SCN: Privacy

Steve steve at advocate.net
Wed Mar 8 15:05:06 PST 2000


===========================

Keystroke Loggers Save E-Mail Rants, Raising Workplace Privacy 
Concerns  

by Michael J. McCarthy


(Wall Street Journal)---The American workplace has been put on 
notice that office computers can be monitored. But who could have 
imagined the keystroke cops?  

In a new threat to personal privacy on the job, some companies 
have begun using surveillance software that covertly monitors and 
records each keystroke an employee makes: every letter, every 
comma, every revision, every flick of the fingertip, regardless of 
whether the data is ever saved in a file or transmitted over a 
corporate computer network. As they harvest those bits and bytes, 
the new programs, priced at as little as $99, give employers access 
to workers' unvarnished thoughts -- and the potential to use that 
information for their own ends.  

Say you draft a rant to the boss or a client, and then, thinking better 
of it, delete the whole thing. Too late. One by one, all the keystrokes 
have been sucked up and stored on your computer's hard drive or 
sent as e-mail that a computer-system administrator or manager can 
retrieve at his convenience.  

Last December, Poplar Grove Airport in northern Illinois suspected 
that one of its employees might be running a business of his own 
from his office PC. So the privately run airport bought a "keystroke 
logger" called Silent Watch and a license permitting it to install the 
program on six of the airport's computers. Along the way, however, 
the electronic stakeout snared some other workers.  

Describing her career ambitions, a young office worker seemed to 
have no clue her employer could delve so deeply into her computer. 
Soon after arriving at her desk on Christmas Eve morning -- at 
9:24:09, to be precise -- she poured out her soul on a blank page of 
Microsoft Word.  

"I plan to obtain flight time by instructing and/or flying commuter 
planes," she wrote. She then backspaced over "planes," and 
substituted "jets." As she tapped away, it became apparent she was 
drafting a scholarship application for a flight-science program at 
Western Michigan University. "I know this is the career I want to 
pursue and the moen" -- she backspaced over the "en" -- and typed 
"ney."  

After correcting that typo, according to the airport's keystroke log, 
she stopped again, backspaced over the word "money" and changed 
it to "scholarship." So the sentence then began, "I know this is the 
career I want to pursue and the scholarship I would receive ..."  

This wasn't an e-mail or a document she sent over the company's 
network. It was a work in progress, a draft, reconstructed letter by 
letter, typos and all.  

"We used to tell our people we could monitor everything -- even 
before we really could -- just as a deterrent," says Chris Pauli, the 
airport's computer-system administrator. "Now we really can."  

"When else can you peer into someone's raw thought process?" 
asks Peter A. Steinmeyer, a lawyer at Epstein Becker & Green in 
Chicago who has studied Internet and privacy issues and who 
represents management clients. Nonetheless, he says, while an 
employee may try to argue that he reasonably expected his "draft" 
thoughts to remain his own, courts have consistently held that 
communications written on company-provided computers aren't 
private under current law.  

"There's no legal qualm about it," says Richard Eaton, who wrote 
and now sells a keystroke-capturing program called Investigator. 
"There may be an ethical one."  

Mr. Eaton says his company, WinWhatWhere Corp., Kennewick, 
Wash., has sold more than 5,000 Investigator software licenses 
since the product was launched in August 1998. Customers, he 
adds, include Exxon Mobil Corp., Delta Air Lines and Ernst & Young 
LLP. Lockheed Martin Corp. says it is considering using the 
software for "ethics investigations."  

For all its sleuthing capabilities, Investigator is nothing more than a 
shiny silver CD-ROM that costs $99 or less with volume discounts. 
Mr. Eaton, who developed the program, burns the CDs right in his 
home, which is also company headquarters.  

"At first, I thought it was controversial," says the 47-year-old 
entrepreneur, who sports close-cropped hair and a diamond-stud 
earring. "Slimy," he adds.  

The keystroke tracker evolved from a program he had been selling 
to help companies measure how much time computer users were 
spending on various projects. But after clients kept asking for 
keystroke surveillance, he says, "I saw there is a legitimate security 
need for it."  

