IT staff, raise your right hand

It wasn't unusual a couple of decades ago for business owners to learn that agents of the state were quietly working under the guise of employees, keeping an eye on happenings in the company. Of course, that was in the former Soviet Union, back before the Iron Curtain fell. But you'd never know that if you work in South Carolina.

This summer, the state legislature passed, and the Governor signed into law, a provision that would require computer technicians, including corporate IT workers, to report to the police any instance of child pornography they might find on computers they are servicing. The law, in effect, requires people who work on computers and have access to the computer hard drives to act as agents of the state, while carrying out their tasks for their employers.

Though this practice is currently confined to South Carolina, civil rights and privacy advocates are already worried that the idea might spread. Whether it does or not, it raises many serious issues that were never addressed when this law, concealed in an education standards bill as an amendment, made its way through the approval process. Those people that know about the existence of this law, mostly people in government, say that this law is necessary to fight child pornography.

I think most people will agree that child pornography is a terrible thing. It's child abuse and exploitation pure and simple, but that's not the issue here. The issue is really the process of making a class of worker into agents of the state by law, and ordering them to spy on their customers and coworkers. The implications of that are scary indeed.

Though there are some serious Fourth Amendment issues that arise when this law is applied to individuals, the greater risk is in the corporate environment. Just to start with, are IT personnel trained to recognize child porn? For that matter, is there any agreement on what constitutes child pornography? And what happens when one company employee turns another into the police for allegedly possessing child pornography?

The more you think about the implications, the worse they look. For example, Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center in Washington, tells of an instance in which a photo processor (they have a similar requirement in South Carolina) turned in a mother for having taken a photo of her young child in the bathtub. Hoofnagle says that even if the person isn't convicted of anything in such a case, his or her life could easily be ruined.

There are relatively few privacy concerns with respect to corporate- owned computers. (The courts have decided that if the company owns the computers, it can inspect the contents of the hard disks, if it wishes.). But the prospects of other sorts of abuse are rampant. Suppose, for example, you have a disgruntled tech in the IT office who decides to teach you, his IT manager, a lesson by installing a photo or two, and then calling the police. How long would it take to prove your innocence? Could you even keep your job?

And that doesn't even cover the other legal issues of what happens when one class of employee becomes an agent of the state. The experts I've talked to say the new law is so far out on the fringes of the legal system that little has been tested yet. And speaking of experts, that recent bust of the child porn ring in Texas was the work of experts. Aren't they the ones most suited to enforce those laws?

But of course, the practice of making some employees into agents of the state was tested for over fifty years. We all cheered when that era ended with the fall of the Soviet Union. Maybe South Carolina and the governments that would follow their model will realize the perilous course they're on, and change direction.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics. He can be reached at wrash@mindspring.com.