10:11 AM

Laptop Tracking Software Faces New Privacy Heat

Judge rules couple can sue maker of Lojack For Laptops software for intercepting and sharing couple's sexually explicit communications with police.

How far can someone go when tracking stolen technology goods?

A case is set to test that question, after substitute teacher Susan Clements-Jeffrey ended up in possession of a stolen laptop that contained LoJack For Laptops, which is remote-recovery software sold by Absolute Software.

Absolute, after being notified by the laptop's owner that it had been stolen, began recording the device's IP address. It also captured what turned out to be sexually explicit messages and images captured with webcams, traded between Clements-Jeffrey, a 52-year-old widow, and Carlton Smith, a high school sweetheart with whom she'd just rekindled a long-distance relationship.

Absolute then shared the intercepted communications with police. They went to Clements-Jeffrey's house without a warrant, but with printouts of several of the sexually explicit webcam images, which they showed her. Ultimately, she admitted them to her apartment, where they found the laptop and arrested her on the charge of receiving stolen property. About a week later, the charge against her was dropped.

The suit, filed by Clements-Jeffrey and Smith--against Absolute Software, Absolute's theft recovery officer, as well as the city of Springfield, Ohio, and its police department--said that their communications had been illegally intercepted, per the Electronic Communications Privacy Act, and their privacy rights violated. The defendants, however, argued that Clements-Jeffrey had no such privacy rights when she was using the stolen laptop, and filed for a summary judgment, which is used to argue that a plaintiff lacks sufficient evidence to pursue a case.

Last week, however, federal judge Walter Herbert Rice dismissed the defendants' motion for a summary judgment, thus allowing the suit to proceed. "Although the Absolute defendants may have had a noble purpose, to assist the school district in recovering its stolen laptop, a reasonable jury could find that they crossed an impermissible boundary when they intercepted Plaintiffs' instant messages and webcam communications," wrote Rice in his judgment. "A reasonable jury could also find that such conduct would cause a person of ordinary sensibilities to suffer shame and humiliation."

The judge's 49-page judgment also suggests that Absolute may need to rethink its laptop recovery business model. "It is one thing to cause a stolen computer to report its IP address or geographical location in an effort to track it down," wrote Rice. "It is something entirely different to violate federal wiretapping laws by intercepting electronic communications of the person using the stolen laptop."

In addition, the judge said that the police department might be at fault for using images that were illegally obtained. One of the arresting officers had said that he was unfamiliar with federal wiretapping laws, and that he'd assumed Absolute had intercepted the communications legally. But according to Rice, "there is enough evidence from which a reasonable jury could find that the Springfield defendants should have known that it was illegal for the Absolute defendants to intercept plaintiffs' private communications."

According to court documents, the laptop in question was issued by the school district to a vocational student and stolen while he used it at the Springfield public library. The same day, the student reported the theft to police.

Later, a ninth-grade student at Kiefer Alternative School, where Clements-Jeffrey was a longtime substitute teacher, purchased the laptop--which had part of its serial number scratched off--at a bus station for $40. He then sold it to Clements-Jeffrey for $60, saying that the two-year-old laptop, which wasn't working after he'd accidentally wiped the hard drive, belonged to his aunt and uncle, and they'd given him permission to sell it.

Clements-Jeffrey agreed to buy the laptop, as long as another Kiefer teacher, Albert Apple, could make it work again. He did so, by reinstalling the operating system and adding free software, at which point the student attempted to renege on his deal. But Clements-Jeffrey insisted, and ultimately bought the laptop.

Read our new report, State Of The IT Service Desk: Change Management Remains Key. Download the report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.