July 10, 2007 4:45 AM PDT

Feds use keylogger to thwart PGP, Hushmail

A recent court case provides a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar.

An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives' contents and inject a keystroke logger into the computers.

That was necessary, according to DEA Agent Greg Coffey, because the suspects were using PGP and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed "real-time and meaningful access" to "monitor the keystrokes" for PGP and Hushmail passphrases.

The aggressive surveillance techniques employed by the DEA were part of a case that resulted in a ruling on Friday (PDF) by the 9th Circuit Court of Appeals, which primarily dealt with Internet surveillance through a wiretap conducted on a PacBell (now AT&T) business DSL line used by the defendants. More on that below.

The DEA's pursuit of alleged Ecstasy manufacturers Mark Forrester and Dennis Alba differs from the first known police use of key-logging software, which snared reputed mobster Nicodemo Scarfo in 1999. In the Scarfo case, the FBI said in an unclassified affidavit (PDF) at the time, a keylogger that also was planted in a black bag job was disabled when the Internet connection became active.

[Image: excerpt from DEA Agent Greg Coffey's affidavit. Caption: Note requirement for 'real-time' access]

Not much more is known about the DEA's keylogger in the Forrester-Alba case. An affidavit prepared by DEA agent Coffey in July 2001 asks for permission to enter the Escondido office "by breaking and entering, if necessary, for the purpose of installing, maintaining, and removing software tools" that "will enable agents to capture and record all keyboard keystrokes."

Note there's no evidence the DEA used the FBI's keystroke logger known as Magic Lantern, which reportedly can be installed remotely by taking advantage of operating system vulnerabilities without having agents physically break into an office.

Keyloggers are hardly unusual nowadays, of course. In 2003, a former Boston College student was indicted for allegedly installing key-logging software on campus computers. More recent surveys indicate that plenty of workplaces are infected by spyware with key-logging abilities.

[Image: excerpt from DEA Agent Greg Coffey's affidavit. Caption: Who created PGP? It was actually Phil Zimmermann.]

Keyloggers: Unresolved questions
The use of keyloggers by police, however, seems to be uncommon: A search on Monday through legal databases for terms such as "keylogger" turned up only the Scarfo and Forrester-Alba cases.

When used by police, they raise novel legal issues. That's because it's not entirely clear in what circumstances they're permitted under the U.S. Constitution and wiretap laws (which is why, in the Scarfo case, the FBI cleverly ducked this issue by, according to sworn testimony, disabling the keylogger when the modem was in use).

Even so, Scarfo's defense attorney claimed that a keylogger is akin to a "general warrant" permitting the DEA to seize "any record, including e-mail, simply because it was typed on a computer." General warrants are prohibited by the Fourth Amendment, which requires that warrants specify the "things to be seized." Another potential legal obstacle is whether wiretap laws apply, including their requirement of minimizing the interception of irrelevant conversations.

A federal judge eventually ruled that the unique design made the Scarfo logger permissible. But in the Forrester-Alba case, because Alba did not challenge the keylogger directly, the 9th Circuit never weighed in.

[Image: excerpt from DEA Agent Greg Coffey's affidavit. Caption: DEA claims that alleged Ecstasy/MDMA lab operators use encryption frequently]

Eavesdropping without probable cause
Instead, the 9th Circuit spent much of its time evaluating whether government agents can eavesdrop on the Internet addresses Americans visit and the e-mail address of their correspondents without obtaining a search warrant first.

The judges' conclusion: federal agents did not violate the Fourth Amendment by monitoring the Escondido DSL line without evidence of criminal wrongdoing on the suspect's part, the legal standard known as probable cause. All the feds must do is show the information is "relevant" to an ongoing investigation.

The wiretap was done at PacBell's connection facility at 650 Robinson Rd. in San Diego. The DEA obtained what's known as a "mirror port," a feature that many network switches made by companies including Cisco Systems include for troubleshooting purposes.

A mirror port duplicates all the Internet traffic of one user to a second port on the same switch, without the suspect being alerted that electronic surveillance is under way. The scheme is probably easier to accomplish with a static Internet Protocol (IP) address, which is what the Escondido case involved.

According to the DEA, only IP addresses of Web sites (such as 216.239.122.200 instead of cnet.com) and e-mail headers are captured, and not the rest of the communication stream. That, they argue, makes it akin to existing precedent dealing with pen registers, which capture telephone numbers dialed and are permitted without any proof of probable cause of wrongdoing.
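As an added illustration (not code from the article, the DEA or PacBell), here is the pen-register-style minimization the DEA described, applied to constructed sample records: only IP addresses and e-mail From/To headers are retained, while URLs, Host headers and message bodies are never stored. The packet tuple shape, the `PenRegisterRecord` name and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records, in the shape a mirror-port collector might hand
# to a minimizer: (source IP, destination IP, destination port, raw payload).
# Made-up values, not captures from the case.
SAMPLE_PACKETS: List[Tuple[str, str, int, bytes]] = [
    ("10.0.0.5", "216.239.122.200", 80,
     b"GET /private HTTP/1.1\r\nHost: www.example.test\r\n\r\npage content"),
    ("10.0.0.5", "192.0.2.25", 25,
     b"From: alice@example.test\r\nTo: bob@example.test\r\n"
     b"Subject: lab notes\r\n\r\nmessage body that must not be kept"),
    ("10.0.0.5", "192.0.2.25", 25, b"second segment of the same message body"),
]


@dataclass(frozen=True)
class PenRegisterRecord:
    """Addressing data only: the analogue of the telephone numbers dialled."""
    src_ip: str
    dst_ip: str
    mail_from: Optional[str] = None
    mail_to: Optional[str] = None


def extract_envelope(payload: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Pull From:/To: out of the header block; the body is never inspected."""
    headers = payload.split(b"\r\n\r\n", 1)[0]   # everything before the blank line
    mail_from = mail_to = None
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        key = name.strip().lower()
        if key == b"from":
            mail_from = value.strip().decode("ascii", errors="replace")
        elif key == b"to":
            mail_to = value.strip().decode("ascii", errors="replace")
    return mail_from, mail_to


def minimize(packets) -> List[PenRegisterRecord]:
    """Reduce each packet to IPs (plus From/To for mail) and drop the rest."""
    records = []
    for src, dst, port, payload in packets:
        mail_from = mail_to = None
        if port == 25:                     # SMTP: headers are the "numbers dialled"
            mail_from, mail_to = extract_envelope(payload)
        # Web traffic keeps only the IP: no URL path, no Host header, no content.
        records.append(PenRegisterRecord(src, dst, mail_from, mail_to))
    return records
```

A continuation segment with no header block (the third sample) yields IPs only, which is the case a real collector must handle by tracking SMTP state rather than by scanning bodies for header-like lines.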

The 9th Circuit agreed, ruling on Friday that "e-mail and Internet users have no expectation of privacy in the To/From addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties." This follows the lead of a Massachusetts judge who said much the same thing in November 2005.

Both Forrester and Alba were sentenced to 30 years in prison (PDF) on charges including conspiracy to manufacture and distribute Ecstasy. In a decision made on unrelated grounds, however, the 9th Circuit reversed Forrester's conviction and partially reversed Alba's. Forrester faces retrial.

15 comments (Page 1 of 1)
Clarification
by tpkoons July 10, 2007 6:50 AM PDT
The mirror port Declan speaks of is no more difficult with a dynamic IP. The mirror port copies the data from one physical port to another where the monitoring gear is. If the IP changes the physical port remains the same.
Ok, this actually makes sense
by scdecade July 10, 2007 7:58 AM PDT
Installing a tracking device on a suspected criminal after a search warrant has been approved. Huh! What a strange and mysterious concept. So after providing a reasonable argument for suspecting someone might be up to something nefarious, a judge approved this action and it was effective at monitoring encrypted computer usage. I just can't believe it. Wouldn't it be better to hire thousands of mindless bureaucrats to monitor all internet traffic and then arrest anyone that tries to use encryption?
Copy and paste
by richardishere July 10, 2007 9:46 AM PDT
Just be compulsive with copy and paste. Copy articles and other material randomly so you fill up the logger.
Wow, key logger, our government is high tech, LMOA
by bobby_brady July 10, 2007 9:56 AM PDT
What a joke our government is.
Pushing legality
by NYRBERRY July 10, 2007 10:03 AM PDT
So had they copyrighted their data, wouldn't the DMCA cover this as illegal? Circumventing encryption... Hmm... Shady territory we get into here. As far as port mirroring... Just encrypt your traffic, it'll stick law enforcement back to installing a keylogger (as all little script kiddies already do)
Spooky!
by SeizeCTRL July 10, 2007 11:04 AM PDT
Makes me want to start using Live Boot CDs or booting off USB drive. Sounds like 1984 is arriving a tad later than expected.