Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.
When Ferris Bueller took his famous “Day Off,” he entrusted his best friend Cameron’s father’s 1961 Ferrari 250GT California (“less than 100 made”) to parking lot attendant Richard Edson. When they returned to the parking lot, they found that the valet had — to put it mildly – taken a joyride with the car.
The new Chevy Corvette has what might be termed “Ferris Bueller” mode, whereby the owner can stealthily monitor what the Richard Edsons of the world are doing with their cars. In addition to monitoring speed, braking and other use, the Ferris Bueller mode can also monitor the contents of communications of people inside the car.
The theory behind an indictment against a software vendor, returned by the United States Attorney’s Office for the Eastern District of Virginia on September 29 would make the advertising, sale, marketing or delivery of a 2015 Corvette a crime.
It would also potentially criminalize parental monitoring of their kids, employers monitoring of employees, or even the creation, storage or retrieval of logs. The law has a broad sweep.
Lawful vs. Unlawful Monitoring
Federal law generally prohibits the “unlawful” interception of communications — terms that lawyers love. First, there’s the problem of defining “interception” or more accurately under the law “interception in transmission.” When you “read” an e-mail, you don’t technically “intercept” it.
You copy it, and the other copy goes on its merry way to the recipient. That’s because e-mail is “store and forward” technology. Same for all things TCP/IP. The “storage” may be only for a few microseconds, but still. The law turns on things like that.
Interception has its own technical legal definition as well. You “intercept” a communication when you engage in the “aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” So anything that “acquires” the contents of a communication, “intercepts” it. Remember that definition — it will be important later.
Finally, not all “interceptions” are illegal. Under federal law telephone providers can “intercept” (meaning acquire contents of communications) in the ordinary course of providing services. Or the government can “intercept” with a wiretap order or similar document.
And, of course under federal law, you can “intercept” your own communications — what the law calls “one party” consent. If any one party to the communications consents to the “interception” it’s ok to the feds. That’s what allows your boss to read your email — you consented when you joined the company.
That is, unless you live in California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, or Washington State. In those states, all parties to the communication must consent to the “interception.”
So the vast majority of interceptions — that is the vast majority of acquisitions of the contents of communications — are likely perfectly legal. Your boss does it, your broker does it. Your IT department does it.
But the government is now alleging that the software they are using to do this is illegal. And the company that made, advertised, distributed or installed the software is committing a crime.
StealthGenie Indictment
On September 29, the United States Attorney’s Office in Alexandria Virginia released an indictment of the Pakistani distributor of web monitoring software “StealthGenie.” At the time DOJ Criminal Divisions Assistant Attorney General Leslie Caldwell proclaimed that the indictment was a milestone because, “Selling spyware is not just reprehensible, it’s a crime.”
StealthGenie is a software program that is designed to allow the installer to monitor the actions and activities of the person or persons who are using the device on which the program is installed. This can be a computer, cell phone or other device. It is designed to be difficult to detect and difficult to remove. The DOJ press release touting the indictment noted:
The indictment alleges that StealthGenie’s capabilities included the following: it recorded all incoming/outgoing voice calls; it intercepted calls on the phone to be monitored while they take place; it allowed the purchaser to call the phone and activate it at any time to monitor all surrounding conversations within a 15-foot radius; and it allowed the purchaser to monitor the user’s incoming and outgoing e-mail messages and SMS messages, incoming voice-mail messages, address book, calendar, photographs, and videos. All of these functions were enabled without the knowledge of the user of the phone.
Akbar and his co-conspirators allegedly programmed StealthGenie to synchronize communications intercepted by the app with the customer’s account so that the customer could review intercepted communications almost immediately from any computer with access to the Internet. To install the app, a purchaser needed to obtain physical control over the phone to be monitored for only a few minutes. The purchaser could then review communications intercepted from the monitored phone without ever again having physical control over the phone. Akbar and others alleged designed StealthGenie to be undetectable to users of the phone.
So? LogMeIn does this. Remote access programs can do this. I am allowed to do this on my own phone. I can do this on my kids phone. My employer can do this on my BYOD phone. Hundreds of programs can capture the contents of communications.
Hell, the command copy *.* does that. Everything described in this paragraph can be perfectly legal to do. Without a warrant. But selling, marketing or even possessing the technology to do that is a crime. At least according to DOJ. And that’s a problem.
Not that selling devices to secretly and illegally record other peoples communications is good. It’s not. It’s bad. And should be prohibited. Unfortunately, that’s not what the statute under which StealthGenie was prosecuted says.
The law permits the surreptitious interception of communications. In fact, it’s done all the time. The law prohibits the surreptitious interception of communications without the express or implied consent of one party in most circumstances.
It’s like saying smashing in a window is OK (if for example it’s your own window) but selling hammers is not.
Akbar was indicted under a federal statute, 18 USC 2512 which makes it a crime to manufacture, distribute or even advertise software, hardware or other device if it is “primarily useful” for the surreptitious interception of communications.
Notice that “surreptitious” interception is not the same thing as unlawful interception. The statute in full provides that it is a crime to “send[] through the mail, or send[] or carries in interstate or foreign commerce, [manufacture, assemble, possesses, or sell.. or place in any newspaper, magazine, handbill, or other publication or disseminate by electronic means any advertisement] for any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.
