Keystroke Logger Faces Federal Wiretap Charges

securitas writes "In what prosecutors say is the first case of its kind, a former insurance claims manager was indicted on federal wiretapping charges for allegedly installing a keystroke logger on another employee's computer. The device was secretly installed 'on a PC used by a secretary to senior executives at Bristol West Insurance Group.' Reuters reports that the man, who had been fired, was gathering information for a class action lawsuit against his former employer. SecurityFocus interviews would-be keystroke logger user Larry Lee Ropp who reportedly installed the KEYKatcher device on the PC."

Just slightly OT

[The-Bus]

From http://www.keykatcher.com/testimonials/index.html

"I must thank you for this great invention. Early this year, I discovered my 14-year-old daughter was on the ICQ with a person with a name of "P****". I was shocked and did not know what to do. I then e-mailed the editor of Parent and Child and they reccommended me to do a search on the internet. I was very fortunate to have purchased a KEYKatcher. The ability to read my daughter's e-mail has helped us to make the right decision about the school she would attend last September..."

I mean, is there any useful use for this device at all?

Re:Just slightly OT

[REBloomfield]

we actually use something similar in the school i work at. Students are monitored by the logger, if it finds a word or phrase in our database, then a screenshot is sent to us, and we can then watch the student in real time over VNC.

eg. student types in http://192.168.0.1/admin then we know about it (ficticious example: idea is that the kid is going somewhere he shouldn't).

Re:Just slightly OT

[Liselle]

I can't think of anything that's terribly legal. I knew there was a reason I never do anything important on publically-accessible terminals. I guess it's a nice device to own if you're a bad parent with a tinfoil hat.

The question in the back of my mind on this article though: what would they have done if it was a software keylogger, instead of a hardware one? Do the wiretap laws still apply in the same capacity? I understand from TFA that the fact that it logged emails made him a target for it.

Re:Just slightly OT

[mirko]

So, they'll begin typ1ng l1k3 w4r3z m0f035 t0 /\v01d b31ng tr4x0rr3d by n4z1s ?

Re:Just slightly OT

[Chess_the_cat]

I mean, is there any useful use for this device at all?

Definitely. If you're a writer of some kind, install a KeyKatcher and you've got an instant backup of everything you've written. If your word processor crashes, no problem; fire up KeyKatcher and cut and paste everything you've lost. Beautiful stuff.

Re:Just slightly OT

[REBloomfield]

we're not trying to read what they're doing, it's frankly of no interest, we're more concerned with *what* they're doing. For example (again) They have no need to ever run a .com file, so if it comes up in the log, i can find out why, and deal with it. Typ1ng l1k3 7h15 will achieve bugger all if they actually want to use the system...

Re:Just slightly OT

[Vellmont]

Good to hear that Big Brother is alive and well in our schools. This kind of thing just makes me sick. Is it appropriate to have computers monitor the phone line in a school for keywords or phrases, and then listen in when they're detected?

Re:Just slightly OT

I mean, is there any useful use for this device at all?

No. Not unless you think like this:

Dear god, think of the children. WON'T SOMEBODY THINK OF THE CHILDREN?

The correct solution is called parenting. There is no substitute for parental supervision and being involved with your children's activities. You wouldn't let a child watch whatever TV station they want, completely unsupervised - so why would you do the same with an internet-enabled computer? Call me old fashioned, but I don't even think a child should be allowed access to a net-connected computer unless it's in a shared, plainly visible family room environment.

Using tricks to snoop on your kids like this will breed an attitude of distrust and paranoia. You'll also only find out what they're up to after the event. Instead of working against them, you should actively work with them.

Plus, with a software solution - you actually have to check the logs from time to time. If you care so little that you'd rather a piece of software babysat your child, eventually you'll stop reading the logs because that involves effort.

Re:Just slightly OT

[eclectro]

Actually, kids in schools can not prevent the search of their lockers, as the school owns the lockers. I imagine it is this same logic that is extended to computers owned by the school.

The same unfortunately is applicable to many places of employment. Owning the equipment gives employers the right to monitor it. I believe that this was decided in the supreme court.

You should never assume that you have privacy on equipment you do not own.

Re:Just slightly OT

[Vellmont]

Duty of care? The internet is everywhere, not just schools. You can order up some nice heroin on the phone too, but there's no "duty of care" because you provide a phone line.

Are you going to bug the bathrooms to find out if anyone is making drug deals? What's so special about the internet that you feel you should monitor usage on such a personal level?

Re:Just slightly OT

[Mose250]

Not really - what's the difference between this and just having a teacher walk around and glance over the kids' shoulders? The fact that VNC is used instead of a pair of eyes? Computers in schools have never been a place for completely anonymous internet access.

Re:Just slightly OT

[Liselle]

Just pray that you haven't done anything with your mouse, moved around the cursor, formatted the text, used any weird keyboard shortcuts, or ducked out to send an IM to your girlfriend. The data on the keylogger could be a little bit munged with that bit of randomness added. :D

Re:Just slightly OT

[loyalsonofrutgers]

I agree. Especially in states where the state constitution provides an explicit right to privacy (for example, Alaska, a notoriously libertarian state). There is a big, big difference between filtering internet content and monitoring an individual. I recall when I was a freshman in high school the ELP (gifted program) lab computers had a program to take a screenshot every so many seconds and save them to be reviewed. It turns out that it was a student "administrator" who had installed it and who reviewed the screenshots. THAT was a lawsuit waiting to happen.

