Do You Know Who’s Watching You?

Chris Wood February 19 2001

Darryl and Donna had a pretty good life until the new computer arrived in their home last October. The couple live with their two young daughters in a small Manitoba town, the sort where the joke runs that “if you don’t know what’s happening in your life, ask your neighbour.” Even so, Darryl (who insisted their names be changed for this article) wasn’t about to confide in any neighbours when his spouse of 15 years began, as he puts it, “acting funny,” soon after the computer’s arrival. Housework went undone, he says, while Donna sat by the hour at the screen. In mid-January, gnawing suspicion finally overcame him. Charging $69 (U.S.) to his credit card, Darryl downloaded some software from the Internet and in minutes installed it on the family PC. Then he went to bed and left the machine to his wife.

“I got up at five the next morning,” Darryl said a week later, his voice trembling over the telephone. “I went and turned on the computer. And I saw what I didn’t want to see.” The program from Vero Beach, Fla.-based SpectorSoft Corp. had done exactly what it promised. In heartbreaking detail, it had recorded every single move Donna made online, every Web page she visited and every remark she typed into a chat window. Including the explicit sex talk she had shared with several men.

Welcome to the age of anywhere, anytime, anybody surveillance. Like some darker version of Tang and Teflon, technologies first conceived by national spy agencies and the military are now being retooled as security products for home and business. Civilian programmers have been busy creating entirely new breeds of spyware to exploit the inherent vulnerabilities of the digital environment. As hardware prices drop and software flits effortlessly across the Net, privacy-busting tools once the sole preserve of the CIA and the KGB are turning up at the 7-Eleven, in the office cubicle—and the bedroom. To keep them at bay, privacy experts foresee a future lifted from the pages of a Tom Clancy novel: every citizen with a secret key to encrypt his cyber-thoughts, and multiple identities to conceal his true one.

Those doing the spying are not only the villains of the imagination, however. True, new technologies for surveillance (and concealment) have found eager fans among organized criminals. True again that the Internet has created a global playground for creeps and perverts. Cheap spy gear and the Net have even come together to spawn a disturbing new epidemic of technologically enhanced voyeurism amid the explosion of online porn (page 24).

It could be your boss, your government, your spouse, or a sexual creep. As technology explodes, the law can’t keep up.

But companies are also spying, on workers as well as on customers. Governments in several countries have given themselves new rights to snoop on their citizens. Parents have found new ways to keep an electronic eye on their kids. And in small but growing numbers, husbands are cyber-spying on wives, wives on husbands. Sales of the program Darryl used to catch Donna have tripled in the past year. The American Management Association says two out of every three U.S. companies monitor employees online. Even as fearless a fellow as former RCMP commissioner Norman Inkster, who now runs KPMG Investigation and Security Inc., admits: “It all gets a little scary. There is a point where one needs to be concerned Big Brother is watching.”

Unlike the malignant state agency of Orwell’s fiction, though, the new millennium has democratized surveillance. Anyone can spy. That is particularly evident in the plummeting price and widening availability of covert audio and video surveillance devices. Drop in to Spy-Central, on Vancouver's Robson Street, or any store like it in any Canadian city, and you might stroll out with a charming Art Deco mantel clock. Concealed behind the face is a video camera. Cost: about $300. Sound recorders hidden in pens go for under $200. Explains Elmer Ventura, one of Spy-Central’s owners: “A lot of business people are walking into meetings and recording everything. Then, I have a few clients who come in every three or four months, empty the shelves onto the counter and pay cash for everything.”

Other new technologies are extending the capabilities of those ubiquitous video security monitors. By one popular estimate, they record the image of every urban Canadian an average of 15 times a day. As the cameras have proliferated, the sheer volume of images threatens to overwhelm those watching. To the rescue comes biometric software able to match the images to vast databases of photo IDs. Police in British Columbia and Ontario both use computer programs to match surveillance pictures to faces (and names) contained in digital mug-shot files. Many casinos deploy similar software to identify and keep out known cheats. At January’s Super Bowl in Tampa, Fla., authorities scanned the faces of 100,000 people entering the stadium, identifying 19 with criminal records.

