Thinking Out Loud: You Assumed 'Erase' Wiped Out That Rant Against the Boss?
Nope --- Keystroke Loggers Save It, So Companies Can Peek Inside Employees' Heads
--- 'Moen...Money...Scholarship'
The American workplace has been put on
notice that office computers can be monitored. But who could have imagined the
keystroke cops?
In a new threat to personal privacy on the
job, some companies have begun using surveillance software that covertly
monitors and records each keystroke an employee makes: every letter, every
comma, every revision, every flick of the fingertip, regardless of whether the
data is ever saved in a file or transmitted over a corporate computer network.
As they harvest those bits and bytes, the new programs, priced at as little as
$99, give employers access to workers' unvarnished thoughts -- and the potential
to use that information for their own ends. Say you draft a rant to the boss or a
client, and then, thinking better of it, delete the whole thing. Too late. One
by one, all the keystrokes have been sucked up and stored on your computer's
hard drive or sent as e-mail that a computer-system administrator or manager can
retrieve at his convenience.
Last December, Poplar Grove Airport in
northern Illinois suspected that one of its employees might be running a
business of his own from his office PC. So the privately run airport bought a
"keystroke logger" called Silent Watch and a license permitting it to install
the program on six of the airport's computers. Along the way, however, the
electronic stakeout snared some other workers.
Describing her career ambitions, a young
office worker seemed to have no clue her employer could delve so deeply into her
computer. Soon after arriving at her desk on Christmas Eve morning -- at
9:24:09, to be precise -- she poured out her soul on a blank page of Microsoft
Word.
"I plan to obtain flight time by
instructing and/or flying commuter planes," she wrote. She then backspaced over
"planes," and substituted "jets." As she tapped away, it became apparent she was
drafting a scholarship application for a flight-science program at Western
Michigan University. "I know this is the career I want to pursue and the moen"
-- she backspaced over the "en" -- and typed "ney."
After correcting that typo, according to
the airport's keystroke log, she stopped again, backspaced over the word "money"
and changed it to "scholarship." So the sentence then began, "I know this is the
career I want to pursue and the scholarship I would receive . . ."
This wasn't an e-mail or a document she
sent over the company's network. It was a work in progress, a draft,
reconstructed letter by letter, typos and all.
"We used to tell our people we could
monitor everything -- even before we really could -- just as a deterrent," says
Chris Pauli, the airport's computer-system administrator. "Now we really can."
"When else can you peer into someone's raw
thought process?" asks Peter A. Steinmeyer, a lawyer at Epstein Becker &
Green in Chicago who has studied Internet and privacy issues and who represents
management clients. Nonetheless, he says, while an employee may try to argue
that he reasonably expected his "draft" thoughts to remain his own, courts have
consistently held that communications written on company-provided computers
aren't private under current law.
"There's no legal qualm about it," says
Richard Eaton, who wrote and now sells a keystroke-capturing program called
Investigator. "There may be an ethical one."
Mr. Eaton says his company, WinWhatWhere
Corp., Kennewick, Wash., has sold more than 5,000 Investigator software licenses
since the product was launched in August 1998. Customers, he adds, include Exxon
Mobil Corp., Delta Air Lines and Ernst & Young LLP. Lockheed Martin Corp.
says it is considering using the software for "ethics investigations."
For all its sleuthing capabilities,
Investigator is nothing more than a shiny silver CD-ROM that costs $99 or less
with volume discounts. Mr. Eaton, who developed the program, burns the CDs right
in his home, which is also company headquarters.
"At first, I thought it was controversial,"
says the 47-year-old entrepreneur, who sports close-cropped hair and a
diamond-stud earring. "Slimy," he adds.
The keystroke tracker evolved from a
program he had been selling to help companies measure how much time computer
users were spending on various projects. But after clients kept asking for
keystroke surveillance, he says, "I saw there is a legitimate security need for
it."
The keystroke software is part of a new
"offline" workplace battle. Many companies are concluding that they may be
missing computer mischief that doesn't involve the Internet or the corporate
network, both of which they can monitor. Right at their desktop PCs, employees
could be copying sales leads or pornography to or from disks or CD-ROMs, or
downloading bookkeeping software to run their own businesses -- all of which
could elude conventional surveillance methods.
But some uses are strictly personal. Many
people have bought the Investigator program, Mr. Eaton says, to run down
suspicions that their spouses are being unfaithful in Internet chat rooms. They
simply download the software, then later see exactly what their partners were
typing. One mother ordered it to check on her teenage children's computer use
while she was away on vacation.
The Investigator program is designed to be
covert. It doesn't show up as an icon on the screen, and is hard to find among
computer files even when someone specifically searches for it. It is usually
installed on a worker's computer after hours, but it can also be disguised in an
e-mail attachment for an unsuspecting employee to download as an "upgrade."