Re:Just slightly OT

it is possible to type .com without typing the letters in order or even next to each other. just use the mouse and reposition the cursor between each key. i hope the students don't know you are using keyloggers, because if they do and don't want to be caught then you are going to quickly teach them how to obfuscate their typing.

Re:Just slightly OT

[Vellmont]

So if the school owns a phone they can listen in on all calls? It may be legal for the school to do the monitoring, but that doesn't mean it's the right thing to do. I find it frightening that a generation can grow up with the expectation of being monitored constantly.

Re:Just slightly OT

[orthogonal]

I can't think of anything that's terribly legal

Well, there are very few cases, but... I installed a (software) key logger on my own box in order to get the raw data needed to figure out my personal letter frequency in typing -- the standard English frequency wouldn't apply, as I do a lot of C and C++ coding. (How often do you see semi-colons, let alone curly braces, in standard English writing?)

A nice side benefit is that I could review the key log -- to see if anyone else had been using my computer.

Re:Just slightly OT

[Slamtilt]

I take it you're not a parent. Find one who wouldn't be concerned that we offered filter free, non-monitored use of the internet.

I'm a parent, and I wouldn't send my kids to a school with a policy like yours. That policy is not, by the way, the same as offering "filter-free, non-monitored use of the internet". There are ways of achieving a safe and humane environment without logging every keystroke, and it's disingenuous to imply that there aren't.

Re:Just slightly OT

I suppose you have clear rules for students then? So everyone surely knows that they should not try to run .com files etc. ? Or is this surveillance done in great secrecy to avoid provocating students with some accurate set of rules?

Re:Just slightly OT

[maxwell+demon]

You mean like www.microsoft.com or someone@hotmail.com?

And BTW, for running a .com file, it suffices to just type the name without the ".com"!

Re:Just slightly OT

[REBloomfield]

yeah, they're called policies, and they are signed by the students, and by the students parents, and they are available for all. When they log on, they are reminded that their actions will be monitored, and they consent to this before they are given access.

Re:Just slightly OT

[dwave]

They promote their product as a technical solution to a social problem? I don't think this will work.

Friends with children who are computer literate often ask me if there's a way to limit the log on time for the children's accounts. I've no children myself but I always advice against the technical way. If there's an apparent problem (homework not being done properly, neglect of friends, socialising with the wrong kind of people etc.) parents have to dedicate time to their kids and find an agreement together. Just installing spyware and barriers won't work.

Besides, parents often underestimate their kids' knowledge and creativity to jump technicals obstacles. And I'm sure there a quite a few children who have root account on their daddy's Windows box and know a lot more about computers than dad ever would.

Re:Just slightly OT

[azaris]

You should never assume that you have privacy on equipment you do not own.

OK, then I suppose you'd be fine with a clothing store videoing their customers in the changing room and selling the tapes on the Internet. After all, those people have no expectation of privacy since they don't own the store.

Similarly, an ISP would be permitted to decrypt the passwords of their clients, rummage through the data stored on their servers and see if there's anything useful or naughty in there.

We must concede that the question of privacy is not a line drawn in sand but rather one drawn in water, so making blanket statements like yours is not a sensible approach to the issue. Each case must be considered on an individual basis.

Re:Just slightly OT

[maximilln]

Just because you sign a policy agreeing to slavery doesn't make it legal or ethical.

Every single person who uses the excuse "I can play God because you signed the policy agreement" should be bludgeoned to a pulp with wet noodles.

Why wet noodles? It'll take longer to achieve the pulp stage and sting more.

Re:Just slightly OT

[Vellmont]

No.

If you're talking to a trusted friend/family member about something personal (traumatic event in your life for instance) and someone walks in the room, do you modify your behavior? Of course. Does that mean you shouldn't have been talking about it? Of course not. People do have legitimate reasons to keep secrets. Doing so isn't evidence that what you were talking about or doing is wrong.

Re:Just slightly OT

people don't seem to understand the difference between a school and a government.

We don't want a "big brother" style government, but this means that we have to allow smaller entities, schools, parents, companies, etc to determine what's best for them, separately.

So if your school wants to monitor it's students..great.

If your school pushes an agenda for the governemnt to nationalize school monitoring...that sucks.

An absence of federal policy doesn't mean a free for all...in fact it may mean some rather stringent local policies. Keep it local.

Re:Just slightly OT

[leonardluen]

there are still ways to obfuscate this.

things start getting really messy here, but kids are quite resourceful. i was in school once, i seem to remember that some of use knew more about the security systems on the computers (including the admin passwords) than a number of the people running them.

so what if it grabs the text from the window i am working in...there are ways around this so i can still dl www.naughtypictures.com or run a certain command and not get caught.

for example i just have to write a little program or script that will dl it for me through a proxy and then save it to hd or homearea as prettyflowers.jpg then open file and no one was caught.

i guess my point is that whatever you do is not enough for someone sufficiently motivated to do something they shouldn't be

Re:Just slightly OT

[Cr3d3nd0]

As a matter of fact I just found a maybe not so much legal, as a justifiable use for a keylogger. My girfriend lives at home with her mom, 6 year old brother, and her mom's boyfriend. Being the geek I am I took the time to help clean their system of spyware and the like when I ran into a few child pornography pictures in the recycle bin. Seeing as they have a 6 year old child living there I wanted to keep an eye on their system to find out where the pictures had come from. Sure enough three days later I got a log in the email of the boyfriend chatting with a young child online. I informed the mother, and the police and now the asshole is up on child porn charges. Obviously they couldn't use the keylog information but the fact that the pictures were on there was enough.

