Uncovering the 'Spy' Network: Is Spyware
Watching Your Library Computers?
By Daniel Fidel Ferrer
and Mary Mead
Spyware is considered
by some people to be their worst nightmare. It is a new strain of software
and hardware that has some good applications but a high potential for misuse.
It is so devious that it could be installed and running on your computer without
your even being aware of it. At its worst, it can expose every single keystroke
and bit of data on an installed machinepotentially compromising credit
card information, social security numbers, and passwords.
In the early 1970s, programs already existed to emulate logon scripts for
computer terminals connected to mainframes, in order to capture individuals'
user IDs and passwords. This happened years before what is now known as the
World Wide Web, back when people believed that what they typed on a dumb terminal
was private and safe. Nowadays, we have a growing awareness of how little privacy
we do in fact have when we use computers at the library, at home, or at the
office. Still, too few people know about the dangers of spyware, which enables
people to access the information stored on a computer or to log keystrokes,
and then use the data for surveillance or illegal activities.
We recently tested spyware and anti-spyware software in our academic library
because we wanted to give our students hands-on experience as to what these
applications are capable of. We also purchased some hardware devices that have
the ability to log all keystrokes. (Because we feel that key-logging hardware
can be extremely dangerous, for our protection we keep ours locked in a vault.)
We found that the spyware we installed was very successful in capturing everything
we typed, including passwords. Seeing this was enough to scare usand
We hope that in the near future our librarians will be informed enough to
make patrons aware that there is a risk involved whenever they use the libraries'
public computers. Involving our library staff to help educate patrons and teach
them how to protect their computers from becoming infected has become very
important to us.
What Is Spyware and How Does It Get on a Computer?
Spyware is also known as scumware, exploitationware, and snoopware. Available
both as software and as hardware devices, it is used for the sole purpose of
tracking and recording your computer actions. This is not limited only to what
you are looking at on the Internet or to a specific Web browser; it can also
record what you do offline and even what you key into a spreadsheet or a word
processing program. The information that you or your patrons type can be secretly
logged and sent to any e-mail address on the Internet. Unfortunately, it's
unlikely that you or a patron will even know if spyware is running.
How does such a program get onto your computer in the first place? A potential
thief doesn't need physical access to your machine; a security hole such as
an unpatched Microsoft Windows operating system or server is the perfect way
for someone to gain admission.
You may inadvertently download spyware with free software by simply clicking
on the "Yes, I Agree" button without taking the time to read the license. Or,
you may receive an e-mail with a Trojan horse virus included. (In the virus
family, Trojan horses cause the most damage. They can send themselves to everyone
in your e-mail address book, erase or modify files, download another Trojan
horse that is configured to steal your passwords, and allow the virus creator
to take over your computer and remotely control it.) In some cases, your employer,
a colleague, or even the government may employ such software to monitor your
Hardware: Key Loggers
Spyware can also be hardware, such as a small device that is placed between
the keyboard and the computer. This device is most often called a key logger
because it logs everything you type on the keyboard. Even looking at the device,
you would probably think it was part of the original equipment or a keyboard
extension cable. Of course, attaching a key-logging device requires physical
access to your machine. It is very easy to installit only takes about
20 seconds. There is no need to install additional software, as the devices
use either Notepad or WordPad to decode the information. For this reason, anti-spyware
applications, which look for software, cannot detect key loggers.
When an intruder has the information she desires, all she needs to do is
unhook the device and connect it to any computer to extract the data to find
out what you were doing. A device attached between the keyboard and the computer
is not the only key-logging item on the market. There are also key-logger keyboards
that look so much like ordinary keyboards that using one, you might not even
realize it has key-logging hardware built into it. Some hardware devices can
log up to 2 million keystrokes, and they range in price from $50 to $200. As
with most technology, the prices are dropping.
I Spy: Using Spyware as an Agent for Good
Spyware can be a useful tool. As a parent, you can use it to monitor your
children's actions while they're on the Internet, from what Web sites they
visit to what games they are playing to what e-mail vendors they are using.
