Reply from a PI and CISSP
The author makes several false assertions.
First, the article implies that that those employed in private industry would be prohibited from performing forensic work for their employers. While I can only speak to the regulations of the states of California and Washington, where I have been licensed, both states only require a PI license when one is investigating a crime or loss for hire AS A CONTRACTOR. Employees are not restricted from doing their duties, and in fact, performing investigative work as an employee is how many PIs qualify for their license. There is no prohibition on gathering evidence for your employer.
The purpose of all forms of state licensing of professionals is to establish minimum qualifications in fields for which the general public would be incapable of determining. Would you want to see anyone who claims to be a medical doctor? Are you qualified to ascertain their educational background, professional performance history, and to submit to them written examinations? Would you want to have to do this every time you needed to vet a new professional?
Specifically with regard to PIs, the issuing state takes fingerprints and runs those prints through the state's criminal records agency and the FBI. This is to prevent the fox from guarding the hen house. The state also opens an account with those agencies to detect any new arrests and convictions of persons holding a license. Finally, the state can revoke the license of an unscrupulous licensee to prevent further harm from being done to the public.
While the ISC2 (the board governing CISSP certifications) asks applicants if they have felony convictions, they do not and can not verify the applicant's claims by checking their fingerprints. It's on the "honor system." The paradox of that situation should be obvious: can we trust criminals to be honest? The need for a criminal background check is apparent in the case of PIs, since they often gather evidence for use in court and could possibly alter that evidence to suit their needs.
The author claims that: "Most private investigators come from a police or forces background..." While that may be true, I didn't have one day of experience in either field when I received my PI license. The California Bureau of Security and Investigative Services (BSIS) credited me with the computer forensics work I had done in private industry in order to qualify for the 6,000 hours of documented and paid investigative experience needed to qualify for a PI license. California may require a PI license for some computer forensic work, but they also grant credit toward receiving a license for those who have actually done that work for their employers.
The requirement to hold a PI license is not a barrier to entry for anyone possessing the requisite years of experience in the field, and the author's claim that the requirement smacks of protectionism is no more so than the requirements for medical doctors, attorneys, and other professionals to qualify for state licenses.
The author's suggestion that all PIs should now be required to hold a computer science degree is as absurd as requiring that aircraft pilots be required to hold degrees in aeronautical engineering. A PI license demonstrates general knowledge in conducting investigations, retaining evidence, and state-specific laws pertaining to evidence. While the CISSP exam covers investigations - and it could not possibly cover the state-specific laws and procedures pertaining to all 50 states. Finally, imagine the cost to the public if PIs were actually required to hold a computer science degree.
Performing computer forensics is a highly specialized field, while the knowledge needed to obtain a PI license and pass the written exam pertains to gathering evidence for use in court. Digital forensic data is in a special class: it is far more perishable and vulnerable to alteration and chain-of-custody failures than is conventional physical evidence. If your freedom and property were at risk, would you want someone who had not been verified as being a non-felon or who may not have received intense training on the custody of evidence -- gathering your forensics for use in court?
Patrick Bryant, CISSP, CISA, California Licensed PI number 23268
Biting the hand that feeds IT
