Now most enterprise network engineers are the type that want to block BitTorrent on the company networks, because opening lots of connections and maxing out the pipe can slow the network if there aren’t adequate safeguards in place – QoS policies based on protocol or application, for example – to prevent P2P apps from hogging bandwidth. Still, P2P in general, and even BitTorrent specifically, might help with a more efficient distribution of information on an Intranet.

And of course, there’s a large portion of the network engineering population that hates BitTorrent on their company network but loves it on their home machines.

Back in May, Slashdot wrote about the Ono project, which is a software plug-in that:

“allows P2P clients to efficiently identify nearby peers, without requiring any kind of cozy relationship between ISPs and P2P users. Using results collected from over 150,000 users, they have found that their system locates peers along paths that have two orders of magnitude lower latency and 30% lower loss rates than those picked at random by BitTorrent, and that these high-quality paths can lead to significant improvements in transfer rates.”

In short, it’s (theoretically) good for the end-user because it speeds up the download, and it’s good for whatever is serving as the ISP because it reduces connections over longer (and presumably more expensive) connections. Aqualab, the makers of Ono stated that in their testing:

In challenged settings where peers are overloaded in terms of available bandwidth, Ono provides a 31% average download-rate improvement; in environments with large available bandwidth, Ono increases download rates by 207% on average (and improves median rates by 883%).

I passed it up but was recently reminded of the Ono project by a friend of mine. So I thought I would check it out. In order to do so, I did a little informal test here at the office – please excuse my lack of scientific rigor, but Zombie Feynman should agree with me – with the Ono plugin for the Vuze/Azureus BitTorrent client.

Now, there’s really no such thing as a really controlled environment for a BitTorrent test – Ono’s averaging seems to be the best, but what we did was download the i386 version of the latest version of Ubuntu via torrent six times, alternating between using Azureus’s default settings and the Ono plugin.

Inconclusive? You bet!

At any rate, we didn’t see any massive differences in speed between using the Ono plugin than not using it. Considering that the slowest speed in the test was made using the Ono plugin, and the fastest speed was made with Azureus’s default settings, it certainly didn’t make us hopeful that the Ono plugin could deliver what it promised.

Then again, there are some caveats: There might be some overlooked misconfiguration on our end – or maybe we misunderstand the purpose of Ono and tested it under conditions that do not take advantage of the plug-in. As I mentioned earlier, this is not a scientific test. Still, I encourage others to test out the plug-in as well – if nothing else, the concepts behind Ono are sound, and if Ono succeeds and becomes a default part of BitTorrent clients, independent testing can help produce a more efficient network overall.

Warning: Information contained herein is not actual medical advice and should not be used to aid a fallen co-worker suffering from a heart attack. However, in certain cases, it may prevent high blood pressure, headache, anxiety, depression, anger, and insomnia.

An old saying in IT: You can’t manage what you don’t measure. Or as one of our customers told me, “one test is worth 1,000 opinions.” If you subscribe to those ideas, and you’re a customer of ours, I have good news. NetQoS customers have a wide array of data at their fingertips to conduct a meaningful “CPR” session.

• Check Status – Executive or management level visibility into performance of application response times, device level statistics, or network traffic composition.


• Plan Ahead and Avoid Problems – Baseline current performance, make and justify investment decisions to improve performance. Our customers are using our tools to gauge


• React and Recover – Identify hot spots and perform rapid trouble isolation and resolution.

(By the way, this is not to be confused with our services CPR engagement, which is "Critical Problem Resolution." Aren’t mnemonics neat?)

Of course, there aren’t any network or application engineers who don’t want tools to help them plan new work activities and respond effectively when faced with a difficult problems. But there’s often a bit of hesitation when it comes to management reports – a prevailing attitude is that giving management level visibility into the network is a bit like handing someone a stick and asking them to beat you roughly about the head and shoulders.

Certainly, that’s one way of looking at it. But, I’ve always found that somehow and in some way, performance management information is going to “get out”. Someone will complain that the network sure is slow. Or your boss may get blind-sided in a dark hallway by an angry user.

Or, alternatively, you can provide performance visibility to management and enlist their support in fixing any problems you find.

As network and application engineers, it’s easy to think of yourself as doctor to the network. No doctor, however, would conceal high-risk factors for heart disease from a patient.

A note from Joel Trammell, CEO, NetQoS.

Recently, there was an article by technical marketing manager Ben Erwin about why the company is named NetQoS, talking about the importance of Quality of Service policies.  While the message about quality of service as it is known today is important, there are a few things that should be corrected.

See, “Quality of service,” in the field of telephony, was defined in 1994 in the ITU-T Recommendation E.800 as the collective effect of service performance which determines the degree of satisfaction of a user of the service.

At the time of this definition it was believed that ATM (Asynchronous Transfer Mode) would be the future networking technology that would allow for combining voice, video and data traffic on the same circuit. ATM had by design many sophisticated traffic engineering approaches available within the protocol for ensuring QoS.

