Keylogger and Monitoring Software – Legal?
A call we get often is that from people is that someone (usually an ex-spouse) has installed monitoring software or keylogger on their computer or cell phone, if we can detect it, and what, if any are the legal implications of these types of software.
These types of programs have legitimate uses. They can be used to ensure that employees are using company resources in an appropriate manner or our kids aren’t doing the things on their phones that we hope they aren’t. However like any good tool these software programs also have nefarious uses.
There is a special provision in the Oklahoma Computer Crimes Act for a Parent/Guardian monitoring a child under their care as amended 11/1/2013:
21 OS 1953 (D):
“Nothing in the Oklahoma Computer Crimes Act shall be construed to prohibit the monitoring of computer usage of, or the denial of computer or Internet access to, a child by a parent, legal guardian, legal custodian, or foster parent. As used in this subsection, “child” shall mean any person less than eighteen (18) years of age.”
Interestingly enough, there is nothing else in the Oklahoma Computer Crimes act that specifically addresses “monitoring” computer usage. However, there are provisions in the law that could be applied to monitoring. The entire Oklahoma Computer Crimes Act is listed at the end of this article.
Violations of the Oklahoma Computer Crimes Act with Respect to Monitoring Software or Keyloggers
The Oklahoma Computer Crimes Act is 21 OS 1953. Looking at each line item of violations of the act in respect to monitoring software or keyloggers:
1. Willfully, and without authorization, gain or attempt to gain access to and damage, modify, alter, delete, destroy, copy, make use of, disclose or take possession of a computer, computer system, computer network or any other property;
It could be argued that using monitoring software or a key logger is creating a “copy” of data on a computer system.
2. Use a computer, computer system, computer network or any other property as hereinbefore defined for the purpose of devising or executing a scheme or artifice with the intent to defraud, deceive, extort or for the purpose of controlling or obtaining money, property, services or other thing of value by means of a false or fraudulent pretense or representation;
Item 2 of the Computer Crimes Act speaks to trying to gain money. Is there a profit to be made?
3. Willfully exceed the limits of authorization and damage, modify, alter, destroy, copy, delete, disclose or take possession of a computer, computer system, computer network or any other property;
It could be easily argued that monitoring software or a keylogger, especially one with rootkit technology, exceeds the limits of authorization.
4. Willfully and without authorization, gain or attempt to gain access to a computer, computer system, computer network or any other property;
One of the most common things that is done with a keylogger is the capture of username and passwords. While not a direct violation of this law, the data obtained from a keylogger and its how it is used may be.
5. Willfully and without authorization use or cause to be used computer services;
This one is easy. Monitoring Software or a keylogger will use computer resources in the background.
6. Willfully and without authorization disrupt or cause the disruption of computer services or deny or cause the denial of access or other computer services to an authorized user of a computer, computer system or computer network;
Often times monitoring software or keyloggers will lock up or slow down a computer.
7. Willfully and without authorization provide or assist in providing a means of accessing a computer, computer system or computer network in violation of this section;
This is a case of how the data captured with monitoring software or a keylogger is actually used. For example, someone captures a password using a keylogger, and gives that password to someone else.
8. Willfully use a computer, computer system, or computer network to annoy, abuse, threaten, or harass another person; and
“Harass” is a funny word in Oklahoma law that doesn’t always mean what people think it does. It’s basically a less serious version of stalking. It’s not difficult to make a case that installing computer monitoring software on a machine is a form a stalking.
9. Willfully use a computer, computer system, or computer network to put another person in fear of physical harm or death.
This is about the only provision in the Oklahoma Computer Crimes act that’s hard to directly make monitoring software or keyloggers case for the violation of law.
Eavesdropping and wiretapping laws may also apply but we’re not going to discuss those here.
The bottom line is, using monitoring software or keyloggers on a computer or system that you don’t have ownership interest in is definitely a violation of the law.
Always consult an attorney if you have any legal questions.
by Mark Davis, Ph.D., CISSP, CCFP