Week in review: Keyloggers and crime fighters

While federal agents get more practice with Internet surveillance, federal agencies grapple with privacy challenges. Also: Earnings season.

Federal agents have a new weapon in the war on crime: keyloggers.

The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash. Federal agents obtained a court order to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.

While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since.

Another recent court case provided a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar. An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives' contents and inject a keystroke logger into the computers.

That was necessary, according to DEA Agent Greg Coffey, because the suspects were using Pretty Good Privacy, or PGP, encryption software, and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed "real-time and meaningful access" to "monitor the keystrokes" for PGP and Hushmail passphrases.

The aggressive surveillance techniques employed by the DEA were part of a case examined by the 9th Circuit, which ruled that "e-mail and Internet users have no expectation of privacy in the To/From addresses of their messages or the IP addresses of the Web sites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties."

Because only two known criminal prosecutions in the United States involve police use of keyloggers, important legal rules remain unsettled. But keylogger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes can bypass the increasingly common use of encryption to scramble communications and hard drives. Microsoft's Windows Vista and Apple's OS X include built-in encryption.

A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet. (Click here for the verbatim responses to the survey.)

While many CNET News.com readers reacted by debating various technologies' effectiveness against spyware, more lamented a loss of constitutional rights.

"There is no doubt that the Internet can be a valuable crime fighting tool but, there should be warrants signed by judges before information is accessed, just as there must be if law enforcement wants to search a home or business," wrote one reader to the News.com Talkback forum.

Privacy, and patents too
With only two months left before government agencies must figure out how to deal with data breaches and data theft, federal bureaucrats are scrambling to meet the looming deadline. The deadline was created by a White House directive published this spring that gave all federal agencies until September 22 to figure out the wisest way, using their "best judgment," to come up with a plan to secure Americans' personal data and to alert them if it falls into the wrong hands.

Finishing everything by that date is "definitely a challenge," Mischel Kwon, chief IT security technologist for the U.S. Department of Justice, said Wednesday.

While it's not clear how effective a set of written policies will be if they're not always followed and not part of the culture of an existing agency, the White House memo does recommend techniques such as encryption, limiting remote access and access logging. At the very least, the memo says, egregious disregard of privacy safeguards would result in an employee's "prompt removal of authority to access information."

Featured Video