Week in review: Keyloggers and crime fighters

The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash. Federal agents obtained a court order to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.

While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since.

Another recent court case provided a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar. An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives' contents and inject a keystroke logger into the computers.

"There is no doubt that the Internet can be a valuable crime fighting tool, but there should be warrants signed by judges before information is accessed, just as there must be if law enforcement wants to search a home or business."
-- CNET News.com reader

That was necessary, according to DEA Agent Greg Coffey, because the suspects were using Pretty Good Privacy, or PGP, encryption software, and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed "real-time and meaningful access" to "monitor the keystrokes" for PGP and Hushmail passphrases.

The aggressive surveillance techniques employed by the DEA were part of a case examined by the 9th Circuit, which ruled that "e-mail and Internet users have no expectation of privacy in the To/From addresses of their messages or the IP addresses of the Web sites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties."

Because only two known criminal prosecutions in the United States involve police use of keyloggers, important legal rules remain unsettled. But keylogger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes can bypass the increasingly common use of encryption to scramble communications and hard drives. Microsoft's Windows Vista and Apple's OS X include built-in encryption.

A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet. (Click here for the verbatim responses to the survey.)

While many CNET News.com readers reacted by debating various technologies' effectiveness against spyware, more lamented a loss of constitutional rights.

"There is no doubt that the Internet can be a valuable crime fighting tool but, there should be warrants signed by judges before information is accessed, just as there must be if law enforcement wants to search a home or business," wrote one reader to the News.com Talkback forum.

Privacy, and patents too
With only two months left before government agencies must figure out how to deal with data breaches and data theft, federal bureaucrats are scrambling to meet the looming deadline. The deadline was created by a White House directive published this spring that gave all federal agencies until September 22 to figure out the wisest way, using their "best judgment," to come up with a plan to secure Americans' personal data and to alert them if it falls into the wrong hands.

Finishing everything by that date is "definitely a challenge," Mischel Kwon, chief IT security technologist for the U.S. Department of Justice, said Wednesday.

While it's not clear how effective a set of written policies will be if they're not always followed and not part of the culture of an existing agency, the White House memo does recommend techniques such as encryption, limiting remote access and access logging. At the very least, the memo says, egregious disregard of privacy safeguards would result in an employee's "prompt removal of authority to access information."

Meanwhile, a House of Representatives panel approved a bill that backers say will help fix the problem of Social Security number misuse and identity theft. By a vote of 41-0, the House Ways and Means Committee voted for a 56-page bill that the panel's chairman, New York Democrat Michael McNulty, said would "stop giving access to our Social Security number to every Tom, Dick or Harry who seeks it."

The bill, called the Social Security Number Privacy and Identity Theft Protection Act, includes a requirement that government agencies not include SSNs on checks, identity cards issued to government employees, or medical tags issued to patients in government hospitals, as well a prohibition on the sale or purchase of SSNs by private companies.

In other Capitol Hill moves, House and Senate committees have approved sweeping changes to U.S. patent law that high-tech firms argue are critical to correcting perceived flaws in the U.S. system. The House of Representatives panel's Patent Reform Act of 2007, for example, proposes some of the most substantial changes to the patent system in years, including replacing a system that awards patents to the "first to invent" with one based on the "first to file," which all other foreign patent systems use. The approved version also includes a number of provisions long sought by technology companies--and contested by others.

Earning and learning
It's earnings season--time for tech companies to put their cards on the table.

Intel CEO Paul Otellini's 2006 cost cuts, painful as they were for Intel employees, paid off as the company's second-quarter profits rebounded compared with last year. The chipmaker posted a 47 percent increase in net income during its second quarter, up to $1.3 billion or 22 cents per share. The Wall Street crowd had been expecting 19 cents per share. Intel said it had 90,300 employees during the second quarter, way down from the 102,500 employees it had at this time last year.

One sore spot for Intel was its gross margin, whose tumble contributed to a sharp decline in the price of Intel shares during after-hours trading. The company's gross margin percentage (basically revenue minus the cost of making chips) fell to 46.9, lower than expected and very low compared with Intel's historical margins.

Yahoo on Tuesday posted second-quarter net profit that was down from a year ago as growth in its historically strong display advertising business slowed, and moves to better compete with Google on search advertising have yet to pan out. Yahoo executives said revenue for the rest of the year would be lower than previously anticipated because of continued lower-than-expected display ad growth and larger-than-expected declines in search affiliate revenue. Yahoo stock dropped more than 3 percent in after-hours trade.

Many Yahoo observers feel that as Google pulls further and further ahead in the ad market war, Yahoo executives keep promising big things. But so far, it appears, they're just promises, and vague ones at that.

"I'm a little frustrated by the direction of Yahoo," said Jordan Rohan of RBC Capital Markets. "Investor patience is wearing thin."

In a sharp contrast to Yahoo's earnings, Google's second-quarter revenue rose 58 percent from a year ago on continued strong search advertising sales, while profits rose 28 percent, slightly lower than analyst expectations. The search king's earnings, missing expectations by 3 cents per share, disappointed many on Wall Street and sent the stock down more than 7 percent in after-hours trading.

So what happened? Looks like the Googlers got a little ahead of themselves with spending. Specifically, it appears the culprits were payroll and data center construction. The company hired 1,548 employees during the quarter, bringing the total number of employees to 13,786.

Also of note
Broadcom and Verizon Wireless said they have agreed to a deal by which Verizon Wireless will pay Broadcom $6 for every handset, smart phone or data card that it imports that contains Qualcomm's 3G chips...A Motorola board member has denied reports that the company is actively looking to replace CEO Ed Zander after the company reported another quarter of losses...The writer of The Secret Diary of Steve Jobs appeared to break character in decrying "invasions of privacy" that have the anonymous author rattled.