Recently, however, Mr. Eaton has added an
onscreen notice, informing the user that the PC could be monitored -- an alert a
systems manager can choose to have automatically displayed or not. "If your
purpose is to humiliate them, then don't tell them," Mr. Eaton says. "If you
want to stop abuse, tell them. Usually the threat alone is enough."
Once Investigator is installed, the
computer manager can choose "alert" words like "boss" or "union" or specific
names. Then any time they appear in the text of an e-mail, note or memo, those
documents will be automatically e-mailed over a company's computer network to
the employee's supervisor or other designee. (On a stand-alone computer, the
document would have to be retrieved directly from the hard drive.)
On the WinWhatWhere Web site's "We Get
Mail" section is an e-mail from Michael Nogrady, a computer technician. "Maybe
someday you will be ashamed," he writes. "Who knows, some people will do
anything for a dollar. I am not saying this to be cruel, just asking if you have
looked at this program morally."
Says Mr. Eaton, "I don't want to violate
privacy -- I like my privacy. But I don't want to be in a position of deciding
who gets it and who doesn't."
Customers generally don't have much to say
about Investigator. Exxon says it has a longstanding policy of not discussing
products it uses, lest it seem like an endorsement. Accounting firm Ernst &
Young confirms that it uses Investigator, but won't say how widely or for what
purpose. A spokesman for Delta says the airline's
information-technology division bought one copy of the software
last year and used it for internal testing "in one tiny area" of the division.
"We decided it's not something we want to pursue. It died a pretty quick death,"
the spokesman says. "We don't want to be a police agency."
While Mr. Eaton insists Investigator poses
no legal problems, he says his lawyer suggested he include a disclaimer in the
licensing agreement: "Any use of this software in conjunction with any hardware,
device or apparatus to surreptitiously intercept wire, oral or electronic
communications may violate state and federal laws."
Mr. Eaton refuses to discuss the specifics
of how the software intercepts keystrokes, and does so even before they reach
the author's screen. He does say, however, that Investigator is hooked into the
system before something called the "keyboard driver."
When a key is depressed, that action alone
doesn't create the corresponding letter on the monitor. Rather, pressing the "A"
key, say, causes a slight surge in the electrical current in a circuit board
below. Within 0.2 millisecond, a processor embedded in the keyboard begins to
generate a "scan code" for that key. It is then sent to the keyboard driver,
which translates it and tells the monitor to display an "A." This roundabout
route allows for keyboards with foreign alphabets.
For sleuthing purposes, the fraction of a second the
route requires is time enough to intercept the codes as they travel between the
keys and the monitor. The tiny time lag is important because sophisticated
hackers sometimes encrypt messages to outwit computer-system administrators.
Investigator, though, merely captures each keystroke before it can be encoded.
A similar alphabetic interchange underlay
last December's intrigue at Poplar Grove Airport. About six months earlier, the
airport and an affiliate, Emery Air Charter Inc., in nearby Rockford, Ill., had
hired a programmer to design Web sites and work on special projects for both
companies at a salary of about $50,000. Both businesses, which have about 120
workers combined, were growing rapidly, building hangars for private pilots,
running charter flights and offering refueling and other aviation services.
But for weeks, says Steve Thomas, the
47-year-old chief executive and owner of both businesses, their programmer was
missing in action. He disappeared into his office and produced almost nothing.
Mr. Pauli, the chief financial officer who doubles as system administrator,
would stop by to check on him. But Mr. Pauli says the man "would always blank
off his screen so I couldn't see what he was doing."
When pressed, they say, the man was vague
about his progress. "He was always busy, and we couldn't tell on what," says Mr.
Pauli, 30. "But I could see he was storing things on a CD-ROM."
Worried the man might be "trying to pirate
some of our strategies and secrets," Mr. Pauli says, he and Mr. Thomas huddled.
"We couldn't tap the phones -- it's illegal. We explored a camera to videotape
him," Mr. Thomas recalls.
One surveillance camera they looked at cost
$3,500. But they couldn't figure out how to position it to get good
computer-screen resolution or how to conceal it. Besides, Mr. Thomas adds, "we
weren't certain about the legality."
Then Mr. Pauli went on the Internet and
found the maker of Silent Watch. Adavi Inc., Dunkirk, Md., says it has sold more
than 1,000 copies of the $159 monitoring program, which it started marketing
last July. Aside from keystroke logging, the desktop-monitoring software can be
programmed to send to a manager's screen via e-mail a replica of precisely what
is on an employee's screen at any given moment -- text, graphics and all. Adavi
says it has big corporate clients, but that they are adamant in their refusal to
be identified.