But it is the Internet where privacy’s defences are most porous. From legitimate scrutiny by employers, to the schemes of sexual predators, the Net’s digital underpinnings and culture of anonymity expose users to a jungle of online risks. Some are truly terrifying. “Cyber-stalking is a very big complaint,” says Det. Bruce Headridge of the Organized Crime Agency of British Columbia, based in the Vancouver suburb of Delta. Complaints have doubled in the past year, he says, frequently after a contact made in a chat room turned sour. A common stalker ploy is to send copies of indiscreet e-mail to employers, in hopes of having the victim fired. More frightening for one U.S. woman was a stalker who sent out dozens of e-mails claiming she fantasized about being raped. Says Headridge: “She actually had someone come to the door and say they wanted to rape her.”

The Net has also unleashed a spate of what investigators call “lurings”—instances of older men (and occasionally women) using the Internet to target vulnerable young girls and boys, whom they then persuade to leave home and join them. “In one three-month period,” says Det. Noreen Waters of the Vancouver police, “we had five children lured away from home in British Columbia—that we know of.” In one case, a 58-year-old man from Oregon introduced himself to a 12-year-old boy from the B.C. interior as another 12-year-old, eventually persuading his target to buy a bus ticket to Seattle (the youngster’s father intervened before he boarded the bus, and the Oregon man was arrested). In another, a 21-year-old Saskatchewan woman convinced a 14-year-old B.C. boy to run away from home with her; they lived in her car until police found them and arrested her. The lurers each took advantage of anonymity on the Internet to disarm their victims in the artificial intimacy of online chat rooms. “If a stranger came to your door wearing a bag over his head,” suggests Waters, “and said they wanted to spend hours every day with your daughter in her bedroom with the door closed, would you let them in? Yet every day, parents are allowing strangers into their kids’ bedrooms through the Internet.”

Criminals hide their own identity online; they can also steal yours—or at least enough personal information to masquerade as you. Data banks containing credit-card information are high on hacker target lists—and routinely breached. Last month, police heard from three Halifax computer companies that someone was using credit-card accounts to make unauthorized purchases. The card numbers turned out to have been stolen from databases in the United States and Britain—by hackers in Eastern Europe. At other times, Web sites ranging from to Yahoo! have accidentally exposed sensitive customer data. Small wonder as many as 90 per cent of consumers surveyed say privacy concerns deter them from shopping online.

Misuse of e-mail need not be criminal to be painful. A 26-year-old Briton, Claire Swire, was mortified just before Christmas when her boyfriend, Bradley Chait, passed a sexy e-mail message she had sent him on to several friends—who then forwarded it further to what became a readership of millions. The affair hit the London tabloids; Swire went into hiding. In June, 1999, Canadian Forces naval Capt. David Marshall lost his command of CFB Esquimalt on Vancouver Island, after flirtatious e-mail exchanged with a woman other than his wife surfaced in a local paper.

Those misfortunes reflect as much on individual judgment as on the nature of the Net. But determined digital intruders have more specialized tools at their disposal. Back Orifice is one program hackers can use over the Net to seize control of Windows-based personal computers (a program called Timbuctu has similar powers over Macintosh machines). Once activated, Back Orifice lets the remote hacker treat the target computer as his own, accessing password files and even controlling attached devices. Boasts Det. Headridge, who has mastered the software: “You know those nice little cameras everybody’s got on their PCs? I can turn it on. If it’s in your bedroom, I can film whatever you’re doing.”

A creepy new trend targets PCs with so-called always-on high-speed connections to the Net. Using Back Orifice or a similar program, hackers can install additional software that makes the machines act as Internet servers. One scam is to store child pornography on unused space on the target PC’s hard drive—or on Web pages associated with its Internet account. In effect, the PC’s owner is now the unwitting host of an illegal porn site.

