Risk
9/1/2011
10:11 AM
50%
50%

Laptop Tracking Software Faces New Privacy Heat

Judge rules couple can sue maker of Lojack For Laptops software for intercepting and sharing couple's sexually explicit communications with police.

How far can someone go when tracking stolen technology goods?

A case is set to test that question, after substitute teacher Susan Clements-Jeffrey ended up in possession of a stolen laptop that contained LoJack For Laptops, which is remote-recovery software sold by Absolute Software.

Absolute, after being notified by the laptop's owner that it had been stolen, began recording the device's IP address. It also captured what turned out to be sexually explicit messages and images captured with webcams, traded between Clements-Jeffrey, a 52-year-old widow, and Carlton Smith, a high school sweetheart with whom she'd just rekindled a long-distance relationship.

Absolute then shared the intercepted communications with police. They went to Clements-Jeffrey's house without a warrant, but with printouts of several of the sexually explicit webcam images, which they showed her. Ultimately, she admitted them to her apartment, where they found the laptop and arrested her on the charge of receiving stolen property. About a week later, the charge against her was dropped.

The suit, filed by Clements-Jeffrey and Smith--against Absolute Software, Absolute's theft recovery officer, as well as the city of Springfield, Ohio, and its police department--said that their communications had been illegally intercepted, per the Electronic Communications Privacy Act, and their privacy rights violated. The defendants, however, argued that Clements-Jeffrey had no such privacy rights when she was using the stolen laptop, and filed for a summary judgment, which is used to argue that a plaintiff lacks sufficient evidence to pursue a case.

Last week, however, federal judge Walter Herbert Rice dismissed the defendants' motion for a summary judgment, thus allowing the suit to proceed. "Although the Absolute defendants may have had a noble purpose, to assist the school district in recovering its stolen laptop, a reasonable jury could find that they crossed an impermissible boundary when they intercepted Plaintiffs' instant messages and webcam communications," wrote Rice in his judgment. "A reasonable jury could also find that such conduct would cause a person of ordinary sensibilities to suffer shame and humiliation."

The judge's 49-page judgment also suggests that Absolute may need to rethink its laptop recovery business model. "It is one thing to cause a stolen computer to report its IP address or geographical location in an effort to track it down," wrote Rice. "It is something entirely different to violate federal wiretapping laws by intercepting electronic communications of the person using the stolen laptop."

In addition, the judge said that the police department might be at fault for using images that were illegally obtained. One of the arresting officers had said that he was unfamiliar with federal wiretapping laws, and that he'd assumed Absolute had intercepted the communications legally. But according to Rice, "there is enough evidence from which a reasonable jury could find that the Springfield defendants should have known that it was illegal for the Absolute defendants to intercept plaintiffs' private communications."

According to court documents, the laptop in question was issued by the school district to a vocational student and stolen while he used it at the Springfield public library. The same day, the student reported the theft to police.

Later, a ninth-grade student at Kiefer Alternative School, where Clements-Jeffrey was a longtime substitute teacher, purchased the laptop--which had part of its serial number scratched off--at a bus station for $40. He then sold it to Clements-Jeffrey for $60, saying that the two-year-old laptop, which wasn't working after he'd accidentally wiped the hard drive, belonged to his aunt and uncle, and they'd given him permission to sell it.

Clements-Jeffrey agreed to buy the laptop, as long as another Kiefer teacher, Albert Apple, could make it work again. He did so, by reinstalling the operating system and adding free software, at which point the student attempted to renege on his deal. But Clements-Jeffrey insisted, and ultimately bought the laptop.

Read our new report, State Of The IT Service Desk: Change Management Remains Key. Download the report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4467
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attackers to spoof the UI via a crafted web site.

CVE-2014-4476
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4477
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4479
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4480
Published: 2015-01-30
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.