Shelling out $237 for six licenses to
Silent Watch -- "very affordable," says Mr. Pauli -- he installed the software
on the computer of the mysterious programmer and on five others. In no time, the
keystroke logs revealed the man was making repeated visits to pornographic Web
sites, and sending and receiving numerous sexually explicit e-mails, which he
channeled through Internet mail servers outside the airport's scrutiny.
"We were relieved our business wasn't being
compromised," says Mr. Thomas, but the programmer had to be confronted, and
fired. Messrs. Thomas and Pauli planned a sting. After monitoring the keystroke
log for several days, they say, they could see he routinely visited the
"inappropriate" sites early in the day.
So early one morning in late December, they
prepared to swoop. As Mr. Pauli watched the keystrokes spit out on the Toshiba
laptop computer in the CEO's office, Mr. Thomas grabbed a manila folder and
posted himself outside the closed door of the man's office, just down the hall.
When Mr. Pauli was certain the man had a pornographic page on display, he gave
the CEO the high sign, and Mr. Thomas flung the door open. He says the man
rapidly opened another screen to cover the window he had been viewing.
After asking him what he was working on,
Mr. Thomas says he insisted the man show him what was behind the window
"maximized" on his screen. After objecting, the man finally complied, and Mr.
Thomas says, he saw something he will only describe as "raunchy."
Mr. Thomas then launched into a
dressing-down. "I have whole logs here," he recalls saying, thrusting out the
folder, which was filled with printouts. "We don't pay you for that. You don't
work here anymore. Get your things, and get off the property," he remembers
telling the programmer, whom he refuses to identify, but who he says appeared
stunned. "His jaw dropped," Mr. Thomas says.
A few days later, he says, the airport got
a fax from the man that threatened legal retaliation. "We talked about it, and
then ignored it," Mr. Thomas says. "We never heard from him again."
Since then, the company has acquired an
additional 19 licenses for Silent Watch. Mr. Pauli says he uses them mostly to
trouble-shoot computer glitches. With them, he adds, he discovered that some
employees were downloading a video game called Mercenary during their weekend
work shifts. "I printed out the installing logs, and then showed them to their
immediate supervisors," he says. "There hasn't been a problem since."
Mr. Pauli says he generally is using Silent
Watch to keep an eye on computer misuse that hurts productivity, adding, "I
don't care if they type personal letters."
Neither does the software. A couple of days
after December's sting operation, Silent Watch was soaking up the scholarship
plea of the office worker, whom the company declines to name but who it says
received a verbal reprimand for doing personal chores on company time. "In
addition to taking lessons," her note said at one point, "I worked at an airport
to learn the 'behind the scenes'" -- she then backspaced over that, changing it
to say -- "to learn the other aspects of aviation besides flying."
---
Journal Link: For an issue briefing and an
online discussion about Web privacy, see The Wall Street Journal Interactive
Edition at http://wsj.com
---
By Michael J. McCarthy
Staff Reporter of The Wall Street Journal
03/07/2000
The Wall Street Journal
A1
(Copyright (c) 2000, Dow Jones & Company, Inc.)
---
A Personal Work in Progress
Part of a Poplar Grove Airport office worker's college-scholarship
application, as recorded -- typos and all -- by Adavi Inc.'s Silent Watch
software.
Start Session 12/24/1999 9:23:51 AM
Opened Microsoft Word 12/24/1999 9:24:09 AM
Activated Microsoft Word 12/24/1999 9:24:09 AM
Activated Microsoft Word 12/24/1999 9:25:01 AM
AVIATION IS FVERY
IMPORTANT TO MEA VERY IMPORTQNANT PRAR TOT OF MYLI
LIFE. I HAVE BEEN INTERESTE D IN AVVIATIONFLYING AND THE
INAVIATION
INDUSTRY FOR MOST OF MY IFELIFE. R
QUITE A WHILE. AT A VERY UYOUND G
AGE A, I
FLEW IN
Activated Microsoft Word 12/24/1999 9:30:20AM
ON MAJOR ARIRLINES AND THOROGUUGHLY
EENJOYED TRAVELING. I CONITINUED
MY INTEREST
AS I GOT OLDER BY TAKING LESSONS AT A LOCAL AIPRORPORT.
AS A SENIOR IN HIGH SCHOOL, I OBTAINED MY PRIVATE
PILOT L;ILICENSE. I
FLEW AT A NEARBY
AIRPO9RT DURING URING SCHOOL HOURS AS AN INTER WORK
EXPERIENCE. EVERY WEEK EVERY WEEK I RS TO ACQUI4ERE THIS RATING.
THROUGH ITHIS OPPORTUNITY, I KNEW THAT
FLYING WAS THE CAREER I WIHSHED
TO PURSUE. I
CHOSE WESTERN MIHCIICHIGAN UNIVERSITY TO FURTHER MY
EDUACATION IN FLIGHT FLIGHT SCIENCE. THE PROGRAM WA
SEEMED