Legal BlackBook
CyberInsecurity
April 2018
CAN A COMPANY BE TOO COOPERATIVE WITH THE GOVERNMENT?
Best Buy’s employees weren’t law enforcement agents, but they acted as if they were.
“How we think about cooperation is different than the way [FBI] Director [Christopher] Wray thinks about it.”
They don’t look like cops, and their cars don’t look like police vehicles. They’re not supposed to. They’re supposed to epitomize computer geeks. But lawyers at the Electronic Frontier Foundation (EFF) have learned that some of the individuals who work for the Geek Squad, the Best Buy employees who repair customers’ computer equipment, have been searching devices for incriminating information and passing what they find to the FBI. Aaron Mackey, a staff attorney at the EFF, has been working on the case for the San Francisco-based nonprofit. The civil liberties group is concerned about the Fourth Amendment implications, and it’s been digging for documents through the Freedom of Information Act (FOIA). Mackey, a former journalist, has also been blogging about it. The interview has been edited for style and length.

Legal BlackBook: How did you first bump into this case?
Aaron Mackey: I first learned of this story when a doctor in Southern California [named Mark Rettenmaier] was prosecuted as a result of the Geek Squad finding potentially illegal material on a hard drive that he had submitted for repairs. 

LBB: Have there been other cases like that one? 
AM: We know of at least one other. It’s actually a state case in Kentucky which the FBI and federal prosecutors declined to prosecute and referred to state authorities, who are prosecuting a man now. There may be others.

LBB: To your knowledge, did all of the Geek Squad searches that resulted in some law enforcement activity—whether they resulted in charges or not—involve alleged child pornography?
AM: The prosecutions that we’ve seen, yes. Some of the documents that we received as part of our Freedom of Information Act request make reference to identity theft investigations, but it’s a cover sheet and there’s a lot that’s redacted. It could be just a file name or a designation. It may not mean that there’s an investigation. What I can say is that all of the investigative reports that we’ve seen as part of our FOIA lawsuit involve investigations of potential child pornography.

LBB: After you found out about the Rettenmaier prosecution, what did you decide to do?
AM: We decided to file a Freedom of Information Act request to try to learn more about the relationship between the FBI and the Geek Squad. We wanted to understand what that relationship looked like and how it worked. We were concerned about the Geek Squad employees being paid to find this material, which was something that came out in the Rettenmaier prosecution. We were concerned also that perhaps the technicians who were being paid were going beyond their repair duties and actually doing investigations as an arm of the federal government. The FBI denied our request and told us they couldn’t confirm or deny anything. Then we filed our lawsuit, and they’ve produced a number of records—and withheld a number of others. 

LBB: Where did you file the lawsuit?
AM: In Washington. We have an attorney in D.C., David Sobel, who does a lot of our FOIA litigation. Our civil liberties director, David Greene, is also working with us. 

LBB: In summary, what is the FBI’s argument?
AM: What the FBI has said from the beginning, and what the Geek Squad and Best Buy have said as well, is that there’s no coordination. They don’t have an established relationship. All that happens is that the Geek Squad employees, in the course of repairing people’s devices, call the FBI when they find child pornography or other illegal material. And then the FBI comes and reviews what the Best Buy employees have found. They make a determination, and then they seize the device and get a search warrant and search for additional material. Then they decide whether to bring charges. Best Buy put out a statement that says there was no high-level coordination. There were four employees who were receiving payments. And three of them no longer work for Best Buy. The other has been reassigned.

LBB: What’s your response to the FBI?
AM: We’re concerned that the documents produced in the Rettenmaier prosecution, as well as the documents produced in our FOIA request, show some sort of relationship that goes back at least to 2008. The FBI was having meetings at the Geek Squad facility, they were receiving tours and they were paying individuals who we later learned were supervisors at the Geek Squad facility. So our No. 1 concern here is that this relationship is something more than just a private employee of Best Buy doing his or her work and finding something illegal and calling the cops. Our concern is that they’re going beyond that and actually doing something at the direction of the FBI. And in so doing, they’ve transformed themselves into agents or extensions of the FBI, and they shouldn’t be searching people’s devices without a warrant. And that’s ultimately what we’re concerned about: the potential Fourth Amendment violations of everyone who sends a device to be repaired at the Geek Squad facility.

LBB: This facility you’re referring to is in Kentucky?
AM: Yes. What happens is there are Geek Squad employees at Best Buys throughout the country. I think they come out to your home, and if you have low-level, minor repairs, you can take them in to the stores. But when you have a hard drive that’s failing or you’ve lost data on your device—what Geek Squad calls “data recovery”—they have to send those computers to this Brooks, Kentucky, facility. And it’s there where technicians do things to try to recover, or, if the hard drive is broken, extract the data and put it on a new hard drive or other media. It’s a wonderful thing if you lose your wedding photos, or photos of your kids. You can send it to them, and they’ll fix it. 

LBB: Is that the only place where, to your knowledge, this kind of law enforcement role has played out? 
AM: Yes. In our FOIA request, we asked for documents that would show whether they had any sort of relationship with other repair facilities—be they national tech businesses or local repair facilities in various cities—and the FBI has refused to confirm or deny whether any of those records exist.

