By Mark Rasch
In January 1999, agents of the FBI raided the offices of Nicodemo S. Scarfo, a reputed Philadelphia underworld figure, searching for evidence of illegal gambling operations. Armed with a search warrant, the agents searched for and seized files contained on his computer, including a single file that was encrypted using the commercial software PGP.
According to documents later filed with the court, the government believed that the encrypted file was relevant to the gambling investigation, and that it was covered by the court order. Unfortunately, as the government told the court, their "normal investigative procedures to decrypt the codes" were unsuccessful. The government was then in a quandary.
In an effort to decipher the contents of the previously seized encrypted file, the government, on May 8, 1999, applied to a Untied States Magistrate Judge C. Donald Haneke for a court order permitting them to install what they described as a "keystroke logger" on Scarfo's computer. The government, under the laws that permit search and seizure, and under the court's inherent authority to issue orders to effectuate its own powers, requested authority from the court to install "software, firmware and/or hardware" to "monitor the inputted data on Nicodemo S. Scarfo's computer" to attempt to capture the PGP pass phrase.
The government went further, asking the court to excuse it from the normal requirements that it leave a copy of the search warrant after conducting the search, and permitting what is sometimes called a "no-knock" warrant. Based upon the government's affidavits and submissions, the magistrate signed an order, based on a finding of probable cause to believe there was evidence of a crime in the encrypted file, permitting the government to enter Scarfo's office, install the key logger and capture keystrokes.
The court described the program as a "specialized computer program to search for and seize computer passwords and keys." The key logger was in place for two months, after which the court permitted the government to retrieve the output. Contained in the output file was only 45 pages of keystrokes, including literally hundreds of keystrokes such as or similar "nonsense" characters.
On the last entry of the last page of the key log file was an entry that included Scarfo's PGP pass phrase, which by happenstance, was his father's federal Bureau of Prisons ID number. The government then used this information to decrypt the encrypted file.
Earlier this year, in a courthouse in Newark, New Jersey, Scarfo's lawyers moved to suppress the results of the search made by the key logger as being both an unreasonable search and seizure, and an illegal wiretap. They also requested that the government reveal precisely what the key logger was, how it worked, what it searched for, and how it seized evidence --- matters never disclosed to the magistrate who issued the order that it be installed.
Because the federal rules governing criminal discovery provide very limited disclosure requirements, the government refused to disclose any details about the key logger. The government also stated that "the FBI's key logger system is a highly sensitive law enforcement search and seizure technique" and that disclosure of the technique would compromise both law enforcement investigations and national security.
This was accompanied by a lengthy affidavit from the head of the FBI laboratory, indicating that only 30 people in the world were privy to the inner working of the key logger system, and that disclosure would invariably injure ongoing investigations. Moreover, the government contended in a pleading filed with the New Jersey judge, the laws regarding electronic wiretaps were not implicated in this case because the key logger was configured not to capture communications emanating from Scarfo's computer via modem to the outside world.
The Federal District Judge disagreed, and ordered the government to demonstrate precisely how national security would be implicated if the materials were disclosed. The government responded by asserting that the key logger system itself was "classified" and therefore invoked provisions of federal law that limit or preclude the disclosure of classified information. At present, no disclosure has been made to the defense or to the court about how the key logger worked.
LEGAL REGIME. Did the government overreach in this case? Was the installation and monitoring of the key logger program a violation of the federal wiretap law?
Clearly the government had a legitimate interest in conducting a criminal investigation of Nicky Scarfo. The magistrate found probable cause to search the computer and to seize the pass phrase. Courts routinely permit the installation of hidden video cameras or surveillance. Indeed, only days after the government filed its classified motion, they revealed in another case that they had installed a hidden camera at a TRW's offices to monitor Brian P. Regan, suspected of spying for Libya, and to watch him sending emails containing classified information.
But there are limits to government surveillance. There are essentially three limitations on the scope of government searches and seizures. They are the Fourth Amendment itself, federal rules on the issuance of search warrants, and federal laws regarding "electronic surveillance."
