9/1/2011
10:11 AM

Laptop Tracking Software Faces New Privacy Heat

Judge rules couple can sue maker of Lojack For Laptops software for intercepting and sharing couple's sexually explicit communications with police.

How far can someone go when tracking stolen technology goods?

A case is set to test that question, after substitute teacher Susan Clements-Jeffrey ended up in possession of a stolen laptop that contained LoJack For Laptops, which is remote-recovery software sold by Absolute Software.

Absolute, after being notified by the laptop's owner that it had been stolen, began recording the device's IP address. It also captured what turned out to be sexually explicit messages and webcam images traded between Clements-Jeffrey, a 52-year-old widow, and Carlton Smith, a high school sweetheart with whom she'd just rekindled a long-distance relationship.

Absolute then shared the intercepted communications with police, who went to Clements-Jeffrey's house without a warrant, but with printouts of several of the sexually explicit webcam images, which they showed her. Ultimately, she admitted them to her apartment, where they found the laptop and arrested her on the charge of receiving stolen property. About a week later, the charge against her was dropped.

The suit, filed by Clements-Jeffrey and Smith--against Absolute Software, Absolute's theft recovery officer, as well as the city of Springfield, Ohio, and its police department--said that their communications had been illegally intercepted, per the Electronic Communications Privacy Act, and their privacy rights violated. The defendants, however, argued that Clements-Jeffrey had no such privacy rights when she was using the stolen laptop, and filed for a summary judgment, which is used to argue that a plaintiff lacks sufficient evidence to pursue a case.

Last week, however, federal judge Walter Herbert Rice dismissed the defendants' motion for a summary judgment, thus allowing the suit to proceed. "Although the Absolute defendants may have had a noble purpose, to assist the school district in recovering its stolen laptop, a reasonable jury could find that they crossed an impermissible boundary when they intercepted Plaintiffs' instant messages and webcam communications," wrote Rice in his judgment. "A reasonable jury could also find that such conduct would cause a person of ordinary sensibilities to suffer shame and humiliation."

The judge's 49-page judgment also suggests that Absolute may need to rethink its laptop recovery business model. "It is one thing to cause a stolen computer to report its IP address or geographical location in an effort to track it down," wrote Rice. "It is something entirely different to violate federal wiretapping laws by intercepting electronic communications of the person using the stolen laptop."

In addition, the judge said that the police department might be at fault for using images that were illegally obtained. One of the arresting officers had said that he was unfamiliar with federal wiretapping laws, and that he'd assumed Absolute had intercepted the communications legally. But according to Rice, "there is enough evidence from which a reasonable jury could find that the Springfield defendants should have known that it was illegal for the Absolute defendants to intercept plaintiffs' private communications."

According to court documents, the laptop in question was issued by the school district to a vocational student and stolen while he used it at the Springfield public library. The same day, the student reported the theft to police.

Later, a ninth-grade student at Kiefer Alternative School, where Clements-Jeffrey was a longtime substitute teacher, purchased the laptop--which had part of its serial number scratched off--at a bus station for $40. He then sold it to Clements-Jeffrey for $60, saying that the two-year-old laptop, which wasn't working after he'd accidentally wiped the hard drive, belonged to his aunt and uncle, and they'd given him permission to sell it.

Clements-Jeffrey agreed to buy the laptop, as long as another Kiefer teacher, Albert Apple, could make it work again. He did so, by reinstalling the operating system and adding free software, at which point the student attempted to renege on his deal. But Clements-Jeffrey insisted, and ultimately bought the laptop.
