
Federal and State Wiretap Act Regulation of Keyloggers in the Workplace

Written by Susanna Lichter
Edited by Laura Fishwick

“CyberPatrol,” “SniperSpy,” and “IamBigbrother” are the names of keyloggers that might be installed on your office computer. These easy-to-use and inexpensive hardware or software devices record keystrokes and allow a monitor to access email and other password-protected accounts of an unsuspecting typist. Employers are using keyloggers more often in the workplace to oversee employees without their knowledge. Managers argue that computer surveillance is important to ensure productivity, but alternative tools like website blockers, remote desktop access and time audits allow employers to determine whether an employee deviated from her task without risking the same breach of trust or employee humiliation associated with keyloggers.

Although keyloggers facilitate a major invasion of privacy, they are legal in many jurisdictions. There is currently no federal law that has been interpreted to prohibit their surreptitious use. The Electronic Communications Privacy Act (ECPA), which includes the Federal Wiretap Act (FWA) and the Stored Communications Act (SCA), could potentially prevent keystroke theft, but thus far the protections it offers have not been extended to keyloggers. However, there is evidence that this may soon change. Several recent cases have suggested a broader interpretation of the ECPA than what has previously been held. Additionally, in the absence of a consensus about federal law prohibiting keyloggers, some courts have interpreted state statutes to protect the public from having their strokes stolen. The conflict of interpretations between jurisdictions leaves people in many states vulnerable to invasive employer spying. It also creates a lack of clarity for employers and employees regarding what is considered lawful conduct. The surreptitious use of keyloggers should be subjected to wider regulation by state or federal law. In a few cases courts have diverged from precedent and adopted this position.

The Limited Interpretation of the Federal Wiretap Act

In September 2011, the Southern District Court of Indiana heard the case of a woman whose privacy was violated through the use of a keylogger. The defendants in Rene v. G.F. Fishers, Inc. authorized plaintiff Lisa Rene to access her personal checking account and personal email from an office computer without disclosing to her that they had equipped the computer with keylogger software. Id. The software allowed the defendants to obtain passwords for Rene's personal accounts, which they viewed, forwarded, and discussed amongst themselves. Id. Rene sued G.F. Fishers, claiming their actions violated the FWA, the SCA, and the Indiana Wiretap Act (IWA). Id.

The FWA claim was dismissed. The FWA punishes a person who “intentionally intercepts” an “electronic communication.” 18 U.S.C. § 2511(1)(a) (2011). Rene argued that the defendants violated the FWA by intercepting her keystrokes as she typed her passwords on the computer. Rene at *2. However, the court found that the capture of keystrokes does not constitute “interception” as understood by the FWA. Id. at *2. Though the statute does not compel this interpretation, courts have generally determined the FWA requires interception happen “contemporaneously” with transmission of the information.[1] The “contemporaneous” requirement was part of the definition of interception with respect to wire and oral communications prior to the enactment of the ECPA and was originally intended to keep answering machine tapes seized by police from falling within the scope of the law. U.S. v. Turk. When the ECPA amended the FWA to include electronic communications, several courts concluded that Congress intended the “contemporaneous” requirement be retained. See Konop v. Hawaiian Airlines Inc. for a summary of early cases.
Because many keyloggers store the captured information on their host computer to be subsequently retrieved by a monitor, Rene could not demonstrate that the information seized was contemporaneously transmitted in violation of the FWA. The court also concluded that Rene's keystrokes failed to meet the FWA's requirements for “electronic communication,” Rene at *2, defined by the FWA as signs and signals, etc. “transmitted...by a...system that affects interstate or foreign commerce.” 18 U.S.C. § 2510(12) (2011). Since the keylogger did not transmit Rene’s private information beyond the office computer, the court found that Rene’s employers’ action did not implicate a system affecting interstate or foreign commerce.

This interpretation of the Commerce Clause was developed in United States v. Scarfo and United States v. Ropp, two of the first cases to address the legality of keyloggers. In Scarfo a New Jersey federal court ruled that the FBI's use of a keylogger to “eavesdrop” during an investigation into mob boss Nicodemo Scarfo's alleged criminal gambling and loan sharking activities was not in violation of the FWA. The FBI claimed they did not record any of Scarfo's keystrokes while his computer was connected to a modem; therefore, a system that affected interstate commerce was not involved. Scarfo at 582.

However, the presence of a network connection may not be sufficient to put keylogger use in violation of the FWA. In Ropp a California district court found that an employer did not violate the FWA even when the keylogger he installed was not disabled while the computer had a network connection. The court determined that “the reasoning used in Scarfo is flawed in some respects” and opted for an even narrower construction of the statute. Ropp at 835. The court considered the possibility that any computer with a modem could be considered a system that affects interstate commerce and concluded that “[a]lthough this system is connected to a larger system–the network–which affects interstate or foreign commerce, the transmission in issue did not involve that system. The network connection is irrelevant.” Id. at 838. The court found the statute required not only that the system be capable of affecting interstate commerce at the time of interception, but that those capabilities be incorporated to the keystroke capture. The Rene court agreed with this interpretation of the FWA. Rene at *3.