The Fourth Amendment by its terms provides that: "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Thus, the Constitution requires that the conduct be considered a "search" or seizure, that it be reasonable, and that if searched pursuant to a warrant, there be a finding by a neutral and detached magistrate that there is probable cause.
Finally, the Constitution mandates that there be specificity --- that the warrant provide sufficient detail about what is to be searched for and seized --- and not merely act as a "general warrant."
Complaints that the government violated Scarfo's privacy by installing the key logger are likely to be unavailing. All search warrants violate privacy --- that is the essential nature of a court ordered search. The court made a finding, which the government agents are generally entitled to rely upon unless secured in bad faith, that the PGP file was likely evidence of a crime and therefore could be seized.
The magistrate further found that the key logger was a reasonable method for obtaining the pass phrase, and that a covert "search" for the pass phrase was appropriate. The government therefore contends that, under the Fourth Amendment itself, the "search" was reasonable, supported by a warrant and affidavits, and based upon probable cause.
What distinguishes this case from most Fourth Amendment cases is the fact that the items to be searched for and seized did not exist at the time the court order was in effect. The government did not describe to the magistrate how the key logger would accomplish the minimization requirements inherent in the Fourth Amendment.
How, for example, could the key logger distinguish between a PGP pass phrase (covered by the seizure order) and a letter to Scarfo's attorney (protected by attorney client privilege)? Was the "minimization" to be accomplished after the fact --- that is, all keystrokes were to be captured, but government agents would only read the ones that were relevant to the court order? Indeed, the government's affidavit in support of the key logger order is remarkable in its lack of detail about what is presumably a new and legally untested technology.
In a recent case involving the government's use of infrared monitors to peer virtually inside a home without a warrant to determine whether a suspect was using heat lamps to grow marijuana, the United States Supreme Court ruled that the invasive use of new technology violated the Fourth Amendment. In doing so, the Court relied heavily on specific findings about the nature of the infrared device, precisely what it did, how it worked, and what it was able to capture, in determining the extent to which it invaded privacy.
No such information was provided by the government, either to the Magistrate or the District Court to effectively evaluate the use of this new keystroke logging technology. Indeed, the Magistrate was never told that the technology he was authorizing was classified for national security purposes, and that its disclosure would result in irreparable harm to national security. It was effectively described as a run of the mill search warrant.
SEARCH WARRANTS AND WIRETAP. The Federal Rules of Criminal Procedure generally requires at the time of a search that the person searched be provided with a copy of the warrant and an inventory of what was seized. In the Scarfo case, it is unclear when the search and seizure occurred. Was it when the key logger was installed? Did each keystroke log constitute a separate search? Was the search accomplished when the government retrieved the log files, or only when government agents examined the results of the logs?
In the Scarfo case, the government specifically requested that the magistrate excuse the requirements of notice and disclosure, and the court did so. Thus, the failure to leave an inventory or provide notice was lawfully excused, but the metaphysical question of when the search occurred or whether it was "reasonable" remains unanswered.
The most difficult aspect of the case is the application of the federal wiretap law and the Electronic Communications Privacy Act to the government's actions. Federal law distinguishes between a "search" for evidence of a crime and an "interception" of either aural or electronic communications.
For example, if the government has probable cause to believe that there is evidence of a crime contained on your computer, they may obtain a simple search warrant for that computer, with no need for a wiretap order, even if there are emails or other "communications" contained on the hard drive.
If, on the other hand the government wants to read your emails in transmission, (or listen to your telephone calls, or install an audio "bug" in your house) it must obtain a special order, called a Title III order which severely limits what the government can do. The order must be approved by high-level Justice Department officials, can only be effective for 30 days at a time, and significant efforts must be made to ensure that only matters covered by the court order are examined.
Further complicating the issue is the fact that the law may distinguish between the interception of email "in transmission" and email that is stored -- even temporarily. As a general rule, for the government to obtain communications "in transmission" requires a Title III wiretap order, to obtain them in "temporary storage" requires a search warrant, and to obtain them in "permanent storage" requires a mere subpoena.
