Spyware Products: Crossing the Line
By John Schwartz
October 14, 2003
Rick Eaton, founder of the company TrueActive, decided he had no choice. In an unusual move in the world of high technology, he made his product weaker. TrueActive makes a computer program that buyers can install on a target computer to monitor everything that the target computer's user does.
Spying with software has been around for several years, but Eaton decided that one new feature in his program crossed a line between monitoring and snooping. That feature is called silent deploy, which allows the buyer to place the program on someone else's computer secretly via e-mail, without having physical access to the machine. To Eaton, that constituted an invitation to install unethical and even illegal wiretaps. He removed the feature, he said, "so we could live with ourselves."
Such principles seem almost quaint in a market where the products seem to grow more powerful and intrusive all the time. Other makers of snoopware (as opposed to the software known as spyware that many businesses use to monitor the activities of Web site visitors and to send them pop-up ads) enthusiastically pitch their products' ability to be installed remotely. They typically skirt the ethical and legal issues with fig-leaf disclaimers and check-off boxes in which buyers promise not to violate the law.
Privacy specialists are not buying such arguments, however. Marc Rotenberg, who heads the Electronic Privacy Information Center in Washington, contended that selling software that can tap people's communications without their knowledge violates the Electronic Communications Privacy Act.
"I don't think there's any question that they are violating the federal law," he said. The disclaimers, he said, "fail the straight-face test."
Law enforcement officials seem to agree. According to Chris Johnson, a federal prosecutor in Los Angeles, the FBI recently opened an investigation in California into the maker of one program, LoverSpy, that advertises heavily via junk e-mail, or spam. LoverSpy promises to let buyers "Spy on Anyone by sending them an Email-Greeting Card!"
Federal officials note that U.S. laws regarding wiretapping make it illegal even to advertise illegal wiretap products, and a little-noticed change to the law last year expanded its scope to explicitly include advertising on the Internet.
There are more than a dozen snooping programs on the market, and their makers say they are used legally by employers to monitor workers' Internet use, by parents to follow their children's online wanderings and by husbands and wives to catch cheating mates. Eaton's program has even been used by the FBI, with approval of the courts, to capture computer hackers.
The programs include key loggers that capture keystrokes and can record what is on the screen, even turn on a computer's Webcam so that the user can sneak a peek at the target and get the information and images back via the Internet.
"You don't have to be an FBI agent or a computer genius to use this stuff," said Richard Smith, a computer privacy and security specialist who is concerned about the rise of the products. "You just point and click."
And so a new market has emerged: Criminals are using such programs on public computer terminals at copy shops and libraries to harvest credit card numbers, computer passwords and personal financial information. A New York man, Juju Jiang, recently pleaded guilty to planting monitoring software on computers at local branches of Kinko's.
In a case filed on Thursday, federal prosecutors in Boston accused a 19-year-old student, Van Dinh, of using a keystroke-logging program to capture the investment account password of a man in Westboro, Massachusetts. Dinh then allegedly used the victim's account to unload stock options that Dinh owned and would otherwise have lost a great deal of money on.
Last year the Secret Service warned colleges and universities that key-logger systems had been found on public computers in schools in Arizona, Texas, Florida and California. And a former Boston College student, Douglas Boudreau, this year pleaded guilty to charges that he had installed key loggers on machines at the school to create student identification cards and debit cards that allowed him to steal about $2,000 worth of goods and services.
"Anybody who routinely uses a computer that isn't their own ought to be thinking, 'Who's looking over my shoulder?'" said Ross Stapleton-Gray, a computer consultant who has worked for the University of California system.
Jerry Brady, chief technical officer of Guardent, a computer security company, said, You can assume that most hotel and airport lounge computers have had keystroke loggers installed at one time or another, whether because of commercial snoopware or key loggers installed by computer viruses and worms.
It's little wonder, then, that a mini-industry has grown up to detect and defuse the programs. Software with names like TrapWare and NetCop is designed specifically to combat monitoring programs, but the most recent versions of more traditional computer security products like Norton Antivirus from Symantec and McAfee VirusScan have been upgraded to search for digital snoops as well.
"Finding snoopware is a logical extension to what antivirus software is already doing," said Tom Powledge, director of product management for Symantec. The companies that say they make products for legitimate uses bristle at the suggestion that their products are used illegally, outside of a few exceptional cases.
Doug Fowler, president of Spectorsoft, makes three snooping programs, including eBlaster, that can be installed remotely. He said that the product was used legitimately by parents whose children are away at school and by companies with far-flung field offices. The product can be used for nefarious purposes, he conceded, but added: "A car can run somebody over. That doesn't mean you design a car to run over somebody."
No replies were received to more than a dozen phone calls and e-mail requests for comment to the creators and marketers of LoverSpy, who were traced through Internet registries and comments they have made in online discussions.
Eaton, the TrueActive founder, said that the decision to hamstring his program, which is called WinWhatWhere, had not been based on worries about possible liability for illegal use.
"It was an ethical problem," he said. His company, he said, will "actively help anyone that thinks or has found our software illegally installed." Besides, he added, "this kind of program has a bad enough reputation without this kind of stuff."
Posted on Wednesday, 15 October 2003 @ 05:35:00 EDT by phoenix22