Feds Fumble Spyware StoryIf Spyware Is Illegal, Why Do Cops Give It Away?
If selling spyware is illegal, is it OK to give it away for free?
See Also: A Toolkit for CISOs
The U.S. Department of Justice this week trumpeted the FBI's arrest of Hammad Akbar, the Pakistan-based CEO of InvoCode, which sells a mobile spyware app called StealthGenie and claims to have more than 100,000 customers.
The statute has a real problem, because it makes it illegal to make software that's designed to allow somebody to do something that's legal.
Spyware is software that covertly captures information from a device and then may transmit that information to an external server.
Announcing the Akbar indictment on Sept. 29, Leslie R. Caldwell, the assistant attorney general for the Justice Department's Criminal Division, said: "Selling spyware is not just reprehensible, it's a crime." Likewise, Andrew McCabe, the assistant director in charge at the FBI's Washington field office, warned that the software could be abused by "potential stalkers and criminals."
The case sounds clear cut: Distributing spyware is bad. But just one day after the indictment against Akbar was publicly unsealed, the Electronic Frontier Foundation published a report detailing how police chiefs, sheriffs and district attorneys have, for years, been giving families a software program called ComputerCop.
All told, 245 law enforcement agencies across 35 states - plus the U.S. Marshals - used public funds to buy and distribute the software for free, the EFF says, often at "Internet Safety" events held in schools and libraries.
But there's a wrinkle, EFF says: "As official as it looks, ComputerCop is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies."
Furthermore, EFF says ComputerCop records all keystrokes - entered by an adult, child, friend or guest - on any Windows PC or laptop, then transmits them in unencrypted format to a third-party server. That's a practice information security experts regularly warn against, because anyone with packet-sniffing software could intercept the plaintext data, for example, when a laptop is connected to a public Wi-Fi point.
Of course, this freely available software could also be abused by stalkers and criminals.
Thriving Spyware Market
There are dozens of such programs on the market, says threat-intelligence firm iSight Partners in a recent report. "While some of these apps are developed by underground actors, many are produced by apparently reputable companies and marketed to law enforcement agencies."
Some experts promote the use of spyware by parents. For example, Dr. Phil - Philip McGraw - advises parents to 'monitor your child's Internet and cell phone activity,'" and recommends four specific monitoring applications.
Government guidance, however, is less clear. The FBI, for example, in its Parent's Guide to Internet Safety, recommends parents "monitor your child's access to all types of live electronic communications - i.e., chat rooms, instant messages, Internet Relay Chat, etc. - and monitor your child's e-mail." While the bureau doesn't tell parents how to do that, it's tough to monitor communications without using monitoring software.
Law Is "A Bloody Mess"
But the government's case against Akbar could, potentially, be one step toward criminalizing the very monitoring behavior that many, including law enforcement agencies, are recommending, says security and privacy expert Mark Rasch, a former federal prosecutor who created the computer crime unit at the Department of Justice.
"Akbar was indicted under a federal statute, 18 USC 2512, which makes it a crime to manufacture, distribute or even advertise software, hardware or other device if it is 'primarily useful' for the surreptitious interception of communications," Rasch says.
That law doesn't distinguish between legal or illegal interception. Instead, it regards all interception as being illegal. And instead of pursuing rule-breakers, the Justice Department is now using that law to target the maker of a tool that could be put to both legal and illegal uses, all of which creates "a bloody mess," Rasch says. "The statute has a real problem, because it makes it illegal to make software that's designed to allow somebody to do something that's legal."
Never mind that aside from that one statute, the "vast majority" of cases in which people intercept communications "are likely perfectly legal," Rasch says, based on other laws. Some regulations, for example from the U.S. Securities and Exchange Commission, even mandate such monitoring for some businesses.
Congress could fix this legal quandary, Rasch points out, by altering the statute to make it far more clear about when it's illegal to intercept communications using spyware, as well as when developing, advertising, selling and using spyware is legal.
So what do you think? How should Congress address this issue, if at all? Share your comments in the space below.