

Who's spying on you?

20060505 [Computer Shopper]
Tapping the networks Carnivorous computing

Security services once tapped the phone lines of terrorists and organised criminals to gather evidence against them. But in today's high-tech world, email is as big a part of people's lives as the telephone.

Though now supposedly retired in favour of commercial packages, the FBI's shadowy Carnivore system was the first publicly exposed 'policeware' system to sit on the network at an ISP and sniff packets just as a phone tap could. Though exposed in 2001, this wasn't the first time the FBI had used software to spy on suspects.

In an affidavit filed in the US Supreme Court in October 2001, FBI deputy assistant director Randall Murch admitted the bureau had officially used keylogging in 2000. A New Jersey loan shark and gambling racketeer called Nicodemo Scarfo Jr received a lengthy jail sentence after agents broke into his office and secretly installed a keylogger on his computer. This enabled them to capture encryption keys to decrypt emails and gather evidence against him.

The FBI planned enhancements to the original Carnivore system, under the code name Cyber Knight. In 2001, the Electronic Privacy Information Center got wind of these enhancements and filed a request under the US Freedom of Information Act to find out more. Despite having large areas blacked out, the declassified documents it received showed one such enhancement to be a keylogger called Magic Lantern, the existence of which the FBI confirmed publicly on 12th December 2001.

Despite stories that Carnivore is retired, Magic Lantern lives on and, in a world where enemies of the state no longer wear uniforms, many see such techniques as a legitimate way to prosecute in the war on terrorism. The only problem has been how to deploy keyloggers in ways that stand up in court.

As with the Scarfo case, agents could install a keylogger after gaining physical access to the system, but a defence counsel could argue that along with the software they had also planted evidence. The Feds needed a method of infection above reproach. According to a report into Carnivore by MSNBC's Bob Sullivan, in most cases they just need to send an email claiming to be from someone known to the suspect. Criminal masterminds are as susceptible to opening enticing attachments and infecting their systems as the rest of us.

Magic Lantern records instant messaging and chatroom traffic and can even detect the numbers entered on a VoIP keypad. Because of this, agents can still build up a picture of a criminal organisation even if they can't hear the actual words spoken.

More controversial than the deployment of snooping software by the security services are the public announcements by some anti-virus companies that they will ignore Magic Lantern-like systems while still detecting other keyloggers. One that has explicitly refused, however, is UK-based Sophos.

"Malicious code is malicious code," said Graham Cluley, senior technology consultant for Sophos, when Magic Lantern first became public knowledge. "If a customer suspects they may be under surveillance and sends a Trojan horse to us, we're going to provide protection against it."

[Figure 1: UK-based Sophos seeks to provide protection against all keylogging Trojans]