The keystroke software is part of a new "offline" workplace battle. 
Many companies are concluding that they may be missing computer 
mischief that doesn't involve the Internet or the corporate network, 
both of which they can monitor. Right at their desktop PCs, 
employees could be copying sales leads or pornography to or from 
disks or CD-ROMs, or downloading bookkeeping software to run 
their own businesses -- all of which could elude conventional 
surveillance methods.  

But some uses are strictly personal. Many people have bought the 
Investigator program, Mr. Eaton says, to run down suspicions that 
their spouses are being unfaithful in Internet chat rooms. They 
simply download the software, then later see exactly what their 
partners were typing. One mother ordered it to check on her teenage 
children's computer use while she was away on vacation.  

The Investigator program is designed to be covert. It doesn't show 
up as an icon on the screen, and is hard to find among computer 
files even when someone specifically searches for it. It is usually 
installed on a worker's computer after hours, but it can also be 
disguised in an e-mail attachment for an unsuspecting employee to 
download as an "upgrade."  

Recently, however, Mr. Eaton has added an onscreen notice, 
informing the user that the PC could be monitored -- an alert a 
systems manager can choose to have automatically displayed or 
not. "If your purpose is to humiliate them, then don't tell them," Mr. 
Eaton says. "If you want to stop abuse, tell them. Usually the threat 
alone is enough."  

Once Investigator is installed, the computer manager can choose 
"alert" words like "boss" or "union" or specific names. Then any 
time they appear in the text of an e-mail, note or memo, those 
documents will be automatically e-mailed over a company's 
computer network to the employee's supervisor or other designee. 
(On a stand-alone computer, the document would have to be 
retrieved directly from the hard drive.)  

On the WinWhatWhere Web site's "We Get Mail" section is an e-
mail from Michael Nogrady, a computer technician. "Maybe 
someday you will be ashamed," he writes. "Who knows, some 
people will do anything for a dollar. I am not saying this to be cruel, 
just asking if you have looked at this program morally."  

Says Mr. Eaton, "I don't want to violate privacy -- I like my privacy. 
But I don't want to be in a position of deciding who gets it and who 
doesn't."  

Customers generally don't have much to say about Investigator. 
Exxon says it has a long-standing policy of not discussing products 
it uses, lest it seem like an endorsement. Accounting firm Ernst & 
Young confirms that it uses Investigator, but won't say how widely 
or for what purpose. A spokesman for Delta says the airline's 
information-technology division bought one copy of the software last 
year and used it for internal testing "in one tiny area" of the division. 
"We decided it's not something we want to pursue. It died a pretty 
quick death," the spokesman says. "We don't want to be a police 
agency."  

While Mr. Eaton insists Investigator poses no legal problems, he 
says his lawyer suggested he include a disclaimer in the licensing 
agreement: "Any use of this software in conjunction with any 
hardware, device or apparatus to surreptitiously intercept wire, oral 
or electronic communications may violate state and federal laws."  

Mr. Eaton refuses to discuss the specifics of how the software 
intercepts keystrokes, and does so even before they reach the 
author's screen. He does say, however, that Investigator is hooked 
into the system before something called the "keyboard driver."  

When a key is depressed, that action alone doesn't create the 
corresponding letter on the monitor. Rather, pressing the "A" key, 
say, causes a slight surge in the electrical current in a circuit board 
below. Within 0.2 millisecond, a processor embedded in the 
keyboard begins to generate a "scan code" for that key. It is then 
sent to the keyboard driver, which translates it and tells the monitor 
to display an "A." This roundabout route allows for keyboards with 
foreign alphabets.  

For sleuthing purposes, the fraction the route requires is time 
enough to intercept the codes as they travel between the keys and 
the monitor. The tiny time lag is important because sophisticated 
hackers sometimes encrypt messages to outwit computer-system 
administrators. Investigator, though, merely captures each 
keystroke before it can be encoded.  

A similar alphabetic interchange underlay last December's intrigue 
at Poplar Grove Airport. About six months earlier, the airport and an 
affiliate, Emery Air Charter Inc., in nearby Rockford, Ill., had hired a 
programmer to design Web sites and work on special projects for 
both companies at a salary of about $50,000. Both businesses, 
which have about 120 workers combined, were growing rapidly, 
building hangars for private pilots, running charter flights and 
offering refueling and other aviation services.  