But not everyone sneaking around online is a bad guy. Last fall, Montreal police traced communiqués claiming responsibility for a series of bombing attacks on Second Cup coffee shops—targeted for their use of English—to a Microsoft Hotmail account. Former FLQ terrorist Rhéal Mathieu has since been charged in the attacks.

Police in every major country have pressed for new powers to intercept what travels over the Internet. In 1999, Australia gave its authorities the right to enter homes surreptitiously to hack into suspects’ computers. More recently, British and U.S. police won government blessing for their plans to install eavesdropping devices in Internet service providers’ premises. The devices—ominously code-named “Carnivore” in the American case—act much like telephone taps, allowing police to intercept e-mail on its way to and from a specified Internet address. Canada has yet to give its police similar authority, but a report released last October by the normally super-secret federal Communications Security Establishment argued that e-mail interception “may be required” for the CSE to protect government computer networks against viruses.

The RCMP would also like expanded powers. “Are we in a position to intercept Internet communications? Not really,” concedes Chief Supt. Pierre-Yves Bourduas, the force's Moncton, N.B.-based Atlantic organized crime unit boss. “We haven’t got the capabilities.” Instead, Canadian police can only present a court warrant authorizing them to examine whatever traffic logs an Internet service provider may keep.

On the other hand, the same anonymity that empowers predators on the Net can be put to use by their pursuers. A little over two years ago, former B.C. MLA George Kerster exchanged e-mail with someone who claimed to have a “curious and undeveloped” 11-year-old girl available for sex. In subsequent e-mails, Kerster expressed his interest in meeting her—for a price. On Jan. 12, 1999, Kerster met a woman claiming to be the girl’s mother at an East Vancouver fast-food joint and followed her to a hotel to consummate the deal. It was only there he learned he had been corresponding with police. Last week, a B.C. Supreme Court judge found Kerster guilty of attempting to obtain the sexual services of a minor.

Business has also found uses for online surveillance. Some are controversial, but most are also clearly sanctioned by law. Many Web sites place tiny scraps of program code, called “cookies,” onto the computers of Web surfers who visit. The code identifies the computer so the site can recognize it as a repeat customer if it returns. But many cookies also track every other site the computer visits—and report back to their owners. Last June, New Jersey Web site operator Chris Specht took on giant America Online Inc. (now the even more gargantuan AOL Time Warner) in court, claiming its Netscape Communicator browser conducted “continuing surveillance” of its users. That case continues, but last month, the U.S. Federal Trade Commission abandoned an investigation into complaints that New York City-based Double-Click, the Internet’s biggest advertising agency, improperly used cookies to track customers.

Canadian law offers consumers more privacy protection than American statutes—but is also untested. The Personal Information Protection and Electronic Documents Act came into force at the beginning of January. It requires federally regulated companies—and all others eventually—to get consumers’ consent before collecting information about them. But the law has yet to face fire in court. And its power to protect Canadians in dealings with big American players like Amazon or eBay is uncertain at best.

Whatever your e-store is up to, however, your boss’s right to spy on you is, legally speaking, well-nigh unassailable. “The standard is the old concept of the master-servant relationship,” explains Paul Kent-Snowsell, a Vancouver lawyer who specializes in Internet cases. “It has always been cause for dismissal if you’re not using company time to do company work.” Last August, Dow Chemical Co. fired 74 employees in Texas and Michigan for using their computers to circulate pornography—joining the 28 percent of surveyed U.S. companies that have already fired workers for e-mail abuse. Several outfits sell programs to monitor workers’ Internet transactions—often bundled with other software designed to protect corporate networks against virus attacks. But according to Robert Lendvai, marketing director for one vendor, Ottawa’s Kyberpass Corp., while Canadian corporations routinely invoke anti-viral firewall features, only about one in five activates the monitoring powers.

Consumer versions of corporate firewalls that deter some kinds of intrusion are available. BlackIce, Norton Anti-Virus and McAfee VirusScan are among popular software packages that protect home PC users from programs like Back Orifice. Many such home firewalls also let users disable commercial cookies.