Employers can use it to track employees' Internet and e-mail use.
In libraries, we can use spyware to track illegal activities on our computers,
such as patrons or staff using them to cyberstalk, to launch hacker attacks,
to make purchases with stolen credit cards, or to view inappropriate or indecent
materials (as defined by our individual libraries and the law). However, if
you decide to install it on library computers, make staff and patrons aware
of that fact and give the reason why. You should always let computer users
know you intend to watch their movements prior to installation.
There are also potential law-related reasons to install spyware. It can help
track copyright abusers, cyberstalkers, online harassing or hate e-mail and/or
chat users, and illegal activities, or it could even find out who is inquiring
about bomb-making information. Spyware can monitor employees suspected of resource
misuse and/or corporate spying. All of the above actions may be covered under
current laws of cybercrime (see http://www.cybercrime.gov).
License to Spy: The Legal Challenges
More often, however, spyware is used for others' gain or for surveillance
without notification, legal or otherwise.
When you download spyware with other programs, marketers may use it to monitor
what sites you visit on the Internet and to collect your personal information
in order to send you pop-up adds and banners that relate to your interests.
This practice is currently considered legal, but recent court actions have
In the summer of 2000, several news articles accused NetZip's Download Demon
of containing spyware.1 The articles stated that
14 million people had used the Download Demon before someone discovered that
embedded spyware was sending reports back to the company of every file downloaded
from anywhere on the Internet. (Download Demon was later licensed by RealNetworks
and renamed to RealDownload; the software was also licensed by Netscape/AOL
and called Netscape Smart Download. A class action suit against Netscape was
filed on June 30, 2000, and is currently making its way through the courts.2)
We find it extremely frightening to think that companies, particularly those
using software as ubiquitous as the Download Demon, may be watching and tracking
all of the Web sites that their users visit.
One of the first successful legal actions taken against a company with spyware
embedded in its software was by the state of Michigan against eGames, Inc.
in September 2000. Michigan Attorney General Jennifer M. Granholm alleged that
eGames had not adequately warned consumers that its software (which was available
via CD-ROM or online download) included a spyware program thatenabled a third-party
advertiser to secretly track consumers' actions while browsing on the Internet.
In January 2001, eGames agreed to remove all third-party software from future
versions and to not gather personally identifiable data without consumers'
Another legal use of spyware that is coming under scrutiny is the FBI's monitoring
of the Internet. The FBI uses a network application called Carnivore to keep
an eye on e-mail messages going through Internet service providers, and it
uses a spyware program called Magic Lantern for key logging. The FBI is not
alone in monitoring the Internet, either; other U.S. governmental agencies
are also out there examining computer activities.
Spyware presents serious security implications for library staff computers,
as well. A member of the staff could install it onto a machine to watch the
activities of another staff member. Anyone with physical access to your computer
could use a hardware device to spy on your computer activities without your
To address individuals' privacy concerns regarding their use of the Internet,
two bills (H.R. 112 and S. 197) introduced in the 107th Congress would require
notification of spyware use.4 As of March 2003,
no action had been taken on either bill. According to the Federal Trade Commission,
transmittal of what you thought was private and personal information to someone
without your informed consent is considered unauthorized monitoring of computer
activities, and is illegal.
Undercover and Undetected
OK, so spyware can be used to track every activity you and your patrons do
on a computer. The really ugly news is that it is not clear with current
technology if there is a way to stop theft via spyware and to protect patrons
when they use library computers. Currently, most anti-virus software does not
even check for it.
Moreover, encrypted connections, used by Web sites that require credit card
and account information (such as amazon.com and online banks), are completely
open to spyware. This is because it can grab sensitive information prior to
its even reaching the Internet. Still, it is best to send information across
the Internet using encrypted programs whenever possible. A relative to spyware
called a sniffer program can capture unencrypted data on a network. This gives
the FBI and your local network administrators the ability to track your actions
while you are on the Internet. Some examples of encrypted applications are
secure shell telnet, secure FTP, and encrypted e-mail messages.
