered, (because some of the bits refuse to flip and areas/bits of non-randomness were apparently easy to identify). You aren’t likely to copy down a password ten times, but it might be, say, store din a cookie, in firefox for auto-complete, maybe once in a password file somewhere, maybe all of those are copied because you have a back-up of your program preferences for some reason, whatever.
3) Files that they suspected to exist were completely falsified, because the defendant could not deny that they could reconstruct the file.

Jimr (profile) says:

When I returned my company issued laptop I cleaned the hard drive and re-formatted it using the Military format clearer (Does about 100 cycles of filling the hard drives with random one and zero and reformat it).

Replacing the hard drive is not that simple – it could have been a more expensive enterprise class hard drive or some other special hard drive. Also depending on how this guy destroyed the hard drive – is there a certificate from an authorized hardware disposal or did he sell the hard drive?

Fickelbra (profile) says:

I dunno..

I know my opinion might not be shared but I think the company has a right to pursue this. Perhaps the CFAA is the wrong channel, but destroying a component of something the company owns and replacing it is not an acceptable practice. That is just common sense.

The part of the story that sticks out to me is there doesn’t seem to be any proof the defendant destroyed the drive. Just a claim that he did.

Robert Doyle (profile) says:

It wasn't his drive to destroy

I don’t see how it is a CFAA violation, but why they have to bring such legislation against someone when it isn’t the point of the case unless they are insinuating that the destruction of the drive was to cover up a CFAA violation… but that can get pretty circular pretty fast…

Can’t they just do a good old criminal/civil combo using common reasons? Criminal: He stole the drive – whether or not he made restitution isn’t the issue; Civil: That drive had information on it that we feel is relevant and we would like compensation for the loss of it.

Anonymous Coward says:

Re: Re: It wasn't his drive to destroy

If they file the charge, he will have high probability to be found guilty, but since he had voluntarily return a new harddisk to the company, and has good reason to back it up, while this will mark him with criminal record, the judge probably wouldn’t put him into jail or even fine him much. And that’s probably not what his ex-company wants.

The best way to ruin a security professionals’ life of business is probably get him convicted guilty with CFAA. In this way most computer security related companies won’t hire him, and if they hire him, it’d be clear that something fishy has happened.

me... says:

Without Authorization....

Was he authorized to open the PC? Was he authorized to remove the HD? Was he authorized to destroy company data?

Last place I worked had an acceptable use policy, opening the case was NOT acceptable… taking anything from inside the PC was NOT acceptable… just because he was allowed to take it home, does not mean that he was allowed to open it up.. Unless they issued him with a machine that had a blank hard drive, returning the machine with one would not be acceptable in any place I worked..

Someone else asked if there was proof of drive destruction… that’s something that needs more looking into…

and is it theft if you take something that isn’t yours, even if you replace it with something equivalent?

out_of_the_blue says:

WHY did he put personal info on company's computer?

IF he did. That may be only a cover story for removing the employee-luring that seems nailed down.

Regardless, there’s basis for allowing suit to continue, if only because ALL data on the drive was company property, no question. This high-powered consultant got himself into a tangle through a series of stupid decisions. Let him hang, be an example for others to NOT mix work and personal.

Anonymous Coward says:

Ninth circuit criticizes seventh circuit

The Seventh Circuit’s decision in Citrin (upon which the present opinion is based) has been heavily criticized. In LVRC Holdings v Brekka (2009), the Ninth Circuit was not pursuaded by that precedent.

From an article contrasting Citrin with Brekka:

Brekka, a civil case that affirmed summary judgment for the defendant employee, is the first circuit court opinion to hold that an employee?s authorization to access the company computer is not based on the law of agency. Brekka involves the classic employee theft of data whereby employees, before they leave to compete, e-mail to themselves competitively sensitive company data. The Brekka court refused to apply the CFAA to this theft of data, holding that employees cannot act ?without authorization? because their employer gave them ?permission to use? the company computer. The court acknowledged that its holding directly conflicts with the U.S. Court of Appeals for the 7th Circuit?s decision in Int?l Airport Centers LLC v. Citrin.

(Citations omitted.)

Note that the present case, in the Northern District of Illinois, is in the Seventh Circuit, so the district court is bound by Citrin.

Anonymous Coward says:

Consultants usually brand themselfs as experts, they know funny words, dress like presidents, and do higly detailed powerpoints full of things like “the sky is blue”, “water can be found in liquid state”, etc.

Most funny thing to watch its an all “I am a consultant, an expert” project, its like an Opera documentary on Discovery Channel.

Richard (profile) says:

Unintended consequences

Whatever the legal rights and wrongs Deloitte & Touche have clearly acted in a vindictive and high handed manner – and been widely seen to do so to the pool of potential employees.

The net result is that their ability to employ good staff in future is compromised – and as a result they will have to pay slightly more for slightly worse employees for a while to come.

Verdict (if they win) Pyrrhic victory!
(if they lose the appeal) Pure own goal!

Anonymous Coward says:

$5,000 damage

A laptop hard drive isn’t $5,000 these days.

From the opinion:

Deloitte argues for liability based on subclause (I), which requires ?loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course ofconduct affecting 1 or more other protected computers) aggregating at least $5,000 in value.?

From the first Google hit: Newegg.com – Notebook Hard Drives, Laptop Hard Drives.

A laptop hard drive isn’t $5,000 these days.

Donadl F. Truax (user link) says:

[Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?]

For a “security consultant” to put “personal data on a company computer” is (in my opinion) somewhat laughable.

For emphasis, there are a few variables here to consider:

1. Who owns the computer?

2. Who destroyed the data?

3. Who “owns” the data?

4. What was the company policy at time of hire and did the said person go through orientation of that policy?

As noted in “3” the ownership of the said data is key. This is why when I do any kind of development (that goes outside of the SOW or Scope of job title) I always did it on “my” laptop and on my time as to retain not only ownership, but, chain of custody.

In my humble opinion.

3

Anonymous Coward says:

Re: [Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?]

It does seem worth mentioning, as the court did in its opinion, that the defendant who “smashed” the hard drive was the Director of IT for the company. In all likelihood he was the one who promulgated company IT policy, so if anyone should be familiar with the policy it should be him.

Anonymous Coward says:

Regarding writing random bits to erase data

I remembered that 20 years ago, the standard to ensure completely unrecoverable erasure is just 3 passes random writes. Now it’s 20.

While I agree there physical limit that can make sure it’s unrecoverable with “current technologies”, I’m agreeing no non-physical measure is enough if the harddisk contains data that I absolutely want noone to recover the tiny bit.

A previous post mentioned 25 percent recovery rate. But you know, for confidential data, the risk of being able to recover 0.0001% of data is still too high.

aldestrawk says:

Re: Regarding writing random bits to erase data

The standard to erase modern, high density, drives is only one pass.
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

This has been true since about 2001 and is applicable to drives that are larger than 15GB. It’s all about density. There are no longer multiple paths possible for read/write heads on hard drives. The critical question is whether all sectors are being overwritten. The only software that guarantees this does it by triggering the ATA secure erase command, a command embedded in all hard disk controllers which are always integrated within the hard disk.

David Johnson (profile) says:

As far as my knowledge is concerned, many big companies take multiple computers for lease in huge numbers to complete their task. They are bound by laws and policies, to erase all their confidential data from the hard drive with the help of secure data erasure software, before handing over the computers to their original owners. If found guilty both the company and their employees have to face heavy fine or even imprisonment or both. So there is no harm to erasing data because no one want to compromise there data and become victim of data breach.โ€‹

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ยป

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...