Over time IP (Internet Protocol) became the key competitor to ATM as a standard network protocol. IP’s only traffic engineering capability was the ability to provide differentiated classes of service. In an attempt to make IP seem similar to ATM, IP proponents began using the term QoS instead of the more technically correct term CoS (Classes of Service) to describe IP’s capabilities.

As IP won out in the marketplace over ATM a whole generation of engineers have come to believe that QoS and CoS are equivalent terms. NetQoS was named with the original, broader definition in mind.

(Also, the domain name NetQoS.com was available.  That was a big part of it too.)

Here’s Scott Adams’s “Dilbert” cartoon from this past Sunday. I believe it makes the argument that Wally, rather than being a slacker, is secretly a super-genius.

I could point out that it would be useful for Wally’s company to have some way to determine if the servers are indeed the problem, but that would be a bit like explaining the joke.

Of course, as far as comics go, my favorite is "Garfield Minus Garfield."

Long, long ago, in the before-time, when thunder lizards and warlocks roamed the earth, (i.e., a couple of years ago), I would have been impressed by marketing literature and contract language guaranteeing 99.999% availability. I mean, who wouldn’t be impressed at 5 minutes of downtime each year?

But five-9’s doesn’t cut it anymore. And neither does a 1 followed by 2 zeroes. Fact is, daytime users don’t care if the network, server, or [insert infrastructure type here], is available at night. A lot of dedicated people work awfully hard to keep those green lights blinking, but good availability shouldn’t come as a surprise.

Users care only about whether they can do their job at least as effectively as they are accustomed to doing it. Can they place an order, access an application, download a key file, view a video conference, place a VoIP call, etc. as effectively as they normally can? Yes? Super… but availability is still irrelevant to them. No? Not good. But don’t unsheathe your trusty availability metrics. You’re likely to be brow-beaten back to the era when people had only one brow (i.e., last week, for some of us who don’t own tweezers.)

Network gurus have passed down from generation to generation the ancient work, preserved forever, on lambskin punch-card parchment, the parable of the performance-technology gap. Let us consult the tomes.

The Guru Amnon was angry, as his field of network equipment would often fail (as it tended to do in those early days,) and his work would be undone through no fault of his own.

So Amnon left his network field and headed to the Silicon Mountain, to plead for mercy from the gods.

For three days and three nights, Amnon traveled, (with an overnight layover in the ancient city of Memphis). But he finally pleaded his case before the gods.

“Please, my servers are failing, my network cable is unreliable. I try so hard to work my network fields, so the business can harvest its bounty. But I am undone by the most frustrating of things that are never my fault.”

The gods did take pity on Amnon, but felt that it would be best to give him wisdom instead. So the Gods said to Amnon: “Go, Now, and by the time of the next great Temple Convention, you will have a network that never fails – a masterwork of infinite uptime.”

True to their words, the Gods granted Amnon’s request. By the time of the Temple Conference, on the High Holy Day of Installation, the green lights on his servers glistened like sapphires, blinking on and off in a rhythm harmonious with the universe. And the Guru was pleased, for he thought that he would not have to do so much work to keep the business going.

But it was not long before business unit owner, Casiphia, came forward and said: “What is this, wise Guru Amnon? I see the lights, but my unit cannot place or process orders. I see the green lights promise a harvest of luscious pairs, but they turn to ash in our mouth when we dare to sup.”

The Network Guru looked at his perfect network, and was confused: “This network was crafted from the gods themselves, and I, the wisest of the Gurus, maintain it! How can this be?”

In his hubris, Guru Amnon realized that he had neglected that a perfect network availability does not guarantee perfect network performance. With this, Guru Amnon was enlightened.

Measuring and reporting about availability may be a comfortable way of quantifying how a network behaves and it may be all you can squeeze out of a provider. (And yes, it is necessary… but not sufficient.) But it’s no way to measure user-effectiveness. And it’s certainly no way to support the business. The business runs on applications. Those applications run across a complex array of routers, servers, and switches. So skipping a performance first approach while managing just the underlying infrastructure is a sure fire way to find yourself foiled by your own hubris.

By Ben Erwin

Product Manager, NetQoS.

Let’s face it, as far as company names go, NetQoS doesn’t exactly roll off the tongue, unless you’re pronouncing it “Net-kose” instead of the correct pronunciation, “Net-Queue-Oh-Ess.” But obviously, QoS – Quality of Service – is an important concept in IT and so we thought we’d take a moment to explain a bit about the concept – and our name. 

What is QoS? By classifying traffic into specific queues, network managers can rank and prioritize mission critical applications to improve latency, minimize jitter and packet loss. 

Several QoS methods exist but the more common techniques include classifying (sometimes referred to as “tagging”) network traffic on the router or switch.  Therefore, router/switch companies (such as Cisco) provide different methods for configuring QoS policies and monitoring their impact. 

As a closely aligned Cisco technology partner, NetQoS supports multiple Cisco technologies capable of assessing the impact from QoS.  In addition, the inherent network monitoring capabilities within the NetQoS product suite, such as passive application response time monitoring, also provides QoS monitoring benefits. 