Re:Just slightly OT

[eclectro]

I did not imply that I am fine with anything.

I am just stating fact. It's true that it would be wrong for companies to place video equipment in changing rooms and bathrooms, and in fact there are laws specifically preventing this.

You can be sure that you are covered by five different cameras as you enter and leave changing rooms. Also, most stores have spies close to these areas.

So much as ISPs and computer privacy is concerned, I wouldn't say they have the right to do anything. but that does not mean they don't have some capability and can use it covertly. One example might be is if you are a spammer.

Also as you know, the FBI can intercept much of your email traffic with carnivore if they wanted to, and because of the patriot act they do not need to get a court order to do so anymore.

Privacy is not a constitutional right. Modern electronics means that we as citizens are going to monitored and watched more than ever before.

Re:Just slightly OT

[The_Unforgiven]

Which presents one obvious conclusion, of course.

The last generation were weaklings, and we need less sleep. :)

If you'll excuse me now, I have to drink a 6-pack of Coke. That annoying yawn is returning...

Re:Just slightly OT

[Huogo]

I've found that booting to a Knoppix CD, then connecting to a proxy on my webserver through an SSH tunnel is a very good way to avoid being monitored. NetOp (basically VNC) won't work, VNC won't work, watching my history won't work, and the server logs won't work. All the data is encrypted, with nothing running client side to monitor me. Only way is for someone to look over my shoulder.

Re:Just slightly OT

[Atzanteol]

Oh for chrissakes. The original poster was monitoring children in a classroom. Children! Children are supposed to be monitored. You want an 11-year old going to images.google.com and typing in this new word 'lesbian' he's heard so much of (in Massachusetts at least)? We all know what's going to come up, and it's a bit more educational that many would like.

What if the childs surfing for porn? Emailing a friend about commiting suicide? Chatting with perverts? Planning a murder of a teacher? You think these things aren't done?

What's coming to this country when 11-year olds have a "right to privacy"? What kind of parent puts that much faith in a child? Hell, why bother parenting at all then?

Re:Just slightly OT

[maximilln]

How about spending more effort on identifying and neutralizing teenage cliques which inevitably lead to scapegoating and witchhunting?

I know. Once again it's easier to blame the kids than it is to take responsibility for being armchair parents--omniscient and impotent at the same time.

Re:Just slightly OT

[maximilln]

Why does everyone use Columbine as an excuse to increase Big Brotherism?

Anyone with an ounce of honest thought realizes that watchful Big Brother wouldn't have prevented Columbine. Watchful Big Brother always sides with the majority popular clique. If anything watchful Big Brother would've helped the priveleged students antagonize their scapegoat prey and would've brought the whole situation to a head much earlier.

Which isn't a bad thing. Armchair parents and water-cooler gossips needed a wakeup call. I don't condone the end result of those actions but, in all honesty, the clique nature of our social system is just begging for it.

Re:Just slightly OT

[D-Cypell]

British kids are getting less sleep than their parents' generation

Yeah!! Damn kids, they should be doing exactly what their parents were doing at their age...

Taking lots of mind altering drugs and having unprotected sex with complete strangers!!

What is the world coming to!

Why is it that every generation feels the need to tell the next how much they lacked discipline! Thats part of being a kid! Consider it compensation for the next 45-50 years you will be stuck behind a desk.

Re:Just slightly OT

[dave420]

and when the user types in ptt:h/1/290816...a/dinm and uses drag-and-drop/cut'n'paste to rearrange the letters and then press enter, your keystroke logger knows all about that, right?

I'm sure it works well for you, but don't put all your trust in it. It's ridiculously easy to fool something like that - ridiculously easy.

Wouldn't it be better to use policies and actually restrict their actions, as opposed to trying to half-ass guess when they're doing something wrong so you can send out the heavies? It's kinda like an automated CCTV system that looks for people in black/white striped tops, wearing masks and carrying black bags with dollar signs on... The sort of students who know how to get round stuff like that are the ones you want to be watching. Ironic, really... By using that approach to security, you've made yourself less secure.

Re:Just slightly OT

[maximilln]

If you're relying on a keystroke logger to clue you in to children who have problems with any of these issues then let it go. You're already too late.

If parents and mentors were even close to taking responsibility for their children they'd pick up on these issues long before a keylogger alerts them to it.

Ode to a generation that is completely self-absorbed until the last possible moment when "DANGER WILL ROBINSON" is blaring over loudspeakers.

Re:Just slightly OT

[eclectro]

Why does everyone use Columbine as an excuse to increase Big Brotherism?

Most of it is pathological. Parents and school administrators are scared. So naturally they will do anything they can think of to prevent another Columbine from happening. More cops and cameras in schools are the first things that comes to mind.

But I think you touched upon a larger issue. Since 9/11 we as a nation have lived in a constant state of fear, much of it irrational.

Where do we stop and look at ourselves and ask what are we giving up in the name of security?

I hope more people ask that question.