But for weeks, says Steve Thomas, the 47-year-old chief executive 
and owner of both businesses, their programmer was missing in 
action. He disappeared into his office and produced almost nothing. 
Mr. Pauli, the chief financial officer who doubles as system 
administrator, would stop by to check on him. But Mr. Pauli says the 
man "would always blank off his screen so I couldn't see what he 
was doing."  

When pressed, they say, the man was vague about his progress. 
"He was always busy, and we couldn't tell on what," says Mr. Pauli, 
30. "But I could see he was storing things on a CD-ROM."  

Worried the man might be "trying to pirate some of our strategies 
and secrets," Mr. Pauli says, he and Mr. Thomas huddled. "We 
couldn't tap the phones -- it's illegal. We explored a camera to 
videotape him," Mr. Thomas recalls.  

One surveillance camera they looked at cost $3,500. But they 
couldn't figure out how to position it to get good computer-screen 
resolution or how to conceal it. Besides, Mr. Thomas adds, "we 
weren't certain about the legality."  

Then Mr. Pauli went on the Internet and found the maker of Silent 
Watch. Adavi Inc., Dunkirk, Md., says it has sold more than 1,000 
copies of the $159 monitoring program, which it started marketing 
last July. Aside from keystroke logging, the desktop-monitoring 
software can be programmed to send to a manager's screen via e-
mail a replica of precisely what is on an employee's screen at any 
given moment -- text, graphics and all. Adavi says it has big 
corporate clients, but that they are adamant in their refusal to be 
identified.  

Shelling out $237 for six licenses to Silent Watch -- "very 
affordable," says Mr. Pauli -- he installed the software on the 
computer of the mysterious programmer and on five others. In no 
time, the keystroke logs revealed the man was making repeated 
visits to pornographic Web sites, and sending and receiving 
numerous sexually explicit e-mails, which he channeled through 
Internet mail servers outside the airport's scrutiny.  

"We were relieved our business wasn't being compromised," says 
Mr. Thomas, but the programmer had to be confronted, and fired. 
Messrs. Thomas and Pauli planned a sting. After monitoring the 
keystroke log for several days, they say, they could see he 
routinely visited the "inappropriate" sites early in the day.  

So early one morning in late December, they prepared to swoop. As 
Mr. Pauli watched the keystrokes spit out on the Toshiba laptop 
computer in the CEO's office, Mr. Thomas grabbed a manila folder 
and posted himself outside the closed door of the man's office, just 
down the hall. When Mr. Pauli was certain the man had a 
pornographic page on display, he gave the CEO the high sign, and 
Mr. Thomas flung the door open. He says the man rapidly opened 
another screen to cover the window he had been viewing.  

After asking him what he was working on, Mr. Thomas says he 
insisted the man show him what was behind the window 
"maximized" on his screen. After objecting, the man finally 
complied, and Mr. Thomas says, he saw something he will only 
describe as "raunchy."  

Mr. Thomas then launched into a dressing-down. "I have whole logs 
here," he recalls saying, thrusting out the folder, which was filled 
with printouts. "We don't pay you for that. You don't work here 
anymore. Get your things, and get off the property," he remembers 
telling the programmer, whom he refuses to identify, but who he 
says appeared stunned. "His jaw dropped," Mr. Thomas says.  

A few days later, he says, the airport got a fax from the man that 
threatened legal retaliation. "We talked about it, and then ignored it," 
Mr. Thomas says. "We never heard from him again."  

Since then, the company has acquired an additional 19 licenses for 
Silent Watch. Mr. Pauli says he uses them mostly to trouble-shoot 
computer glitches. With them, he adds, he discovered that some 
employees were downloading a video game called Mercenary 
during their weekend work shifts. "I printed out the installing logs, 
and then showed them to their immediate supervisors," he says. 
"There hasn't been a problem since."  

Mr. Pauli says he generally is using Silent Watch to keep an eye on 
computer misuse that hurts productivity, adding, "I don't care if they 
type personal letters."  

Neither does the software. A couple of days after December's sting 
operation, Silent Watch was soaking up the scholarship plea of the 
office worker, who the company declines to name but who it says 
received a verbal reprimand for doing personal chores on company 
time. "In addition to taking lessons," her note said at one point, "I 
worked at an airport to learn the 'behind the scenes' " -- she then 
backspaced over that, changing it to say "to learn the other aspects 
of aviation besides flying."

Copyright 2000 Dow Jones & Company, Inc.