But they are largely impotent against an emerging strain of domestic spyware that pushes the ethical debate onto sensitive new ground. As many as half a dozen products that secretly monitor every key struck on a target PC are available over the Internet for as little as $27. The man who created the software Darryl used defends his work. SpectorSoft president Doug Fowler says he first wrote the program to give small companies the same oversight powers as larger ones, and to help parents monitor their children online. And some buyers use the software for exactly such purposes. Six months ago, retired Toronto businessman Wilson Markle put Fowler’s software on the PCs his 18-year-old daughter and 15-year-old son each have in their bedrooms. So far, he says, the daily reports he receives have given him nothing to worry about.

But Spector’s president acknowledges that spying on your spouse has turned out to be his product’s “killer app.” After Fowler experimentally offered a copy to catch “cheating husbands” in an auction on eBay in July, 1999, he says, “our sales tripled within 60 days.” He admits the lopsided response troubles him: “I’d rather parents were using it to watch the kids at home.” Nonetheless, he argues, “there is a lot of online infidelity. It’s easy to get addicted to it and it’s not easy to stop.” He claims that a third of people who engage in online affairs eventually move their liaisons into the real world.

Such spyware remains in a legal grey zone. The phenomenon is too new to have been addressed directly in law. But analysts say Spector and its ilk are likely legal when deployed on a home computer the spyware-user owns (as well as on work computers when installed by the employer). But other applications could violate some provinces’ privacy protection statutes. For his part, Wilson Markle says he would remove the software from his daughter’s computer if she left home to attend university. And he acknowledges reservations about the program’s covert operation. “Even if you’re a very experienced person,” says Markle, who has a background in computer surveillance, “you won’t find it.”

There may be no simple defence against being spied on by your near and dear. But tools are emerging to reduce the vulnerability of private e-mail, and to help solve the flip side of the “lurer” problem: how to prove you really are who you say you are online. Several vendors sell software that will encrypt digital documents and, if you like, sign them with a nearly unbreakable code identifying you as the sender. One version is available from Canada Post for as little as 65 cents a message. Ottawa, meanwhile, plans to announce later this year what form of digital proof of identity it will endorse for citizens who want to access federal services online. Bureaucrats are currently debating whether to assign every Canadian a unique “digital identity certificate,” or to bow to concerns that such a single identifier might—like social insurance numbers—be prey to abuse.

For those who don’t wish to be followed online by trails of e-commerce cookies, so-called anonymizing software, sold by companies like Canada’s Zero Knowledge Inc., creates digital pseudonyms that subscribers use to surf the Web anonymously. Alex Fowler, the Montreal company’s San Francisco-based vice-president for “policy and advocacy,” foresees a day in the near future when every citizen maintains multiple identities for different online activities—one to shop, another to deal with government and perhaps several more for use in chat rooms—as the only means of keeping some control over what they reveal about themselves. “People realize there are all these different aspects to their identity online,” says Fowler (no relation to Doug). “Identity management is a skill not many of us have today, but we’ll all have to develop it.”

Fowler the privacy advocate and Inkster the ex-cop share a common fear. Both worry that the reach of surveillance technology is expanding far faster than most ordinary citizens know—and that it could soon become even more frighteningly all-embracing. For Fowler, a key battleground is the arcane world of technical standards groups, where engineers and interest groups—but seldom the public—set the rules that ensure that everything from Internet servers to cellphones can be closely monitored. To Inkster, controlling the creeps and the criminals means accepting new means of surveillance—but only with checks and balances to protect individual privacy. “In the past, we could sometimes make a certain assumption of privacy,” Inkster reflects, “because we knew the technology couldn’t be there. Now the technology is there. The question becomes, will the law ever catch up?”

To parent Markle, there is no doubt: the race is over and technology has won. “Anybody who doesn’t have a thing to hide has no problem,” he says. “Those who do have something to hide will have a problem. I take comfort in that.” Darryl is not so sure. “This program,” he says, “I praise it and I curse it.” Fish bowls may be fascinating to watch. They are likely to be less enjoyable to live in.

With Brenda Branswell in Montreal
