Naked Security

Man logs into Facebook account of the woman using his stolen laptop

Two wrongs don't make a right: even if you find someone using your stolen laptop via remote-control software, it doesn't mean you can snoop through their stuff

Nothing like a little remote monitoring software to see who’s got their mitts on your stolen laptop, eh?

…or to log into that person’s Facebook page, discover all her phone numbers, find her friends’ lists and photos, read her past chats, and contact one of her chat buddies to inform them that their friend was about to become very famous indeed.

(Please don’t do that. Yes, you’re a victim of theft, but it’s still an invasion of privacy.)

That’s what happened to Stu Gale, from the Canadian town of Cochrane, in Alberta.

As reported by CTV News Calgary, somebody stole a truck on January 16. Then someone stole Gale’s laptop from his car, which was parked nearby.

And thus the game was on. Gale remoted into his laptop, where he found that a woman was using it to log in to her Facebook account.

Eventually, she wandered away. That’s when Gale had a chance to snoop through her profile and get her personal information and give one of her friends a call. CTV News Calgary quotes Gale:

I went through and got her phone numbers, friends list and pictures, and while I was doing that, two [chat] conversations started. I called one of them and told her [that the person in possession of his computer] was on a stolen laptop and told her I’d give [that person] the opportunity to return it.

Gale didn’t stop there. He also sent text messages to all the phone numbers he found on her Facebook account, saying that he planned to report the woman to the police.

He also left a note for the woman, presumably on her Facebook page. He went on to post her information to a number of Facebook groups. She reportedly shut down the computer when she came back to the room. She also deleted her Facebook account.

You’ll notice, if you look at the news coverage of this vengeance piece, that the woman is being referred to as a “thief”.

She’s been convicted without a trial. Unfortunately, it’s the kind of assumption that sparks virtual mobs carrying torches to burn people who should be considered innocent until proved guilty. This woman, regardless of how red-handed she appears to be, could in fact turn out to be innocent.

After all, just because somebody’s got your stuff doesn’t mean they stole it. All it might mean is that…

  • They’re a thief,
  • They bought stolen goods from a thief,
  • They found it, or …
  • A thief gifted them with the loot and they might not even be aware it was stolen.

If you want to emulate Gale by tracking stolen gadgets, best be careful. It’s far too easy to break privacy laws by accessing people’s private accounts.

Tom Keenan, a computer security expert at the University of Calgary, had this to say to CTV News Calgary about the legal ramifications of publishing such people’s information:

If you take somebody’s Facebook and you repost it, that’s a form of privacy invasion. You really do need to think about what you’re doing. Probably a better idea to take it to law enforcement.

In other words, just because we’ve been victimized by a thief doesn’t exonerate us from the crime of privacy invasion.

At any rate, Gale did in fact take the information he collected from the woman’s Facebook page and hand it over to local police.

RCMP said that they’re confident they’ll catch the thief, according to CTV News Calgary.


21 Comments

Tough, wouldn’t bother me to go through their Facebook page and if they were “gifted” the laptop, they can take it up with the person that gave it to them! :)

Reply

But wasn’t the “suspected” thief invading the privacy of the victim by using a laptop that contained all the victim’s private content? The victim’s only mistake IMHO was warning the suspect and her friends before sending the cops around to collect the stolen property.

Reply

No he wasn’t. He logged in to his own property ‘laptop’; what the person was doing on it at the time was irrelevant. Take that up with the person you got it off, and tell them you got busted using the stolen laptop and your details were compromised. I would login to mine if it were stolen and give details to the police. Or if it were close enough I would be bashing on the door telling them to hand it back. There should be a FIND MY LAPTOP 💻 APP TO DOWNLOAD; it will tell the address of where it is.

Reply

If the laptop still contained private information of the victim then I say all bets are off. You can’t be so naive to think someone is going to “gift” you a computer with other people’s info on it.

Reply

I once bought a new laptop from a reputable mail order supplier only to find a small amount of information on it, which I was then able to trace down to knowing that it had been used at some point by a kid in a specific year at a specific school and would have been able to identify them if I wanted. This was a good dozen years ago – pre Facebook.
But who broke the privacy laws – the one time owner for returning it with information on it, the manufacturer (as it would have gone via warranty), the reputable vendor, or myself for being the accidental recipient?
For “goods” being unaware of the source is no defence against “being in possession of stolen goods” which leads to some interesting possible interpretations.

Reply

That’s tricky. I suspect you’d not be the one liable, unless the information were abused–then you’d be the most liable. Good on you for not doing so.

That’s a great lesson/reminder for anyone about to return tech products–wipe as much as you can and restore factory state when possible.

Reply

Lisa–your thoughts? Mark and Duck please chime in.

We’ve seen similar slippery-slope cases. Privacy invasion is wrong and illegal–and messaging multiple contacts “your friend is a thief” clearly goes too far.

However our own privacy violated, we’re all prone to knee-jerk reactions–and knowing how often petty crime remains unsolved will degrade rational, in-flight thought processes. Can we evaluate good ideas now? Sooner or later we may wish we knew.

It’s also tough to ascertain the device is idle so useful reconnaissance is possible–they see you sleuthing and power down or disconnect. Knowing this will exacerbate already-hasty decisions and sloppy execution of even good ideas. I’ve asked TeamViewer to dashboard IP for this among other administrative reasons, but privacy is their scapegoat–even though I’m responsible for the devices–and I’m paying the bill. /tangent

Given remote software, I propose:

Immediately determine IP (i.e. WimIP dot com), and if Facebook is logged in, send a private message to the local police

Regardless of whose account you see, this message was sent via my stolen laptop. My name is Bryan, and I will message you from my own account shortly, then phone your department. I appreciate any help you can offer. thanks

Pre-composing the note locally and then pasting it to FB would help. Technically gleaning the IP is redundant since FB will have it–but knowing it outright precludes waiting on a FB subpoena.

