US police secretly planted spyware

by 51ipw on 2008-04-18 05:07:35

A recent ruling by a US court has raised concerns over whether antivirus software vendors intentionally overlook secret spyware placed in their products by the police.

In a case disclosed earlier this month, US federal agencies used keylogger spyware within antivirus software to preserve the computer records of a drug suspect. The US police referred to it as "government software" (fedware).

CNET conducted a survey of 13 major antivirus software vendors and found that none of the companies openly admitted to collaborating with government agencies. However, there are indications that some of these vendors, if they received a court order requiring them to remain silent, would not warn users about the presence of government software in their products.

Most of the surveyed vendors, from small companies to Symantec and IBM, stated they had never received such a court order. The surveyed antivirus software vendors included: AVG/Grisoft, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro, and Websense. Among them, McAfee and Microsoft refused to answer questions.

Currently, only two criminal cases in the US involve the use of keyloggers by the police, so the relevant legal rules remain unsettled. However, keylogger software manufacturers have stated that law enforcement and investigative agencies are long-time buyers, partly because keyloggers can bypass the increasingly common communication and hard drive encryption settings. Both Windows Vista and Apple's OS X operating systems have built-in encryption measures.

Some of the surveyed vendors strongly emphasized their commitment to protecting user privacy. Marc Maiffret, founder and CTO of eEye Digital Security, said: "Our customers pay us to protect them from various forms of malicious code. It's not our responsibility to enforce the law, so we have not and will not give a green light to law enforcement's spyware or other tools." eEye sells Blink Personal for $25, which includes antivirus and anti-spyware features.

Other companies took a more neutral stance. Check Point, the maker of ZoneAlarm software, said it would give federal agencies the same treatment as third-party vendors if they asked to be placed on the "whitelist" (exemption list). However, a spokesperson for the company stated that Check Point has never given a green light to government agency software.

Reports about antivirus software vendors allowing government software are not baseless. In 2001, the Associated Press reported that McAfee had cooperated with the FBI to ensure that government software was not flagged as malware by its antivirus program. McAfee later claimed that the report was incorrect.

By the end of that year, the FBI confirmed that it was developing spyware called "Magic Lantern" to remotely inject keyloggers into users' computers via viruses.

Government agencies and backdoors in tech products have long been secretly intertwined. In 1995, the Baltimore Sun revealed that the US National Security Agency had persuaded Switzerland's Crypto AG company to install backdoors in its encryption devices.

In his 1982 book "The Puzzle Palace," James Bamford described how the predecessor of the US National Security Agency had forcibly required Western Union, RCA, and ITT Communications to translate telegrams for it since 1945.

Last year, the BBC reported that the UK government may have held talks with Microsoft, but Microsoft vowed that it would not add backdoors to the encryption functions of Windows Vista.

Even if government agencies like the FBI and DEA do not force security companies to give a green light to government software, security experts predict that such court orders are just a matter of time.

Under current law, do the police have such authority? Kevin Bankston, a lawyer at the Electronic Frontier Foundation, believes that the government should clarify related laws. He said: "There is no precedent for such rulings."

Part of the "Wiretap Act" stipulates that courts can require providers of wired or electronic communication services, homeowners, managers, etc., to assist the government in electronic surveillance.

Theoretically, government agencies could even request a court order for security vendors to release spyware as an automatic update to their products. Most modern security vendors and operating system vendors, like Microsoft and Apple, regularly provide patches. Although this requires meticulous technical setup, it is technically feasible...