The Wall Street Journal reports on a trend of spy targets using counter-spy technology:
Crooks are parking vans outside people’s homes to steal bank-account passwords and credit-card numbers, using programs that tap into Wi-Fi connections. Paparazzi hide cameras and microphones in private jets, hoping to record embarrassing celebrity video. Corporate spies plant keystroke-recording software in executives’ laptops and listen in on phone conversations as they travel.
Now, people are deploying counter-spy technology to fight back. Some celebrities and corporate executives get regular sweeps of their offices, limos and private jets in search of hidden devices. Others hire security experts to safeguard their phones and home computers. And corporate security experts are advising businesspeople on how to keep company secrets safe while traveling abroad.
Besides the usual tiny cameras and hidden microphones, other kinds of spyware include: key loggers (software that tracks keys typed in order to get passwords or other data); GPS-tracking devices (which track your physical location); and Wi-Fi interception (which monitors your online activities). As technology advances, commercial spyware has become cheaper and smaller. The easy-to-hide surveillance gadgets have been increasing in popularity, but there are questions surrounding the legality of the use of such technology.
On Wednesday, the Senate Committee on Commerce, Science, and Transportation held a hearing on the issue, “Impact and Policy Implications of Spyware on Consumers and Businesses.” A Federal Trade Commission official, consumer advocates, and industry representatives testified.
(Disclosure: I worked for several years at the Electronic Privacy Information Center; its executive director testified (pdf) at the hearing. EPIC also has filed a complaint (pdf) with the Federal Trade Commission alleging that companies that sell such spyware engage in unfair and deceptive trade practices by promoting illegal surveillance activities.)
The Senate hearing focused on S. 1625, "the Counter Spy Act," which would give the FTC the “authority to prosecute the unauthorized installation of software on consumers’ computers and require disclosure to users of the features of any software being installed that could pose a threat to privacy. The bill would pre-empt state law in most cases,” according to Government Computer News. The consumer privacy advocates supported the goal of the bill, but urged against federal preemption of stronger state laws. They also highlighted overly broad exclusions and immunities in the law.
Consumer advocacy group Americans for Fair Electronic Commerce Transactions (AFFECT) testified (pdf) that Subsection 6(a)(10) “would permit a provider to monitor or interact with an individual’s computer, or Internet or other network connection or service for the ‘detection or prevention of the unauthorized use of software fraudulent or other illegal activities.’” This raises privacy and security questions such as, “What is the process for authenticating the identity of the person using the software? And what are the standards for determining whether that person has the authority to perform a certain operation, and who decides?”
AFFECT also testified that S. 1625 would allow software providers to surreptitiously monitor a user’s computer and “permit unilateral remote disablement” of a user’s computer:
This language would allow a software vendor to surreptitiously download code onto a user’s computer and freely violate the user’s privacy by monitoring everything on his or her computer, as long as it did so under the guise of looking for unauthorized use, fraudulent, or illegal activities. It would allow the provider to set itself up as an ad hoc police force to conduct warrantless searches and to act as judge and jury to conduct unilateral seizures. Private entities do not and should not have the right to conduct law enforcement activities.
More troubling is the fact that the language of Subsection 6(a)(10) would effectively allow a software provider to unilaterally decide to remotely shut down the user’s computer or Internet or other network connection or service. But whether the use of a particular software is “unauthorized,” “fraudulent,” or “illegal” is often subject to legitimate dispute and merits some judicial consideration before a provider is allowed to unilaterally employ a drastic remedy like remote disablement.