Many of our readers have traveled with laptops, often crossing borders, and sometimes being subjected to a border search by customs agents. For most of us, crossing a border with a laptop is a no-brainer and we don’t really think of the implications.
The truth is, law enforcement and border control officials may seize and search laptops and electronic storage devices when travelers, regardless of their citizenship, enter or exit the United States. This right has been established and upheld by U.S. courts, mainly under anti-terrorism measures. Earlier this year, in July, in United States v. Romm, 455 F. 3d 990, the Court of Appeals for the Ninth Circuit upheld the right of U.S. officials to conduct an allegedly intrusive warrantless search of a laptop computer carried by a traveler entering the United States from Canada, and allowed evidence recovered during the search to be used in prosecuting the traveler for possession of child pornography.
The Association of Corporate Travel Executives (ACTE) (yes, there is such an association, apparently) has sought guidance from the federal government on the data security and privacy protection policies that apply when U.S. border officials seize and review the contents of travelers’ laptop computers. Many executives are naturally worried, as they often carry valuable and sensitive company (or private) information on their laptops. ACTE claims that most of its executive members (94%) were surprised to learn of the broad rights U.S. government officials have to inspect, download, or even seize information.
The good news is that ACTE reports that its members, upon learning that their laptops are subject to intrusive warrantless searches at the airport, have indicated an overwhelming desire to limit the kind of proprietary information typically carried in an executive’s computer. This is good. Even if the ACTE doesn’t get an answer and guidance from the federal government, at least it should educate its members to limit what kind of information they carry on their laptops.
Is it just me, or are these results scary (pardon the Halloween-theme lead)? A study commissioned by Cisco Systems on the habits of workers who telecommute (and thus access company systems remotely) interviewed 1,000 teleworkers in 10 countries and produced some interesting results. My favorite:
One in 10 users noted that they have used, without permission, their neighbor’s wireless Internet connection when working remotely.
Ten percent of telecommuters putting their company accounts and most likely extremely sensitive company information out in the open in plain text for anybody to see? This is troubling, especially for IT managers who support a growing number of telecommuters. Although the survey doesn’t detail how many users use secondary encryption such as a VPN tunnel or a secure proxy, my feeling is that this number is close to zero. Thus, after spending millions to secure your corporate network from intruders, your company information is flowing in a distant neighborhood’s airwaves for anybody to see in plain text. Scary.
Other results from the survey,
Scary stuff. Happy Halloween!
A recent case from the U.S. District Court for the District of Columbia held that a company cannot be held liable for an employee’s violation of the Computer Fraud and Abuse Act in a case where the employee acted of their own volition and without the company’s knowledge. The court said that the CFAA required intentional conduct on the part of the defendant, and that neither the fact that the alleged CFAA violation was committed with company assets nor the fact that the alleged hacker was a company employee supplied the requisite intent on the part of the company.
A law firm, Butera & Andrews, claimed that it was subjected to 42,000 attacks on its e-mail server from 80 different IP addresses, all controlled by or belonging to defendant IBM. Butera & Andrews alleged that the attacks were made with IBM-owned equipment and were directed by IBM employees or agents. IBM denied knowledge of the attacks and moved to dismiss, claiming that the complaint failed to allege intentional conduct on IBM’s part, as the CFAA allows action against somebody who "intentionally accesses" a computer without authorization. See 18 U.S.C. 1030(a).
The court said that the CFAA’s intent requirement is narrower than the common-language dictionary definition. The court further said that the CFAA’s "intentional" means knowing and conscious activity, and that there is a distinction between the use of a company’s assets to commit a crime and that company’s endorsement or even knowledge of the activity. Absent something more than an employer-employee relationship, "there are no grounds whatsoever for bringing an action against IBM under any of the statutes relied on, … as each requires ‘intentional’ conduct."
Also, under District of Columbia law, IBM cannot be held liable under the respondeat superior doctrine for an employee’s intentional conduct: "[t]here is no basis to hold IBM liable under theories of respondeat superior or vicarious liability for the actions of the John Doe defendant, even if the attacks were actually carried out by an IBM employee or agent."
With the reasoning above, the court dismissed the CFAA cause of action without prejudice. Full opinion in Butera & Andrews v. IBM Inc. can be found here.