Police blotter: Ex-employee faces suit over file deletion

International Airport Centers sues former employee, saying use of secure file deletion utility violates hacking laws. Court agrees.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
4 min read
"Police blotter" is a weekly report on the intersection of technology and the law.

What: International Airport Centers sues former employee, claiming use of a secure file deletion utility violated federal hacking laws.

When: Decided March 8 by the U.S. Court of Appeals for the 7th Circuit.

Outcome: Federal hacking law applies, the court said in a 3-0 opinion written by Judge Richard Posner.

What happened, according to the court: Jacob Citrin was once employed by International Airport Centers and given a laptop to use in his company's real estate related business. The work consisted of identifying "potential acquisition targets."

At some point, Citrin quit IAC and decided to continue in the same business for himself, a choice that IAC claims violated his employment contract.

Normally that would have been a routine business dispute. But the twist came when Citrin dutifully returned his work laptop--and IAC tried to undelete files on it to prove he did something wrong.

IAC couldn't. It turned out that (again according to IAC) Citrin had used a "secure delete" program to make sure that the files were not just deleted, but overwritten and unrecoverable.

In most operating systems, of course, when a file is deleted only the reference to it in the directory structure disappears. The data remains on the hard drive.

But a wealth of programs like PGP, open-source programs such as Wipe, and a built-in feature in Apple Computer's OS X called Secure Empty Trash will make sure the information has truly vanished.

Inevitably, perhaps, IAC sued. The relevance for Police Blotter readers is that the company claimed that Citrin's alleged secure deletion violated a federal computer crime law called the Computer Fraud and Abuse Act.

That law says whoever "knowingly causes damage without authorization" to a networked computer can be held civilly and criminally liable.

The 7th Circuit made two remarkable leaps. First, the judges said that deleting files from a laptop counts as "damage." Second, they ruled that Citrin's implicit "authorization" evaporated when he (again, allegedly) chose to go into business for himself and violate his employment contract.

The implications of this decision are broad. It effectively says that employees better not use OS X's Secure Empty Trash feature, or any similar utility, because they could face civil and criminal charges after they leave their job. (During oral argument last October, one judge wondered aloud: "Destroying a person's data--that's as bad as you can do to a computer.")

Citrin pointed out that his employment contract permitted him to "destroy" data in the laptop when he left the company. But the 7th Circuit didn't buy it, and reinstated the suit against him brought by IAC.

Excerpts from Posner's opinion (click here for PDF), with parentheses in the original: The provision of the Computer Fraud and Abuse Act on which IAC relies provides that whoever "knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer (a defined term that includes the laptop that Citrin used)," violates the Act. Citrin argues that merely erasing a file from a computer is not a "transmission." Pressing a delete or erase key in fact transmits a command, but it might be stretching the statute too far (especially since it provides criminal as well as civil sanctions for its violation) to consider any typing on a computer keyboard to be a form of "transmission" just because it transmits a command to the computer...

Citrin's breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC's agent--he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship...

Citrin points out that his employment contract authorized him to "return or destroy" data in the laptop when he ceased being employed by IAC (emphasis added). But it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have--if only to nail Citrin for misconduct. The purpose of the provision may have been to avoid overloading the company with returned data of no further value, which the employee should simply have deleted.

More likely the purpose was simply to remind Citrin that he was not to disseminate confidential data after he left the company's employ--the provision authorizing him to return or destroy data in the laptop was limited to "Confidential" information. There may be a dispute over whether the incriminating files that Citrin destroyed contained "confidential" data, but that issue cannot be resolved on this appeal. The judgment is reversed with directions to reinstate the suit, including the supplemental claims that the judge dismissed because he was dismissing IAC's federal claim.