A former Boston College student was indicted on Thursday for allegedly installing keystroke-recording software on more than 100 campus computers and accessing databases containing personal information on other students, staff and faculty.
A grand jury in Cambridge, Mass., indicted Douglas Boudreau, 21, on charges of violating seven criminal laws, including six counts of intercepting electronic communications and eight counts of unauthorized access to a computer system. Boudreau is staying with his mother in Warwick, R.I., until a Feb. 25 arraignment in Middlesex County Superior Court, the school said.
The case may be the first criminal prosecution of a person accused of unlawfully installing a key-logging device, which is designed to capture and record what a computer user types, including passwords and other private information. In 1999, the FBI surreptitiously used a key-logger to snatch the PGP passphrase used by Nicodemo Scarfo, who pleaded guilty last year to a bookmaking charge related to organized crime.
"I am very concerned about (key-logging software) given the enormous number of public access computers at schools, copy shops and libraries," said John Grossman, chief of the Massachusetts attorney general's corruption, fraud and computer crimes division. "Those people have a responsibility to make sure their boxes are locked down. I think consumers need to be careful about where they use their credit card numbers and various other private information."
Boudreau could not be reached for comment Thursday, and Boston College said it was prohibited from releasing his family's phone number. Unless Boudreau hires an attorney, the school said, he will have a court-appointed defense lawyer at his arraignment.
According to the attorney general's office, Boudreau began to install key-logging software around April 2002 and used intercepted information to add money to a stored-value card used in the campus dining and bookstore system. Boudreau is not, however, accused of misusing credit card numbers or profiting from selling any private information he allegedly gleaned.
A person at Boston College with knowledge of the situation said the attorney general's office exaggerated Boudreau's accomplishments in its press release, in an attempt to tout this prosecution as a high-visibility test case. "I feel bad for this kid," the person said. "He's not the appropriate test case. He's feeling bad. He has all these issues. He's been depressed."
Grossman, the prosecutor, said the Boston College bookstore noticed illicit use of a campus stored-value card and alerted the university police. Boudreau, a senior studying computer science, was suspended in October, and Boston College notified local prosecutors around the same time.
Key-loggers can take the form of relatively simple software that runs in the background and forwards keystrokes to an e-mail account or FTP site. It can also be a small physical device that hides inside a keyboard or attaches to the keyboard cable. Universities have grown more worried about the possibility of key-loggers monitoring their systems, as previously reported by CNET News.com, with the University of Illinois at Urbana-Champaign warning that the "Secret Service has advised us about several nationwide computer intrusions/hacking incidents."
"While Mr. Boudreau used poor judgment in gathering the personal ID numbers of his fellow students, he never misused the information in any way," said Jack Dunn, Boston College's director of public relations. "He cooperated with BC police and is likely to face probation and community service."
The charges against Boudreau include unauthorized access to a computer system, wiretapping, and breaking into a building at night "with intent to commit a felony." The last charge alone carries a penalty of up to 20 years in state prison.
Until worries about computer crime became more acute in the last decade, universities tended to punish undergraduates through internal disciplinary processes. "When you have a case that involves computer hacking, you have to refer it," Dunn said. "Our police were obligated to refer it to the district attorney's office in Middlesex County," who then referred it to the attorney general's office, he said.