For example, NetQoS SuperAgent assesses the impact of application response time on mission critical applications, by monitoring TCP transactions from client to data center, which includes latency attributed by the wide area network (WAN). In addition, SuperAgent’s baselining capability allows you to create a profile of “normal” performance, which you can test against your changes in QoS policies – so you can prove the benefits of QoS to colleagues and management. 

We also have a product, NetQoS NetVoyant, which works with Cisco IP SLA.  It allows users to run synthetic tests between routers to calculate a varity of response time metrics over the WAN.  In these tests, users can set different parameters, including the QoS level.  The QoS parameter allows IP SLA users to test how QoS will impact response time metrics from router to router (i.e. over the WAN), prior to rolling out QoS on production applications.  Once the measurements have been collected, NetVoyant can access the routers, extract the measurements, and report the results, visually. 

Additionally, NetVoyant can track and visually report Cisco’s CBQoS, which provides a real-time status of how QoS has been deployed and performing on a given network device.  Policy trees, input class maps, output class maps, pre-policy bit rates, post-policy bit rates, and traffic shaping statistics are just a few of the metrics that can be extracted from CBQoS.

Part of every Cisco router currently in production includes a technology called NetFlow, which exports IP layer detail for every conversation traversing the router. Part of this IP layer detail is the ToS bit which corresponds to a specific QoS queue. ToS bits (or DSCP bits) are used to tag or classify network traffic into specific queues.  NetQoS ReporterAnalyzer, the traffic analysis module of the NetQoS Performance Center, collects NetFlow data and reports the associated volume, rate, and utilization metrics relevant to the network traffic.  Therefore, users have full visibility into how applications are being classified on the network to verify QoS deployment strategies or utilization per queue. 

So, as you can see, QoS is extremely important for managing application delivery – and that’s one of the reasons it’s part of our company name. 

Series Summary and Editorial
Part One: Interview with Texas State Rep. Joe Driver
Part Two: Interview with Matt Miller, Institute for Justice
Part Three: Interview with Capt. RenEarl Bowie, Texas Private Security Bureau

by Brian Boyko
Editor, Network Performance Daily

We’ve written three stories and conducted three interviews regarding HB2833.  The first was with the author of the law, Texas State Representative Joe Driver, the second with Matt Miller of the Institute for Justice, and the third with Texas Private Security Bureau Captain RenEarl Bowie.

Here is our editorial summary:

HB2833, the law designed to make changes to laws regarding private investigation but has PC and Network techs worried that their work may now be illegal, has caused confusion and worry from normal people doing normal jobs in a normal manner.  Whatever the original intent of the law, it is clear to see from its effects that the law itself is poorly written. 

Ultimately, words like “open to interpretation” and “case-by-case basis” are not words you want to use when describing either the meaning of, or enforcement of, the law.

So, where did things go wrong?  I think the man problem was a key misunderstood concept by Texas State Rep. Driver when he wrote the law.  It is clear from the interview with him that he believes that there is a clear and well defined line between “retrieval of data” and “investigation.”

“’Review, analyze, and investigate’ are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they're doing some of that, then they don't need to be - it doesn't need to be just anybody able to do that - they need to have somebody that has a security license. But if someone's just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that's just a regular computer repair person.” – Rep. Driver.

But what Rep. Driver simply did not realize is that in the practical realities of IT, no such line exists. Any and every interaction that any IT person has with a computer requires some sort of “review, investigation and analysis,” whether it’s simple troubleshooting or complex network latency optimization. 

I can see where Rep. Driver was going with the law and what his intent was when writing it – rooting around through someone’s Windows Recycle Bin can be just as invasive as rooting around in somebody’s trash. 

But rooting around in the guts of a computer to discover the cause of a malware infection is different from rooting around in the guts of a computer to discover infidelity.  However, instead of making the criteria of “investigation” the purpose and use to which the information could be put, the law makes the criteria the way that the information is stored – “computer-based data not available to the public.”  The end result is that the net was cast too widely. 

Compounding this problem is the interpretation provided by the Texas State Private Security Bureau of the law – a literal one.

“Computer repair or support services should be aware that if they offer to perform investigative services… they must be licensed as investigators” – Texas Private Security Bureau Opinion Summary.

Unlike the law itself, the opinion summary is an unambiguous statement, and while Capt. Bowie may say that the law will be interpreted on a “case-by-case” basis, that is not what is in the official statement of opinion. 

As for the court case brought by the Institute for Justice – unfortunately, the Institute for Justice seems to want to fight this case on Constitutional grounds.  However, that will be a hard sell, as qualifications and licensing are clearly powers that states exercise, from state bar associations for lawyers, and state medical boards for doctors.  If the state of Texas wants to make a PI license a requirement for PC repair techs, it certainly has the power to do so.  It may be absurd, but absurdity is not unconstitutional. 

