A Dark Side to the FBI's Magic Lantern

The agency may be developing data-tracking software that can be slipped into a computer without warning -- or a search warrant

By Alex Salkever

The Web has been abuzz recently with rumors of a new tool in the FBI's cyberarsenal. A half-dozen reputable news organizations have published stories about the so-called "Magic Lantern" -- software that supposedly tracks every keystroke made on a computer. No one, including me, has been able to get on-the-record confirmation.

Still, its existence is plausible enough to raise serious privacy concerns, particularly in light of the FBI's aggressive development and use of such cybersnooping technologies as Carnivore. That's the device law-enforcement personnel have installed at Internet service providers to record e-mail and Web page logs from specific account holders.

YOU'VE GOT SNOOP MAIL.

  As it's been described, Magic Lantern appears to be several steps beyond Carnivore -- and not just because of the information it gathers. In computer security parlance, Magic Lantern is a "Trojan Horse" technology -- it represents itself as one thing in order to mask its true purpose.

Magic Lantern quite literally installs itself on a user's computer. The FBI could e-mail this tiny program, disguised as a message from friends or family, to a suspect. The recipient wouldn't even have to open the e-mail to activate the program. As long as it lands in the mailbox, it is capable of sending data logs back to the FBI periodically.

The goal of the Magic Lantern is to allow law enforcement to obtain the passwords needed to lock and unlock the encryption programs that scramble data and render it unreadable. These programs, which are freely distributed on the Web, have proven a frustrating roadblock to law enforcement's efforts to gather and sift through the vast amounts of communications data coursing across global networks. So rather than crack the encryption itself, a daunting task, the FBI will be able to detect the passwords by reading through the keystroke logs.

GANGLAND PRECEDENT.

  The Bureau has already used keystroke-logging technology to snoop passwords from the fingers of Nicodemo Scarfo, an alleged mobster who used encryption to protect his hard drive from prying eyes (see BW Online, 8/23/01, "Needed: Wiretap Laws for a Wired World"). FBI agents planted some sort of key-sniffing technology on Scarfo's machine when they gained physical access to his computer as part of a search warrant. Scarfo's attorney has asked a federal judge to force the FBI to reveal how its technology works, but the FBI is contesting the request and a decision is still pending.

One of the things that scares me about Magic Lantern -- or similar technologies -- is it could alter my machine without my consent. My computer is my castle. Sure, it's cluttered, and sometimes it melts down when I turn on too many applications. But it's my domain -- and I should have the ultimate control over what runs there, and how. The addition of a small plug-in that isn't compatible with, say, my antivirus program, could cause system crashes or loss of data. Change the code and you could change the performance, even the very nature of the machine. It would be like adding a new piece of plumbing to a house without warning the owner that it might freeze in the winter.

It scares me for another reason. Because the tool involves covert installation of software on someone's PC with no physical intervention, it could conceivably allow law enforcement to circumvent wire-tapping restrictions. Such laws remain murky in the realm of computers, e-mail, Web surfing, and storing data on hard drives.

NOT ALONE.

  O.K., maybe I'm overreacting a bit-- at least about my computer getting messed up. It's not like I've done anything that would attract the attention of law enforcement. And the likelihood of Magic Lantern or similar programs causing significant damage is slight. After all, the whole point is to keep the machine up and running so that law enforcement can gather information on a suspect.

According to security experts, technologies similar to Magic Lantern are easy to find in the computer underground. A keystroke-logging Trojan Horse dubbed "Badtrans" is spreading over the Internet. Many big corporations are already using keystroke technologies on their networks as a legal safeguard and to keep an eye on problem employees. So why shouldn't the FBI be able to take advantage of such technology in pursuit of crooks and terrorists?

I think they should be able to under certain circumstances: from a distance, via a Carnivore-like system, and with proper judicial oversight. I can understand why the authorities might want to bug my phone, read my e-mail, and watch where I surf on the Internet.

Magic Lantern crosses the line, however, if it allows law enforcement to permanently alter my PC -- my personal property -- without either my knowledge or the appropriate oversight. Sure, it might represent a step forward in technology. But if not used properly, it could be a step backward on privacy.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Douglas Harbrecht

Before it's here, it's on the Bloomberg Terminal.
LEARN MORE