Re:Just slightly OT

[Catbeller]

MEMO: Privacy and Intellectual Property Protection Policy of NorthByNorthwestern University

Anyone (hereafter referred to as "we") in the employ of NBNWU designated by appropriate management can monitor any activities of any student, employee, or casual visitor to to your dorm at any time. We reserve the right to record any activities, up to and including really gymnastic-quality sex. We reserve the right to distribute said information and cool tapes if we want to. Get over it.

If you (student/employee/casual sex encounter) do not like this, we suggest therapy for your sad case of paranoia.

If you (student) do not like this, you are free to quit this institution and become free to obtain any employment you desire in the fast-growing field of janitorial work.

We reserve the right to give your ass up to the Feds on command. Or even if we feel they may be interested. Or if you seem suspicious to us in any way.

We feel that you (student/employee/casual encounter) should feel safer in the hands of a benevolent power such as We; what are you complaining about, hippy? Something to hide? Hmm?

We are broke, and are of necessity closing down Student Health Services for lack of funds. This will not deter us from investing 23 million dollars in an all-campus surveillance system necessitiated by the vicious attack on one of our coeds by Millie the pit-poodle.

All independent ad-hoc "dark" networks, and of course independently created wireless networks are forbidden as they violate the purpose of maintaining the public safety of NBNWU; unmonitored communications are sadly reliquated to the distant past. 9-11 9-11 9-11, and of course, 9-11.

We at NBNWU also feel that consistent with our finest traditions of preparing our graduates for the rigors of the working world, our students should acclimate themselves to the weekly anal examinations, virginity and drug tests, and loyalty oaths prepared by your loving administration. We love our President, our God, and our Alumni Association.

Your tuition will be raised by 15% this year. If you have a problem with this, take it up with the 10,000 people waiting to get in behind your expelled butt.

Re:Just slightly OT

[viking099]

You're assuming they allow booting off a device that isn't the primary hard drive.
How many people who know anything about computer security actually continue to allow non-internal hard drive booting on a system that is intended for general use after it's set up and installed?

Not many, I'd hope. :-)

Re:Just slightly OT

[elmegil]

You've never had to deal with rule breakers, have you? It's not a matter of "playing God" in most cases, it's a matter of making sure that the rules are adhered to. If all you do is sit back and repeat the rules, and are only able to do anything about the most flagrant rulebreakers, all you end up doing is pushing the real troublesome ones underground. Policies should not only say "you agree to be monitored" but also what you can do if you think you've been mistreated, and provide real relief if you are.

As a former university sysadmin, there were times when we would find out someone was breaking the rules, but to enforce them we had to have real evidence. This involved surveillance, usually electronic/email. We then made our case to the dean of students, and if they agreed that the rules were broken, punishment was handed out. The student always had the ability to appeal to higher authorities if they thought they'd been mistreated or the punishment was too harsh. Enough checks and balances that it was never abused; we didn't snoop on students who had not done anything to arouse suspicion, and I can't recall any cases where we went to any great depths investigating anyone who wasn't found to be guilty of enough of an infraction to justify our time.

That said, I think continuous keystroke logging is excessive and likely more prone to abuse, but still, there is NOT any absolute guarantee of privacy, even if I'm using my own equipment. That's why the FBI can go to a judge and get permission to wiretap a suspect (let's leave aside the fact that I believe that PATRIOT has gutted a lot of the appropriate checks and balances in this system). The other side of that is that you can't just wiretap someone because you want to, and getting back OT, that's what happened here. Regardless of how noble the cause, the means was illegal.

Re:Just slightly OT

[I+confirm+I'm+not+a]

Getting serious (slightly...) for a minute... I don't feel that "my" generation needs to tell the younger generation that "they lack discipline". That's just passing the buck. It's my generation's responsibility to *provide* discipline - even if that means saying "you can stay up all night surfing pr0n once you leave home/reach 18/run away and join the circus - and not before!

But yeah, back to the humour... I'm just bitter!

Re:Just slightly OT

[maximilln]

-----
You've never had to deal with rule breakers, have you?
-----
This sums up my whole issue with Big Brother techniques such as keyloggers.

Even former university sysadmins play favorites. Teachers play favorites, parents play favorites, PEOPLE IN GENERAL play favorites. While playing favorites is a natural part of human existence there's no good to come of installing more and more systems to further antagonize those who aren't the favorite.

In our society the people writing the rules are far too priveleged and too well protected. A natural usefulness of rulebreakers is to identify which rules need to be revised or reconsidered. With all of these Big Brother techniques to catch rule breakers the moment they move a finger the wrong direction we'll never refine our system of rules. We continue adding rules and more rules and more rules. It's only logical that, in a system that never repeals or revises rules but onoy adds them, it will be possible to selectively enforce the rules not for the sake of order but to advance personal agendas.

Let's face it. Until we constructively figure out a way to get out of our descending spiral of zero tolerance and moral elitism (often defined and enforced by those who are the biggest hypocrites) then our society is and will continue to be _broken_. Keyloggers aren't going to fix it. Keyloggers are only going to help make it more broken.

Re:Just slightly OT

[eclectro]

I'll remember that when I watch the fireworks the next fourth of July. For all the good it will do me.

Evidently I don't have enough privacy rights to stop the government from searching through my library records, seeing what books I buy, or reading my emails in the name of stopping terrorism (and doing so without a court order). Thanks to the patriot act.

