Forwarded From: bluesky@rcia.com
Originally From: SpyKing@thecodex.com
There has been a lot of talk about PC security lately with the release of
programs like Back Orifice and the multitude of keystroke logging programs
available on the net.
Many computer systems administrators, security personnel and even parents
use keystroke logging programs as a means of monitoring employees, system
intruders and children. Is it legal?
According to U.S. Code section 2512 it may not be...
U.S. Code 2512 states:
>Except as otherwise specifically provided in this chapter, any person who
>intentionally -
>(a) sends through the mail, or sends or carries in interstate or foreign
>commerce, any electronic, mechanical, or other device, knowing or having
>reason to know that the design of such device renders it primarily useful
>for the purpose of the surreptitious interception of wire, oral, or
>electronic communications;
>(b) manufactures, assembles, possesses, or sells any electronic,
>mechanical, or other device, knowing or having reason to know that the
>design of such device renders it primarily useful for the purpose of the
>surreptitious interception of wire, oral, or electronic communications,
>and that such device or any component thereof has been or will be sent
>through the mail or transported in interstate or foreign commerce; or
>(c) places in any newspaper, magazine, handbill, or other publication any
>advertisement of - (i) any electronic, mechanical, or other device
>knowing or having reason to know that the design of such device renders
>it primarily useful for the purpose of the surreptitious interception of
>wire, oral, or electronic communications; or
>(ii) any other electronic, mechanical, or other device, where such
>advertisement promotes the use of such device for the purpose of the
>surreptitious interception of wire, oral, or electronic communications,
>knowing or having reason to know that such advertisement will be sent
>through the mail or transported in interstate or foreign commerce, shall
>be fined under this title or imprisoned not more than five years, or
>both.
Hmm... primarily useful for the purpose of surreptitious interception of
electronic communications... What else is a keystroke recorder good for?
See the problem?
According to this law the design, manufacture, possession and use of this
software is illegal. Just advertising it for sale is also a felony...
Let's say you wanted to keep an eye on your spouse... Maybe you think she
is spending too much time in the chat rooms... You decide to put a
keystroke recorder on YOUR PC that SHE uses... is it legal? Under this
law? I think not...
How about checking on your children to see what they are up to on the net?
Wouldn't it be the same as a telephone recorder attached to your phone
line and hidden in the basement to record your spouse? That's a felony
isn't it? Quite a few folks have been prosecuted for it... and convicted
when caught...
A short time ago a teenager was caught using a "program" that recorded
keystrokes that allowed him access to AOL user names and passwords. He was
convicted under THIS SAME LAW and is now awaiting sentencing in Southern
District of New York.
The sentence he faces is 5 years in jail and a $250,000 fine...
A few years ago CERT broadcast an advisory that warned system
administrators that keystroke monitoring may be illegal and advised them to
place a warning to users of the system.
>The CERT Coordination Center has received information from the United
>States Department of Justice, General Litigation and Legal Advice
>Section, Criminal Division, regarding keystroke monitoring by computer
>systems administrators, as a method of protecting computer systems from
>unauthorized access.
>The information that follows is based on the Justice Department's advice
>to all federal agencies. CERT strongly suggests adding a notice banner
>such as the one included below to all systems. Sites not covered by U.S.
>law should consult their legal counsel.
>The legality of such monitoring is governed by 18 U.S.C. section 2510 et
>seq. That statute was last amended in 1986, years before the words
>"virus" and "worm" became part of our everyday vocabulary. Therefore,
>not surprisingly, the statute does not directly address the propriety of
>keystroke monitoring by system administrators.
Hmmm... so that means that your possession and use of keystroke monitoring
software may be a felony under this existing law... Let's examine this CERT
advisory a little more...
>Attorneys for the Department have engaged in a review of the statute and
>its legislative history. We believe that such keystroke monitoring of
>intruders may be defensible under the statute. However, the statute does
>not expressly authorize such monitoring. Moreover, no court has yet had
>an opportunity to rule on this issue. If the courts were to decide that
>such monitoring is improper, it would potentially give rise to both
>criminal and civil liability for system administrators.
"May be defensible"? So in other words it's the SysAdmin left holding the
bag and gambling 5 years of their lives...
According to the latest statistics at <http://www.cultdeadcow.com> over
50,000 people have downloaded Back Orifice alone! There are several sites
on the net that allow free shareware downloads of their keystroke
loggers...
According to this federal law they are felons... both the creators of such
software and the people who download and use the software...
Something has to give... I recognize the legitimate use for this
software... most on this list will also... it is a necessary tool for a
variety of legitimate purposes...
Our "technically challenged lawmakers" must get their heads out of their
"you know where"... and change these laws so they allow legitimate
computer, security and investigative personnel the tools to do their
job...
Received on Thu Aug 20 09:44:08 1998