3 July 2003
Wall Street Journal, July 3, 2003
By SEAN MARCINIAK
Staff Reporter of THE WALL STREET JOURNAL
The widening use of federal snooping software has been a bonanza for a handful of small companies that claim they can shield Internet users from electronic surveillance.
The two-year-old USA Patriot Act gave federal police wider Internet surveillance powers. And Pentagon counterterrorism efforts and Federal Bureau of Investigation programs like Carnivore, which can monitor e-mail and Web-surfing sessions, raised public awareness about how visible an individual's Web behavior -- or misbehavior -- can be. At the same time, several companies have developed services that disguise the identity of Internet users and encrypt their communications, leaving electronic footprints largely invisible to marketers, spammers -- and, some say, to the feds.
Lance Cottrell, founder of Anonymizer Inc., one of the best-known identity-shielding services, says his service offers complete protection from electronic snooping or subpoenas by the FBI. "We keep no record of any anonymous Web-surfing activity," says Mr. Cottrell, whose company is based in San Diego. "We would be unable to comply for any request for this."
Business is up sharply in the past year, Mr. Cottrell says, with 90,000 subscribers now paying yearly fees from $29.95 to $99.95, depending on the level of protection they want. That's quadruple the number of customers he had at the same time last year, he says.
Another provider of anonymity services, Germany's Steganos GmbH, says its business has grown as well, doubling in the past two years. Erich Jedersberger, international sales manager, estimates that 500,000 people have used the firm's anonymous Web-surfing product, a nonsubscription-based service available for a one-time fee of $24.95, while two million have used its encryption software.
Anonymizer and Steganos, like most of their competitors, are closely held and don't publicly report revenue, but independent sales figures also suggest the "privacy services" sector is growing. CNET Networks Inc., which runs an online software-sales site, said in February that it logged 1.9 million downloads, more than nine times the volume of six months earlier; in August 2002, it recorded 206,000 such downloads.
It wasn't always this way. The services were slow to catch on, and in October 2001, one of the pioneers, Montreal-based Zero-Knowledge Systems, went out of business due to lack of interest. But that same month, Congress passed the Patriot Act, freeing federal authorities to eavesdrop on a greater number of electronic communications. Among other things, the law eases the standard of proof needed for a court order and provides police with the ability to implement nationwide and roving electronic wiretaps.
The FBI became tech savvy to better carry out its new duties, and initially relied on an electronic surveillance program called Carnivore. Installed at Internet service providers such as AOL Time Warner Inc.'s America Online, the program scans signals for certain encoded text strings and traffic from selected Internet addresses. The FBI later collects the data from the ISP, analyzes them and, because Web sites and Internet providers often track which user visits what site, is able to reconstitute a second-by-second portrait of most any Internet session.
Prior to the Patriot Act, businesses like Anonymizer created identity-shielding programs to address consumer concerns about marketers, spammers and other Internet annoyances. Other interested customers likely included men and women who wished to disguise their electronic activities from spouses, and indeed some of these companies in their advertisements talked about the vulnerability of computer users who chose to visit sex chat rooms and pornography sites.
Thomas Knapp, a 36-year-old St. Louis writer, says he has nothing to hide. Still, he doesn't like the idea that federal agents might be able to track his every mouse-click. So, from time to time, he uses online privacy services like Anonymizer. "A lot of people are using these products as a form of protest," he says. "The purpose is to frustrate the idea, to tell the government, 'You can't make this work.' "
Law enforcers say they are using increasingly potent technologies, but won't discuss them. "It's not appropriate to get into technological advances," an FBI spokesman says. "It's completely inappropriate. Why would we? That would defeat the whole purpose of surveillance."
If federal agents complain about the proliferation of identity-shielding services, they don't do so publicly. Says Angela Haun, a special agent in Washington, "We respect individual rights, and of course companies have their right to free enterprise, though it does make our job a little tougher."
Computer scientists say many of the privacy technologies work. David Evans, assistant professor of computer science at the University of Virginia, says that today's encryption techniques demoralize code-breakers. "Based on a pure brute-force search, typical modern encryption systems would require not just thousands of years, but quadrillions of quadrillions of years to break," he says.
Technologies are constantly evolving, however, creating a cat-and-mouse game between those who seek to spy and those who want privacy.
"It's a war," says Grey McKenzie, founder and chief executive of SpyCop Inc., a small South Port, Fla., company that detects and removes spyware programs from a computer. "There's a war going on in your computer and people don't even know."
The latest addition to the federal armory is the FBI's Magic Lantern program, which first came to light in late 2001. Encryption and anonymity services would be useless because this bug would track a user's actions well before the shielding services kick in -- at the user's keyboard, recording every keystroke. While the FBI has generally confirmed its existence, officials haven't said whether the software has ever been employed in an investigation.
The antispyware companies acknowledged that they hadn't prepared their software to deal with the likes of Magic Lantern because they hadn't yet encountered it. But they say they're on it now -- perhaps beginning another round in their sparring match with the FBI.
All they need first is to find a sample of the program to study. "I'm going to find everything I can about it," said Adam Bothwell, the 19-year-old founder of a Cincinnati antispyware firm, Nitrous Online Inc.
Some of these companies cooperate with federal law-enforcement officials, and some have designed their systems so that they can't. Steganos says it would comply only with information requests from German courts, but that even then, its ability to provide information about its users' activity is limited. Alex Shahida, founder and chief executive of Primedius Corp., a fast-growing San Jose, Calif., service, says he would cooperate with subpoenas. Services that offer complete anonymity, he says, are open to abuse by spammers, child pornographers and identity thieves.
"Can we make people invisible?" he asks. "Yes. Nobody can do it better than we can. But am I willing to make money at the risk of national security? Absolutely not."
Write to Sean Marciniak at sean.marciniak@wsj.com