LBB: Has anything changed to date as a result of your efforts and the resulting publicity?
AM: It’s hard to say. Best Buy has basically said about their employees who were paid that they didn’t know about it and they’ve put a stop to it. And in testimony in the state case, one of the special agents of the FBI who was involved said that they’ve stopped paying employees and they’ve stopped having that sort of relationship with the Geek Squad, although she was cagey about it—didn’t even want to call it a relationship. But we don’t have confirmation.

LBB: What are some of the unanswered questions you have at this point?
AM: Are there similar relationships that the FBI has with other repair facilities, say Apple and Apple Care? You bring your device into Apple, whether it’s an iPad or a MacBook, they take it and ship it out somewhere. Is there a similar type of relationship with wherever those repairs occur? Were there additional payments made to Geek Squad employees? How far back does this relationship go? What does the one-on-one interaction between the Best Buy employees and the FBI look like? Those are some of the basic questions that we don’t have answers to. 

LBB: What’s next?
AM: The government has produced all the records that they claim they’re going to produce, and so they’re going to move for summary judgment, arguing that they’ve met their burden under FOIA. What’s up next for us is we’ll be filing a cross-motion challenging their withholdings and asking the court to order further disclosure of records, including ordering the FBI to confirm or deny whether they have relationships with other repair facilities. 

LBB: Do you think you have a good chance at obtaining that information?
AM: We think that there’s good law on this point in FOIA. When you have some official confirmation of a similar type of pattern or practice, you can’t just say, “We’re not even going to tell you whether or not these documents exist.” So we think we have a fair shot at convincing the court that the FBI has to at least give us a yes or no answer. And then process records if they do have records. Whether or not we’ll ultimately prevail in terms of getting some of the records released or getting less redacted records, we’re optimistic.

LBB: Do you have reason to believe that they do have relationships with other companies similar to the one they had with Best Buy?
AM: We don’t have any documents or anything else that we’re aware of that would show us another relationship. We only learned about the Best Buy relationship, which has been going on for more than 10 years, as a result of this more recent prosecution. So it’s obvious that there are efforts to try to keep these relationships secret. 

LBB: FBI Director Christopher Wray gave a speech at a cybersecurity conference in Boston in March in which he talked about the importance of cooperation—the cooperation of all the government agencies that work on cybersecurity, and cooperation between the government and the private sector. The theme he kept returning to was: We’re all in this together. In your opinion, what are some of the potential benefits of public-private cooperation in this area? 
AM: How we think about cooperation is different than the way Director Wray thinks about it. The one area of cooperation that we would like to see is the government more affirmatively disclosing when they have identified vulnerabilities in software or hardware that’s used by all of us. And they should let the manufacturers know so they can fix the flaws rather than the government’s hoarding the information to use offensively, or keeping it secret so that they can patch their systems but leave us all vulnerable. That’s definitely an area where we think there needs to be better cooperation. But we see that as something where the government needs to do a better job, not necessarily private industry. Our concern, whenever there is private industry cooperation, is that it potentially requires those private actors to side with the government’s interests at the expense of the privacy and security of the company’s users. And that’s something that we think is really problematic. 

LBB: To continue to explore that perspective, what are the potential dangers for businesses when they cooperate with the government?
AM: You put yourself in the position of harming your relationship with your customers, with the owners of your stock, and with the public goodwill more broadly when you’re seen as siding with the government and perhaps doing things that intrude on the privacy of your users or jeopardize their security.

LBB: In your opinion, has Best Buy made mistakes here? 
AM: It’s hard to tell. What we’re still looking for is whether there was some sort of high-level coordination. It’s clear that there were supervisors at this facility who were taking money from the FBI. What we don’t know is whether they did so and then became active agents for the government. At the same time, I want to recognize that, to the extent that employees at Best Buy or anywhere find illegal material, particularly child pornography, there are legal requirements—usually state law—that say that they have to notify law enforcement. To the extent that what they say is true, that people at these facilities are just finding things because they’re making sure that all your photos are still working, then that’s fine. But what our concern has been is that it appears that perhaps there were several employees and supervisors at this facility who were potentially going beyond that and actively searching for it.

LBB: What are the lessons other companies can learn from this?
AM: One lesson is to make sure you really know what’s going on at these types of facilities. The management of the company has to work with law enforcement and respond to government orders and warrants. But they have to be aware of the pitfalls and damage to their brand and their goodwill with their customers if they’re seen as being agents of law enforcement. 

LBB: Are there potential costs for the FBI?
AM: Perhaps if someone were to bring a civil rights lawsuit. There are costs associated with the inability to bring cases and prosecute them through. You see that with the Rettenmaier prosecution. The FBI’s conduct played a central role in what the court ultimately found in terms of tossing out the search warrant because it found that the FBI agents were not truthful and misled or omitted information. And so that cost them a prosecution. And then there are more general costs: people’s perceptions of the bureau, and law enforcement in general, when they see this type of behavior.

Aaron Mackey
The EFF filed a FOIA request to assess the relationship between the Geek Squad and the FBI.
INTERVIEW: AARON MACKEY / ELECTRONIC FRONTIER FOUNDATION