A DISCUSSION OF LAW AND JOURNALISM

The Legal Lowdown on LoJack

By Meghan Lalonde and Ryan Morrison

Chances are if you have Internet access (which you almost certainly do if you are reading this article), you spend a decent amount of time watching videos on your computer. How would you feel, though, if you found out your computer was also watching you? Cheesy plot to a horror film? Yes actually… but for one 52 year old widow this storyline was a reality.

Our story begins when Susan Clements-Jeffrey, a long-term substitute teacher, bought a non-functioning laptop for $60 from one of her students.. Although at first wiped of all software, the computer was restored to working condition by a fellow teacher at the school. Ms. Clements-Jeffrey claims she believed she had received an amazing deal and did not consider for even one second that she’d purchased stolen goods.

The substitute teacher used the laptop for a number of standard purposes, and some not-so standard, including intimate webcam conversations with her boyfriend, which she conducted in the nude. Her audience was larger than she anticipated.

Because the computer had the popular security software Lojack for Laptops installed, after it was reported missing by its owners, the Clark County School District, LoJack employees were monitoring its web activity.  Screenshots of the video were taken and turned over to Springfield Police who identified her.   She was arrested for possession of stolen property, though the charges were soon after dismissed.

But in 2009 Ms. Clement-Jeffrey sued the computer software company and  the Springfield Police Department in Federal District Court for the Southern District of Ohio alleging violations of her Fourth Amendment right to privacy, the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and the Fourth Amendment.

The Associated Press reported that Ms. Clements-Jeffrey recently accepted a settlement of an undisclosed sum with the software developers so we’ll never know how a trial would have played out.  But though we can’t hear you from your computer (we don’t work for LoJack) we’ll just assume you’re curious about a legal analysis of the case.   Here goes.  

First, a bit about how LoJack works.  When a device is reported missing, the owner notifies Absolute, whose employees can remotely locate the device through a GPS signal or a wireless network the next time the computer gets online.  The location is pinpointed by the computer’s IP address, but LoJack is able to photograph the computer’s surroundings by remotely accessing its webcam. In addition, Absolute employees can access and retrieve any documents and files located on the machine’s internal memory. According to Wired, the Clark County School District, had given Absolute’s staff “the ability to view and recover any files” on the computer.

The ECPA prohibits unauthorized persons from intentionally, actually, or even attempting to intercept, use, or disclose any personal electronic communication. Violations are punishable by fine or imprisonment for up to five years. The SCA specifies the narrow procedures law enforcement officials must follow to legally gain access to stored emails, account records, and other electronically saved data.

Absolute argued that Ms. Clements-Jeffrey was a “computer trespasser” defined in 18 U.S.C. § 2511 as “a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer.” But the statute refers to law enforcement agents, or those acting under the “color of law”, as those capable of breaching these privacy rights.  LoJack employees don’t exactly fit the bill.

Absolute maintained that, in fact, it was working as a law enforcement agency since it was acting on behalf of its customer, a public school district, to return stolen goods but Judge Rice stated in preliminary hearings that this defense was “wholly without merit.” The judge went on to say, “It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down. It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.”

While the Lojack remains available for purchase despite the troubling capabilities of the software and its developers, the biggest hurdle for Ms. Clements-Jeffrey on the path to settlement was proving she was a good-faith buyer – meaning she had not knowingly purchased a stolen device. A good-faith buyer is entitled to an expectation of privacy. A bad faith buyer?  Not so much.  If Ms. Clements-Jeffrey knew the laptop was stolen, she would have forfeited the law’s protection. But the court determined that although close inspection of the laptop may have indicated it was stolen, Ms. Clements-Jeffrey remained a buyer in good faith.  She seemed to have a good chance of winning this case on the merits.

Still, it’s no surprise this case was settled out of court. Ms. Clements-Jeffrey received a settlement and saved herself the embarrassment of having her webcam sexual conversations being covered at the trial and discussed on the local news. Calls placed to the law firm representing Ms. Clements-Jeffrey were not immediately returned.

CORRECTION:  LoJack Corporation licenses its name to Absolute Software for the LoJack for Laptops product, but that product is manufactured, marketed, sold and supported by Absolute Software and not LoJack or LoJack Corporation.

