To catch a thief, with monitoring software

Identity of faux thief is revealed in a matter of hours in CNET experiment with LoJack for Laptops.

Elinor Mills, Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Our faux thief in action, not realizing that his every move online is being watched. Donna Tam/CNET

If you have ever had a laptop or smartphone stolen, you probably found yourself fantasizing about capturing the thief red-handed. I know I did when I lost my smartphone last year.

I used the Lookout mobile security service to locate where the phone was on a map and made it "scream" a few times. But I didn't want to knock on a stranger's door all by myself and ask if they had my phone, and the battery had died by the time I could take someone with me. I just wasn't sure I was ready for a confrontation based on approximate GPS location tracking.

But some device recovery services let you spy on whoever snatched your laptop or phone. For instance, LoJack for Laptops allows investigators to watch what a thief might be doing with the device, checking e-mail, conducting Google searches, and so on -- activities that in most cases can lead police straight to the device. Apparently, even thieves can't resist the urge to log on to social-networking sites.

"When they get to a password prompt, to get through they reinstall Windows," said Geoff Glave, a senior product manager at Vancouver-based Absolute Software, which makes LoJack for Laptops. "But the app is there and turned on when they brag on Facebook about stealing a cool laptop."

Curious to see how the monitoring worked, we got a loaner Dell Latitude E6430 laptop from Absolute Software that has the program on it. I had a colleague hand it off to her brother to play thief with it. He used it for a short while one night and by the next morning Absolute had identified him, figured out where he lives, who his family members are, what school he attends, and other sensitive data that must have surprised him.

Though victims generally aren't privy to details about what a thief does with the stolen device, Absolute Software shared the report with me so I could see exactly how the program snoops and what investigators do to track down the thief. The first thing our fake thief did was connect to the Internet over a Wi-Fi hot spot and get on eBay. This revealed an e-mail address ending in ".edu," and it was easy to figure out which college he goes to based on that. He also accessed a Yahoo e-mail account, which revealed his first name.

Investigators for the software maker then searched for that e-mail address on Facebook and found a match, which revealed his full name. His privacy settings there were fairly lax, so his family members were publicly visible. The investigators then found his MySpace page and found his birth date from comments posted there, as well as photos of him, friends, and family members. The investigators found the final key piece of information -- his address -- by doing a reverse look-up using his e-mail address on Emailfinder.com.

The investigators cross-referenced the information using a database called Accurint. And based on Wi-Fi connections, they were able to see that our "thief" had taken the laptop from his home to another address about seven blocks away at one point. All in all, it can be a couple of hours' worth of work, if it even took that long, an investigator told CNET.

Our "thief" could have reformatted the device, but once he connected to the Internet, a program hidden in the BIOS (Basic Input/Output System) called the "Computrace Persistent Module" would phone home to the servers at Absolute Software and the monitoring capabilities would be revived. A password on the laptop would force a thief to reboot the computer in Safe Mode or from a USB drive and reinstall Windows. But then the Persistent Module, which comes preloaded on certain Dell, Hewlett-Packard, and Lenovo notebooks, would still ultimately spring into action. Our "thief" tried to delete the Computrace software from the laptop but was not able to.

In a real-world scenario, the victim would need to file a police report before Absolute Software would kick into gear. The software can capture keystrokes and screens, as well as track a device via GPS (Global Positioning System), but it doesn't turn on the Web cam. "The Web cam doesn't tell us anything," Glave said. "It could be an innocent person at the other end, and there's no name" associated with a live image. Plus, the company wants to avoid anything that could be perceived as wiretapping, he added.

There's always the possibility that whoever is being monitored didn't actually steal the computer and is innocent. If investigators determine that to be the case (for instance, the person being monitored appears to have purchased it on Craigslist), the company can display a message on the screen that warns that the computer is stolen and asks for it to be returned.

The use of surveillance software to snoop on people can pose problems in some cases. The Federal Trade Commission recently settled charges with some rent-to-own computer firms that were accused of spying on customers using software that captured keystrokes, screenshots, and photos. The software was designed to track down the computer in the event that the customer got behind on payments, but the FTC accused the companies that used it of engaging in unfair business practices.

There is other software that allows people to spy on their laptop in the hopes of stalking the thief and getting the machine back. Blogger Joshua Kaufman used software dubbed Hidden to track down his stolen MacBook last year. He presented to police photos of the cab driver who had it in his possession and screenshots of him signing into his Gmail account and deleting Kaufman's MacBook account. But police didn't really do much on the case until a few months later when the blog Kaufman created, This Guy Has My MacBook, caught the attention of people on Twitter and Good Morning America.

Another blogger, Sean Power, used software called Prey last year to track down his stolen MacBook (MacBooks must be the Hondas of the laptop world in the eyes of thieves). Power appealed for help on Twitter and posted photos of the man who had the laptop, his name, and location information. One of his Twitter followers confronted the man in a bar and got the laptop back, but Power was worried about sending a complete stranger into a potentially volatile situation. Thankfully it all turned out OK.

Absolute Software representatives say those services encourage vigilantism and put people at risk of being harmed. Absolute hires former cops who do the forensics and deliver their findings to police who then can use the evidence to knock on doors and make arrests. The firm boasts "relationships" with more than 6,700 law enforcement agencies globally.

Device theft is commonplace these days, so these services are only going to get more popular. Americans lose a smartphone about once a year, according to Lookout mobile security, while the Ponemon Institute estimates that a laptop is stolen every 53 seconds. Most laptops in the U.S. are stolen from public schools, homes, and automobiles, followed by offices, universities, restaurants, and hotels, according to Absolute Software's latest Computer Theft Report. For consumers, the cost of replacing a lost laptop is typically whatever the price of the machine was, but for corporations who end up paying for forensics, lost intellectual-property costs, lost productivity, and other expenses, the cost per laptop can be as high as $49,000, according to a Ponemon study.

So far, Absolute Software has recovered more than 25,000 computers, averaging between 100 and 125 per week worldwide, and has seen more than 4,000 criminal charges filed in cases, the company says. Nearly $30 million worth of devices have been recovered, it says. One laptop stolen from a high school in Detroit was tracked all the way to New York, London, and Gambia. The company's Computrace persistence technology is embedded in the firmware of computers from Acer, Dell, Fujitsu, HP, Lenovo, Toshiba and others and it supports Windows and Mac. It's also available for Android devices and BlackBerry and Symbian phones. LoJack for Laptops runs on Windows and Mac. A one-year subscription is $40.

Absolute Software, founded in 1993, initially offered its Computrace service just for corporations but then licensed the LoJack name to appeal to consumers in the U.S. who are familiar with the LoJack car theft prevention brand.

Our "thief," Alexander Tam, said he wasn't that shocked at the amount of general information that Absolute Software was able to dig up on him once they had his e-mail address. But the fact that they had data on family members and sensitive information was alarming. "I was surprised by the information provided by emailfinder.com," Tam said in an e-mail. "I wasn't expecting them to find my home address or my family members' information...the partial SSN numbers were kind of concerning."

Updated 2:20 p.m. to correct number of law enforcement agencies company has relationships with and clarify that company hires former police officers.