WATPA: FW: Snoop Software Gains Power and Raises Privacy Concerns (NY Times)

From: Norm Jacknis <norm@jacknis.com>
Date: Sat Oct 11 2003 - 17:16:48 EDT

Unfortunately, we're going to see more of this kind of software.

--------------------------------

http://www.nytimes.com/2003/10/10/technology/10SPY.html

October 10, 2003
Snoop Software Gains Power and Raises Privacy Concerns
By JOHN SCHWARTZ
Earlier this year, Rick Eaton did something unusual in the world of high
technology: he made his product weaker.
Mr. Eaton is the founder of TrueActive, which makes a computer program that
buyers can install on a target computer and monitor everything that the
machine's user does on the PC.
Spying with software has been around for several years but Mr. Eaton decided
that one new feature in his program crossed a line between monitoring and
snooping.
That feature is called "silent deploy," which allows the buyer to place the
program on someone else's computer secretly via e-mail, without having
physical access to the machine. To Mr. Eaton, that constituted an invitation
to install unethical and even illegal wiretaps. He made the change, he said,
"so we could live with ourselves."
Such principles seem almost quaint in a market where the products seem to
grow more powerful and intrusive all the time. Other makers of "snoopware" —
as opposed to the software known as "spyware" that many businesses use to
monitor the activities of Web site visitors and to send them pop-up ads —
enthusiastically pitch their products' ability to be installed remotely.
They typically skirt the ethical and legal issues with fig-leaf disclaimers
and check-off boxes where buyers promise not to violate the law.
Privacy experts are not buying such arguments. Marc Rotenberg, who heads the
Electronic Privacy Information Center in Washington, contended that selling
software that can tap people's communications without their knowledge
violated the Electronic Communications Privacy Act. "I don't think there's
any question that they are violating the federal law," he said. The
disclaimers, he said, "fail the straight-face test."
Law enforcement officials seem to agree. According to Chris Johnson, a
federal prosecutor in Los Angeles, the F.B.I. recently began an
investigation in California into the maker of one program, LoverSpy, that
advertises heavily via junk e-mail, or spam.
LoverSpy promises to let buyers "Spy on anyone by sending them an e-mail
greeting card!" Federal officials note that federal laws on wiretapping make
it illegal even to advertise illegal wiretap products — and a little-noted
change to the law last year expanded its scope explicitly to include
advertising on the Internet.
There are more than a dozen snooping programs on the market, and their
makers say they are used legally by employers to monitor workers' Internet
use, by parents to follow their children's online wanderings, and by
husbands and wives to catch cheating mates.
Mr. Eaton's program has even been used by the F.B.I., with approval of the
courts, to capture hackers. The programs include "key loggers" that capture
keystrokes, and can record what's onscreen, even turn on a computer's Webcam
so that the user can sneak a peek at the target — and get the information
and images back via the Internet.
"You don't have to be an F.B.I. agent or a computer genius to use this
stuff," said Richard Smith, a privacy and security expert who is concerned
about the rise of the products. "You just point and click."
And so a new market has emerged: criminals are using such programs on public
computer terminals at copy shops and libraries to harvest credit card
numbers, computer passwords and personal financial information. A New York
man, Juju Jiang, recently pleaded guilty to planting monitoring software on
computers at branches of Kinko's.
In a case filed yesterday, federal prosecutors in Boston accused a
19-year-old college student, Van Dinh, of using a keystroke-logging program
to capture the investment account password of a man in Westboro, Mass.
Prosecutors say Mr. Dinh then used the victim's account to unload stock
options that Mr. Dinh owned and that would otherwise have caused him a large
loss.
Last year the Secret Service warned colleges and universities that
key-logger systems had been found on public computers in schools in Arizona,
Texas, Florida and California. And earlier this year a former Boston College
student, Douglas Boudreau, pleaded guilty to charges that he had installed
key-loggers on machines at the school to create student ID and debit cards
that allowed him to steal about $2,000 worth of goods and services.
"Anybody who routinely uses a computer that isn't their own ought to be
thinking, `who's looking over my shoulder?' " said Ross Stapleton-Gray, a
computer consultant who has worked for the University of California system.
Jerry Brady, the chief technical officer of Guardent, a computer security
firm, said, "You can assume that most hotel and airport lounge computers
have had keystroke loggers installed at one time or another," whether
because of commercial snoopware or key-loggers installed by viruses and
worms.
Little wonder, then, that a mini-industry has grown up to detect and defuse
the programs. Software with names like TrapWare and NetCop are designed
specifically to combat monitoring programs, but the most recent versions of
more traditional computer security products like Norton Antivirus from
Symantec and McAfee VirusScan from Network Associates have been upgraded to
search for
digital snoops as well. Finding snoopware is "a logical extension to what
antivirus software is already doing," said Tom Powledge of Symantec.
The companies that say they make products for legitimate uses bristle at the
suggestion that their products are used illegally, except in a few
exceptional cases.
Doug Fowler, the president of Spectorsoft, makes three snooping programs,
including eBlaster, which can be installed remotely. He said the product was
used legitimately by parents whose children were away at school, and by
companies with far-flung field offices. The product can be used for
nefarious purposes, he admits, but he added: "A car can run somebody over.
That doesn't mean you design a car to run over somebody."
He says he has no respect for the company that puts out LoverSpy and
advertises its remote-spying abilities online. "Lines have to be drawn
somewhere in this world," he said.
The creators and marketers of LoverSpy, who were traced through Internet
registries and comments they have made in online discussions, did not
respond to over a dozen phone calls and e-mail messages.
Mr. Eaton, the TrueActive founder, said that while he had worked closely
with law enforcement, the decision to hamstring his program, which is called
WinWhatWhere, was not based on worries about possible liability. "It was an
ethical problem," he said. Mr. Eaton also noted that the feature demanded a
disproportionate amount of attention from his technical support staff.
His company, he said, will "actively help anyone that thinks or has found
our software illegally installed." Besides, he added, "this kind of program
has a bad enough reputation without this kind of stuff."
One executive of a computer security company said that the situation was
getting worse. "We're definitely seeing quite the ramp-up in the number, and
the sophistication, and the malicious intent of monitoring software in
recent months," said Bryson Gordon, the senior product manager for the
McAfee consumer security division and the company's chief spam prevention
officer.
But at least one program, he said, may not pose a real threat — of spying,
at least. Mr. Gordon said that his company's security researchers, working
with the Justice Department, were unable to find any actual working software
that could be downloaded from the LoverSpy site after paying the fee.
He seemed less than stunned by the notion that a product advertised via spam
might not be all that it was claimed to be. "You can't be all that
surprised," he said.
Copyright 2003 The New York Times Company <http://www.nytco.com/>
Received on Sat Oct 11 17:16:56 2003
