What is a keylogger
Software keyloggers can be used in various scenarios and are very helpful for their users when used wisely. Whether it is called a keylogger, spyware or monitoring software, it can be the equivalent of digital surveillance, revealing every click on the keyboard, private conversations on dating platforms like Tinder or common social media platforms like Facebook, and, as an add-on, possibly also pictures of the user’s screen (https://www.mcafee.com/blogs/consumer/family-safety/what-is-a-keylogger/). This usage of the keylogger can be recommended especially in the following scenarios:
Are Keyloggers Legal?*
Criminals can potentially install keyloggers on public computers hoping that individuals will log in to personal accounts, thereby giving the hackers the information needed to commit identity theft with potential unauthorized purchases to wrong addresses on platforms like amazon.com, wire fraud, or just plain old stealing money from a bank account. When it comes to the legal usage of the software or the hardware, generally, keyloggers, like other hacking software and hardware, are legal to own or possess. However, installing one on a third party's computer without their knowledge can expose you to legal trouble. Of course, legitimate uses do exist for keyloggers as well. Parents can monitor their children’s online activity (https://www.komando.com/downloads/watch-your-kids-install-a-keylogger-on-your-windows-pc/501940/), law enforcement may use it to analyze and track incidents linked to the use of personal computers (https://www.cnet.com/news/feds-use-keylogger-to-thwart-pgp-hushmail/), and employers can make sure their employees are working on the tasks they are supposed to do instead of surfing the web all day and not contributing to the company’s success.
What court rulings exist with keyloggers?
There have been numerous court rulings on the specific usage of keylogger software. Below you will find examples of court rulings in the US, Great Britain and Germany.
A federal judge in Los Angeles has dismissed charges against a California man who used a keystroke logger to spy on his employer, ruling that use of such a device does not violate federal wiretap law (https://www.securityfocus.com/news/9978). Larry Ropp, a former claims adjuster for a U.S. insurance company, was caught using keylogging software installed on a secretary's computer while secretly helping consumer attorneys gather information against his employer, Bristol West Insurance Group. A grand jury in Los Angeles later indicted Ropp, in what prosecutors trumpeted as the first federal criminal prosecution for the use of a hardware keystroke logger. The indictment charged a violation of the federal wiretap statute, which makes it illegal to covertly intercept electronic communications transmitted "over a system that affects interstate or foreign commerce." Prosecutors maintained that the tapped PC was covered by the statute because it was connected to Bristol West's national computer network, and the secretary had composed electronic mail messages on it. But district court judge Gary Feess disagreed, and granted a defense motion to dismiss the indictment.
The judge ruled that the interception of keystrokes between the keyboard and the computer's CPU did not meet the "interstate or foreign commerce" clause in the federal Wiretap Act, even if some of those keystrokes were banging out e-mail. "[T]his court finds it difficult to conclude that the acquisition of internal computer signals that constitute part of the process of preparing a message for transmission would violate the Act." "The network connection is irrelevant to the transmissions, which could have been made on a stand-alone computer that had no link at all to the internet or any other external network," Feess wrote. "Thus, although defendant engaged in a gross invasion of privacy ... his conduct did not violate the Wiretap Act.
While this may be unfortunate, only Congress can cover bases untouched." The court based its decision in part on a controversial earlier ruling by the First Circuit Court of Appeals that threw out wiretapping charges against Bradford Councilman, a former vice president of an online bookseller who provided customers with free e-mail accounts, then set up a system that made covert copies of some messages for his later perusal. Feess found that here, as in the Councilman case, the e-mail was not intercepted as it traveled over the network. Electronic privacy groups have joined with government prosecutors to try to overturn the Councilman ruling, which is now under review by a larger panel of judges. In a statement following his indictment, the employee admitted using the keylogger, which he had purchased online. But he defended his action as necessary to expose improper anti-consumer practices at the company.
In this matter the court also cited a 2001 case in which a federal judge in Newark, New Jersey ruled that the FBI did not violate the Wiretap Act when it installed a covert keylogger on the computer of an organized crime suspect. This demonstrates once more the helpful usage of the software.
While monitoring employees' computer and internet usage seems like an assault on employee privacy, the U.S. Supreme Court ruled in 2010 that it is legal for companies to monitor employees' actions while they are regularly working or using company equipment, including laptops, pagers, USB drives and mobile devices (https://www.supremecourt.gov/opinions/09pdf/08-1332.pdf). However, there have never been any regulations on the type of programs companies can use to monitor employees. This means you can use software programs that capture keystrokes and capture passwords; however, there is some ethical controversy surrounding whether these features should be used or not.
