Keystroke Loggers Catch a Break
The KEYkatcher keystroke logger is 4 centimeters long, costs $69, and can store 32,000 keystrokes when it is connected to the cable that runs between a keyboard and a computer. And according to a recent court decision in California, if an employee steals information by installing one on a coworker’s computer, that does not violate federal wiretap laws. But that decision may not stand.
Larry Ropp, who worked at an insurance company, installed the KEYkatcher on a secretary’s computer to gather information about what he alleged were illegal practices by his company. When his action was discovered, the U.S. Attorney’s Office in Los Angeles brought the case to a federal grand jury, which indicted him for illegally intercepting electronic communications.
But Judge Gary Feess of the United States District Court for the Central District of California dismissed the wiretapping charge, stating that the Wiretap Act refers only to electronic communications made through a “system that affects interstate or foreign commerce.”
In his written opinion the judge concluded that “the transmission of keystrokes from a keyboard to a computer’s processing unit is not the transmission of an electronic signal by a system that affects interstate commerce, and therefore does not constitute an ‘electronic communication’ within the meaning of the statute.”
The ruling raises concerns about such thefts of information, and the government is already seeking a rehearing. If that fails, it could bring the case to the court of appeals, says Orin Kerr, associate professor at The George Washington University School of Law.
No one should view this case as giving employees a legal right to use keyloggers to steal intellectual property with impunity, says Kerr. “It’s still a state crime even if this case is upheld.”
The decision also raises questions about the way that privacy concerns are pitted against wiretapping laws that are difficult to interpret when it comes to computers, says Mark Rasch, chief security counsel at managed-security-services provider Solutionary.
Rasch notes that in a 2001 case, United States v. Scarfo, the FBI placed a keystroke logger on a computer to help crack a password-protected file, and the government successfully argued that only data sent through the modem and across the Internet was considered an electronic communication, and that something that was simply being typed—for example, a word-processing document not being transmitted across the Internet—was not.
“These kinds of distinctions recognize how the wiretap law needs to be rewritten,” Rasch says. He also cites the investigation of convicted spy Brian Regan. In that case, the government avoided the wiretap issue by installing a hidden camera in Regan’s office. It was pointed at his computer screen and thus captured everything he typed.
“Clearly that camera which is capturing my e-mail as I’m sending it is not intercepting a communication in transmission,” he says. “By focusing exclusively on narrow technology that’s employed, as opposed to the privacy interests that affect it, courts are essentially gutting privacy rights online.”