Forwarded From: blueskyat_private
Originally From: SpyKingat_private

There has been a lot of talk about PC security lately with the release of programs like Back Orifice and the multitude of keystroke logging programs available on the net. Many computer systems administrators, security personnel and even parents use keystroke logging programs as a means of monitoring employees, system intruders and children.

Is it legal? According to U.S. Code section 2512 it may not be...

U.S. Code 2512 states:

>Except as otherwise specifically provided in this chapter, any person who intentionally -
>(a) sends through the mail, or sends or carries in interstate or foreign commerce, any
>electronic, mechanical, or other device, knowing or having reason to know that the
>design of such device renders it primarily useful for the purpose of the surreptitious
>interception of wire, oral, or electronic communications;
>(b) manufactures, assembles, possesses, or sells any electronic, mechanical, or other
>device, knowing or having reason to know that the design of such device renders it
>primarily useful for the purpose of the surreptitious interception of wire, oral, or
>electronic communications, and that such device or any component thereof has been
>or will be sent through the mail or transported in interstate or foreign commerce; or
>(c) places in any newspaper, magazine, handbill, or other publication any
>advertisement of - (i) any electronic, mechanical, or other device knowing or having
>reason to know that the design of such device renders it primarily useful for the purpose
>of the surreptitious interception of wire, oral, or electronic communications; or
>(ii) any other electronic, mechanical, or other device, where such advertisement
>promotes the use of such device for the purpose of the surreptitious interception of wire,
>oral, or electronic communications, knowing or having reason to know that such
>advertisement will be sent through the mail or transported in interstate or foreign
>commerce, shall be fined under this title or imprisoned not more than five years, or
>both.

Hmm... primarily useful for the purpose of surreptitious interception of electronic communications... What else is a keystroke recorder good for? See the problem? According to this law the design, manufacture, possession and use of this software is illegal. Just advertising it for sale is also a felony...

Let's say you wanted to keep an eye on your spouse... Maybe you think she is spending too much time in the chat rooms... You decide to put a keystroke recorder on YOUR PC that SHE uses... is it legal? Under this law? I think not... How about checking on your children to see what they are up to on the net? Wouldn't it be the same as a telephone recorder attached to your phone line and hidden in the basement to record your spouse? That's a felony isn't it? Quite a few folks have been prosecuted for it... and convicted when caught...

A short time ago a teenager was caught using a "program" that recorded keystrokes that allowed him access to AOL user names and passwords. He was convicted under THIS SAME LAW and is now awaiting sentencing in Southern District of New York. The sentence he faces is 5 years in jail and a $250,000 fine...

A few years ago CERT broadcasted an advisory that warned system administrators that keystroke monitoring may be illegal and advised them to place a warning to users of the system.

>The CERT Coordination Center has received information from the United States
>Department of Justice, General Litigation and Legal Advice Section, Criminal Division,
>regarding keystroke monitoring by computer systems administrators, as a method of
>protecting computer systems from unauthorized access.
>The information that follows is based on the Justice Department's advice to all federal
>agencies. CERT strongly suggests adding a notice banner such as the one included
>below to all systems. Sites not covered by U.S. law should consult their legal counsel.
>The legality of such monitoring is governed by 18 U.S.C. section 2510 et seq. That
>statute was last amended in 1986, years before the words "virus" and "worm" became
>part of our everyday vocabulary. Therefore, not surprisingly, the statute does not
>directly address the propriety of keystroke monitoring by system administrators.

Hmmm... so that means that your possession and use of keystroke monitoring software may be a felony under this existing law... Let's examine this CERT advisory a little more...

>Attorneys for the Department have engaged in a review of the statute and its legislative
>history. We believe that such keystroke monitoring of intruders may be defensible
>under the statute. However, the statute does not expressly authorize such monitoring.
>Moreover, no court has yet had an opportunity to rule on this issue. If the courts were
>to decide that such monitoring is improper, it would potentially give rise to both criminal
>and civil liability for system administrators.

"May be defensible"? So in other words it's the SysAdmin left holding the bag and gambling 5 years of their lives...

According to the latest statistics at <http://www.cultdeadcow.com> over 50,000 people have downloaded Back Orifice alone! There are several sites on the net that allow free shareware downloads of their keystroke loggers... According to this federal law they are felons... both the creators of such software and the people who download and use the software...

Something has to give... I recognize the legitimate use for this software... most on this list will also... it is a necessary tool for a variety of legitimate purposes... Our "technically challenged lawmakers" must get their heads out of their "you know where"... and change these laws so they allow legitimate computer, security and investigative personnel the tools to do their job...

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]