How Can You Protect the Computers in Your Library?
On the patron computers in our library, we block the downloading of known
spyware programs using a combination of firewall and software applications.
You can block remote installation of spyware by 1) using the Windows XP firewall,
and 2) installing a firewall from a third party such as ZoneAlarm, BlackIce,
CheckIt, etc. After you install a firewall, test it online with a program called
ShieldsUP (https://grc.com/x/ne.dll?bh0bkyd2) to check for possible security
holes and accessible computer ports.
Further, you can try to keep computers and patrons protected by 1) tightening
up software with security patches, 2) using a firewall, 3) installing antivirus
software and keeping it up-to-date with the latest signatures, and 4) warning
patrons not to input personal and confidential information on library computers.
You can check your library computers and attempt to detect spyware software
that might be running by installing anti-spyware and anti-adware applications
before opening any programs. (See the sidebar "How Do You Clean Spyware from
Your Systems?" for information about such applications.) Like antivirus software,
anti-spyware software must be updated often. One problem we currently face
is that new spyware packages become available every day, and we don't have
the time to search the Web and check out what has been released on a daily
basis. To check for hardware devices, you need to regularly look at the computer's
keyboard connection to see if there is any extra hardware attached.
In October 2002, IBM announced its Embedded Security Subsystem, security
technology consisting of hardware and software. It is a more secureand
more costlychoice than software alone. According to IBM, it
... consists of both a hardware component, the cryptographic security chip,
which supports key storage, privacy encryption and digital signatures for authentication
of identity, and a downloadable software component, Client Security Software,
which interfaces to the user and to other software applications.5
This could be a solution for protecting your information, but it is certainly
still in the early stages. It's not yet ubiquitous in computing, and it's expensive
You may think you could expect some privacy when you use a computer in the
library, the workplace, in an Internet cafe, or even in your home, but this
is not necessarily the case. It is easier than you may think for people to
track confidential information, and for now there is no cost-effective solution.
We try to block spyware from being installed on our library computers, but
new applications that we do not know about crop up all the time.
Because spyware is becoming increasingly complex, it's important to be more
careful than ever before about what you do on the Internet, on library computers,
and on your own computers. Therefore, you need to inform library patrons about
the hazards of spyware. Ultimately, you should engage in personal and private
activities only on a computer that you ownand you should encourage and
train your patrons to do the same.
1. Gibson, Steve. "The Anatomy of File Download Spyware." July
14, 2000. http://grc.com/downloaders.htm.
Greene, Thomas C. "RealNetworks admits to new spyware bug." The Register,
July 25, 2000: http://www.theregister.co.uk/content/1/12167.html.
2. Granholm, Jennifer M., State of Michigan Attorney
General. Press Release Jan. 10, 2001: http://www.ag.state.mi.us/press_release/pr10203.htm.
3. Hudson, John. "Demographic Profiling: A Euphemism
for Corporate Spying." Dec. 3, 2002. http://www.acm.org/ubiquity/views/j_hudson_1.html.
4. 107th Congress, H.R. 112: "Electronic Privacy Protection
Act: To prohibit the making, sale or use of an information-collection device
without proper labeling or notice and consent." http://thomas.loc.gov.
107th Congress, S. 197: "Spyware Control and Privacy Protection Act of 2001."
5. IBM Press Release Oct. 4, 2002:
Daniel Fidel Ferrer is head of the library systems department
at Central Michigan University's Charles V. Park Library in Mount Pleasant, Mich.
In 2002, as part of a building upgrade project, he added more than 500 computers
to the library. Ferrer holds M.S.L. and M.S. degrees from Western Michigan University.
His e-mail address is Daniel.Ferrer@cmich.edu and
his Web page address is www.lib.cmich.edu/bibliographers/danielferrer. Mary
Mead is a programmer/analyst at Central Michigan University's Charles
V. Park Library. In 2002, she was part of the building upgrade project and she
continues to give ongoing support for more than 500 computers. Mead has worked
in libraries for 27 years. Her e-mail address is email@example.com.