
Security firms on police spyware, in their own words

Will companies that make antispyware software detect key loggers implanted by federal agents? We survey 13 companies and include their answers verbatim.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
In a case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger to record the typing of a suspect who used encryption to scramble his communications.

But would the government spyware used in that investigation actually be detected by security software? Or would security companies intentionally fail to report it?

To answer that question, CNET News.com performed the following survey. We asked three questions of 13 security companies, ranging from tiny ones to corporations like Microsoft and IBM, and the results are below.

When there is no answer listed for a specific question, the company chose not to answer it. In some cases we followed up with additional questions. We began the survey last Tuesday and asked the final questions on Monday.

AVG/Grisoft

Responses from Fran Bosecker, spokeswoman for Grisoft, which publishes the AVG Anti-Virus, AVG Anti-Spyware, and AVG Anti-Rootkit programs, many of which are free. Grisoft has offices in the United States, Czech Republic, and Cyprus.

Question: Has Grisoft/AVG ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: Not to the best of my knowledge in the U.S. or Europe.

Question: Is it Grisoft/AVG's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: So far this is the policy, also based on the valid legislature.

Question: Do these policies vary depending on the country (the U.S. vs. others, for instance)?

Answer: Yes. Current AVG policy is to flag Trojans that exhibit these types of actions. With that said, AVG will of course consider all laws, regulations and compliance rules set forth by the nations and/or local governments to the best of our abilities.

Question: We understand that you have to comply with applicable laws and regulations. But do any laws and regulations currently require security companies to ignore spyware/malware/key loggers placed on computers by governmental agencies?

Answer: None that we're aware of in the U.S. or Europe, or at least no law enforcement or agency has asked that we ignore any.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: No

Check Point

Responses from Allison Wagda, director of public relations at Check Point Software, which makes the ZoneAlarm security software, including a Vista version announced last month. Other Check Point products provide disk encryption, firewalls and intrusion detection.

Question: Has Check Point ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No, we've never been approached with such a request.

Question: Is it Check Point's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Our goal is to detect malicious software. ZoneAlarm does so by detecting certain behaviors (such as keystroke logging) and alerting the user. We do have a policy whereby legal, legitimate software programs from any third-party vendor can be "whitelisted" from detection upon request. We would afford law enforcement the same courtesy.

Question: In a follow-up conversation, we asked Check Point under what circumstances they would afford that "courtesy."

Answer: We've never been in the situation, but if the request fell outside of our typical parameters for whitelisting (i.e. having a signed certificate, among other things), then we'd consider on a case-by-case basis.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: Not to our knowledge.

Computer Associates

Response from Jessica Cassidy, a spokeswoman for Computer Associates, which makes software such as PestScan and CA Anti-Virus.

Question: Have you ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No.

Question: Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?

Answer: The simple answer is yes. CA builds detections for all spyware and keystroke loggers that fail to pass our published scorecard criteria. Following is a link to our spyware scorecard.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: (Editor's note: No answer to the last question by Monday evening, although we didn't give CA that much time to respond to it.)

eEye

Response from Marc Maiffret, eEye Digital Security's co-founder and chief technology officer (who also has a regular podcast talking about security). eEye products include a network security scanner and a network traffic analyzer.

Question: Has eEye ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: eEye has never had any discussions with any government agencies about not detecting any sort of malware, including spyware, keystroke loggers, etc.

Question: Is it eEye's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Our customers are paying us for a service, to protect them from all forms of malicious code. It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools.

As soon as a company, like we have seen with McAfee, starts making exceptions to their protection products, they can no longer guarantee a sound and safe product for their customers. We will not play that game.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: No

IBM

Response from Angela Frechette, spokeswoman for IBM Internet Security Systems. IBM sells a wide array of consumer and enterprise security products, including mail filters and the Proventia desktop security software that has antispyware features.

Question: Have you ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No, IBM Internet Security Systems has not had discussions of this kind.

Question: Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?

Answer: Yes, it is IBM Internet Security Systems' policy to alert customers of any malicious programs/activities on their machines.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: IBM Internet Security Systems has never received such a court order.

Kaspersky Lab

Response from Randy Drawas, vice president of marketing at Kaspersky Lab, with offices in Massachusetts and Moscow. Last year, CNET Reviews awarded Kaspersky Anti-Virus 6 an Editor's Choice award.

Question: Have you ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No.

Question: Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?

Answer: Yes. While part of our product's technology relies on static signatures to detect known malware, signature detection is only one of several detection methodologies in Kaspersky products. Our products, as with many other commercial anti-malware software, implement proactive detection methodologies--statistical analysis, heuristics, emulation, and so on. These methodologies, unlike signature detection, do not "know" what they are detecting; they only know they've detected a form of malware. This is basically to say that detection of malware written specifically for purposes of law-enforcement is something that we cannot control. If our product detects a piece of malware, it detects it.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: The answer is no, not to date.

McAfee

Response from Siobhan MacDermott, vice president for worldwide corporate and executive communications for McAfee, which makes antivirus and antispyware software (here's our review of McAfee VirusScan Plus 2007). VirusScan Plus includes spyware protection and a personal firewall.

