9/1/2011
10:11 AM

Laptop Tracking Software Faces New Privacy Heat

Judge rules couple can sue maker of Lojack For Laptops software for intercepting and sharing couple's sexually explicit communications with police.

How far can someone go when tracking stolen technology goods?

A case is set to test that question, after substitute teacher Susan Clements-Jeffrey ended up in possession of a stolen laptop that contained LoJack For Laptops, which is remote-recovery software sold by Absolute Software.

Absolute, after being notified by the laptop's owner that it had been stolen, began recording the device's IP address. It also captured what turned out to be sexually explicit messages and webcam images traded between Clements-Jeffrey, a 52-year-old widow, and Carlton Smith, a high school sweetheart with whom she'd just rekindled a long-distance relationship.

Absolute then shared the intercepted communications with police. Officers went to Clements-Jeffrey's house without a warrant, but with printouts of several of the sexually explicit webcam images, which they showed her. Ultimately, she admitted them to her apartment, where they found the laptop and arrested her on the charge of receiving stolen property. About a week later, the charge against her was dropped.

The suit, filed by Clements-Jeffrey and Smith--against Absolute Software, Absolute's theft recovery officer, as well as the city of Springfield, Ohio, and its police department--said that their communications had been illegally intercepted, per the Electronic Communications Privacy Act, and their privacy rights violated. The defendants, however, argued that Clements-Jeffrey had no such privacy rights when she was using the stolen laptop, and filed for a summary judgment, which is used to argue that a plaintiff lacks sufficient evidence to pursue a case.

Last week, however, federal judge Walter Herbert Rice dismissed the defendants' motion for a summary judgment, thus allowing the suit to proceed. "Although the Absolute defendants may have had a noble purpose, to assist the school district in recovering its stolen laptop, a reasonable jury could find that they crossed an impermissible boundary when they intercepted Plaintiffs' instant messages and webcam communications," wrote Rice in his judgment. "A reasonable jury could also find that such conduct would cause a person of ordinary sensibilities to suffer shame and humiliation."

The judge's 49-page judgment also suggests that Absolute may need to rethink its laptop recovery business model. "It is one thing to cause a stolen computer to report its IP address or geographical location in an effort to track it down," wrote Rice. "It is something entirely different to violate federal wiretapping laws by intercepting electronic communications of the person using the stolen laptop."

In addition, the judge said that the police department might be at fault for using images that were illegally obtained. One of the arresting officers had said that he was unfamiliar with federal wiretapping laws, and that he'd assumed Absolute had intercepted the communications legally. But according to Rice, "there is enough evidence from which a reasonable jury could find that the Springfield defendants should have known that it was illegal for the Absolute defendants to intercept plaintiffs' private communications."

According to court documents, the laptop in question was issued by the school district to a vocational student and stolen while he used it at the Springfield public library. The same day, the student reported the theft to police.

Later, a ninth-grade student at Kiefer Alternative School, where Clements-Jeffrey was a longtime substitute teacher, purchased the laptop--which had part of its serial number scratched off--at a bus station for $40. He then sold it to Clements-Jeffrey for $60, saying that the two-year-old laptop, which wasn't working after he'd accidentally wiped the hard drive, belonged to his aunt and uncle, and they'd given him permission to sell it.

Clements-Jeffrey agreed to buy the laptop, as long as another Kiefer teacher, Albert Apple, could make it work again. He did so, by reinstalling the operating system and adding free software, at which point the student attempted to renege on his deal. But Clements-Jeffrey insisted, and ultimately bought the laptop.
