Spy v. Spy

How much simpler it is to record your spouse/lover/significant other's every keystroke and know for sure what he or she is up to without ever leaving the comfort of your computer station. Adultery is as old as time, but who would have guessed that cyber-adultery would be a commonplace phenomenon and often the genesis of divorce?
Spyware has made the notion of peeping through keyholes wonderfully quaint.

The legality of spyware is murky at best. Courts have spoken of it only infrequently, so there is precious little guidance. How does a lawyer advise the client who wants to employ spyware or who already has? How does a lawyer advise the client who believes a spouse has used spyware to conduct surveillance on his or her computer usage? It is a dicey business, and fraught with risk for lawyer and client alike.

Before plunging into the legality of spyware in domestic relations cases, let us set the stage.

What constitutes spyware?

Generally speaking, spyware is software installed on a computer without the target user's knowledge and meant to monitor the user's conduct. Most of the time, in domestic practice the target is e-mail and chat rooms, but the software will record everything the user does, including financial record keeping, using a word processing program to draft letters to counsel, or the keeping of business records. Some spyware is used to gather personal information such as passwords and credit card and Social Security numbers, all useful for those interested in fraud and identify theft. Some spyware programs will hijack your Web browser, reset your home page, add toolbars, alter search results, or send pop-up ads that cannot be closed, all intended to hawk some vendor's products.

Spyware has become insidiously clever. Many programs come with a reinstaller; as soon as you attempt to remove it, it reloads itself. Many forms of spyware hide in Windows files and even mimic the file names so that the average user would have no idea that the files are, in fact, shielding spyware. The latest wrinkle with spyware is that it can turn the infected machine into a spam zombie. This means that your computer is used as a relay point to send spam messages without your knowledge.

Spyware is software installed on a computer without the target user's knowledge and meant to monitor the user's conduct

What is adware?

Those who are responsible for adware will have conniptions if you tell them their products are spyware but, in fact, they usually are, even though a lesser form of it. If you click something and agree to install adware, it cannot be classified as spyware. However, if you (or very likely, your children) want to install a neat screen saver, cool game, or swap music/movie files via a peer-to-peer (P2P) sharing program, chances are the downloader will never read the user agreement and will simply hit "I agree."

This is how most adware finds its way into a computer. Mind you, there are other more insidious ways as well, including "drive-by downloads" from Web sites, malicious cookies, etc. True adware, however, isn't meant to steal your personal financial information or monitor your love life. Usually, it is used to send information about your surfing and buying habits to assist marketers generally and to target you, in
particular, especially with pop-up ads, spam, and their unwelcome brethren.

What is supportware?

A recently coined term, supportware refers to software that has some of the attributes of spyware, but doesn't properly belong in the spyware class. This would include such things as cookies, onscreen pop-up reminders, program update utilities, and Internet browser security features. Each of these may require a computer program to monitor the use of the computer and to collect some information about the user or the computer.

As legislators have struggled to define spyware, the supportware issue has become particularly nettlesome. There is a growing constituency concerned with preventing "bad acts" as opposed to trying to define "bad software."

Indicators that spyware may be present:

o A sudden proliferation of pop-up ads,

o A change in the Internet home page,

o The appearance of new toolbars,

o The appearance of new icons in the system tray at the bottom of your computer screen,

o Random error messages,

o The appearance of new programs in the start-up group,

o A marked sluggishness in computer performance,

o A sudden tendency of the computer to lock up or blue screen,

o A significant increase in hard-drive activity.

Who is likely to have it?

The more correct question is who doesn't have spyware? Although studies disagree, it is clear that from 80 to 95 percent of all computers have some form of spyware on them. In November 2004, America Online and the National Cyber Security Alliance released a study in which 77 percent of computer users felt they were safe from spyware. In point of fact, 80 percent of their systems were infected with spyware. If you look at your computer and think it's looking back at you, it may well be doing exactly that.

Keystroke loggers (programs that monitor every keystroke) are rarer. They seem to have three primary uses: business spying, relationship spying, and monitoring children.

One of the more interesting studies was done by Internet service provider EarthLink. It demonstrated the pervasiveness of spyware by scanning the PCs of almost 2.1 million Internet users. The survey revealed the existence of nearly 54.8 million applications deemed to be spyware on the users' computers, almost all of which had been installed without the owner's knowledge.