Question: Have you ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: It is McAfee policy to not comment on our conversations with law enforcement.

Question: Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?

Answer: Yes. McAfee alerts the user to the presence of any spyware or keystroke logger it detects, regardless of who installed it.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: Sorry, but I will have to refer to my previous response for this one. "It is McAfee policy to not comment on our conversations with law enforcement."

Microsoft

Response from a representative of Microsoft at the company's outside public relations firm, who asked to be identified as a company spokesperson. Microsoft makes Windows Defender, which offers free spyware protection. It also makes operating system patches available through its Windows Update site for Internet Explorer users.

Question: Has Microsoft ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Question: Is it Microsoft's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Microsoft's antispyware tools and products are designed to alert customers to any spyware that these tools detect. The company only modifies these tools to improve their ability to detect spyware.

Question: Is Microsoft able to answer more directly whether its spyware/key logger detection tools are ever turned off per the government/law enforcement's request, or whether it has ever had discussions with government agencies about not detecting spyware/key loggers they install?

Answer: Microsoft does not turn off Windows Defender's ability to detect any spyware or other potentially unwanted software, including keyloggers, at the request of government entities.

Question: We were hoping to push our luck and see if you would give a yes-or-no answer to these two narrower questions:

Question: Has Microsoft ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Question: Is it Microsoft's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?

Answer: We heard back from the appropriate parties at Microsoft and got some additional clarification. They let us know that it is Microsoft's policy to provide visibility and notification to an individual about what is running on their computer including any spyware or keystroke logger--how it got there is not a factor.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: Microsoft frequently has confidential conversations with both customers and government agencies and does not comment on those conversations. This should not be construed to imply these conversations have occurred, but instead taken as an indication that Microsoft does not comment on conversations, on any topic, that we have had with our customers or government agencies in confidence--to do so would violate the trust and confidence customers and government agencies around the world place in us.

Sana Security

Response from San Mateo, Calif.-based Sana Security Chief Technology Officer Vlad Gorelik. Sana's products include Primary Response SafeConnect, Primary Response MemoryShield Server, and a utility that aims to improve Wi-Fi security.

Question: Has Sana ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No. Our product detects potentially malicious software based on its behaviors. We are not looking at whether the purpose of the software is legitimate or not but rather whether it is potentially compromising the usage of the computer or user's data. We adhere to industry standard definitions on legitimate information access such as the "Anti-Spyware Coalition" which define expected policy on software and information access on the computer.

Question: Is it Sana's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Absolutely! For the reason stated above.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: The short answer is "No." Actually, I don't think there is a longer answer.

Sophos

Response from Ron O'Brien, senior security analyst at Sophos, which says its enterprise and small business products do a superior job of protecting against viruses, spyware, adware, hackers, spam and malicious Web sites.

Question: Has Sophos ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No.

Question: Is it Sophos policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Yes. See this Sophos statement that was made in 2001. Sophos has not been asked to turn off detection of any spyware, viruses, worms or Trojan horses by any intelligence agency around the world and continues to believe that detection of all such malware is important to our users.

(Editor's note: During a follow-up conversation, Sophos added that it would still stand by that statement today if approached by law enforcement or intelligence agencies and asked to change its policies.)

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: No, we have not received an order from a judge instructing us not to disclose the presence of a keylogger.

Symantec

Response from Cris Paden, manager of corporate public relations at Symantec, one of the world's largest computer security companies. Symantec sells a range of products including the Norton series for home use, and a long list of options for business customers. Here's our review from February of Norton 360, which won a CNET Editor's Choice award.

Question: Have you ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No, we have not had any discussions along those lines with any law enforcement agencies.

Question: Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?

Answer: Yes, barring a court order to cooperate with law enforcement authorities, Symantec would definitely alert our customers to the presence of any malicious code or programs that we detect on their systems. Symantec makes no differentiation from where an attack originates. If they are a customer of ours, we will alert them to all threats, regardless of where they come from.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: Absolutely not. We have never received such an order or even a request.

Trend Micro

Response from Mike Haro, a representative of Trend Micro, which has its headquarters in Tokyo and an office in Cupertino, Calif. Trend Micro's products for home use include Trend Micro Internet Security 2007, which offers antivirus and antispyware protection. Here's our review.

Question: Have you ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Question: Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?

Answer: We still prefer not to comment on our communication and policies for communicating with government agencies and government customers.

However, we can comment on your specific question: "Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?"

Our answer is "yes."

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: (Editor's note: No answer as of Monday evening.)

Websense

Response from Dan Hubbard, Websense's vice president of security research. Websense started out as an Internet porn-filtering company and still sells Websense Enterprise, which the company calls the "world's leading Web filtering solution." It also sells spyware detection software.

Question: Has Websense ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Question: Is it Websense policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Our customers decide whether to block or allow such code. Websense detects malware irrespective of its source. Websense detects malware based on the behavior and perceived intent of the code.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: We have never received such a court order.