According to some bloggers and news sources, a new Texas law requires all PC repair shops to get private investigator (PI) licenses. A group called the “Institute for Justice” has even filed a lawsuit based on that claim. These fears seem to rely on a drastically overbroad reading of the law.
The law, which amends the Private Security Act, expands the definition of an investigator to include anyone who does computer investigations. The key language is in Texas Occupations Code section 1702.104(b), which says that “[f]or purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.” Subsection (a)(1) lists investigation activities (e.g., criminal investigations, location/tracking investigations, finding lost or stolen property, etc.). In other words, if you do what we typically think of as an “investigation” (think Sam Spade), you have to get an investigator’s license, even if those investigations are of computers. The law is clearly aimed at computer forensics.
That’s not to say that the law is particularly well drafted to achieve that intent. The biggest problem is that “computer-based data not available to the public” is awfully vague. What does “not available to the public” mean, anyway? It is just exempting anything that’s on a public web server?
The Texas Department of Public Safety’s opinions support the stricter interpretation. The DPS explains that if computer repair services “offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators.” Yes, some computer repair shops that offer forensic services will need PI licenses. But Texas doesn’t require a PI license to remove spyware or upgrade memory.
The DPS opinions also say that not all forensic work requires a PI license. First, it draws a distinction between forensics (which involves analysis) and mere data collection (for later analysis by others).
Second, it notes that only certain information gathering makes one an “investigator.” If a forensic analyst gathers information not listed in section 1702.104(a)(1), then the analyst probably doesn’t need to be licensed as a PI. However, because the definition of “investigator” includes anyone gathering information about the “identity, . . . knowledge, . . . transactions, acts, reputation, or character of a person” and “the location, disposition, or recovery of lost or stolen property,” it seems that most computer forensic investigations would require licensing.
The DPS opinion also clarifies that network vulnerability testing firms don’t have to be licensed. There was some confusion on that point because the law uses the phrase “private security consultant.” The DPS opinion explains that as defined in the law, “security” means physical security. The law regulates security guards, locksmiths, alarm system companies, and private investigators, but not computer security consultants.
Post Process has informative and low-hype information about the Texas law.
Update:
Network Performance Daily has interviewed both State Rep. Joe Driver, who authored the bill, and Mike Miller of the Texas Institute for Justice. It’s worth reading for two different opinions of the same law.
