Is Keylogging Legal?

In the hierarchy of security, keyloggers were once considered small potatoes. The threat was deemed unlikely, and almost fanciful. Not anymore. Keyloggers are everywhere. For those new to the area, a keylogger does just what it sounds like — records keystrokes — which can then be played back. For those who can remember, it’s similar to a typewriter ribbon, which had an imprint of every key pressed and their order - a literal scroll of all the work done on that keyboard. Only digital keyloggers are a heck of a lot easier to read back.

Keylog output is scary — plain text of your IDs and passwords, your instant messaging, your private emails - it’s all there.

There are two types of keyloggers - software programs and hardware. The software programs can be detected (usually) with anti-virus/spam or even specialty keylogger-detecting software. The hardware loggers are much tougher. To catch these, you need to do a visual inspection of your keyboard and check for a dongle like this, but even worse is one of these - the keylogger is inside the keyboard. (Makes me wonder about trying to ‘sniff’ my wireless keyboard/mouse combo… looks like it can be done, thanks to this article…)

If you Google “keylogger”, you get nearly 10 million hits, and more ads than I want to count. This is a very popular product area.

The legal status of keyloggers is somewhat vague. It looks like back in 2004 a Federal Judge in California dismissed a keylogger case, basically saying that keyloggers don’t violate the Federal wiretapping laws. Linked. So that leaves us with no laws that explicitly deal with keyloggers. It looks like until then those of you with tin-foil hats might also want to start using a ‘virtual keyboard’, since the Feds have already used keyloggers to get PGP and encrypted email, here (with good reason).

I believe there are both “good” and “bad” uses for keyloggers. Keyloggers absolutely violate personal privacy, no question. Use of keyloggers, when targeted and with a warrant, is a “good” use - we want to catch the bad guys, and a judge reviews the issues. Monitoring your OWN assets is valid (your business or your home computer). If it’s a business, users should be informed (via policy or signage). If it’s family, I’ll leave it up to your own ethics.

Monitoring someone else’s assets with a keylogger, without their explicit permission, should be illegal. Where’s the outrage?

More background and stats on this issue here

2 Responses to “Is Keylogging Legal?”

  1. Charles, excellent article. From a programming standpoint, we use keyloggers to record keystrokes so that we can programmatically replicate a user’s action. These are sometimes nicely called “Windows Macro Tools”, but they are keyloggers and keyboard/mouse replicators with a scripting language built around them. The ROI of these tools is high (they basically replace the manual effort) and their usage is one time. But they lend credence to your point above… a programmer could log your keystrokes (including what sites at work you log into) and AUTOMATICALLY log in to your systems and take a peek around.

  2. I think keylogging has a lot of valid uses — Testing is a major one. But using keylogging for covert surveillance is wrong.