Then there is Total Information Awareness reborn which is the marrying of commercial and government databases to rob me of even more privacy, and echelon.

So privacy is a nice idea, but unfortunately, that is all that it is.

Our government is out of control in more ways than one.

Re:Just slightly OT

[dogfart]

You should never assume that you have privacy on equipment you do not own.

And since most people own damn little, they effectively have no privacy. Should your landlord have the same right to monitor their tenants? Suppose someone is sneaking in an overnight visitor in violation of the lease? Should the landlord be able to monitor your communications to find this out? They own the building, you don't.

Privacy rights that extend only as far as you own the computer equipment are effectively useless, as they would cease to exist once your networked data travels outside your property boundary. After all, the phone/cable company owns the wires, and you are using their equipment.

Re:Just slightly OT

[MrScience]

Unless you used something hardware based... say, the KeyCatcher mentioned in an above post. In which case it catches all keypresses, whether you're running OS/2, BEOS, in the BIOS, or Linux.

Of course, since I type in Dvorak, it wouldn't be able to figure out what the heck I'm typing (since I use a software driver to convert a QWERTY keyboard).

Re:Just slightly OT

[maximilln]

-----
Did you miss the part where the student has recourse to a higher body if they felt they had been unfairly singled out?
-----
I didn't miss it. I ignored it. Our system of zero tolerance and well protected rulemakers leaves no real breathing room for recourse.

We shouldn't give up on enforcing rules. We should better define which rules need to be enforced. This is _the_ central problem in our current society. A vast majority of people are busy writing rules and more rules and more rules to justify their high-horse of righteousness.

Stop and think about the following:
Is this really a rule that we will want on the books ten years from now?
Is this really a rule that we have the ethical right to enforce?
Is there potential for abuse in this rule?
Can we better spend our time refining existing rules than adding new rules?

If you've done any complex programming you would understand what I'm getting at. Any idiot with a text editor can write more code and more code and more code. It takes a good programmer to go back and rewrite code to be faster, better, more efficient, more effective, and more productive.

Here in the US we don't have a demand for good politicians. We only have a demand for politicians that can make more rules. In essence, the US political system is writing a crappy operating system with more band-aid style approaches such as key loggers. They never go back to see that the real problem is with the existing US Code. It's causing more page faults than any army of keyloggers can fix.

Re:Just slightly OT

[wwest4]

> after Columbine and increasing crime waves in
> schools you will see cameras everywhere.

and worse - there were cameras at columbine, recording the shooting but not preventing anything.

Re:Just slightly OT

[DarkVader]

A public school IS the government... There is NO difference.

Re:Just slightly OT

[daksis]

It doesn't make for a safer environment. It makes for an environment that *seems* safer. Coercion is the lowest common denominator of co-operation. It works only so long as the will of the coerced is broken. So the kid who's going to find a copy of the anarchist cookbook surfs for it at home, instead of at school. He's still going to come into the school trench coat and six guns blazing and people are still going to wonder "why?". All safety is an illusion. And snooping on the online activities of children seems a pretty low way to give the parents piece of mind.

What would happen if the school spent as much time attempting to provide for the moral development of their charges as they did policing their online activities?

Federal wiretapping charges?

[pinkUZI]

When is the last time you remember hearing about an indictment for actual wiretapping? Doesn't it seem like people get away with wiretapping regularly? I'm thinking about things like the illegally recorded phone conversations with Monica Lewinsky. Or does the law specify exemption if it is done for a good cause?

Re:Federal wiretapping charges?

[eclectro]

Wiretapping laws actually vary from state to state. Some states allow you to secretly record a conversation as long as you are a part of that conversation. A few states do not allow this - you have to tell people you are recording them.

In this instance, the guy at the insurance company was not a party to the conversations going on. Therefore he was obviously in danger of violating the law.

Being a whistleblower means that you call up the FBI and you let them do the investigating. Here, he was playing the role of the FBI.

Unfortunate mistake, considering that his former employers probably were/are scumbags.

Re:Federal wiretapping charges?

[pinkUZI]

How can " federal" wiretapping laws vary from state to state? Either the laws he broke are federal laws and the so the charges are federal or they were state laws and the article should read "California wiretapping charges."

Re:Federal wiretapping charges?

[eclectro]

How can "federal" wiretapping laws vary from state to state? Either the laws he broke are federal laws and the so the charges are federal or they were state laws and the article should read "California wiretapping charges."

Wiretapping laws vary state to state.

There are also federal wiretapping laws covering much the same thing. They are not mutually exclusive. It just happens that some states extend federal law.

This guy was investigated by a federal grand jury, hence federal law applies to him.

But so does state law, and he could be charged under that too. Like Linda Tripp was for recording Monica Lewinsky's calls.

Re:Federal wiretapping charges?

[Lord+Kano]

I have always wondered if one party stating this fact makes it legal for the other party, in this case the consumer, to also record the conversation.

That's a good question. When I worked for DishNetwork we were instructed to stop talking if the customer said that the were recording the conversation. We were instructed to tell them that we didn't give our permission for them to record us, right before we stopped talking. We were also instructed that legally they HAD to stop recording us once we said that...

But that never made sense to me, we're all aware that any given call COULD be recorded and monitored. I would guess it varies from state to state, but it didn't sound right to me. If we get the right to monitor the call by making the announcement, all parties are aware of the possibility, and consent to US monitoring the call, then how in the hell can that same right not extend to the other party of the call?