Consider changing your browser to FireFox, which will also minimize "drive-by" downloads

Commonly used spyware

These days, there are so many spyware manufacturers that it is nearly impossible to list them all. They have such names as ComputerGOD, Keyboard Cop, SpyAgent, Looxee, Spector Pro, PC Spy, PAL KeyLogPro, and Ghost Keylogger. They have different features and have slightly different operating characteristics but are all intended to spy on someone else's computer use-stealthily. There are also good hardware keystroke loggers such as KeyKatcher, a small dongle-like device that fits in between the keyboard and the PC. It's a modern day "bug" with a memory capacity of 32K, 64K, or 128K, able to store several weeks' worth of typing after which it can be removed and all the text downloaded onto another machine. The drawback, obviously, is that the person placing the KeyKatcher must have continuous physical access to the machine. Thus, KeyKatcher is most commonly used by husbands and wives residing together.

Many of the programs act like cameras, taking a picture of whatever is on the screen every few seconds. The picture playback is like a herky-jerky film from the 1920s. Many of the programs will send the log files of the activity to an e-mail address for "play back." How much does spyware cost? Not much, $30 to $100 is a common range, and cheap for a heinous invasion of privacy.

Programs that work

Among the highest rated are Spy Sweeper, Ad-aware Pro, Spyware Eliminator, AntiSpy, XoftSpy, and Spyware Doctor. Beware, though, for no one program will catch all spyware. Experts recommend running two or three antispyware programs weekly to maximize your chances of eliminating all spyware on your system. Many of the programs run in the $30 to $40 range.

Too many people believe that up-to-date antivirus software will do the trick. Wrong. A lesser number feel safe if they've checked the installed programs listing, the add/remove panel, the standard start-up area, and they've pressed Control Alt Delete simultaneously on their computer without anything mysterious showing up. Also wrong. The entire point of spyware is to cloak itself so that standard methodologies will not detect it.

Besides having good antispyware programs, you want to make sure your operating system and Web browsing software are updated regularly to close vulnerabilities that may have been patched by the manufacturer. Also, download free software only from sites you know and trust.

Read the license agreements of any software you download. Keep your browser security setting at "medium" or higher to minimize "drive-by downloads." Don't click on links in pop-up windows, they may contain spyware. Don't click on links in spam, which often carry spyware. Make use of personal firewalls on home machines. Consider changing your browser to FireFox, which will also minimize "drive-by" downloads.

Which federal laws apply?

As of June 2005, no federal law regulates spyware. In May, the House of Representatives passed two bills designed to punish those who install spyware on a computer without the owner's knowledge. After abandoning efforts to merge the two measures into a single bill, the House voted 395-1 to pass legislation that would send some spyware distributors to jail for up to five years, and 393-4 in favor of another bill that would impose heavy fines on people and companies that install spyware on computers without the owner's permission.

The House passed two nearly identical bills in October 2004, but concerns in the Senate, including how best to punish spyware purveyors while protecting legitimate businesses, prevented passage. The Spy Act requires businesses to obtain permission from the computer owner before placing programs on a machine, an opt-in procedure. Technology companies generally prefer "opt-out" language that allows consumers to request that programs not be uploaded to their computers, but doesn't force companies to ask permission every time. It would prohibit unauthorized software from changing a browser's default home page, changing its security settings, logging keystrokes and activity, and delivering advertisements that the user can't close without turning the machine off or ending the browser session. The bill also outlaws some of the most insidious practices associated with spyware, including many of the gimmicks used to trick people into installing the programs. Violators could be fined up to $3 million per violation. Many spyware functions would be defined as unfair business practices subject to Federal Trade Commission fines.

The Internet Spyware Prevention Act has been less controversial. It focuses on some spyware distributors' more overtly criminal activities and imposes jail terms of up to five years on those who use software to illegally gain access to a computer.

Other antispyware legislation has been floating around, and it is difficult to predict which versions will triumph. However, all of them would preempt similar state laws. Attempts have been made to apply the antiwiretap laws to spyware, but they have not fared well. The current state of the case law is distinctly unhelpful.