Contacting the police directly denies the (alleged) thief a chance to initiate the device’s safe return, but prior comments are correct that receiving a device with private files should raise an eyebrow–if they’re honest they’re about to figure it out and report it anyway–let the police evaluate the alibi.

Lastly, one thing I’m sure of:
Telling a suspected thief “return my stuff, avoid the cops” is inadvisable. Scheduling a rendezvous with Unknown Someone who may or may not have taken my laptop and may or may not bring several large, armed acquaintances and who may or may not only agree to meet me because I’ve threatened law enforcement (but who at best recently had a stranger inform them “I caught you with a stolen laptop”) is not the best idea.

One could lose more than a laptop–including a wallet, a few teeth…or worse.

Reply

Bit hard to buy this scenario ..even a boss has a right to snoop on work computers…

Reply

The degree of snooping afforded to employers is likely well-defined, and I won’t pretend to know where the line is–though I’ll bet it falls short of using a keylogger to derive the users’ passwords for personal accounts–EVEN IF corporate policy strictly forbids personal use of any sort.

And your boss owns the computer you’re using, which also changes the dynamic in his/her favor.

Stu Gale understandably felt justified snooping–we all would–but sending messages to all of the woman’s FB contacts was unnecessary, as one message to the police (or himself) could accomplish the same without legally opening himself to counter-charges.

Reply

“And your boss owns the computer you’re using, which also changes the dynamic in his/her favor.” In this case Stu Gale also owns the computer the alleged thief is using. And I am wondering if just using her FB account without her consent (even if it is just to send a message to the police) is already illegal?

Reply

Good points–unsure. Speeding 51 in a 50 is clearly measurable and enforceable, but these matters could be more open to interpretation. It’s different telling police privately “I’m not Jane Doe, but she has my laptop,” and messaging every contact found.

It would certainly be easier to assert false impersonation (or identity theft, whatever legal term would apply) when Gale leaves comments intended to shame the woman into returning the property than quietly taking action without resorting to what countersuits would call libel.

Another thought about employer/employee interaction: it’s understood everywhere that on a work computer you’ll perform work duties, but how personal you can *also* get with your work computer varies. I’m in an informal environment, and personal use is given. At other places minimal personal use is implicit but not enforced. Still others have very strict policies and policing, with reprimands for violation–and/or technical limitations like DNS filtering, disabled USB/CD mounting…

If an employer gives advance documented notice that they’ll surveil workers’ activity, employees would have trouble making claims of violated privacy.

Then again, it’s probably universally understood that using someone else’s laptop without their consent might diminish certain expectations of privacy. :-)

Reply

I am not even thinking about identity theft or impersonation. Just the fact of using someone else’s account without their consent should be problematic. I mean, you are not allowed to log into someone’s account even if their account details are readily available to you, unless they give consent. So using their account while they are logged in should fall into the same category. Even if they are logged in on a stolen laptop that belongs to you.

Reply

Thanks for being patient with me–brevity and I are like oil and water. I suppose I only meant that police and judges are human and therefore subject to bias–even when it’s unintentional.

While it’s technically illegal to cross most streets without signal and crosswalk, a cop would be having a really bad day to still cite you for jaywalking if you did it to (i.e.) perform CPR on a little old lady. Open to interpretation via “extenuating circumstances.”

I still think you’re right about the letter of the law.

Reply

Should have encrypted the drive and no lock screen password either? Oh dear! As for untended valuables in your car…. Mind you, it takes the whole leaving USB drives lying around the car park to a new level – just leave your “modified” laptop in plain sight lying around and wait for the fun to begin. RAT on standby! Given enough time you could easily assume their identity. I think I would hand it in to the police rather than take the chance!

Reply

What kind of computer security expert is quoted in the article??

“If you take somebody’s Facebook and you repost it, that’s a form of privacy invasion. You really do need to think about what you’re doing. Probably a better idea to take it to law enforcement.”

How do you “take somebody’s Facebook and repost it”???

Reply

I really don’t think the victim here has anything to worry about, he was well within the law to “snoop” on “his” personal property. Anything the girl put, typed, entered instantly lost the expectation of privacy since the laptop was acquired by a criminal act and did not legally belong to the girl. The victim was within all legal rights to recover, establish, and secure his laptop in any way he could without committing another crime in the process.

The question is, therefore: Did he commit a crime in the process of doing what he did? Did the actions of the woman lead investigators to believe that she knew she received stolen goods? (Deleting Facebook accounts after being called out publicly online and trying to hide posts) most likely yes, she knew she received stolen goods and did not report (which is a crime).

Sometimes we must take steps to protect ourselves and the victim in this case did a fine job, I would not give him scoldings as the Author did in the article. In fact the victim took a problem that would have never been solved by local police and thought outside the box and solved the case himself. Bravo. We need more “Doers” like him in society and less like the author of this article.

Reply

Depends. As far as I see his actions didn’t get him his laptop back (yet). In order to do that he will need the police. And giving the police the identity of the suspected thief could have been done without messaging all her contacts. Probably would have been smarter, as it wouldn’t have made her aware that someone is on to her (should she be the actual thief).

Reply
