 Feature
 Uncovering the 'Spy' Network: Is Spyware Watching Your Library Computers?
 By Daniel Fidel Ferrer and Mary Mead
 
 Spyware is considered
  by some people to be their worst nightmare. It is a new strain of software
  and hardware that has some good applications but a high potential for misuse.
  It is so devious that it could be installed and running on your computer without
  your even being aware of it. At its worst, it can expose every single keystroke
  and bit of data on an installed machine, potentially compromising credit
  card information, social security numbers, and passwords.
  In the early 1970s, programs already existed to emulate logon scripts for
  computer terminals connected to mainframes, in order to capture individuals'
  user IDs and passwords. This happened years before what is now known as the
  World Wide Web, back when people believed that what they typed on a dumb terminal
  was private and safe. Nowadays, we have a growing awareness of how little privacy
  we do in fact have when we use computers at the library, at home, or at the
  office. Still, too few people know about the dangers of spyware, which enables
  people to access the information stored on a computer or to log keystrokes,
  and then use the data for surveillance or illegal activities.
  We recently tested spyware and anti-spyware software in our academic library
  because we wanted to give our students hands-on experience as to what these
  applications are capable of. We also purchased some hardware devices that have
  the ability to log all keystrokes. (Because we feel that key-logging hardware
  can be extremely dangerous, for our protection we keep ours locked in a vault.)
  We found that the spyware we installed was very successful in capturing everything
  we typed, including passwords. Seeing this was enough to scare us, and
  our students!
  We hope that in the near future our librarians will be informed enough to
  make patrons aware that there is a risk involved whenever they use the libraries'
  public computers. Involving our library staff to help educate patrons and teach
  them how to protect their computers from becoming infected has become very
  important to us.
  What Is Spyware and How Does It Get on a Computer?
  Spyware is also known as scumware, exploitationware, and snoopware. Available
  both as software and as hardware devices, it is used for the sole purpose of
  tracking and recording your computer actions. This is not limited only to what
  you are looking at on the Internet or to a specific Web browser; it can also
  record what you do offline and even what you key into a spreadsheet or a word
  processing program. The information that you or your patrons type can be secretly
  logged and sent to any e-mail address on the Internet. Unfortunately, it's
  unlikely that you or a patron will even know if spyware is running.
  How does such a program get onto your computer in the first place? A potential
  thief doesn't need physical access to your machine; a security hole such as
  an unpatched Microsoft Windows operating system or server is the perfect way
  for someone to gain admission.
  You may inadvertently download spyware with free software by simply clicking
  on the "Yes, I Agree" button without taking the time to read the license. Or,
  you may receive an e-mail with a Trojan horse virus included. (In the virus
  family, Trojan horses cause the most damage. They can send themselves to everyone
  in your e-mail address book, erase or modify files, download another Trojan
  horse that is configured to steal your passwords, and allow the virus creator
  to take over your computer and remotely control it.) In some cases, your employer,
  a colleague, or even the government may employ such software to monitor your
  Internet activities.
  Hardware: Key Loggers 
  Spyware can also be hardware, such as a small device that is placed between
  the keyboard and the computer. This device is most often called a key logger
  because it logs everything you type on the keyboard. Even looking at the device,
  you would probably think it was part of the original equipment or a keyboard
  extension cable. Of course, attaching a key-logging device requires physical
  access to your machine. It is very easy to install; it only takes about
  20 seconds. There is no need to install additional software, as the devices
  use either Notepad or WordPad to decode the information. For this reason, anti-spyware
  applications, which look for software, cannot detect key loggers.
  When an intruder has the information she desires, all she needs to do is
  unhook the device and connect it to any computer to extract the data to find
  out what you were doing. A device attached between the keyboard and the computer
  is not the only key-logging item on the market. There are also key-logger keyboards
  that look so much like ordinary keyboards that using one, you might not even
  realize it has key-logging hardware built into it. Some hardware devices can
  log up to 2 million keystrokes, and they range in price from $50 to $200. As
  with most technology, the prices are dropping.
  I Spy: Using Spyware as an Agent for Good 
  Spyware can be a useful tool. As a parent, you can use it to monitor your
  children's actions while they're on the Internet, from what Web sites they
  visit to what games they are playing to what e-mail vendors they are using.
  Employers can use it to track employees' Internet and e-mail use.
  In libraries, we can use spyware to track illegal activities on our computers,
  such as patrons or staff using them to cyberstalk, to launch hacker attacks,
  to make purchases with stolen credit cards, or to view inappropriate or indecent
  materials (as defined by our individual libraries and the law). However, if
  you decide to install it on library computers, make staff and patrons aware
  of that fact and give the reason why. You should always let computer users
  know you intend to watch their movements prior to installation.
  There are also potential law-related reasons to install spyware. It can help
  track copyright abusers, cyberstalkers, online harassing or hate e-mail and/or
  chat users, and illegal activities, or it could even find out who is inquiring
  about bomb-making information. Spyware can monitor employees suspected of resource
  misuse and/or corporate spying. All of the above actions may be covered under
  current laws of cybercrime (see http://www.cybercrime.gov).
  License to Spy: The Legal Challenges 
  More often, however, spyware is used for others' gain or for surveillance
  without notification, legal or otherwise.
  When you download spyware with other programs, marketers may use it to monitor
  what sites you visit on the Internet and to collect your personal information
  in order to send you pop-up ads and banners that relate to your interests.
  This practice is currently considered legal, but recent court actions have
  challenged it.
  In the summer of 2000, several news articles accused NetZip's Download Demon
  of containing spyware.[1] The articles stated that
  14 million people had used the Download Demon before someone discovered that
  embedded spyware was sending reports back to the company of every file downloaded
  from anywhere on the Internet. (Download Demon was later licensed by RealNetworks
  and renamed to RealDownload; the software was also licensed by Netscape/AOL
  and called Netscape Smart Download. A class action suit against Netscape was
  filed on June 30, 2000, and is currently making its way through the courts.[2])
  We find it extremely frightening to think that companies, particularly those
  using software as ubiquitous as the Download Demon, may be watching and tracking
  all of the Web sites that their users visit.
  One of the first successful legal actions taken against a company with spyware
  embedded in its software was by the state of Michigan against eGames, Inc.
  in September 2000. Michigan Attorney General Jennifer M. Granholm alleged that
  eGames had not adequately warned consumers that its software (which was available
  via CD-ROM or online download) included a spyware program that enabled a third-party
  advertiser to secretly track consumers' actions while browsing on the Internet.
  In January 2001, eGames agreed to remove all third-party software from future
  versions and to not gather personally identifiable data without consumers'
  consent.[3]
  Another legal use of spyware that is coming under scrutiny is the FBI's monitoring
  of the Internet. The FBI uses a network application called Carnivore to keep
  an eye on e-mail messages going through Internet service providers, and it
  uses a spyware program called Magic Lantern for key logging. The FBI is not
  alone in monitoring the Internet, either; other U.S. governmental agencies
  are also out there examining computer activities.
  Spyware presents serious security implications for library staff computers,
  as well. A member of the staff could install it onto a machine to watch the
  activities of another staff member. Anyone with physical access to your computer
  could use a hardware device to spy on your computer activities without your
  knowing it.
  To address individuals' privacy concerns regarding their use of the Internet,
  two bills (H.R. 112 and S. 197) introduced in the 107th Congress would require
  notification of spyware use.[4] As of March 2003,
  no action had been taken on either bill. According to the Federal Trade Commission,
  transmittal of what you thought was private and personal information to someone
  without your informed consent is considered unauthorized monitoring of computer
  activities, and is illegal.
  Undercover and Undetected 
  OK, so spyware can be used to track every activity you and your patrons do
  on a computer. The really ugly news is that it is not clear with current
  technology if there is a way to stop theft via spyware and to protect patrons
  when they use library computers. Currently, most anti-virus software does not
  even check for it.
  Moreover, encrypted connections, used by Web sites that require credit card
  and account information (such as amazon.com and online banks), are completely
  open to spyware. This is because it can grab sensitive information prior to
  its even reaching the Internet. Still, it is best to send information across
  the Internet using encrypted programs whenever possible. A relative of spyware
  called a sniffer program can capture unencrypted data on a network. This gives
  the FBI and your local network administrators the ability to track your actions
  while you are on the Internet. Some examples of encrypted applications are
  secure shell telnet, secure FTP, and encrypted e-mail messages.
  How Can You Protect the Computers in Your Library?
  On the patron computers in our library, we block the downloading of known
  spyware programs using a combination of firewall and software applications.
  You can block remote installation of spyware by 1) using the Windows XP firewall,
  and 2) installing a firewall from a third party such as ZoneAlarm, BlackIce,
  CheckIt, etc. After you install a firewall, test it online with a program called
  ShieldsUP (https://grc.com/x/ne.dll?bh0bkyd2) to check for possible security
  holes and accessible computer ports.
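
  A local counterpart to the online port test described above, added here as an example (it is not from the original article): it reads `netstat -an` output from a patron workstation and lists the TCP ports that accept connections from the network and are not on an allowlist. The sample output, the allowlist policy, and the function name are constructed for illustration.

```python
import re

# Constructed sample of `netstat -an` output from a Windows patron workstation.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      203.0.113.7:80         ESTABLISHED
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1900           *:*
"""

# Matches TCP rows in LISTENING state; UDP rows carry no state and are skipped.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def exposed_listeners(netstat_text, allowed=frozenset()):
    """Return (address, port) pairs, sorted by port, for TCP listeners that are
    reachable from the network and whose port is not in `allowed`.

    `allowed` is the assumed site policy: ports a patron PC may listen on.
    """
    findings = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue
        addr, port = match.group(1), int(match.group(2))
        # Loopback-only listeners cannot be reached from other machines.
        if addr.startswith("127.") or addr == "[::1]":
            continue
        if port not in allowed:
            findings.add((addr, port))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {addr} port {port}")
```

  Each port it reports should either be closed, blocked by the firewall, or deliberately added to the allowlist.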
  Further, you can try to keep computers and patrons protected by 1) tightening
  up software with security patches, 2) using a firewall, 3) installing antivirus
  software and keeping it up-to-date with the latest signatures, and 4) warning
  patrons not to input personal and confidential information on library computers.
  You can check your library computers and attempt to detect spyware software
  that might be running by installing anti-spyware and anti-adware applications
  before opening any programs. (See the sidebar "How Do You Clean Spyware from
  Your Systems?" for information about such applications.) Like antivirus software,
  anti-spyware software must be updated often. One problem we currently face
  is that new spyware packages become available every day, and we don't have
  the time to search the Web and check out what has been released on a daily
  basis. To check for hardware devices, you need to regularly look at the computer's
  keyboard connection to see if there is any extra hardware attached.
  In October 2002, IBM announced its Embedded Security Subsystem, security
  technology consisting of hardware and software. It is a more secure (and
  more costly) choice than software alone. According to IBM, it
  ... consists of both a hardware component, the cryptographic security chip,
  which supports key storage, privacy encryption and digital signatures for authentication
  of identity, and a downloadable software component, Client Security Software,
  which interfaces to the user and to other software applications.[5]
  This could be a solution for protecting your information, but it is certainly
  still in the early stages. It's not yet ubiquitous in computing, and it's expensive
  to implement.
  You may think you could expect some privacy when you use a computer in the
  library, the workplace, in an Internet cafe, or even in your home, but this
  is not necessarily the case. It is easier than you may think for people to
  track confidential information, and for now there is no cost-effective solution.
  We try to block spyware from being installed on our library computers, but
  new applications that we do not know about crop up all the time.
  Because spyware is becoming increasingly complex, it's important to be more
  careful than ever before about what you do on the Internet, on library computers,
  and on your own computers. Therefore, you need to inform library patrons about
  the hazards of spyware. Ultimately, you should engage in personal and private
  activities only on a computer that you own, and you should encourage and
  train your patrons to do the same.
  
 
  References
  1. Gibson, Steve. "The Anatomy of File Download Spyware." July 14, 2000. http://grc.com/downloaders.htm. Greene, Thomas C. "RealNetworks admits to new spyware bug." The Register, July 25, 2000. http://www.theregister.co.uk/content/1/12167.html.
  2. Granholm, Jennifer M., State of Michigan Attorney General. Press Release, Jan. 10, 2001. http://www.ag.state.mi.us/press_release/pr10203.htm.
  3. Hudson, John. "Demographic Profiling: A Euphemism for Corporate Spying." Dec. 3, 2002. http://www.acm.org/ubiquity/views/j_hudson_1.html.
  4. 107th Congress, H.R. 112: "Electronic Privacy Protection Act: To prohibit the making, sale or use of an information-collection device without proper labeling or notice and consent." http://thomas.loc.gov. 107th Congress, S. 197: "Spyware Control and Privacy Protection Act of 2001." http://thomas.loc.gov.
  5. IBM Press Release, Oct. 4, 2002. http://www-916.ibm.com/press/prnews.nsf/jan/EC6DA46336675C2185256C4800556D1C.
  
 Daniel Fidel Ferrer is head of the library systems department at Central Michigan University's Charles V. Park Library in Mount Pleasant, Mich. In 2002, as part of a building upgrade project, he added more than 500 computers to the library. Ferrer holds M.S.L. and M.S. degrees from Western Michigan University. His e-mail address is Daniel.Ferrer@cmich.edu and his Web page address is www.lib.cmich.edu/bibliographers/danielferrer.

 Mary Mead is a programmer/analyst at Central Michigan University's Charles V. Park Library. In 2002, she was part of the building upgrade project and she continues to give ongoing support for more than 500 computers. Mead has worked in libraries for 27 years. Her e-mail address is mead1mc@cmich.edu.
 