So, where does that leave technical practitioners like network engineers and PC repair gurus?  As a practical matter, I think most people are going to continue going about this, “business-as-usual” style and make a stink only after the law is enforced on some, most likely unsuspecting, tech somewhere in Texas.

The good news is that I think that it is indeed possible to clarify and change the law through the legislative process – Rep. Driver has stated that he would indeed make changes to the law if it needs clarification or amendment. 

It clearly does.  

Part three of a series.
Part One: Interview with Texas State Rep. Joe Driver
Part Two: Interview with Matt Miller, Institute for Justice
Part Three: Interview with Capt. RenEarl Bowie, Texas Private Security Bureau

by Brian Boyko
Editor, Network Performance Daily

Recently, a posting on Slashdot linked to a story from PC Magazine called “Texas PC Repair Now Requires PI License.” Obviously, this story has gathered tons of attention, and if strictly true, would have a major impact on IT departments across the state, if not the nation.

Earlier, we posted a summary of the controversial law, HB 2833. We’ve also published interview with State Rep. Joe Driver, who authored HB 2833, and yesterday, we published an interview with Matt Miller of the Texas branch of the Institute for Justice, which is currently challenging the law in court.

Today we present an interview with Capt. RenEarl Bowie, of the Texas Private Security Bureau, regarding the Bureau’s interpretation of the law and policies towards PI licensing for computer and network techs:

Editor Brian Boyko, at NPD: First of all, could you tell me a little bit about who you are and what your position is?

Capt. RenEarl Bowie: Well, my name is RenEarl Bowie, I'm with the Texas Department of Public Safety, Private Security Bureau, and I'm the Captain of that bureau.

NPD: This department basically determines who needs, and issues, Private Investigator licenses, is that correct?

Bowie: Well the responsibility of the Bureau is to regulate the private security industry. And, encompassed in that industry are individuals who are considered private investigators.

NPD: The big controversy seems to be that a lot of people in the computer industry are doing investigations which they don't consider part of the private security industry, and it seems like there's been a lot of press recently - very recently - about whether or not the day-to-day operations of a typical PC repairman or network tech would constitute private investigation under the law and therefore require a license.

Bowie: Right, and I think, Brian, based on what you're saying, is that is what the intent and the spirit of the law is, under the Texas Occupations Code, 1702.104 [which] gives us a definition of what an investigation company is, and - you know, one thing you have to look at is when you read that particular statute, the interpretation is [that] the review of computer data for the purpose of investigating potential criminal or civil matters is a regulated activity under that code.

NPD: So could you give me a couple of examples as to what would be and what would not be covered under this law?

Bowie: A basic example would be an individual like a computer repairman who is providing computer repair or support services for a customer; normally that is not a regulated activity. But when an individual is performing work involving the review of computer data for the purpose of investigating criminal or civil matters, then they could fall under the 1701.104, which is considered an investigation company.

NPD: So, maybe I could give you a couple scenarios and you could help - maybe you could explain whether or not it would be covered. For example, let's say there was a network engineer who is trying to find the root cause of a slowdown on the network, and in the course of investigating that, they discover that the root cause is some sort of criminal activity, such as a virus infection, or someone engaging in massive intellectual property violation, in other words "piracy," something like that. Would they then require a private investigation license? Would they have to stop their investigation at that point?

Bowie: Based on the scenario you gave it sounds like they're performing a repair or support service, and they're not - the intent was not to go in and do an investigation, they are just collecting information that they found, and that doesn't, based on that scenario, doesn't rise to that level of an investigation.

NPD: What about a PC repairman who is being asked to check for viruses on a person's computer?

Bowie: That does not rise to that level either.

NPD: What if a parent brought in a computer that they owned, but which is primarily used by a son or daughter, and they wanted to find out, say, the browsing history?

Bowie: That's just considered normal computer repair or support service.

NPD: What wouldn't be considered normal computer repair - can you give me a very specific example where that line is crossed?

Bowie: No, it's - when you read into 1702.104, there is some interpretation there that you have to consider. I can't give you a specific example, I could probably use some type of scenario in the sense of, for example, if an individual is contracted to come in and say, for example, investigate your computer at your company - you have employees there, and you believe identity theft has occurred, that there's been some issues and you want this individual to come in, inspect the computers, you want them to come in, perform an investigation relating to the identity, the habits, the efficiency, movement, affiliations or locations or transactions and acts, or the character of a person, or the location and disposition of lost or stolen property, or some type of damage to the system, then I think you're moving more towards the spirit of the law, and falling into an investigations company.

NPD: Okay, so once you get to that point - this is something that's considered now to be routine is, if a person is suspected of - well, you could say a number of different things. Not just illegal activity but also perhaps, unauthorized use of the network - recreational network use - would that speak to the character of a person if they're browsing YouTube at work, and an investigation is made to determine if someone is browsing YouTube at work?

Bowie: I think what you have to do is take those on a case-by-case basis, and do a thorough investigation into the matter to determine whether a violation of the code has occurred. You just have to keep in mind that every scenario and case is different, and you have to take it on a case-by-case basis, and use the utmost discretion.