The most confusing recent development came in U.S. v. Councilman, 373 F.3d 197 (1st Cir. Jun 29, 2004), in which the First Circuit in Massachusetts ruled that Bradford C. Councilman did not violate criminal wiretap laws when he secretly copied and read the e-mail of his customers in order to monitor their transactions. Councilman, owner of a Web site selling rare and out-of-print books, offered book dealer/customers e-mail accounts through his site. However, Councilman installed surreptitious code that intercepted and copied any e-mail that came to them from his competitor Amazon.com.

Although Councilman did not prevent the mail from reaching recipients, he read thousands of copied messages to find out what books customers were looking for and to gain a commercial advantage over Amazon. Authorities charged Councilman with violating the Electronic Communications Privacy Act (ECPA), which governs the unauthorized interception of communications. But the court found that because the e-mails were already in the random access memory of the defendant's computer system when he copied them, he did not intercept them in transit over wires and therefore did not violate the ECPA, even though he copied messages before the intended recipients read them.

The court ruled that the messages were in storage rather than in transit and acknowledged that the ECPA, written before the advent of the Internet, might be inadequate to address modern communication methods. ( Read the decision.

To further confuse matters, the First Circuit then voted to rehear the case en banc and vacated the judgment, 385 F.3d 793 (1st Cir. Oct. 5, 2004).

Where does that leave us?

No one knows. A further decision in U.S. v. Ropp, 2004 WL 2823039 (C.D. Cal. Oct. 7, 2004), held categorically that the use of a hardware spyware device (KeyKatcher) did not violate the ECPA because the transmission of keystrokes from a keyboard to a computer's processing unit is not the transmission of an electronic signal by a system that affects interstate commerce and, therefore, does not constitute an "electronic communication" within the meaning of the statute.

What about state laws?

Three kinds of laws can make spyware illegal: antispyware laws, computer privacy laws, and computer trespass laws.

In 2004, California and Utah enacted legislation designed to outlaw spyware. California's law prohibits willfully loading unauthorized computer software onto a computer and using the software to (1) take control of the computer, as specified; (2) modify certain settings relating to the computer's access to or use of the Internet, as specified; (3) collect, through intentionally deceptive means, personally identifiable information, as defined; (4) prevent, without authorization, an authorized user's reasonable efforts to block the installation of or disable software, as specified; (5) intentionally misrepresent that the software will be uninstalled or disabled by an authorized user's action; or (6) through intentionally deceptive means remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer. The law also prohibits inducing computer users to install a software component by intentionally misrepresenting that it is necessary for security or privacy to open, view, or play a particular type of content. (California S.C. 1436.)

Utah, which took a crack at spyware and had it kiboshed by the courts, now has a new antispyware law. Utah's 2005 Spyware Control Act, signed into law in March 2005, clears a software provider from liability under the laws of Utah if it removes, disables, or blocks a program that the provider reasonably or in good faith believes violates other provisions of the Utah statute or otherwise collects certain information without consent.

Admonish clients to assume that every e-mail they write will show up on the front page of The New York Times

Antispyware legislation is currently pending in a number of other states. Virginia has both a computer trespass and privacy statute so that spyware is a definite no-no, even if the computer is a joint asset. A quick scan of other states reveals similar laws in Kansas, Tennessee, Rhode Island, Washington, and North Carolina. Clearly, attorneys must be cognizant of the laws in their own jurisdiction.

Although this article focuses on the area of domestic relations, it should be noted that two states, Connecticut and Delaware, require employers to notify employees prior to monitoring e-mail or Internet access. (Delaware Code § 19-7-705 and General Statutes of Connecticut §§ 31-48d.)

A Massachusetts anecdote

Mayor Mary Anne Clancy (Newburyport, Mass.) is a married mother of three who engaged in a brief cyber-dalliance with a married gym teacher. She never intended to consummate the relationship and did not intend her e-mails to become public. Her husband Brian discovered the cyber-tryst via spyware, tracked down the teacher, and clocked him. The entire sordid mess became fodder for the local newspapers, which were undoubtedly pleased to have such racy headlines.

