Department Stores, Computer Forensics, and the Private Police

target.png

The September 1st issue of the New Yorker includes a fascinating article (not yet available online, but here’s the abstract) by John Colapinto about the high-tech, mini-police departments being set up by department store chains to catch shoplifters. The article, which focuses in particular on Target, veers for a brief moment into one of my areas of interest–computer forensics. Target has hired a “senior computer investigator” named Brent Pack, a former Army computer crime investigator who helped analyze the Abu Ghraib photographs. Why does Target need a computer investigator? Mr. Pack

analyzes digital storage devices seized from suspected retail-crime gangs–BlackBerrys, photo memory cards, cell phones, business servers, and desktop computers. . . . At the moment, Pack was analyzing a hard drive seized by the police in a phony-check-writing operation that had victimized Target stores. “I’m going through here and looking for any evidence of check-writing software on any of their hard drives,” he said, pointing to the computer screen, which showed a JPEG of a blank check

Is it proper for the police to delegate its forensic work to Target? The FBI agents I used to work with as a DOJ computer crimes prosecutor kept a tight leash on the data they had seized and were reluctant to share data with state and local cops, much less private parties. They justifiably worried about ensuring that non-FBI analysts were staying within the scope of the warrant, because courts have suppressed electronic evidence obtained outside of the scope of the warrant and have even thrown out all of the evidence obtained if the warrant was executed in flagrant disregard of its terms. I’m not saying that the use of a third-party forensic analyst should automatically result in a flagrant disregard ruling, but it will invite scrutiny.

And even if one can justify the use of private forensics specialists generally, shouldn’t the police refrain from giving 500 gigabytes of personal information to victims of crimes? Because victims–even corporate victims–have a strong incentive to solve the crimes committed against them, might they not feel more pressure than a cop to look beyond the scope of warrants, peering deeply into the private lives of data owners?

I am even more worried about a much more troubling possibility: Is Target seizing cellphones and laptops from suspected shoplifters? Discussing another, anonymous store, not Target, Colapinto describes how suspected shoplifters get hauled into interrogation rooms and questioned at length by former law enforcement agents. In addition to this, are store security personnel frisking suspects and seizing electronic devices? I can understand how a department store might be entitled to engage in a limited search to look for its stolen property, but does this justify the seizure, retention, and subsequent analysis of cell phones and laptops?

Reading this Article kept bringing me back to David Sklansky’s excellent article, The Private Police, 46 UCLA L. Rev. 1165 (1999) (abstract). A decade ago, Sklansky traced the rise of private police forces, focusing in particular on neighborhood patrol services starting with Pinkertonism in the 1800’s. He noted that as these entities play a greater role in policing society, this might give rise to the kind of invasions the Fourth (and Fifth and Sixth) Amendment was intended to prevent. If Target is seizing cell phones from suspected thieves–and I must stress that it is not clear from this article that they are–it realizes Sklansky’s fears.

You may also like...

4 Responses

  1. JP says:

    Interesting. I haven’t read the Sklansky article, but I’m curious as to why any Constitutional references are necessary. Isn’t common law civil liability (e.g., conversion, false imprisonment) intended to protect against this type of conduct? The corresponding criminal laws could be applicable against the security officers and corporations as well.

    Also, the stores might in some cases be more interested in large-scale detection and prevention of future fraud or shoplifting than in ensuring convictions on a few individual counts of shoplifting or check fraud.

  2. Cathy says:

    The Target guy might have issues doing what he does in Michigan:

    http://recordingindustryvspeople.blogspot.com/2008/09/computer-forensics-technicians-are.html

    (Michigan apparently has just passed a law requiring computer forensics technicians be licensed as private investigators in light of the MediaSentry nonsense regarding the RIAA lawsuits.)

  3. Paul Ohm says:

    JP–

    I haven’t done the Sklansky article justice. He doesn’t say that Constitutional remedies are necessary–in fact, he disagrees with others who had argued for extending the state action doctrine to cover the private police. Instead, he uses the spread and prevalence of private policing to engage in some interesting ruminations about the state action doctrine and equal protection.

  4. Danielle Citron says:

    Paul, Thanks for that excellent post. Law enforcement’s move here is part of a broader trend of privitization of government, which has a host of problems now including your terrific point. Do controls exist to ensure that the third-party contractors processing data (including individuals’ SSNs and other sensitive personal information) for agencies adhere to the Privacy Act? Not that I know of. And my favorite topic–the automated decision-making systems often built by vendors who encode policy, get it wrong, and no one knows until after lives are affected? Your post really got me thinking–thanks so much!