NPD: What happens if for, whatever reason, someone is ignorant of the law and they violate the law accidentally - that they perform an investigation, and in their particular case, even though they didn't intend to violate the law, they did? What happens then?

Bowie: Well, then again, it goes back to on a case-by-case basis, it involves good investigative work on behalf of the investigator looking into the matter, and then you have to evaluate what occurred, and what the individual knew, and what happened - and present the case to the court or to the prosecutor, if it even rises to that level.

NPD: Why do you think that this has been so controversial?

Bowie: As for as why it's been so controversial? I believe that there are entities or individuals that just want clarification and to get some understanding in regards to the statute, and it just recently became known to the media in regards to the individuals who raised the question, and of course the law was passed last year, but it has just been brought to media attention here just recently.

NPD: Is there any way you can think of to clarify the law and the interpretation of the law even further, so that instead of having to rely on the case-by-case basis scenario, to really hammer that down, "yes this case would be considered a private investigation, and this case would not."

Bowie: One thing individuals can do is they can definitely log on to our Web site, and when they get to the [Texas] Private Security Bureau Web site, there's a spot on the Web site called Private Security Bureau Opinion Summaries, and you click on that, and it has some definitions and even examples and some clarifications of 1702, and individuals can click on that and it'll definitely provide them with a lot of good information.

NPD: Well, thank you for speaking with us.

Part two of a series.
Part One: Interview with Texas State Rep. Joe Driver
Part Two: Interview with Matt Miller, Institute for Justice
Part Three: Interview with Capt. RenEarl Bowie, Texas Private Security Bureau

by Brian Boyko
Editor, Network Performance Daily

Recently, a posting on Slashdot linked to a story from PC Magazine called “Texas PC Repair Now Requires PI License.” Obviously, this story has gathered tons of attention, and if strictly true, would have a major impact on IT departments across the state, if not the nation.

Earlier, we posted a summary of the controversial law, HB 2833, along with an interview with State Rep. Joe Driver, who authored HB 2833.

Today we present an interview with Matt Miller of the Texas branch of the Institute for Justice, which is suing the Texas State Private Security Bureau. (We plan to conclude our series with an interview with RonEarl Bowie at the Texas State Private Security Bureau tomorrow. )

Matt Miller, Executive Director of the Texas State Chapter, Institute for Justice:

Editor Brian Boyko, at NPD: So, could you tell me a little bit about your organization?

Executive Director Matt Miller: Sure. We are a public interest law firm; we're based in Arlington, Virginia. We have offices now in Minnesota, Washington (state), Arizona, and now in Texas, and we file public interest litigation on behalf of individuals whose Constitutional liberties are taken away from them by government.

NPD: How many cases have you filed?

Miller: The Institute for Justice, in total?

NPD: Yeah.

Miller: Probably close to a hundred. "IJ" has been in business since 1992, and we work in four areas. We work in property rights - you may have heard of our "Kelo vs. New London" decision that came out of the U.S. Supreme Court, we work in free-speech in the areas of commercial speech and campaign finance reform, we work in economic liberty - which is what the case that we'll be discussing today is about - which challenges licensing restrictions. And then we're also the lawyers for the school choice movement.

NPD: So, could you tell me a little bit about who you are and what your position with the organization is?

Miller: Sure. I'm the executive director of the Texas State Chapter, so I run the office here in Austin. I have a staff attorney that works with me, and then we have an office manager and some law clerks from the University of Texas Law School.

NPD: So, could you tell me a little bit about this bill that has been passed into law - House Bill 2833?

Miller: Well, last Thursday [June 26, 2008], we filed suit against the [Texas] State Private Security Board on behalf of the owners of some computer repair shops here in Texas and their customers. Last year, the state of Texas passed a law that basically said that to perform a lot of types of data analysis; you have to have a private investigator's license. And, if you perform that analysis without a license, or if you are a customer and you seek to have that analysis performed by somebody without a license, it is punishable by up to one year in jail and up to $14,000 in fines.

NPD: Could you tell me a little bit about the language of the bill, where exactly it says that in the bill?

Miller: Well, what was changed in the bill - they amended the Texas Occupations Code, Chapter 1702, Section 104 of the Texas Occupations Code. And they added one little line - and it was done in subsection B, and they that for the purpose of subsection A, "obtaining or furnishing information" includes "information obtained or furnished through the review and analysis of any investigation into the content of computer-based data not available to the public."

This case got on our radar screen because the Private Security Board has issued a series of interpretations saying flat-out that this law applies to computer repair shops and a lot of people who analyze computer data in certain ways.

NPD: Sorry, what board was that again?

Miller: The Texas Private Security Board. They're basically charged with licensing private investigators, security guards, guard dog trainers - people of that type.

NPD: Alright, is that a government agency, or private function?

Miller: It is a State Agency. They are a sub-agency of the Texas Department of Public Safety.

NPD: The Lawsuit names them as the defendant?