It is always wise to admonish clients to assume that every e-mail they write will show up on the front page of The New York Times, a billboard on their local highway, and that their mothers will read it. If all of that is OK with them, then they can hit the "send" button.

What are clients up to?

If you want to check out what your clients are reading online, just type "cheating spouse" into Google and prepare yourself for a slime bath. One typical site is www.chatcheaters.com, which contains real life stories, ads for keystroke loggers, advice on how to catch cheaters, and even a PI and lawyer directory.

Most of the time, clients will have surfed the Net on this subject and purchased/installed/used spyware before they ever consult an attorney. They will arrive in your office with printouts of e-mails that scorch your eyebrows as you read them. They are generally quite pleased with their resourcefulness and blissfully unaware that they may have broken a law.

Odds are great that federal law will criminalize this behavior very soon

The common belief is that "the computer belongs to both of us so I can do anything I want." When told that they may have broken a law, they become ashen-faced and are stunned to think that the "guilty" party now may have a cause of action against the "victim."

Mind you, most online affairs are only online. The best guess is that about 30 percent cross the line from virtual to reality. This is of scant comfort to a spouse reading a mate's highly sexual e-mail, but it is important for attorneys to separate adultery from cyber-sex that hasn't crossed the line to adultery. Being a cyber-cuckold doesn't have the same legal status, however painful that may be.

What else may your client be up to? Not uncommonly these days, they may have installed a GPS vehicle tracker. For instance, check out the Millennium Plus device offered at www.wherethehellismyspouse.com.

If it sounds like the facts warrant it, you'll want to have a forensic technologist find and document the spyware's existence. This software is so squirrelly that the evidence a layperson can get, if any, is so fragmentary as to be worthless in court. It is far better to hire an expert to find and document the spyware. This will derail the argument that the spouse or a friend planted the evidence.

What to tell a spying client

Take the spyware off. Now. No excuses. Even if you live in a state where the software may be legal, and many lawyers do not live in such states, odds are great that federal law will criminalize this behavior very soon. It also is true that the Councilman decision may be overturned and that even current federal law against the interception of electronic communications may apply to the use of spyware.

Be prepared for arguments. Over and over again, we must patiently explain that it doesn't matter if the computer is owned jointly. In our state of Virginia, you may search a spouse's car, briefcase, and wallet, but a specific statute grants each individual a right of computer privacy. If that right is violated, the offender is subject to both criminal and civil penalties.

It is a fact of life that many clients seem unable to "pull the plug" on their spying. Remarkably enough, the spying itself often becomes an addiction, and the perpetrator is unwilling or unable to break the habit. It may be necessary to be quite forceful, up to and including indicating that you will withdraw from the case if possible criminal conduct continues.

When it comes to the marital computer, the answer is always: No spyware. Wrong solution, and it will likely end up getting the client in trouble rather than the spouse who is actually engaging in bad conduct. The first thing you'll want to do is have a forensic image made of the computer. This can be done while the spouse is at work or away on a business trip.

Generally, if a computer is received in the morning, a forensic technologist can make and verify the image, returning the computer in the afternoon. At this point, at least you have a record. You will not want to authorize the technologist to analyze the image until a court order has been received, which will protect both attorney and client against any civil or criminal claim of computer trespass or invasion of computer privacy. If the court order is not a current possibility, and perhaps no divorce action is underway as yet, you still have a forensic image to examine when the time is right and you have the court's imprimatur.

Who wins the duel?

The ultimate spy versus spy duel involves a situation where husband is monitoring wife and wife is monitoring husband. It's rare, but it has happened. Who wins the duel? Generally, the victor is the first to install the spyware on an unsuspecting spouse's computer. Then the spyware logs the installation of the new spyware. Game over. FA

Is Spyware on Your Computer?

Take a free systems audit at www.webroot.com/services/spyaudit_03.htm. You may be surprised at the results.

Sharon D. Nelson is president, and John W. Simek is vice president of Sensei Enterprises, Inc., a computer forensics and legal technology firm based in Fairfax, Virginia. They can be reached at sensei@senseient.com. A version of this article appeared in Law Practice, Oct.-Nov. 2005.

Published in Family Advocate, Volume 28, No. 3, Winter 2006. © 2006 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.