Feds use keylogger to thwart PGP, Hushmail

A recent court case provides a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar.

An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives' contents and inject a keystroke logger into the computers.

That was necessary, according to DEA Agent Greg Coffey, because the suspects were using PGP and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed "real-time and meaningful access" to "monitor the keystrokes" for PGP and Hushmail passphrases.

The aggressive surveillance techniques employed by the DEA were part of a case that resulted in a ruling on Friday (PDF) by the 9th Circuit Court of Appeals, which primarily dealt with Internet surveillance through a wiretap conducted on a PacBell (now AT&T) business DSL line used by the defendants. More on that below.

The DEA's pursuit of alleged Ecstasy manufacturers Mark Forrester and Dennis Alba differs from the first known police use of key-logging software, which snared reputed mobster Nicodemo Scarfo in 1999. In the Scarfo case, the FBI said in an unclassified affidavit (PDF) at the time, a keylogger that also was planted in a black bag job was disabled when the Internet connection became active.

Not much more is known about the DEA's keylogger in the Forrester-Alba case. An affidavit prepared by DEA agent Coffey in July 2001 asks for permission to enter the Escondido office "by breaking and entering, if necessary, for the purpose of installing, maintaining, and removing software tools" that "will enable agents to capture and record all keyboard keystrokes."

Note there's no evidence the DEA used the FBI's keystroke logger known as Magic Lantern, which reportedly can be installed remotely by taking advantage of operating system vulnerabilities without having agents physically break into an office.

Keyloggers are hardly unusual nowadays, of course. In 2003, a former Boston College student was indicted for allegedly installing key-logging software on campus computers. More recent surveys indicate that plenty of workplaces are infected by spyware with key-logging abilities.

Keyloggers: Unresolved questions
The use of keyloggers by police, however, seems to be uncommon: A search on Monday through legal databases for terms such as "keylogger" turned up only the Scarfo and Forrester-Alba cases.

When used by police, they raise novel legal issues. That's because it's not entirely clear in what circumstances they're permitted under the U.S. Constitution and wiretap laws (which is why, in the Scarfo case, the FBI cleverly ducked this issue by, according to sworn testimony, disabling the keylogger when the modem was in use).

Even so, Scarfo's defense attorney claimed that a keylogger is akin to a "general warrant" permitting the DEA to seize "any record, including e-mail, simply because it was typed on a computer." General warrants are prohibited by the Fourth Amendment, which requires that warrants specify the "things to be seized." Another potential legal obstacle is whether wiretap laws apply--including their requirement of minimizing the interception of irrelevant conversations.

A federal judge eventually ruled that the unique design made the Scarfo logger permissible. But in the Forrester-Alba case, because Alba did not challenge the keylogger directly, the 9th Circuit never weighed in.

Eavesdropping without probable cause
Instead, the 9th Circuit spent much of its time evaluating whether government agents can eavesdrop on the Internet addresses Americans visit and the e-mail address of their correspondents without obtaining a search warrant first.

The judges' conclusion: federal agents did not violate the Fourth Amendment when spying on the Escondido DSL line without any evidence of criminal wrongdoing on his behalf, a legal standard known as probable cause. All the feds must do is prove the information is "relevant" to an ongoing investigation.

The wiretap was done at PacBell's connection facility at 650 Robinson Rd. in San Diego. The DEA obtained what's known as a "mirror port," a feature that many network switches made by companies including Cisco Systems include for troubleshooting purposes.

A mirror port duplicates all the Internet traffic of one user to a second port on the same switch, without the suspect being alerted that electronic surveillance is under way. The scheme is probably easier to accomplish with a static Internet Protocol (IP) address, which is what the Escondido case involved.

According to the DEA, only IP addresses of Web sites (such as 216.239.122.200 instead of cnet.com) and e-mail headers are captured, and not the rest of the communication stream. That, they argue, makes it akin to existing precedent dealing with pen registers, which capture telephone numbers dialed and are permitted without any proof of probable cause of wrongdoing.

The 9th Circuit agreed, ruling on Friday that "e-mail and Internet users have no expectation of privacy in the To/From addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties." This follows the lead of a Massachusetts judge who said much the same thing in November 2005.

Both Forrester and Alba were sentenced to 30 years in prison (PDF) on charges including conspiracy to manufacture and distribute Ecstasy. In a decision made on unrelated grounds, however, the 9th Circuit reversed Forrester's conviction and partially reversed Alba's. Forrester faces retrial.