Miller: It does. We have sued the members of the board in their individual capacity - excuse me, I'm sorry, let me correct that. In their official capacity. Which is what you're required to do when you file a lawsuit of this type against a state agency. And we are asking the Judge to declare that the law violates our clients' constitutional rights to practice their occupation free from unreasonable governmental interference.

NPD: Is the problem with the law or the interpretation of the law that the Texas Private Security Board has taken?

Miller: Well, it's with both. Laws can be interpreted in a lot of different ways, and the private security board has chosen to interpret this law very aggressively. Since the law can be interpreted in that way, there are problems with the law itself. The interpretations that the board has issues, is the reason that this case has come to our attention, because they say specifically that computer repair shops should be aware that if they offer to provide these services they've committed a crime. And that kind of caught our attention, so we started looking into it, and the law itself is problematic because it is subject to such a broad and aggressive interpretation.

NPD: Would it also affect network engineers performing network analysis on their own companies' computers?

Miller: Sure, and let's talk about that because, it is complicated and there is quite a bit of nuance. It kind of leads to how this applies to these guys. We've gotten calls from people who say, "Well, if somebody's switching out a hard drive, then that doesn't apply to them, right?" And the answer to that is, yes. It doesn't apply to them. But anyone who is analyzing data in a situation where that data points back to the actions of a third party - so, somebody who is not the computer's owner, or someone who is not the owner of the company - anytime a third party is implicated by data analysis, this law is potentially triggered.

What the board came back and did was, they said that any analysis of non-public computer data to determine the causes of events or the conduct of persons is what they're calling a regulated service. Of course, that is extremely broad. You know, for instance, if an employer went to a company and wanted to know how their employees were using the computer - that constitutes an investigation. The Board has said that when the service provider is charged with reviewing the client's computer-based data, for evidence of employee malfeasance and a report is produced that describes the computer related activities of an employee, it has conducted an investigation and has therefore provided a regulated service.

NPD: So, other than the lawsuit, is your organization taking any other actions?

Miller: We've obviously tried to bring this issue to light in the media. Because it is somewhat technical, we've had to educate the media on how this works. And they've been very responsive. But the primary vehicle we're taking here is this lawsuit and our goal is just to change the law. We're not seeking monetary damages, this is not a personal lawsuit - we're going to a judge and saying: "Judge, this is a bad law, and it stops our guys from practicing their profession - it stops a lot of people from potentially doing the things they do on a daily basis, and the law needs to be changed." So we're asking the judge to strike the law down.

NPD: Have you spoken to the author of the law? Rep. Driver?

Miller: We have not. We will do that in the due course of a part of our litigation, but we've not talked to him prior to filing this litigation.

NPD: What would happen if the judge does not find that the law is a bad law, but rather that the interpretation of the Texas Private Security Board was overly broad?

Miller: Well, in that event, then the board would be limited in the future in how they can enforce the law. And that would be a partial victory for our clients, because, if they were prohibited from enforcing the law against people who were just basically analyzing computer data in a way that was legal and that someone had asked them to analyze it, then obviously that would be a partial victory. The problem is that the law is still hanging out there, and it's going to be difficult for a judge to say that the interpretation is a problem without also saying that the law in which that interpretation is based is also a problem.

NPD: Well, is there anything else you wanted to add, anything that you think I've left out?

Miller: Well, again, I appreciate you interviewing me for this. The law is tricky, and the computer community just needs to be aware that anything they're doing that implicates third-party data or any reports they're producing for customers or for employers that says something about how a third party has used a computer is potentially regulated by this law. And they just need to be careful. We are working hard to have the law struck down in court, and we're moving as fast as possible on that, but in the meantime, people just need to keep an eye out and be aware of the issue.

NPD: Alright, well, thank you very much.

Miller: Certainly, thank you for your time.

Part one of a series.
Part One: Interview with Texas State Rep. Joe Driver
Part Two: Interview with Matt Miller, Institute for Justice
Part Three: Interview with Capt. RenEarl Bowie, Texas Private Security Bureau

by Brian Boyko
Editor, Network Performance Daily

Recently, a posting on Slashdot linked to a story from PC Magazine called “Texas PC Repair Now Requires PI License.” Obviously, this story has gathered tons of attention, and if strictly true, would have a major impact on IT departments across the state, if not the nation.

The law in question is Texas HB 2833, which is an updated collection of amendments to laws regarding private security services. It explains who, exactly, is required to get a private investigator’s license.

The controversial bit of the law in question seems to be this bit. The underlined part is what has been added:

SECTION 4.  Section 1702.104, Occupations Code, is amended to read as follows: 
Sec. 1702.104.  INVESTIGATIONS COMPANY.

• (a) A person acts as an investigations company for the purposes of this chapter if the person:




• (1)  engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:




• (A)  crime or wrongs done or threatened against a state or the United States; 


• (B)  the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;


• (C)  the location, disposition, or recovery of lost or stolen property; or


• (D)  the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;


• (b)  For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.