LK

This is why

[lxs]

This is why you should always check your keyboard cable on your work-PC.

Not only does it keep you secure, but you might score a brand-new keylogger for free.

What a contradiction!

[windex]

According to this politech posting by bernieS, it appears that the feds are going to be doing a little bit of double backing.

It raises an important question, I think: are keyloggers wiretapping devices? They don't involve telecommunications lines directly, so can they be considered in the same class?

Some food for thought.

Re:What a contradiction!

[SmackCrackandPot]

A keyboard is a two way communication device. The inputs are the keys you press, and the outputs are the num lock/caps lock and scroll lock lights. In theory, you could use a keyboard to communicate with another person using Morse code with the space bar to send and the num lock light to receive them.

Re:What a contradiction!

[_LORAX_]

Obviously you missed the parent posting's point.

In New York federal investigators used a search warrant ( sneek and peek ) to install a keylogger on a mob boss's computer to steal his pgp keys. They DID NOT HAVE A WIRETAP WARRANT. You can now see the contradiction inherent in this prosecution. Go after this guy and possibly let a mob boss off on appeal because the information they used to convict him is now tainted.

Of course if they had gotten a wiretap warrant in the first place this would not have been a problem, but they did not have the evidence to get wiretap only a search warrant they have differnt levels of proof of illegal doings

It sounds like he went to far...

[MyNameIsFred]

While his heart may have been in the right place, it sounds like he went to far. Once the class action suits started, once the state of Calif. started investigating, there was very little need for his cloak and dagger actions. The courts could have done the work. If he felt that they were tampering with evidence, destroying evidence, or not providing everything the courts demanded he could have come forward. In my view, he put his own neck on the line in a wreckless way.

Oh, so it's "okay"

[the_skywise]

He was collecting the names of all the insurance company's clients... So uh... so he could notify them of their ability to join the class action lawsuit!

He was... he was helping the government investigate a corrupt company, yeah! He was James Bond! Saving the innocent from themselves!

Yeah... he had no intention whatsoever of joining a competing company and stealing the client list.

Good.

"In what prosecutors say is the first case of its kind, a former insurance claims manager was indicted on federal wiretapping charges for allegedly installing a keystroke logger on another employee's computer ..."

Good. It is not the decision for just any man to make, on when to invade someones privacy. (Most) Laws exist for a reason. This man broke one. Hopefully he'll spend some time in jail.

Wiretap law - 18 USC Section 2511

[sczimme]

Read all about it here.

Certainly contravenes EU law

[heironymouscoward]

The EU convention on cybercrime, which is law in most (all?) EU countries since 2000 prohibits the interception of private electronic communications. A key logger would certainly fall into this category.

However, there have been very few convictions under these laws, only a couple of "hacking" cases in the UK afaiaa.

It's not only about domestic/workplace espionage. Spyware vendors (a species that rates somewhere between slimemolds and spammers) use similar techniques to spy on and report back on people's use of their computer.

This guy is an idiot.....

[Doc+Squidly]

....He got busted when he call the company to get the device back!
Not the smartest thing to do. He deservse whatever he gets.

Re:This guy is an idiot.....

[I+confirm+I'm+not+a]

Ah, but if we start basing justice on lack-of-smarts, there's no telling who'd end up with what they "deservse" ;)

Re:This guy is an idiot.....

[transient]

Reminds me of a guy here at work who asked our backup administrator to restore his stash of porn on our file server. He lasted about 30 minutes after that.

What if...

[RandoMBU]

They were to apply federal wiretapping laws to spyware? If an unauthorized piece of software transmits information about my activities to a third party without my knowledge... that sounds like wiretapping to me.

Re:What if...

[DaHat]

In the majority of those cases, you as the user are agreeing to the installation of the spyware.

There is nothing wrong with monitoring yourself.

Remember, this case is about an individual installing monitoring other people with out their consent or knowledge.

In theory, if spyware were installed with out a note in the EULA saying so, and no other "I agree to let you know everything I do and where I go"... then yes, you could get them for wiretapping.

Yeah!

[the_skywise]

I better go with a wireless keyboard! That'll stop people from capturing my keystrokes!

I've used a keyboard logger

[spidergoat2]

We had a consultant (former employee) work at a branch office. The owner said to keep an eye on them. I want to the branch office and told every employee that I was installing a keyboard logger and why. When the consultant (former employee) logged on, they had no idea they were being tracked. I discovered they had a back door account and were logging into a supervisor account. Good or bad, I discovered the holes in my system.

Lessons learned...

I have to agree that this sort of behaviour is absolutely inevitable in nowadays everyday life. In the past it was called "social control" where small communities monitored each other's behaviour to see if somebody wasn't stepping out of line. If they would, due psychological force could be executed to get them in line again ("gossip"). Now this practice has mainly gone away simply because there are less and less small communities, and thus we need to monitor other people by different means. Ofcourse, in due time virtual communities will take over the "social control" thing in a comparable way, but it's not there yet.

In the meantime, we shall have to rely on the usual methods of camera's, microphones, keyloggers and traitors. I think we can learn a lot from former Soviet-Russia and sortlike countries that have executed this behaviour in great practical ways...

thinkgeek disclaimer?

