Snoop Software Gains Power and Raises Privacy Concerns

New York Times, October 10, 2003

By JOHN SCHWARTZ

Earlier this year, Rick Eaton did something unusual in the world of high technology: he made his product weaker.

Mr. Eaton is the founder of TrueActive, which makes a computer program that buyers can install on a target computer and monitor everything that the machine's user does on the PC. Spying with software has been around for several years but Mr. Eaton decided that one new feature in his program crossed a line between monitoring and snooping. That feature is called "silent deploy," which allows the buyer to place the program on someone else's computer secretly via e-mail, without having physical access to the machine. To Mr. Eaton, that constituted an invitation to install unethical and even illegal wiretaps.

He made the change, he said, "so we could live with ourselves."

Such principles seem almost quaint in a market where the products seem to grow more powerful and intrusive all the time. Other makers of "snoopware" - as opposed to the software known as "spyware" that many businesses use to monitor the activities of Web site visitors and to send them pop-up ads - enthusiastically pitch their products' ability to be installed remotely. They typically skirt the ethical and legal issues with fig-leaf disclaimers and check-off boxes where buyers promise not to violate the law.

Privacy experts are not buying such arguments. Marc Rotenberg, who heads the Electronic Privacy Information Center in Washington, contended that selling software that can tap people's communications without their knowledge violated the Electronic Communications Privacy Act. "I don't think there's any question that they are violating the federal law," he said. The disclaimers, he said, "fail the straight-face test."

Law enforcement officials seem to agree. According to Chris Johnson, a federal prosecutor in Los Angeles, the F.B.I.
recently began an investigation in California into the maker of one program, LoverSpy, that advertises heavily via junk e-mail, or spam. LoverSpy promises to let buyers "Spy on anyone by sending them an e-mail greeting card!" Federal officials note that federal laws on wiretapping make it illegal even to advertise illegal wiretap products - and a little-noted change to the law last year expanded its scope explicitly to include advertising on the Internet.

There are more than a dozen snooping programs on the market, and their makers say they are used legally by employers to monitor workers' Internet use, by parents to follow their children's online wanderings, and by husbands and wives to catch cheating mates. Mr. Eaton's program has even been used by the F.B.I., with approval of the courts, to capture hackers.

The programs include "key loggers" that capture keystrokes, and can record what's onscreen, even turn on a computer's Webcam so that the user can sneak a peek at the target - and get the information and images back via the Internet.

"You don't have to be an F.B.I. agent or a computer genius to use this stuff," said Richard Smith, a privacy and security expert who is concerned about the rise of the products. "You just point and click."

And so a new market has emerged: criminals are using such programs on public computer terminals at copy shops and libraries to harvest credit card numbers, computer passwords and personal financial information. A New York man, Juju Jiang, recently pleaded guilty to planting monitoring software on computers at branches of Kinko's.

In a case filed yesterday, federal prosecutors in Boston accused a 19-year-old college student, Van Dinh, of using a keystroke-logging program to capture the investment account password of a man in Westboro, Mass. Prosecutors say Mr. Dinh then used the victim's account to unload stock options that Mr. Dinh owned and that would otherwise have caused him a large loss.
Last year the Secret Service warned colleges and universities that key-logger systems had been found on public computers in schools in Arizona, Texas, Florida and California. And earlier this year a former Boston College student, Douglas Boudreau, pleaded guilty to charges that he had installed key-loggers on machines at the school to create student ID and debit cards that allowed him to steal about $2,000 worth of goods and services.

"Anybody who routinely uses a computer that isn't their own ought to be thinking, 'who's looking over my shoulder?'" said Ross Stapleton-Gray, a computer consultant who has worked for the University of California system.

Jerry Brady, the chief technical officer of Guardent, a computer security firm, said, "You can assume that most hotel and airport lounge computers have had keystroke loggers installed at one time or another," whether because of commercial snoopware or key-loggers installed by viruses and worms.

Little wonder, then, that a mini-industry has grown up to detect and defuse the programs. Software with names like TrapWare and NetCop are designed specifically to combat monitoring programs, but the most recent versions of more traditional computer security products like Norton Antivirus from Symantec and McAfee VirusScan from Network Associates have been upgraded to search for digital snoops as well.

Finding snoopware is "a logical extension to what antivirus software is already doing," said Tom Powledge of Symantec.

The companies that say they make products for legitimate uses bristle at the suggestion that their products are used illegally, except in a few exceptional cases. Doug Fowler, the president of Spectorsoft, makes three snooping programs, including eBlaster, which can be installed remotely. He said the product was used legitimately by parents whose children were away at school, and by companies with far-flung field offices.
The product can be used for nefarious purposes, he admits, but he added: "A car can run somebody over. That doesn't mean you design a car to run over somebody."

He says he has no respect for the company that puts out LoverSpy and advertises its remote-spying abilities online. "Lines have to be drawn somewhere in this world," he said.

The creators and marketers of LoverSpy, who were traced through Internet registries and comments they have made in online discussions, did not respond to over a dozen phone calls and e-mail messages.

Mr. Eaton, the TrueActive founder, said that while he had worked closely with law enforcement, the decision to hamstring his program, which is called WinWhatWhere, was not based on worries about possible liability. "It was an ethical problem," he said.

Mr. Eaton also noted that the feature demanded a disproportionate amount of attention from his technical support staff. His company, he said, will "actively help anyone that thinks or has found our software illegally installed." Besides, he added, "this kind of program has a bad enough reputation without this kind of stuff."

One executive of a computer security company said that the situation was getting worse. "We're definitely seeing quite the ramp-up in the number, and the sophistication, and the malicious intent of monitoring software in recent months," said Bryson Gordon, the senior product manager for the McAfee consumer security division and the company's chief spam prevention officer.

But at least one program, he said, may not pose a real threat - of spying, at least. Mr. Gordon said that his company's security researchers, working with the Justice Department, were unable to find any actual working software that could be downloaded from the LoverSpy site after paying the fee.

He seemed less than stunned by the notion that a product advertised via spam might not be all that it was claimed to be. "You can't be all that surprised," he said.

Copyright 2003 The New York Times Company