Comments

8 Comments »

8 Responses

  1. r2d2 says:

    Gimme a break. The woman bought stolen property, and the LoJack folks and police saw her naked. Big deal. They didn’t make this public, she did, when she sued them. So now all the world including her students can know she made sexy talk with her boyfriend. And the LoJack should pay her? Why? We all want privacy but if someone is trying to return stolen goods and sees us naked, they shouldn’t have to pay for the privilege.

  2. Todd Thomas says:

    well, she’s 52 and she’s no spring chicken…sounds like she was just embarrassed to me!

  3. r2d2 says:

    she was so embarrassed she sued, so that everyone in the world would know she did this, rather than just a cop and a LoJack employee. She wasn’t so much embarrassed as out for gold.

  4. Greenville says:

    This chick looks like The Millionaire Matchmaker, Patty Stenger. I thought it was really her.

  5. Jason Gamboa says:

    The legitimate owner of the machine has the authority and right to authorize Absolute to perform this type of monitoring on their machine. The computer does not cease actually belonging to the actual legitimate owner just because someone else bought it, good faith or not. If a police report is on file and the owner has declared on the record the machine is stolen, they have every right to monitor the usage of their own computer and to authorize Absolute to do so on their behalf. In fact Absolute has an EULA that you must agree to and certain features, like location monitoring, you must specifically choose to authorize them to perform. It’s just like if your car was stolen and you report it to police and OnStar uses the onboard equipment to find the car. They don’t have to wait to find out if you bought it in good faith to track you down, it is STOLEN. The only part that good faith is supposed to play is when it comes down to charging the person who has the machine or not with receiving stolen property.

    It wasn’t a good idea for the police to show the woman the pictures they had. There was no need for them to reveal the software’s capability and put her through that if it wasn’t required to find that machine. Her IP address was sufficient and all they needed to do was see her face and say “Yep, same lady, we’re on the right track” without showing her the photos. IP addresses alone won’t tell you WHO is using the machine, you do need photos, screen grabs and some keystroke logs to put together a picture of who has the machine, especially if it’s being used on an open wi-fi hotspot.

  6. Jason Gamboa says:

    By the way, there IS NO such animal as a fourth amendment “right to privacy”. There IS a fourth amendment right against UNREASONABLE searches and seizures. Funny that the judge ruled that Absolute was NOT a law enforcement entity for the purposes of Absolutes insistence that it was withing federal law. Therefore there is no fourth amendment claim, because case law clearly establishes that searches conducted by private entities are not bound by restrictions of the fourth amendment, which obviously only applies to government entities.

  7. Jeremy says:

    Hello – I wanted to send the editor a correction on this article. The specific case that you’re referring to involves Absolute Software and their LoJack for Laptops product. LoJack Corporation licenses its name to Absolute Software for the LoJack for Laptops product, but that product is manufacturered, marketed, sold and supported by Absolute Software and not LoJack or LoJack Corporation. If this article could reflect those edits, I’d appreciate it. Please let me know if you have any questions.

  8. Just another victim... err Acer customer says:

    The author is missing an important point here: Lojack itself and how it works.
    -So, how does it work: it’s backdoor component comes pre-installed on a lot of machines not necessarily with customer consent or knowledge… then it gets an activation command over a software (or, what guarantee do we have it can’t be activated over the network itself by some sort of a wake up command? Since it’s not sold as a BIOS update, I can’t see any.). Afterwards it sends at least daily the computer ID and location in form of IP, downloads and runs any software from Absolute.
    -Does the Absolute backdoor activate and start sending location and computer ID (personal identifiable information) under other circumstances? In my case it did so.
    -Now: imagine someone foolish enough to pay for that backdoor to be opened and used to retrieve his laptop if it’s ever stolen, hoping Absolute will not allow someone access to the computer data, microphone, camera, and so on, instead of buying theft insurance.
    -Does Absolute claim Lojack protects the data from falling into wrong hands in case of theft? If they do so they Lie or tell only half of the truth. Is the thief after the data, he will remove the battery 5 minutes after theft. Then unscrew the HDD, put it in his computer and copy at will. As far as I know no Lojack can stop him at that point. A somewhat effective protection in this case would have been drive encryption and the best free tool I can recommend for this is TrueCrypt.

Leave a Reply