While the federal government doesn't place restrictions on employee internet monitoring, some individual states in the US have protections in place. An increasing number of states will require employers to notify their workers if they monitor online activity, including emails, screenshots and keystrokes. You can disclose this within your use policy, the employee handbook, as part of an IT use policy, or simply send out an email reminder to employees. Also, employee monitoring software (and how employers use it) could be impacted by the passage of new data privacy laws in the U.S. The California Consumer Privacy Act (CCPA), for example, includes provisions that give individual employees the right to request certain businesses disclose the personal information that has been collected about them. Businesses could also be required to notify individual employees when personal information has been collected and how that information is being used. These provisions could extend to employee monitoring and require a revisiting of company policy. If your business is subject to the CCPA or similar data privacy regulation, consider whether the employee data you are collecting serves a clear business purpose. Consider as well how long you need to store that data in addition to ensuring it is properly protected from data breaches. Failure to prepare in accordance with data privacy laws could result in fines.
However, there are also absolutely illegal activities that can be pursued with keylogger software. For example, the Justice Department has accused Chinese spies of hacking into several US tech and industry giants like IBM as well as state institutions like NASA in order to acquire confidential top-secret information in the areas of aviation, space and satellite technology, manufacturing, pharmaceuticals and gas exploration (https://techcrunch.com/2018/12/20/us-indictment-tech-hacks-chinese/). We strongly advise not to take part in illegal activities like this.
The Federal Labor Court in Germany ruled recently that employers must not monitor their employees using keylogger software, unless the employee is suspected of having committed a criminal offence or a serious breach of duty (https://www.twobirds.com/en/news/articles/2017/germany/employee-monitoring-by-keylogger-software-unlawful-except-in-case-of-severe-suspicions). According to the Federal Labor Court’s decision, such monitoring by the employer affects the privacy of the monitored employee. What needs to be kept in mind is that Germany has a really strict law regarding employee data protection. This topic is becoming increasingly important in daily practice as a result of a gradually digitalized working environment. Data are produced not only when working at modern workstations using IT infrastructures but also at various conceivable work steps involving the use of technical aids.
Due to the constitutionally protected informational self-determination in Germany, the collection, processing, and use of an employee's personal data by an employer is legally permitted in certain cases only and prohibited in all others. Infringements may lead to fines. German employers should therefore ensure they observe data protection regulations and make the company's internal processes compliant. This applies in particular as the General Data Protection Regulation (GDPR), by which data privacy laws have been revised and strengthened, entered into force as of May 25, 2018.
As previously mentioned, the laws and privacy acts differ from country to country. In the UK it is absolutely legal for individuals and companies to utilize keylogger software on any computer that they rightfully own. Many companies in the UK have a disclaimer in their employee manuals that specifically states that they have the right to monitor all employee activity in the case of suspicion and otherwise (http://geckomonitor.com/blog/2013/03/are-keyloggers-legal-or-illegal/).
How should employers protect themselves legally when using keylogger software?
Because someone who installs keylogger software must have administrative rights on the system that it is being installed on, this gives them full access and license to do so as they see fit. Because employers can argue that there are legitimate reasons why activity on a computer needs to be monitored and surveyed, the practice of utilizing keyloggers is deemed legal and, in many cases, necessary. Companies have the right to protect their personal assets and information from being misused and shared, and thus that argument alone will keep any one employee from arguing that it is an invasion of privacy.
Employers should specify their company policies in order to gain more safety when using a keylogger in the working environment. In view of the open wording of the BDSG (the German Federal Data Protection Act), companies should conclude their own company policies with regard to any other type of data collection or use that may be relevant for the employment relationship, including
The legally compliant drafting of such company policies often causes problems for companies and organizations in Germany, in particular where the staff representative body takes a tough stance in the negotiations. In this case you should consult a legal advisor in order to have full knowledge of the legal situation.
We really hope that this article helps you gain more comfort and security in using professional keylogging software. For further thoughts on this topic and questions regarding the wolfeye keylogger software that we provide, we would be very thankful if you got in touch with us.
*Please note that we cannot provide legally binding advice. For detailed questions in your specific area you should consult a professional lawyer. Using a keylogger is illegal in instances where the information obtained is used in an unlawful way, for example as a way to collect passwords or using bank account information in an effort to steal personal funds.