Counter-arguments in favor of finding that keyloggers fall within the Commerce Clause were rejected by the Ropp and Rene courts. These two courts could have adopted a more holistic view of the system in which the keylogger becomes integrated with the computer it is installed on. If the keylogger had not been installed on a networked computer the employee would not have been typing her email and checking account passwords for the keylogger to record. These courts instead found the connection was incidental, opting for a compartmental view of the system, and concluding the keylogger's function was decidedly separate from the computer's powerful networking function despite knowledge that the network function was precisely what the employer was seeking to exploit.

The Ropp court defended its position by insisting that only Congress should be covering new technological terrain, but in the seven years since Ropp legislation has become more inadequate as keylogger technology has become more invasive. Id. at 838. Newer keyloggers available to average consumers offer complete remote access, allowing a monitor to harvest stolen keystrokes online.[2] This keylogger software is capable of transmitting the captured keystroke information to a website where the typist can be monitored in real time.
These keyloggers both use a network connection more directly and intercept more plainly in accordance with the dominant FWA interpretations. This new technology calls attention to what could be an arbitrary distinction made in FWA interpretations. The difference between nabbing an employee's keystrokes contemporaneously with transmission or a short while later does not seem significant if the keystrokes provide the same access. This could explain why the legislature did not include the “contemporaneous” provision when drafting the FWA.

The Inadequacy of Regulating Keyloggers Under the SCA

Plaintiffs filing claims involving keyloggers can bring suit under both the FWA and SCA. Though Rene's FWA claim was dismissed, her SCA claim survived summary judgment. According to the court, obtaining her passwords through a keylogger did not violate federal law, but using a password to read her email might. Rene at *6. However, SCA claims, which address the unauthorized accessing of “electronic communication while it is in electronic storage,” do not provide a reliable alternative to federal or state keylogger regulation because courts do not agree on how the SCA should be applied to email. 18 U.S.C. § 2701(a) (2011). Due to ambiguity in the law, the crucial question in many cases to determine whether emails are in “electronic storage” is whether the emails have previously been read. Courts have gone in many different directions addressing whether accessing someone's email is an SCA violation, with some tending towards prohibition under the SCA[3] and others less inclined to extend SCA coverage.[4] The kaleidoscope of decisions means that SCA claims are unpredictable and don't offer a substitution for FWA claims in this context. SCA claims also do not prevent pirating into the myriad password accounts to which a keylogger can provide access, such as checking accounts and networking sites.

“Affecting Commerce”: Broader Interpretations of the FWA

The narrow interpretation of the Commerce Clause and the “contemporaneous” interception requirement has led to the defeat of numerous claims of FWA and state wiretap act violations involving keyloggers.[5] It has also been noted by commentators as paramount to why the ECPA is ineffective for keylogger oversight.[6] There are indications, however, that this interpretation of the FWA may be losing its strong hold.

At least one court has been critical of the Ropp interpretation of the FWA. In Potter v. Havlicek, a case of spousal spying using a keylogger, an Ohio district court found that the Ropp court read the statute too narrowly by requiring the communication to be traveling in interstate commerce, as opposed to merely affecting interstate commerce. Id. at *8. The Havlicek court held that messages sent on a networked computer, consisting of keystrokes, do affect interstate commerce. Therefore, the Commerce Clause requirement might be fulfilled. Id. at *9.

This interpretation has gathered some momentum in keylogger cases. Brahmana v. Lembo, a California workplace spyware case involving a keylogger and “network analyzers” (which allow for the keystrokes to be recorded over a network) cited the Havlicek interpretation and likewise suggested that the Ropp court read the FWA too narrowly. The District Court for the Northern District of California concluded that the “means of monitoring” might support the finding that the keystrokes had affected interstate commerce and allowed the claim to go to discovery. Id. at 3. In Langston v. Langston, a Texas district court indicated that the case law on the legality of keyloggers is unclear and referenced Brahmana and Havlicek as courts that have found that keyloggers could constitute electronic communications sufficient to violate the ECPA. Id. at n.*22.
These decisions allude to a possible shift in the willingness of courts to protect the privacy rights of individuals from surreptitious keystroke theft under federal law.

Broader Interpretations of State Wiretap Acts

State wiretap acts lack the impediment of the interstate Commerce Clause, and thus their applicability hinges on the interpretation of a different set of terms. In Rene the court found that keystroke theft might constitute a violation of the IWA absent the “affecting interstate commerce” language. Id. at *4. The defendant in Rene argued that because Rene's FWA claim failed, her claim under the IWA must also fail, because the definition of “intercept” under the IWA is “nearly identical” to the definition of interception under the FWA. Id. at *4. The court in Rene rejected the defendant's argument, stating that while the provisions may echo each other, the definitions are “hardly identical”. Rene at *4. The IWA defines “intercept” as “the intentional recording or acquisition of the contents of an electronic communication by a person other than a sender or receiver of that communication, without the consent of the sender or receiver” with “electronic communication” not requiring that the system at issue affect interstate commerce, as the FWA does, and without the contemporaneous requirement grafted on it. Ind.Code 35–33.5–1–5.

