FBI ordered to reveal PC snooping technique

A federal court ordered the U.S. Department of Justice (DOJ) on Tuesday to reveal technology used to track the computer keystrokes of a suspect in a case that observers say has an impact on privacy in this era of IT surveillance.

In May 1999, FBI agents snuck into the New Jersey office of Nicodemo S. Scarfo Jr., according to court records.

They went not to tap his phone but to plant a device to record his keystrokes and glean the password for an encrypted file, according to the records. The DOJ, working with the FBI, is charging Scarfo with racketeering, illegal gambling and loan sharking as a member of what they call a Mafia crime family.

When agents had previously raided the computer system, they discovered a file named "factors" that was protected with PGP encryption, according to the records. Suspecting the file contained records of gambling debts to support their loan-sharking investigation, but unable to crack the encryption, agents installed the key logger to get the password as Scarfo typed. The cracked file later became key evidence in the government's case.

What the court doesn't know is how the key-logger system works; the government said national security prevents it from disclosing its methods. But U.S. District Court Judge Nicholas H. Politan wants a better explanation. Politan called the FBI's computer keystroke-log printout "gobbledygook" and ordered (download PDF) the government to explain the technology used within the next 10 days.

The case has broad implications in the escalating debate about technology and privacy in the U.S. The government asserts that revealing the technology used to learn Scarfo's PGP password would endanger the lives of U.S. agents and hurt ongoing investigations of foreign intelligence agents. But a software designer said it's unlikely that a keystroke-logging program itself contains especially sensitive technology.

"It's not rocket science. ... I sure hope our tax dollars didn't go to their top scientists to spend all their time developing a keystroke logger," said Richard Eaton, president of WinWhatWhere Corp., a Kennewick, Wash.-based software company that makes keystroke logging tools. "They said the methodology is the security issue. ... It could be the way the data is transmitted out of the system. I don't know if it was e-mailed out of there or what."

Court records describe the key-logger system as "software, firmware and/or hardware." Lawyers on both sides are under a court order not to speak publicly about the case.

The warrant given to the FBI to secretly install the key-logging system and learn Scarfo's PGP password specifically prohibited monitoring of Scarfo's Internet traffic. Internet communications are legally similar to phone conversations and require a warrant for a wiretap, which must meet a higher burden of justification.

Politan's ruling may shape the boundaries for legal guidelines for IT surveillance technology, especially the government's use of emerging surveillance technology like the FBI's e-mail monitoring system, formerly known as Carnivore (see story).

"In some ways, the law hasn't kept pace with the effect of intrusive technology," said David Sobel, general counsel for the Electronic Privacy Information Center, a nonprofit advocacy group in Washington. "In some cases, law enforcement is exploiting the gap between the development of new technology and its evaluation by the court."

The case troubles him, he said, because of the FBI's desire to keep the technology secret.

"The government is making the case that they can install sophisticated technology on computers and make a national security claim" to keep it secret, he said. If it became a routinely accepted argument for preventing its disclosure to defendants in court, "it would radically alter our concept of due process and the rights of criminal defendants."

Related stories:

Copyright © 2001 IDG Communications, Inc.

Shop Tech Products at Amazon