[circletimessquare]

so when is the disclaimer going up at thinkgeek?

http://www.thinkgeek.com/gadgets/electronic/5a05/

disclaimer: please do not buy this product and use it for what you think you were going to use it for, thank you... same with that x10 camera you were thinking about too, while we're at it

Re:Tight Security

[maxwell+demon]

And how exactly does running xlock prevent anyone from putting hardware in between keyboard and PC?

Consent

[Detritus]

While they may have consented, did they really have a choice about the matter? They have to be in school. They may not be able to pass their classes without the use of the computer.

As adults, they may be presented with similar policies. Only this time, they have the "choice" of consenting or losing their job.

The law, in its majestic equality, forbids rich and poor alike to sleep under bridges, beg in the streets or steal bread.

-- Anatole France

Re:Consent

[STrinity]

While they may have consented, did they really have a choice about the matter? They have to be in school. They may not be able to pass their classes without the use of the computer.

Of course they don't. They're students. When were you ever given a choice in school -- "Well, you can read The Scarlet Letter, or you can play with your gameboy." This is no different from teachers walking around the classroom to make sure everyone's doing their assignment.

Robin Hood

[JSkills]

First off, there are a couple of links to articles describing what happened, the Security Focus article was the most informative.

So we've got this guy working for an insurance company who decides to inform the Dept. of Insurance that they are cancelling policies unlawfully. This is a good thing and brave of him to do it. Hopefully his motivations were purely good and not just because he was pissed he didn't get a raise last year or something.

And let's face it, insurance companies are the some of the worst kinds of organizations in corporate America. They collect huge sums of money via premiums - that are based in people's fear that something terrible could happen. And then as soon as you need them (you have an accident, someone in your family gets ill, etc.), they immediately initate every effort to not pay you in your time of need. I know it's how they do business, but it's a disgrace. I have experienced this first hand more than once ...

Back to the story, the guy then plants a keystroke logger on a secretary's PC in order to collect further info for his crusade and to aid lawyers in a class action suit against his company. He obviously crossed a line here. And in the middle of this, he finds himself fired (curious). So he asks a former co-worker to retrieve the logger for him? And of course being a good insurance company employee, she rats him out.

I applaud his intentions, if they were indeed based in fairness and the public good. He did get carried away for sure by planting the bug. But I can't believe the stupidity of (1) admitting he planted it to a former co-worker and (2) expecting her to help him retrieve it and f--k the company she still worked for. I guess he really was a bit of a dreamer ...

Software keyloggers

[maximilln]

Why do I get the impression that this article specifically avoids mentioning software keyloggers? Whether or not they're currently illegal under the law shouldn't they be?

Ain't That A &!^(#

[dnoyeb]

Aint that a bitch.

I was just thinking last year how stupid these insurance companies were for always sending cancellation notice as opposed to a bill. (I live in Michigan.) So when I actually get a cancellation notice I don't know if its simply a bill, or an actual cancellation notice.

I have never received a bill from an insurance company, only cancellation notices, and I've been with at least 5 different ones. What more info is needed? we know they do this.

For those who didnt RTFA, Ropp was trying to get the list of people who they pulled this fast one on, from the companies password protected (DMCA anyone?) database.

More power to you Ropp. If the government mandates one must buy something, that thing should be heavily regulated by the government. racket.

My keylogger experience

[kwandar]

I was working for the President of a company who seemed to have information about others that left me wondering. So, I ran a program, (I believe it was Spycop), to scan for anything nefarious on my computer. Nothing found, fortunately.

However I shared this program with a colleague and she ran it and found a keylogger that would send emails from her company laptop, to a blind email account. He apparently had a thing for her roomate, a former employee, and was using this to spy.

My colleague was shocked that this would happen, but as it appeared to have been non-functional for a while due to internet login issues, she didn't say anything, and I told her what to delete to kill the program from running.

That way, any deletion of the software could at least appear to be accidental.

That does it!

[theLOUDroom]

From now on, I'm only doing text input with charmap!

Sure it may be a little slower, but hey, I'm paid by the hour!

Almost .... there ...

[Jahf]

Should keylogging a co-worked be illegal? Yes (though if it is done by your employer and you signed consent then no, just like phone monitoring ... free will works both ways).

Should keylogging be considered wiretapping? NO. It is a distinctly different technology and all lumping things together does is make it easier to confuse the issue the next time someone wants a warrant to do something -similar-.

Keylogging, network interception and a whole host of other things are still quite different from basic phone taps. They should be given a distinct category that can be properly defined.

If anything, the expectation of privacy on the line between your computer and your keyboard is MUCH higher than any expectation people have today for phones (when was the last time you started typing and realized someone else was typing on your computer as well ... VNC not included :).

Plus, you can't expect that by listening in on a phone you are going to regularly hear someone's social security # (my bank uses it for my login id ... idiots), their credit card # (amazon), or their root password. Keylogging is far more invasive.

In the end I think the guy should be penalized more than wiretapping, but not -as- a wiretapper.

Re:Tight Security

[DrugCheese]

By obviously not reading the article first ...

Re:Panties in a bind

[mrtrumbe]

Yes, it is quite resonable to monitor kids at school. In fact, I would hope that my kids were supervised the majority of the time while at school (depending on their age, of course). Teachers should know what the kids are doing and prevent kids from doing inappropriate things. The thing is, supervising kids takes a lot of work, just like being a good parent. The two jobs are actually very similar, at least in the amount of attention and care that should be given to the kids. And in the case of a teacher, they are being paid to not only teach the children, but to appropriately supervise them.

