An article from yesterday caught my eye, “Court finds NJ users can expect privacy from Internet providers”
A few excerpts:
“The court ruled that a computer user whose screen name hid her identity has a “legitimate and substantial” interest in anonymity.”
“The 3-0 ruling by an appellate panel stems from the indictment of Shirley Reid, who was suspected of breaking into the computer system of her employer in Cape May County in 2004 and changing its shipping address and password for suppliers.”
“The decision upholds a lower court ruling suppressing information from Reid’s Internet service provider that linked her with a screen name that did not reveal her identity. Lower Township police obtained the information after having the township’s Municipal Court administrator issue a subpoena to the provider, Comcast Internet Service. However, the appellate panel found that the subpoena was invalid because the crime being investigated was not within that court’s jurisdiction and the subpoena was not issued, as required, in connection with a judicial proceeding.”
“It was not immediately known if the ruling would lead to the dismissal of the one-count indictment on computer theft.”
“By using a coded screen name the “defendant manifested an intention to keep her identity publicly anonymous. She could have used her own name or some other ISP address that would have readily revealed her identity, but she did not. Having chosen anonymity, we conclude that defendant manifested a reasonable expectation of privacy in her true identity, known only to Comcast,” Appellate Judge Harvey Weissbard wrote for the panel. The court, however, did not issue blanket protection for computer-based criminals. “Just as with telephones or bank records, computers cannot be used with impunity for unlawful purposes. When there is probable cause to believe unlawful use has occurred, law enforcement has the tools to respond,” the court said.”
Intrigued, I checked out the appellate ruling.
The crime that was alledgedly committed by the person whose identity was ruled as being unlawfully obtained from the ISP is quite interesting. In fact it would make a great case study for an information security and privacy training session, and some lively discussion would likely occur. Here’s the description provided within the ruling:
“On August 27, 2004, Patrolman Charles Fitzmaurice of the Lower Township Police Department handled a walk-in complaint by Timothy Wilson regarding theft via computer. Wilson, the owner of Jersey Diesel, told police someone had broken into his computer system on August 24, 2004, and changed his shipping address and password for all of his suppliers. The shipping address was changed to a non-existent address.
During his conversation with the patrolman, Wilson mentioned that Shirley Reid, an employee who had been out on disability leave, could have made the changes to his account. Wilson said Reid reported for work on August 24 and was not happy with the decision to place her on light duty. An argument ensued between Wilson and Reid, and Reid left the premises. Wilson added that Reid was the only person in the company that knew the company password and ID. Wilson learned through one of his suppliers that changes had been made to his password and shipping address. As a result, he started to investigate the changes. He discovered the changes were made by someone with an Internet Provideraddress that was owned by Comcast. Wilson then contacted Comcast to determine the name of the person responsible and was informed that a subpoena was required before Comcast would release any information.
The case was turned over to Lower Township detectives. On September 7, 2004, Detective Robert Smith went to Lower Township Municipal Court to obtain a subpoena duces tecum. Elizabeth Byrne, the Court Administrator of Lower Township Municipal Court, issued the subpoena to Comcast Internet Service. The subpoena read as follows:
The State of New Jersey, To: COMCAST INTERNET SERVICE
You are hereby commanded to attend and give testimony before the Lower Township Municipal Court at 401 Breakwater Road, Erma, New Jersey on the 7TH day of SEPTEMBER, 2004, At 3:00 o’clock P.M., on the part of LOWER TOWNSHIP POLICE DEPARTMENT in the entitled action, and that you have and bring with you and produce at the same time and place, the following: Any and all information pertaining to IP Address information belonging to IP address: 68.32.145.220, which occurred on 08-24-04 between 8:00 a.m. and 11:00 a.m. EST. This information pertains to Comcast case #:NA338384. Failure to appear according to the command of this Subpoena will subject you to a penalty, damage in a Civil Suit and punishment for contempt of Court.
Elizabeth Byrne, Court Administrator
Lower Township Municipal Court
Detective Smith then faxed the subpoena to Shamma Austin, a Comcast employee. On September 16, 2004, Comcast responded to the subpoena and provided information which implicated Reid. An arrest warrant was issued on September 29, and on October 8, Reid was arrested. She was subsequently charged in a single-count indictment with computer related theft, in violation of N.J.S.A. 2C:20-25b.”
How would your personnel respond to a subpeona asking for the personally identifiable information (PII) of your customers or employees? How would they respond to an authoritative, intimidating officer asking for information without a subpeona? What are your policies and procedures for responding to such requests? Do you provide training to your personnel about this topic?
What are the laws of your state regarding this?
The rest of the ruling also provides some good substantial situations and issues that you could also incorporate into information security and privacy training and case studies.
Want to engage your legal and compliance personnel in your training sessions? Use some real situations such as these for discussion.
Tags: awareness and training, computer crime, Information Security, IT compliance, law enforcement, policies and procedures, privacy