A Los Angeles-area man was indicted today for allegedly installing a tiny, almost imperceptible hardware device to spy on his boss's every keystroke, in a case that shines a spotlight on the ease with which spy technologies now can be purchased and used by consumers.
The $49.95 device, called a Key Katcher, is barely the size of a child's pinkie, but it has 46-year-old Larry Lee Ropp in a heap of trouble. Ropp, who says he was acting as a whistleblower, was indicted by a federal grand jury for illegally intercepting electronic communications and now faces up to five years in jail.
The complex case begins with a class action lawsuit that was settled last year against Ropp's employer, Bristol West Insurance Group/Coast National Insurance Company. In the settlement, the company admitted no wrongdoing but agreed to set aside $6.3 million to refund consumers who had auto insurance policies prematurely terminated. Claimants had until Sept. 15, 2003 to register as part of the class and thus be entitled to compensation.
On Sept. 3, Ropp, then a claims manager, was fired from the firm. According to his arrest warrant, he claimed at the time to be gathering information for the California Department of Insurance, and suggested he was being fired because of that. The next day, he contacted another employee at the company and asked that she recover a "toy" he had left in the company vice-president's office. He told the employee to inspect a computer used by the vice president's secretary -- on the back, she'd find a small device which looked like a male/female computer connector.
She wouldn't do it, and when Ropp tried a second employee, she got suspicious and told her boss. The insurance firm then called in computer forensics experts, which later called in the FBI.
In an affidavit signed by FBI agent Daniel Whelan, Ropp allegedly admitted to installing the device, but said the only reason he used it was "to capture the main list of Bristol customers who would fall within the Mostajo v. Coast National Insurance Company class action lawsuit." During an interview, he again claimed to be working on behalf of state insurance regulators.
Whelan's affidavit claims the California Department of Insurance never authorized Ropp's behavior.
Ropp's attorney, Craig Wilke, said Ropp had been in touch with insurance regulators and other attorneys who were involved in litigation with the company.
"There were several activities going on at the company that he believed were in bad faith," Wilke said. "He was not acting out of self interest. His motive was to blow whistle on the company."
But Ropp's motives don't actually matter, says U.S. Attorney Jim Spertus, because Ropp's actions were still illegal.
"It's irrelevant, even if the employee were a savior," Spertus said. "People can't rob banks to pay for their dying mother's cancer operations."
California attorney Mark Attwood, a whistleblower law specialist and partner at Jackson Lewis LLP, said provisions designed to protect employees who want to squeal on their firms' misbehaviors don't protect illegal activities.
"This guy was intercepting communications that were intended to be private. He may have had a good motive, but he is still breaking the law," Attwood said.
The case may cross some uncharted legal waters. Wilke said he plans to contest the charge of illegal interception of communications. Such a charge requires that a suspect listen in on conversations between two parties, and Wilke said the key logger merely intercepts data flowing from a keyboard to computer -- not communications between two parties.
21st century bug
At the center of the story is the Key Katcher, a small, dongle-like hardware device which fits in between the keyboard and the PC. It's the 21st century's equivalent of a listening "bug," albeit a bit easier to use.
With an internal 128K memory, the device can store several weeks worth of typing. The would-be spy can then just remove the device, and download all that text onto another machine. Forensic experts who looked at the Key Katcher Ropp allegedly used were able to retrieve a host of private company e-mails.
Key Katcher president Steve Allen said he's been selling the device for four years, but wouldn't say how many buyers he's had. He said he was upset that about the insurance company incident, and claims it's a legitimate device that can be used to monitor a child's activity on the Internet.
"I've tried to make this a responsible product," Allen said. "I mark the product very clearly to indicate there's a user agreement and people need to abide by it."
Internet marketing for the product describes it as a tool that's "popular with spouses trying to catch their partner cheating." The Key Katcher Web site makes clear that the user is responsible for complying with local laws.
Hardware can be sneaky
When consumers think of spyware, cheating spouses and key logging devices, they generally think of software -- which has a natural antidote in the computer world: antispyware. Many antivirus products also defend computers against spyware.
But small hardware devices are another matter. Since physical security at many companies can actually be less sophisticated than computer security, hardware-based spying can be much easier. Installing Key Katcher only requires a moment's access to the target's PC.
Tom Wolfe, a spyware industry veteran who formerly represented spyware software firm WinWhatWhere, admitted there were certain advantages to the hardware version.
"It does suppose people don't look at the back of their computer," he said. "A million years could go by and they'll never check it." Other hardware-based devices are even harder to spot, he said, including some versions that are stuck right inside the keyboard and are invisible to the naked eye.
But independent software consultant Richard Smith, who operates Computerbytesman.com, said there really isn't anything new about employees snooping around the office.
"It's not that unusual for employees to go poking around where they shouldn't a lot," Smith said. "They can go poking around on a server, get incriminating documents, that's a little more murky. But there's no legitimate reason to put on a key logger."
Attorney Mark Zwillinger, hired by Coast to conduct its internal investigation into Ropp's behavior, said he believed this was the first criminal case of its kind around the country. The U.S. Attorney's Office also suggested this was the first time a suspect had been indicted for using a key logger.
But Zwillinger said it was not the first time he'd seen a key logger while conducting corporate investigations.
"We have run across this kind of device before. Often we get the question as to whether an employer can put these on to monitor employees," he said. "I wonder why this is device is sold at all?"
Allen answers that, like any product, it can be used for good or ill.
"I've gotten a number of e-mails from people with great success, who've found out about their kid on drugs or skipping school, stuff like that," he said. "There are a lot of products that can be misused, just like a butcher knife."