In-Depth

Q&A: Unleashing Surveillance

Fine-combing PCs in real time

• By Mathew Schwartz
• 04/23/2003

Although it’s a touchy subject, most employees sign computer security policies allowing employers to monitor anything they do. Yet most organizations—some government agencies aside—won’t actually monitor employees until there’s first evidence of wrongdoing. At that point, they often use a hardware or software monitoring program. One such program, reputed to be difficult to defeat, is WinWhatWhere. Security Strategies sat down with Richard Eaton, president and chief designer of WinWhatWhere Corp. in Kennewick, Wash., to talk about the technology and ethics of monitoring employees.

Do your corporate clients monitor all PCs all the time, or just when they suspect mischief?

At that point, it’s most ineffective—the damage is done. What they really need to be doing is running all the time and just not looking at the data. But usually I will hear, "We’re having trouble with an employee," and that’s when it will get installed.

Can’t people just write their own tools to do this?

You can write a keystroke logger in about a half hour, but the hard part is staying hidden, not impacting the processes, memory, or disk space. Screenshots cache into memory and save to disk later. Also, if you’re running Chinese/Korean/Japanese, this will pick up the characters effectively, and that’s no small feat, because they’re double-byte sets. Hardware keystroke loggers interpret the key that was pressed, not the double-byte character.

What about using this as a way to undo your mistakes or recover data from application crashes?

A lot of small companies will run it on all computers at all times. In places like labs, they’re running it all the time to have an audit trail of what was changed in a spreadsheet, and why, in case the FDA comes calling. We’ve also had people in the business of intellectual property creation running this on all PCs in the background, with everyone knowing it, and again it’s to have this audit trail if anyone tries to sue them.

Do companies have to advise employees when WinWhatWhere is being used on them?

Legally speaking, they don’t have to do anything, but ethically they do. And I think as a course of business they do tell them that they are being monitored or might be monitored.

How do they do that?

At the start of day, [WinWhatWhere] can come up with a policy statement that says you can be monitored, and they click OK. Or those can be turned off. If you want to stop the use of a computer as a malicious tool, then tell them. But if you want to humiliate them, don’t say anything. So tell them.

What do WinWhatWhere reports look like?

It’s a spreadsheet, and it’s just line after line in chronological order of everything that has happened—you’ll see time, date, URL, elapsed time, contents of an e-mail they read, chat sessions, and everything that they typed. If there’s a Web cam attached, it’s got screen shots too. That’s handy, because at times there were people saying, “That wasn’t me sitting at my computer,” and you can show them what they were wearing that day. Then you can narrow the data down by using all sorts of filtering built into the reports.

Should I be suspicious when a Web cam appears on my desk?

“Ignore me, I’m a pencil sharpener.” I have a way to turn off the red lights on those that activate when recording, if they’re so equipped.

That’s a lot of data to be monitored.

You can have the program send you an e-mail when certain words are typed. But really its main purpose is to gather all of this main data, and I would think that after the fact is when you want to go aback and look at it.

The FBI was in the news for using this. What about Title III wiretap restrictions on intercepting electronic communications?

There’s an option that says, if you’re connected to the Internet, don’t do any monitoring. So for law enforcement, FBI, all that, as long as it’s not intercepting live transmissions over the Internet or over the modem, it’s fine. Otherwise it gets into wiretapping.

Can’t users just search out the WinWhatWhere files and remove them?

Well, another thing this program does that you don’t see elsewhere is on occasion it will pick up, rename itself and move. With our previous version, people started listing the names of the modules online, so you could rename it manually and try to deactivate that. Our program also watches out for programs watching out for it—and we take appropriate action.

Can’t a user just manually kill the Windows process?

It’s more than one process, and their job is to make sure the other processes are running. You wouldn’t have time to kill both of them before they’d restart themselves.

How do IT administrators deploy your software?

We have a deploy utility, it allows you to pre-configure the software, and you put this in the log-in script for any PC. A lot of times, I’m a little too naive in terms of what people would want to use the system for. But now the executable is almost 4 MBs in size, I’ve done that to stop abuse by people who shouldn’t be installing this on other people’s computers [such as jealous spouses]. Amazingly enough, people will still click on the large executable, though.

What’s in the WinWhatWhere future?

More detail, and making it more enterprise specific; it’s going to be fed into a much larger database—something like Oracle or SQL—so you could have it on thousands of computers playing on a single database. Right now, you can plug a couple of hundred users into one database, and have multiple databases.

Beyond the PC, is this like a sniffer, monitoring IP-level network traffic to and from the PC?

No, I don’t sniff anything.

With monitoring, how much is enough?

A lot of times, we’ve been chastised for having too much detail, and I think that’s the point of the program, to have too much detail.

Editor's Note: Sound off. What do you think about monitoring? Should companies monitor everything an employee does on a PC, so it’s available if and when there’s evidence of malice—or is that Orwellian overkill? E-mail us: jpowell@esj.com.