While the Ninth Circuit federal court of appeals in California ruled that acquisition of temporarily stored email requires a Title III wiretap order (although the decision was "withdrawn" last week and no new order yet issued), federal appellate courts in Texas and district courts in Massachusetts and elsewhere have ruled that the interception must be while the email is "in transmission" to trigger the more stringent Title III requirements.
The law makes no provision however for the interception of communications "for transmission" but not yet "in transmission." Thus, as you type an email on the screen, but have not yet pressed the "send" button, or as you type an Instant Message on the computer but have not yet "transmitted" it, is capture of these communications an "interception in transmission?" Is the government "intercepting" Brian Regan's email when it virtually "shoulder surfs" his computer with a camera under the authority only of a search warrant and not a Title III order?
What distinguishes the Scarfo case is the fact that the key logger, while intending to capture only a PGP key typed (whether or not the modem was engaged) may also have captured keystrokes that represented communications in transmission. The government's position on the legality of this monitoring is unclear. The government may be contending that the interception of emails, web traffic or other electronic communications is permissible under the lower search warrant standard using the key logger, so long as the key logger captures the communications before they leave the computer en route to the Internet.
Alternatively, the government may be arguing that the specific file at issue in this case, the PGP pass phrase, was not in transmission, and therefore could be lawfully seized even if other matters were captured "for transmission."
The United States Supreme Court addressed a similar issue in 1942 when it ruled that the installation of an audio "bug" adjacent to a lawyer's office that would pick up the attorney's end of his conversations on the telephone did not come within the ambit of the federal interception law. The Supreme Court noted that "What is protected is the message itself throughout the course of its transmission by the instrumentality or agency of transmission." The court concluded that the listening in the next room to the words of the target as he talked into the telephone receiver was not an interception of a wire communication any more "than would have been the overhearing of the conversation by one sitting in the same room."
In this case, the court tied the target's expectation of privacy to the physical trespass necessary to invade such privacy. Because no physical trespass was required, the majority of the court in 1942 concluded, no invasion of privacy occurred. This literalistic approach was, however, rejected by the court in an electronic surveillance case in 1967 involving a tap placed on the outside of a telephone booth, and by the current Supreme Court in considering the use of the infrared monitors which required no physical trespass.
UNLEASHING THE TROJANS. If the government seriously takes the position that the interception triggered by the wiretap law and ECPA occurs only at the modem or other device, and not between the keyboard and CPU, this represents a dangerous expansion of the law that could vitiate the need for the government to ever obtain a Title III order.
Programs such as the BO2k and Sub7 Trojans, or WinWhatWhere, or Monitorer can be surreptitiously installed on a target computer and ordered to capture keystrokes, in real time, before they are transmitted to the web. They can further be used to transmit the results of these "searches" to law enforcement or intelligence agents in real time over the Internet or by direct dial-back.
If the government seriously takes the position that Title III is implicated only past the network interface, then privacy rights are effectively nullified.
For now, the government is resisting disclosure of the mechanism by which the key logger captures information as both irrelevant and protected for national security purposes. However, knowing at a minimum what the logger captures, how it captures it, when it captures it, and how it restricts what it captures, is essential for the court, the defense, and for society generally to evaluate what privacy regime applies to the new technology.
As the Supreme Court noted in the infrared search case in June of this year, "It would be foolish to contend that the degree of privacy secured to citizens by the Fourth Amendment has been entirely unaffected by the advance of technology."
Knowing what the technology is and how it works is the first step to evaluating its affect on privacy. While the government should be permitted to use legitimate surveillance techniques, their use and growth must be effectively scrutinized by the courts, the press, and the public at large with as full disclosure as possible.
Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive Systems Inc. in Reston, Virginia, a computer security and network design consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the head of the U.S. Department of Justice Computer Crime Unit and prosecuted a series of high profile computer crime cases from 1984 to 1991.