The exceptions are if you are a “provider of wire or electronic communication service” or an “officer, agent, or employee of, or a person under contract with, the United States, a State, or a political subdivision thereof.”
Think about that. It’s a crime to make, sell, possess or market software that is “primarily useful” for intercepting communications unless you are already under contract with the government or are a provider of telecom services.
So all of the programs designed to combat insider threat by monitoring communications, all the big data analytic programs that “obtain the contents of” communications, all the remote access programs that are “primarily useful” for accessing computers to read communications, all the software used by banks, call centers, broker-dealers and others, all the deep dive analysis programs — all of them are illegal to “manufacture” advertise or sell.
Similarly, all of the programs that are intended to keep kids safe by permitting parents to monitor their children’s activities are illegal — even for the parents to possess. Programs like MSpy, TeenSafe, WebWatcher, SpyAgent, ContentProtect, eBlaster, CyberSitter, NetNanny, CyberPatrol and others.
In fact, Dr. Phil (Philip McGraw) advises parents to “Monitor Your Child’s Internet and Cell Phone Activity.” Dr. Phil helpfully provides links to a host of downloadable software that parents can use to do such monitoring. The FBI Cyber division recommends that parents “Monitor your child’s access to all types of live electronic communications (i.e., chat rooms, instant messages, Internet Relay Chat, etc.), and monitor your child’s e-mail.”
But if you posses software to do this, you go to the slammer. The National Center for Missing and Exploited Children similarly recommends that parents monitor their children’s Internet activities and communications — often surreptitiously.
This is because the statute makes it a crime to manufacture software which is “primarily useful” for surreptitious interception, not for unlawful interception. Surreptitious means stealthy.
Like when your boss reads your e-mail off the server as opposed to reading it off your PC. (it’s possible that your boss could be considered a provider of telecom facilities under the statute, but also likely that they wouldn’t.)
This is not the first time that the government has gone after producers of certain kinds of spyware. In November, 2008 the Federal Trade Commission obtained a cease and desist order against the manufacturer of the so-called “RemoteSpy” software program.
In August of 2005, the government indicted the manufacturer of a program called “LoverSpy” under the same statute as used here, and the owner of the company Carlos Enrique Perez-Melara, eventually was put on the FBI’s “Ten Most Wanted” cybercriminal list.
Earlier this year, Dr. Steven Curley, from Houston, Texas, a well respected Cancer researcher was indicted for using a program called eBlaster in the course of a divorce proceeding against his wife to surreptitiously obtain copies of her electronic communications. In one extraordinary case, a criminal defense lawyer used technology to lawfully intercept communications of potential government witnesses in Guyana, and was going to use the contents of these lawfully intercepted communications to impeach the witnesses at a federal trial in New York.
The interception equipment was actually purchased by the Guyanese government, and provided to lawyer’s client to assist the Guyanese government in fighting crime. The New York federal prosecutors demanded that the defense lawyer produce not only the “original” intercepted communications, but also the device used to intercept them.
When the defense lawyer, complying with the DOJ demand had the interception equipment shipped to NY from Guyana, he was arrested and convicted of “importing” a device that was “primarily useful” for the surreptitious interception of communications. The court noted, “when Congress enacted § 2512, it did not build in an exception for defense counsel who import and possess interception devices solely for the purpose of defending their clients. Perhaps it thought prosecutors would never exercise their discretion to bring such a charge. If so, it thought wrong, as [the lawyers] were indicted for obtaining and possessing the very equipment the Khan prosecutors had repeatedly inquired about.”
The prosecutors went further to argue that not only was the hardware used to intercept the communications illegal to possess, but so was the laptop computer which stored the intercepted communications, as part of the overall “device.”
Finally, in the context of a relationship gone sour, one lover placed a software program called “WebWatcher” on the computer of the other. The impacted computer user sued not the paramour, but rather the manufacturer of the software program itself.
In Luis v. Zang, (SD Ohio 2013) the court found that the “manufacturing” statute did not confer a right to sue (you can be prosecuted, but not sued) and that the manufacturer was not civilly liable for the use of their software by third parties, but also rejected the manufacturer’s claim that their software did not “intercept” communications.
So it’s a bloody mess.
Law enforcement cannot purchase, possess, import or obtain devices for surreptitious interception unless the product was manufactured under contract with the government. COTS is CRIME.
Broker dealers can’t use software to lawfully monitor their employees (surreptitiously) unless the broker dealer is also a telecom provider. Parents who monitor their kids’ activities have conspired to possess or distribute unlawful software. Any software which is “primarily useful” for even lawfully “obtaining the contents” of communications is a crime under the statute, and anyone possessing such software faces severe criminal sanctions.
Congress can fix this. They need to change one word. Instead of making it a crime to possess devices (including software) to “surreptitiously” intercept communications, they just need to make it a crime to manufacture devices to “unlawfully” intercept communications.
But that would require Congress to act. While Ferris Bueller asked “The question isn’t “what are we going to do,” the question is “what aren’t we going to do?”” for Congress the question these days is more often, “what are we not going to do.”