Will security firms detect police spyware?

A recent court case dealing with key loggers installed by the feds invites the question: will security companies put the interests of their customers first?

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
A recent federal court decision raises the question of whether antivirus companies may intentionally overlook spyware that is secretly placed on computers by police.

In the case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger--call it fedware--to record the typing of a suspected Ecstasy manufacturer who used encryption to thwart the police.

A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet.


Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. The full list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer that question. (The verbatim responses to the survey are published separately.)

Because only two known criminal prosecutions in the United States involve police use of key loggers, important legal rules remain unsettled. But key logger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes captures passphrases before they reach the encryption software, bypassing the increasingly common use of encryption to scramble communications and hard drives. Microsoft's Windows Vista and Apple's OS X include built-in disk encryption (BitLocker and FileVault, respectively).

Some companies that responded to the survey were vehemently pro-privacy. "Our customers are paying us for a service, to protect them from all forms of malicious code," said Marc Maiffret, eEye Digital Security's co-founder and chief technology officer. "It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools." eEye sells Blink Personal for $25, which includes antivirus and antispyware features.

Others were more conciliatory. Check Point, which makes the popular ZoneAlarm utility, said it would offer federal police the "same courtesy" that it extends to legitimate third-party vendors that request to be whitelisted. A Check Point representative said, though, that the company had "never been" in that situation.

This isn't exactly a new question. After the last high-profile case in which federal agents turned to a key logger, some security companies allegedly volunteered to ignore fedware. The Associated Press reported in 2001 that "McAfee Corp. contacted the FBI... to ensure its software wouldn't inadvertently detect the bureau's snooping software." McAfee subsequently said the report was inaccurate.

Later that year, the FBI confirmed that it was creating spy software called "Magic Lantern" that would allow agents to inject keystroke loggers remotely through a virus without having physical access to the computer. (In both the recent Ecstasy case and the earlier key logging case involving an alleged mobster, federal agents obtained court orders authorizing them to break into buildings to install key loggers.)

Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 exposé by the Baltimore Sun described how the National Security Agency persuaded the Swiss firm Crypto AG to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds.

More recently, after the BBC reported last year on supposed talks between the British government and Microsoft, the software maker pledged not to build backdoors into Windows Vista's encryption functions.

Even if the FBI, the Drug Enforcement Administration or other federal police haven't tried to compel security companies to whitelist fedware, security experts predict that such a court order is just a matter of time.

What remains unclear, however, is whether police have the legal authority to do so under current law. "The government would be pushing the boundaries of the law if it attempted to obtain such an order," said Kevin Bankston, an attorney with the Electronic Frontier Foundation who has litigated wiretapping cases. "There's simply no precedent for this sort of thing."

One possibility is a section of the Wiretap Act (18 U.S.C. 2518(4)) under which a surveillance order can "direct that a provider of wire or electronic communication service, landlord, custodian or other person" furnish the information, facilities and technical assistance needed to carry out the interception.

"There is some breadth in that language that is of concern and that the Justice Department may attempt to exploit," Bankston said.

In theory, government agencies could even seek a court order requiring security companies to deliver spyware to their customers through an auto-update feature. Most security vendors, and operating system makers such as Microsoft and Apple, push regular patches and bug fixes through such channels. Technically, little stands in the way: an update client accepts whatever its vendor signs, so a payload the vendor was ordered to ship would pass the client's own integrity checks. The harder part would be delivering it only to the targeted customer rather than to everyone.

When asked if it had ever received such a court order, Microsoft demurred. "Microsoft frequently has confidential conversations with both customers and government agencies and does not comment on those conversations," a company representative said. Of the 13 companies surveyed, McAfee was the other company that declined to answer. (Two others could not be reached as of Tuesday morning.)

Some security companies refused to reply to the initial version of our survey, which broadly asked about fedware whitelisting. In response, we revised the question to ask if they would alert a customer to the presence of keystroke loggers installed by a police or intelligence agency "in the absence of a lawful court order signed by a judge."

Cris Paden, Symantec's manager of corporate public relations, initially declined to reply. "There are legitimate reasons for not giving blanket guarantees--one of those is a court order," he said at first. "There are extenuating circumstances and gray issues."

But after we altered the question, Paden replied: "Barring a court order to cooperate with law enforcement authorities, Symantec would definitely alert our customers to the presence of any malicious code or programs that we detect on their systems." He added that Symantec had "absolutely not" received any such court order.

One danger with whitelisting fedware is that it creates a standing blind spot in the security software. Whatever attributes the scanner uses to recognize the government spyware and skip it, a criminal's spyware that reproduces those same attributes would be skipped too, and would go undetected.
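To make that mimicry risk concrete, here is an added Python example, not code from the article or from any vendor surveyed. It is a toy scanner with two whitelist designs: one keyed on the attributes a file claims about itself (file name and publisher string), one keyed on the SHA-256 of its contents. The samples, names, publisher strings and the "keystroke-capture" signature are all constructed for illustration; none is a real binary or a real detection.

```python
"""Toy scanner: why a fedware whitelist keyed on mimicable attributes is a bypass.

Added example. The samples, names and publisher strings are constructed, not real
binaries, and the signature check stands in for a real antivirus engine.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str        # file name as seen on disk
    publisher: str   # publisher string the file claims in its own metadata
    data: bytes      # file contents


# Constructed samples. FEDWARE is the logger the vendor agreed to ignore;
# MIMIC is a criminal's logger that copies FEDWARE's name and publisher string.
FEDWARE = Sample("svchelper.exe", "Agency Tools", b"FEDLOG\x01keystroke-capture\x01report")
MIMIC = Sample("svchelper.exe", "Agency Tools", b"CRIME\x02keystroke-capture\x02exfil")
BENIGN = Sample("notepad.exe", "Contoso", b"MZ\x90\x00text-editor")

# Content pattern the toy engine treats as "keystroke logger" (constructed).
KEYLOGGER_SIGNATURE = b"keystroke-capture"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def engine_verdict(sample: Sample) -> str:
    """The detection engine proper, before any whitelist is consulted."""
    return "detected" if KEYLOGGER_SIGNATURE in sample.data else "clean"


def scan_attribute_whitelist(sample: Sample, whitelist: set) -> str:
    """Whitelist keyed on (name, publisher): any file that copies those strings is skipped
    without the engine ever seeing it."""
    if (sample.name, sample.publisher) in whitelist:
        return "whitelisted"
    return engine_verdict(sample)


def scan_hash_whitelist(sample: Sample, whitelist: set) -> str:
    """Whitelist keyed on the SHA-256 of the contents: a lookalike with different bytes
    is still handed to the engine."""
    if sha256_hex(sample.data) in whitelist:
        return "whitelisted"
    return engine_verdict(sample)


ATTRIBUTE_WHITELIST = {(FEDWARE.name, FEDWARE.publisher)}
HASH_WHITELIST = {sha256_hex(FEDWARE.data)}


def demo() -> dict:
    """Verdicts for each sample under both whitelist designs."""
    samples = {"fedware": FEDWARE, "mimic": MIMIC, "benign": BENIGN}
    return {
        "attribute_keyed": {k: scan_attribute_whitelist(s, ATTRIBUTE_WHITELIST)
                            for k, s in samples.items()},
        "hash_keyed": {k: scan_hash_whitelist(s, HASH_WHITELIST)
                       for k, s in samples.items()},
    }


if __name__ == "__main__":
    for design, verdicts in demo().items():
        print(design, verdicts)
```

Under the attribute-keyed design the mimic is "whitelisted" and never reaches the engine; under the hash-keyed design it is "detected". Keying on a hash closes the lookalike hole but not the underlying one: a byte-identical copy of the fedware, however it was obtained, is still skipped, because a scanner has no way to tell a court-ordered installation from a criminal one. That is the practical substance of eEye's position that there can be no exceptions.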

But if fedware becomes more common, savvy criminals could simply turn to open-source security software, whose code and signature databases anyone can inspect, making a quiet whitelist far harder to hide. ClamAV and OpenAntiVirus.org both offer open-source security software, and it's also possible to boot off of a CD-ROM and inspect the hard drive for malicious tampering from outside the installed operating system.
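The boot-from-CD inspection mentioned above usually comes down to a baseline-and-compare integrity check. The following is an added Python example, not code from the article or from ClamAV: it hashes every regular file under a root, diffs the result against an earlier manifest, and reports what was added, removed or modified. The "disk" is a constructed temporary directory, and the paths and contents in it are made up for illustration.

```python
"""Offline integrity check: hash a file tree from a trusted boot medium and diff it
against a baseline. Added example; the scanned "disk" is a constructed temp directory."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map of POSIX-style relative path -> SHA-256 for every regular file under root.
    Symlinks are skipped so a link planted at a trusted path cannot hash as another file."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Paths added, removed or modified since the baseline manifest was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate a keylogger install
    that drops a new driver and patches an existing system DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"MZ\x90original")
        (root / "Program Files").mkdir()
        (root / "Program Files" / "app.exe").write_bytes(b"MZ\x90app")
        baseline = build_manifest(root)          # taken while the tree is known clean

        (sys32 / "klog.sys").write_bytes(b"MZ\x90hook")          # dropped driver
        (sys32 / "kernel32.dll").write_bytes(b"MZ\x90patched")   # patched DLL
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats matter in practice. The baseline has to be taken while the machine is known clean and kept off the disk being checked (on the boot medium itself, for instance), and the comparison has to run from that trusted medium, because a kernel-resident logger can hide its files from a scanner running on the compromised operating system. A check like this also says nothing about a hardware key logger inserted between keyboard and computer, which leaves no file on the disk at all.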

At the moment, at least, there aren't any industry standards about detecting fedware. "CSIA does not currently have a position on this issue nor has the issue ever been addressed by its board of directors," said Tim Bennett, president of the Cyber Security Industry Alliance.