Because the law can be difficult to interpret, the Texas Private Security Bureau issued an opinion statement which clarified their position on this matter. The controversial statements there seem to be:

Computer Repair & Technical Assistance Services October 18, 2007

Computer repair or support services should be aware that if they offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators… [Text of law posted above.]

Please be aware that providing or offering to provide a regulated service without a license is a criminal offense. TEX. OCC. CODE §§1702.101, 1702.388. Employment of an unlicensed individual who is required to be licensed is also a criminal offense. TEX. OCC. CODE §1702.386.

and:

Computer Forensics August 21, 2007

First, the distinction between “computer forensics” and “data acquisition” is significant. We understand the term “computer forensics” to refer to the analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons. We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.

For example, when the service provider is charged with reviewing the client’s computer-based data for evidence of employee malfeasance, and a report is produced that describes the computer-related activities of an employee, it has conducted an investigation and has therefore provided a regulated service. On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided.

… Consequently, we would conclude that the provider of computer forensic services must be licensed as an investigator, insofar as the service involves the analysis of the data for the purposes described above.

In order to clarify some of this and figure out what this would mean to both personal computer repair technicians and network engineers, analysts and system administrators, we contacted Texas State Representative Joe Driver, who authored the bill, Matt Miller at the Texas branch of the Institute for Justice, which has launched a suit against the Texas Private Security Bureau, and RonEarl Bowie of the Texas Private Security Bureau. We’ll have podcasts and transcripts available on this site soon.

First, Texas State Representative Joe Driver, Author of Texas HB 2833:

Editor Brian Boyko, at NPD: So, could you tell me a little bit about who you are and what you do in the Texas Legislature?

Rep. Joe Driver: Hi. My name’s Joe Driver, I am state representative from Garland, Sachse, and Rowlett area which is Northeast Dallas County. I’m the current chairman of the Law Enforcement Committee, and this is my eighth term.

NPD: How often are each of those terms, two years, four years?

Driver: Two years.

NPD: So you have 16 years of experience writing legislation. And you authored this bill, I believe it’s [Texas] HB 2833?

Driver: Yes, sir.

NPD: Now that's currently a bill, not a law, correct? Or has it been passed?

Driver: No, it's been passed. The governor signed it.

NPD: Let me just bring up the law right here - and I'm looking at it. It is "an act relating to the licensing and regulation of certain private security services." Could you tell me a little bit more about what this act was designed to do?

Driver: Basically, it was a clean-up situation for the Securities Act. We felt like we had to go in and clean some things up. Some of it was old stuff, some of it was new stuff, but basically we worked pretty hard to try to just get it so that it was easier for people to interpret and - you know, some things hadn't been changed for quite a few years, so we were going through it, trying to just basically do a real thorough clean-up, and it turned into what you'd call an omnibus bill which is basically something that encompasses a lot of different areas.

NPD: How has the law changed for people who practice investigative services?

Driver: Well, there's quite a few changes in there. I really truthfully couldn't go into all of it, I mean, it's a pretty good sized bill. Of course, the one that's - there's some area that's getting some, I don't know, "interest" out there, but I think it's interest that has been generated by a group of folks, and basically in their newsletter, they just opened a new chapter in Texas and decided to file a lawsuit. That's all in one sentence - so it sounds like they decided to file the lawsuit so they could bring some attention to their new chapter.

NPD: It does to me that the law... now, I am not a lawyer...

Driver: Me neither.

NPD: I am not a... um... pretty good reader of bills. So, what I wanted to know... The claim is that people who repair personal computers would need to get a private investigator's license in order to continue repairing computers.

Driver: Yeah, and that's what they're claiming. It's interesting that they're claiming all that, and they filed a lawsuit on the same day that they decided to open their Texas chapter. To me, I just felt it was a way they're getting a lot of free publicity, and a lot of free press, and free TV time and free radio time, because the bill to me, it says what it says. There's three words that describe somebody that repairs computers, and that's if people retrieve or provide information, and there's three words that somebody "reviews, analyzes, or investigates" that material, then, they do need to have some sort of security clearance because they're delving into people's private lives or private property on the computer.

NPD: The one thing that I noticed was that it seems very clearly that this is for personal computer investigators, like someone who does analysis to determine whether a crime has been committed or something has been stolen, or intellectual property has been violated. It doesn't seem to me that this would apply to people trying to just recover information for the person's wishes.

Driver: Right, and you're correct. You used one of the key words in my opinion, which is "analyze." "Review, analyze, and investigate" are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they're doing some of that, then they don't need to be - it doesn't need to be just anybody able to do that - they need to have somebody that has a security license. But if someone's just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that's just a regular computer repair person. And those guys are great, they're good at what they do, and we never intended for them to get any kind of license other than have the ability to repair.

NPD: So, how do you think this came about - you mentioned that there was a new group - I think I may have a copy here of - are you talking about the Institute for Justice?

