Security vendor survey: Will they side with the government?

Security software vendors may soon side with US government authorities and intentionally fail to report "certain spyware" to customers if ordered by a court to remain quiet, according to a survey of leading firms.

In a case decided earlier this month by the 9th US Circuit Court of Appeals, federal agents used spyware with a keystroke logger to record the typing of a suspect who used encryption to scramble his communications.

But would the government spyware used in that investigation actually be detected by security software? Or would security companies intentionally fail to report it?

To answer that question, ZDNet Australia's sister site CNET News.com conducted a survey. We asked three questions of 13 security companies, ranging from tiny ones to corporations like Microsoft and IBM.

When there is no answer listed for a specific question, the company chose not to answer it. In some cases we followed up with additional questions. The survey was conducted over the past week.

AVG/Grisoft
Responses from Fran Bosecker, spokeswoman for Grisoft, which publishes the AVG Anti-Virus, AVG Anti-Spyware, and AVG Anti-Rootkit programs, many of which are free. Grisoft has offices in the United States, Czech Republic, and Cyprus.

Has Grisoft/AVG ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?
Bosecker: Not to the best of my knowledge in the US or Europe.

Is it Grisoft/AVG's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?
Bosecker: So far this is the policy, also based on the valid legislature.

Do these policies vary depending on the country (the US vs others, for instance)?
Bosecker: Yes. Current AVG policy is to flag trojans that exhibit these types of actions. With that said, AVG will of course consider all laws, regulations and compliance rules set forth by the nations and/or local governments to the best of our abilities.

We understand that you have to comply with applicable laws and regulations. But do any laws and regulations currently require security companies to ignore spyware/malware/key loggers placed on computers by governmental agencies?
Bosecker: None that we're aware of in the US or Europe, or at least no law enforcement or agency has asked that we ignore any.

Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?
Bosecker: No.

Check Point
Responses from Allison Wagda, director of public relations at Check Point Software, which makes the ZoneAlarm security software, including a Vista version announced last month. Other Check Point products provide disk encryption, firewalls and intrusion detection.

Has Check Point ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?
Wagda: No, we've never been approached with such a request.

Is it Check Point's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?
Wagda: Our goal is to detect malicious software. ZoneAlarm does so by detecting certain behaviours (such as keystroke logging) and alerting the user. We do have a policy whereby legal, legitimate software programs from any third-party vendor can be "whitelisted" from detection upon request. We would afford law enforcement the same courtesy.

In a follow-up conversation, we asked Check Point under what circumstances they would afford that "courtesy".
Wagda: We've never been in the situation, but if the request fell outside of our typical parameters for whitelisting (ie having a signed certificate, among other things), then we'd consider on a case-by-case basis.

Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?
Wagda: Not to our knowledge.

Computer Associates
Response from Jessica Cassidy, a spokeswoman for Computer Associates, which makes software such as PestScan and CA Anti-Virus.

Have you ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?
Cassidy: No.

Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?
Cassidy: The simple answer is yes. CA builds detections for all spyware and keystroke loggers that fail to pass our published scorecard criteria. Following is a link to our spyware scorecard.

Talkback 2 comments

  1. The Internet Anonymous -- 18/07/07

    I may well be completely wrong here but it is my sincere feeling/position that while the Internet was apparently first conceived in the US, that doesn't give the US government any right to claim ownership. Nor any other government either. I abhor the arrogance and self-centredness of the US laying claim to anything and everything with their "Our way or the highway" attitudes. The Internet is there for everyone to use that pays for the service and we ought to be able to go where we wish, do what we wish with confidence and the protections we pay for from on-line security firms. I've never visited any of the available porn sites and don't intend to, never done any gambling or anything else that I feel is distasteful, including the thousands of chatrooms. Being nearly 70 and having had a computer since 1981 before there was an Internet, it is ghastly to me that any "government" could/would have/seize the right to SPY on any of my activities. To me, most all of the problems throughout the world today, including the Internet are all laying at the feet of the disgusting US Administration. If they would stick to their own shores, mind their own damned business, we would not BE in the terrible situations we're in today.

    1. US is in trouble Anonymous -- 16/10/07

      I agree with you sir. I am an American and have suffered the humiliation of this Bush takeover. The US is in danger of following the 3rd Reich and there are powerful agents who are working day and night to see to it. What they don't know is that there is only so much that we can take. Americans are typically slow to anger and then they get emotional and rage. The Bushies are close to getting that rage. Hopefully sooner than later for all our sakes. Keep the faith.