All of this is a far cry from using electronic spy tools to secretly monitor the children's activities. What kind of message does it send to the kids? "Be good! Because if you don't, we are always watching. No matter where you go, we are watching!" Is that really the lesson we want to teach the children? Be good, not for the sake of being a good person, but for the sake of not getting caught.

And that is the difference between appropriate supervision and eletronic surveillance. With the former, the goal is to teach the children, mold them by example and through good leadership, and let the keep their individuality and allow them to experiment within appropriate bounds. With the latter, its simply trying to keep kids away from things which *could* be bad for them.

In short, if a school thinks it needs to install this kind of electronic monitoring system, I think it is indicative of a lack of appropriate supervision and/or quality teachers.

My kids' teacher should know what my child is doing (approximately) without resorting to spying.

Taft

Re:how can you tell if KeyK. is running?

[Crash+Culligan]

can someone post some info on how to detect the app? (my empl is blocking access to the site).

First off, see if your employer doesn't want you getting any information about the program. They might try to prevent this by blocking access to the si... oh, wait...

Does this contradict the Scarfo case?

[Dr.+Blue]

Seems like the feds are contradicting themselves (I guess that's not a huge surprise). In the Scarfo case, the FBI claimed they didn't need a wiretap approval to put a keystroke logger on Scarfo's computer because they were only monitoring internal communications between the keyboard and the computer. Thus it wasn't a wiretap.

Now the government is prosecuting someone for doing the exact same thing. Has anyone else noticed this contradiction, or am I missing some important distinction?

Re:Does this contradict the Scarfo case?

[GPLDAN]

No, you are right on track. So far, nobody in this thread has talked about whistleblower protection laws, or previous court cases regarding the act of keyboard logging. I am going to look into it, because I think you are right.

Re:Does this contradict the Scarfo case?

[_LORAX_]

Yes,

For those that don't know...

In New York federal investigators used a search warrant to physically alter Scarfo's computer to install a hardware keyboard logger so that they could retrieve his pgp passwords This search warrant was a sneek and peek. They then went back in a month and took the computer on another search warrant.

At no time did they have a wiretap warrant, they claimed that they didn't need one. This case seems like they are contradicting themselves in several ways. By prosecuting this grey hat, they may be giving Scarfo grounds for an appeal of his conviction based on the fact that the evidence was tainted.

The reason this is important is that the requirements are more stringent for a wiretap warrant then for a search warrant, if they had had proper evidence they would have use it to get a wiretap, but they didn't.

Re:Does this contradict the Scarfo case?

[evilviper]

In the Scarfo case, the FBI claimed they didn't need a wiretap approval to put a keystroke logger on Scarfo's computer because they were only monitoring internal communications between the keyboard and the computer. Thus it wasn't a wiretap.

Sorry, but you missed the boat. In that case, the key logger was designed so that it would be DISABLED when it detected an internet connection. A keylogger that doesn't disable itself will capture keystrokes being sent over the internet, which then becomes a wire-tap.

Great Idea

[darllikesdong]

I also run a keylogger on each of my employees' computers. It's a great way to get free new porn passwords.

Didn't this guy watch Mission Impossible?

[SpaceShaver]

"As always, if you are killed or captured the secretary will disavow any knowledge of your actions. This tape will self-distruct in five seconds" (Tape bursts into flames.)

I've been fired too!

[deweywsu]

I recently got fired from an electronics engineering company in the town of Pullman, WA. I feel like I was treated unfairly, in that I was fired because I agreed to an electronic use policy that stated that the computer I used and anything send from it was able to be monitored. About 11 months ago, I broke up with my girlfriend. I really loved the girl, and hoped to clear up misunderstandings that led to the breakup. However, as these things go, sometimes the prettiest of comments are not said to one another. She said some things I don't think any person should hear. Sadly, and I'm not proud of it at all, I said some things back (of course wanting to uphold my pride, not really thinking that at the time I was only shooting myself in the foot, not only with what little was left of our relationship, but the fact that I was doing it from a company computer). About 3 weeks ago, my hard drive failed. I called our IS department, who came out to deliver a new drive. I erased the old one after I had transfered my files off it. Shortly therafter, they came to pick it up, saying they didn't want it to get into circulation again since it was damaged. Someone must have been thouroughly bored and decided to start a little investigation of my personal data by reconstructing what was on the drive. (Although I deleted files, I didn't reformat...my bad). Shortly after dropping off the old drive, I was told I was fired, because the company had viewed conversations to my ex that were automatically logged by MSN messenger. I'm still quite perterbed that they pulled this out almost a year after it happened. Also, the point was brought up...what gives them the right to monitor a computer, whether they own it or not, when they certainly can't do that with a phone?! How much of our lives are to remain ours, and private when we go to work? The reason they gave was that it put the "company's servers at risk". Hmm. Okay. Obviosuly not that much if nothing has happened, and it's been a year. I wrote the owner of the company, who I greatly respected, who handed it back to the HR department, who verified that they would not re-hire me, despite my personal life issues that led me to do this. On one hand, I see their point in not re-hiring, in that if you do it for one, you give grounds to have to do it for all. From another though, does this stink a little of improper HR and IT practices to anyone but me? -J