Driver: Yeah, yeah, that's them. Well, and I think - to me - that - I mean I've got something, I don't know if it’s a press release or just some information about them, but they actually said in here that they tell about how they're the "nation's leading litigators." They have a little cute name for them, and I thought I could think of that, but I'm not coming up with it. But, they basically said, "we fight for the rights of those violated by the government." And they're opening their new Texas chapter today (whenever this was written) by filing a lawsuit against the Texas Private Security Board. So they're kind of kicking off their opening - well, what better to draw attention to someone's opening then to get a lot of free press - they don't have to go out and advertise because - and I'm not criticizing you guys [the media] because, I'm just saying, that - to me, that's what they intended and that's part of what they did.

So. Lawyers can interpret, like you and I know, and we're not both, either one of us, luckily, they can interpret the same word three different ways if you get three different lawyers. And, I think that's what they decided to do here, and - to me, if someone reviews, analyzes, or investigates, they need a license. If they're just retrieving, providing or preparing information, that's what computer companies do, and as long as they want to do that, they're fine.

NPD: There is another possibility though - there is, - you wouldn't call them computer repairmen. There are people who work in enterprise networks, and we even have a term for it, "Network Forensics."

Driver: Like forensic scientists and all that stuff?

NPD: Not so much forensics...

Driver: That's the investigative part.

NPD: Not so much forensic scientists like a criminal forensic scientist. But for example, if a network is running slowly, not running at peak performance, there are tools that people can use to determine which computer may be slowing it down. Is it a virus - and that's all investigative work, but not investigative work related to criminal activity. It's just - so basically I'm wondering if maybe the law could have been written - not thinking about this possibility, and that maybe there might be some sort of loophole that needs to be amended. Does this just not apply to companies trying to improve their network performance?

Driver: Truthfully, you may be just a little bit out of my realm of comprehension on that, because, maybe that's something we need to look at tweaking, along those lines, to clarify that situation. We talked to lots of folks when we were writing this. Maybe we didn't talk to enough folks. But, as far as those types of things - maybe just a little bit far out of my comprehension on that. But the whole deal - like, if you have an IT person, (just cause that's all the terms I know,) IT person that somebody says, "Hey, we want you to delve into this person's computer, and find out what's going on." Well, if they delve into that person's computer, and - this is all I know about computers - and hands the information over to somebody else, then they don't need any kind of license because they're just doing their retrieving job. So, if the area you're talking about is different from that, you're probably out of what I understand and maybe something we have to look at.

But - anytime we do anything this massive, a lot of times there are areas of tweaking. But I just thought the coincidence of this particular group filing this lawsuit and bragging about filing the lawsuit on the day they opened their new chapter was just - coincidental and - because the intent of the bill was, as I've been saying, was, if you retrieve and provide information, you don't need a license.

Because I'm sure not trying to put anyone out of business. I'm a small business person, I would never do that!

NPD: What business do you run?

Driver: I'm in insurance sales.

NPD: What I'm wondering is if there is - like a specific exemption in the law that - most of these forensic investigators for network performance tend be of one of two types - the first time is that they're in-house, and that the company hires these people to do this job on the computers that the company owns. And if there's a specific exemption for investigative work on material that you own yourself. And the second, sometimes the people are hired by the company as a separate company - not direct employees, but outsourced. Is this something that might be protected under the law even if it falls under the "investigative" arm?

Driver: If it falls under the investigative arm, probably not, but I - I don't know about what you're describing to really comment more than that. I mean, I wish I did. But in this particular case, I don't. It's just a little deeper into the computer world than I know about.

NPD: You don't foresee legis-- any activity... what's the word I'm looking for...

Driver: A future bill, maybe, corrective measures, tweaking, something along those lines?

NPD: I was actually thinking of enforcement against-- you don't see this possibly being enforced against..

Driver: I don't. I don't. I really don't. I don't see - and then again, and it may be something that we may need to look at. And we may have somebody else look at it. Every time we have something like this come up we have people that want to tweak it just a little bit or change it just a little bit. And I'm not hardcore set against it. If it causing somebody problems then we ought to change it. I don't foresee it doing that but, I don't know. I mean, I really don't think it is. But if we find out that it does, that's what we're there for, to make sure it's written correctly and if it's not, we're going to change something a bit to make it right. Cause we're not after anybody, that's for sure, except the people that are doing investigative service for a living and yet, they don't want to bother with having - giving any kind of background or being qualified or licensed in any way.

NPD: That's pretty much all the questions I had.

Driver: Well, I wish I could have given you better answers. I think I kind of danced around one that - just because I don't have enough knowledge.

NPD: Don't worry about it - I'm not saying that - we're getting into some technical stuff. This isn't even a technical bill.

Driver: Not in intent, anyway.

NPD: History's full of bills that had to be amended after the fact because of something.

Driver: Well if you find out more information about it and found we really need to do something about it, call me back, and we'll get back in session, maybe we can use you for a little information, as far as how to do it right.

Representative Joe Driver can be contacted via e-mail through the Texas House Web site.We will have interviews with Matt Miller at the Texas branch of the Institute for Justice and RonEarl Bowie of the Texas Private Security Bureau available on this site shortly.

Network Performance Daily is based in Austin, Texas.