Software Vigilante

One of the final ways to guarantee a computer or smartphone's offline security is to install security software that can run if it is stolen from you. While Intel Anti-theft software, available to the law school laptops, offers to lock data and prevent the operating system from booting, there are those that take a more active approach. One such software, Prey, is open-source, meaning anyone can modify, download, and improve it. As of this publishing date, it can offer a variety of features to track, disable, and monitor your device. With the appropriate hardware (such as an attached webcamera or a smartphone), you can even take a picture of the perpetrator or watch him use your computer in real time. Since security software works on a discrete level, it is difficult for most thieves, assuming they expect it, to detect and get rid of it without having to wipe out or use a new hard drive. While it is pleasant to think that thieves are on the receiving end of digital karma, innocent purchasers who accidentally buy such products without due research may end up on the receiving end of the owner’s wrath. Such abilities previously required a significant degree of technical know-how, as evidenced by this video (some swearing, censored nudity). I'll summarize the video in nontechnical terms.

1. The speaker (aka the hacker "Zoz") owns a high end (at the time) Macintosh Pro G4 worth thousands of dollars. It ends up stolen.
2. Police manhandle his equipment when conducting an investigation, and Zoz desperately searches eBay and Craigslist to find his computer to no avail.
3. After several months, he notices that a software that typically updates his IP address for his server is no longer sending emails indicating that it is inactive, indicating that it has found an internet connection.
4. He finds the computer, and is able to ping (send a short message indicating it is online and responsive) it. It’s in Las Vegas. However, its IP address varies because it is on a dial up network, so police warrants ends up ineffective since they cannot pinpoint an address.
5. The hacker decides to both recover several files from the computer (using the thief’s own bandwidth) and monitor the thief’s activities, including installing a keylogger (a program which monitors all keystrokes made by the person). He hopes to get an address out of it. He is also able to access his desktop and access files made by the thief himself, as well as watch the real time activities of the thief.
6. Such activities include naked self-portraits, dating website activities (including the hilarious habit of copying and pasting the same message to hundreds of people, with limited success and naked pictures in response), porn surfing habits, Facebook (with an improper spelling of his own name), Gmail, and finally, his credit card information.
7. Having the credit card, he finally has an address to give to police. The address appears in a “secure” credit card website that warns about phishing. Law enforcement finally arrests the person. Zoz gives a lecture, the video goes viral, with over two million views.

Courts have currently not addressed this issue, given the previously limited availability and isolated examples of abuse. In the video’s case, the hacker’s extended monitoring was necessary because the ip address was difficult to pinpoint, data was necessary to be recovered, he had made a good faith effort to law enforcement, and the physical address of the thief was unavailable to him for a long time. Nevertheless, such internet vigilante justice raises interesting privacy risks should the owner had less noble motives. Such privacy risks are tempered because the owner's personal property is potentially traceable back to him. 

First, there is no Fourth Amendment protection, as the original owner of a computer is a private party. Societal expectations and the reasonableness of duration may not play a role. Secondly, there is the ability for real time monitoring of the hardware’s use that can be enhanced with additional tracking software without physical interaction. The hacker Zoz was able to install a keylogger (essential for uncovering the email address and dating website habits), and took screenshots of particular events which were easily sharable with law enforcement and captive audiences. The Prey software mentioned above can be upgraded with various plans that can notify the user of hardware changes, among other things. Thirdly, such privacy risks can extend beyond the original owner. Since smartphones and computers are devices that work socially, other people are likely to find themselves entangled with surveillance. Finally, such surveillance software can pinpoint addresses and its location with minimal intervention by the user. Unlike a warrant which requires a specific process and reason, a specialized program like Prey will act on its own immediately after the owner signals to the Prey server that the device has gone missing. Zoz could only figure this out by technical experience and a gut feeling, potentially missing out on early passwords and address inputs as a result. 

When active security software become ubiquitous, future case law may have to weigh the need for the owner to get relevant information and the potential of abuse and exposure of sensitive information.