By now, we should all know that federal law enforcement is using keyloggers in surveillance activities, and a court ruled it constitutional -- even without probable cause. What this means to the general public is that the U.S. Constitution provides absolutely no protection against law enforcement eavesdropping on our digital lives. Somehow, the fact that it's a computer means none of the usual rules apply.
Many TechRepublic regulars will also be aware of the fact that CNET News.com has published the results of a survey of 13 security software providers that questions their policies toward law enforcement malware -- specifically spyware, such as keyloggers. The results were varied and interesting.
The questions CNET asked were simple. Paraphrased, they were:
- Has any law enforcement or government agency approached your company about putting spyware on your customers' computers without a court order and intentionally failing to detect it?
- Would your company, at law enforcement request, help hide such spyware from its customers?
- Has your company ever received a court order instructing it to comply with law enforcement wishes in this regard?
Including follow-up questions for clarification in some cases, some of the respondents were asked more questions than the others, but at least those three basics were covered. You should form your own opinions of the answers, of course -- after reading the article about the survey.
I've decided to provide a bar graph for a quick and easy look at how, in my estimation, each of the surveyed security vendors fared in terms of trustworthiness as a provider of security software:
In the interests of full disclosure, my rating system for the trustworthiness of each security software vendor in regard to protecting against federal law enforcement malware (aka "fedware") -- from 0 to 10 -- looks like this:
- Not a known malware maker: 1 point
- Claims about security software behavior are verifiable: 1 point
- Did not give an offensive answer to the question about contact by law enforcement: 1 point
- Gave a meaningful, non-suspicious answer to the question about contact by law enforcement: 1 point
- Did not give an offensive answer to the question about alerting users to fedware: 1 point
- Gave a meaningful, non-suspicious answer to the question about alerting users to fedware: 1 point
- Gave an informative answer to the question about alerting users to fedware: 1 point
- Gave an answer to the question about alerting users to fedware that inspired confidence and displayed great integrity: 1 point
- Did not give an offensive answer to the question about a court order: 1 point
- Gave a meaningful, non-suspicious answer to the question about a court order: 1 point
Keep in mind that, in this list, each point that can be gained for the answer to a given question depends on having already gained a point for the question just preceding it. For instance, you can't get a point for a meaningful, non-suspicious answer if your answer actually offends the sensibilities of a responsible security professional. The exception is that it is possible to miss the point for giving a meaningful answer on any of the three questions without missing the point for avoiding offensive answers, simply by failing to answer the question in a manner that does not appear to be a conscious evasion.
Two of these companies, eEye and Sana, scored a 9 out of 10. Considering that there is no way to verify the claims about the behavior of the software with regard to fedware in any of these cases -- all of these companies use closed source, proprietary software that is actually illegal to reverse-engineer under terms of the DMCA -- it is unfortunately impossible for any of them to score a perfect 10 here.
In addition, there is no test suite of which I'm aware for checking the response of this software to various pieces of federal law enforcement malware. As such, there is one point that all vendors missed. Meanwhile, the one point that every single vendor received was the point for avoiding giving an offensive answer to the question about alerting users to the presence of "fedware" on their computers.
Obviously, the scoring system I used is quite subjective. You may very well come to different conclusions about how some of these vendors should rate, even using the same scoring guidelines I listed above -- but I thought carefully about each question, in relation to each vendor, and provided the most objectively valid answers I could.
The results of this survey, summarized and abstracted in the above bar graph, should be on your mind the next time you consider purchasing security software or renewing a software subscription from one of these vendors.