In State v. Walters, the defendant's roommates installed a keylogger on his computer to read his emails. The New Hampshire superior court hearing the case found that keyloggers installed surreptitiously violate New Hampshire wiretap legislation, which defines intercept as “the aural or other acquisition of, or the recording of, the contents of any telecommunication or oral communication.” N.H. Rev. Stat. Ann. § 570-A:1. The court explained the keylogger allowed the roommates to “intercept and record the defendant's Internet user password” in violation of the statute. Walters at *1.

In Rich v. Rich, Leslie Rich installed a keylogger on his wife's computer unbeknownst to her. The keylogger not only copied passwords but entire blocks of text as she typed. Rich's wife sued claiming that the Massachusetts Wiretap Act, which prohibits the interception of oral or wire communications, can be applied to cases involving keyloggers. Id. at *1. Again, the defendant argued that because the FWA does not cover keyloggers, nor should the MWA, because of the interception requirement. Id. at *4. “Intercept” as defined by the MWA means to “secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication ...” Id. at *5 (citing G.L.c. 272, § 99B(4)). The Massachusetts superior court found that even under the narrow federal FWA reading, in which the keylogger programs typically were used only to learn passwords, Leslie's acquisition would constitute interception, because the communications were not stored in email and retrieved later but copied in their entirety and, therefore, contemporaneous with transmission.

Narrower Interpretations of State Wiretap Acts

Although unburdened by the Commerce Clause, some states have chosen not to extend coverage of their wiretap acts to keyloggers installed without knowledge or consent. The Pennsylvania Wiretap Act has been interpreted not to prohibit the use of keyloggers.[7] Pennsylvania courts have interpreted “intercept” to have the same meaning in the PWA as it does in the FWA including the “contemporaneous” requirement, although the statute does not on its face require it. 18 Pa.C.S.A. § 5703. See Lane v. CBS Broad. Inc. (“If a keylogger does not intercept electronic communications under the federal act, it cannot be deemed to do so under the terms of the parallel state statutes.”) Similarly, the Louisiana District Court interpreted the Louisiana Electronic Surveillance Act to exclude the regulation of keyloggers. Becker v. Toca at *6. These cases illustrate that subtle differences in wording or interpretation can permit wholly different results in the success of state law claims. An additional complication is that, due to limited case law in this area, many states have privacy statutes that have not been tested by difficult cases.

Conclusion

Courts in some jurisdictions have declined to take the step to prohibit the surreptitious use of keyloggers, despite the apparent option to apply state legislation. This posture leaves individuals vulnerable to having their private information exploited by their employers. The most cohesive way to fortify employee privacy rights against keyloggers would be for courts to interpret the FWA more broadly. In the absence of ECPA coverage, states should examine their statutes and consider the public policies they are meant to protect. Given alternative methods of surveillance, lack of federal regulation, and advancing technology, extending state statutes is necessary and just.

[1] Miller v. Meyers, 766 F. Supp. 2d 919, 923-24 (W.D. Ark. 2011), Lane v. CBS Broad. Inc., 612 F. Supp. 2d 623 (E.D. Pa. 2009), Konop v. Hawaiian Airlines Inc., 302 F.3d 868, 878 (9th Cir. 2002), Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457, 458 (5th Cir. 1994).
[3] Jennings v. Jennings, 389 S.C. 190, 697 S.E.2d 671, 678 (S.C.Ct.App.2010), Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457, 461 (5th Cir.1994), Theofel v. Farey–Jones, 359 F.3d 1066, 1071, 1075–76 (9th Cir.2004).
[4] Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965, 987 (C.D.Cal.2010), United States v. Weaver, 636 F.Supp.2d 769, 773 (C.D.Ill.2009).
[5] Miller v. Meyers, 766 F. Supp. 2d 919, 923-24 (W.D. Ark. 2011), Lane v. CBS Broad. Inc., 612 F. Supp. 2d 623 (E.D. Pa. 2009), State v. Poling, 2010-Ohio-5429, 160 Ohio Misc. 2d 84, 88, 938 N.E.2d 1118, 1122.
[6] Paul Koob, Not Enough Fingers in the Dam: A Call for Federal Regulation of Keyloggers, 28 Temp. J. Sci. Tech. & Envtl. L. 125 (2009), Patricia L. Bellia, Spyware and the Limits of Surveillance Law, 20 Berkeley Tech. L.J. 1283, 1285 (2005).
[7] Lane v. CBS Broadcasting Inc., 2008 WL 8475407 (Pa.Com.Pl.), Com. v. Proetto, 2001 PA Super. 95, 771 A.2d 823 (Pa. Super. Ct. 2001) aff'd, 575 Pa. 511, 837 A.2d 1163 (2003).