Sunday Times takes flak for kids Net study

The Sunday Times drew flak from the internet community last week when it asked readers to take part in a "unique study" to see what children got up to online.

What got privacy advocates' backs up was the fact that the survey required the installation of an invisible keylogger, which tracks all activity on the machine.

Surfsafe2001 claims to be "the first nationwide survey and analysis of children's behaviour online", and is conducted using what some might call "spyware".

"We ask you to download a free piece of software, which will record your child's computer activity for a fortnight," the paper said.

It also advised that "to obtain a true sample of internet activity" it is necessary "not to alert the child to the software and so defeat the object of the exercise".

But satirical news site Need To Know pointed out that by installing the keylogger without consent is not only in breach of the Marketing Research Council's code of practice, but it may also be criminally illegal under the RIP Act.

And the buck doesn't stop there. One tech-savvy victim, or just a concerned hacker, has looked at the keylogger in question, WordWatcher, and discovered that it may pose a security risk.

It logs all user activity, including passwords and credit card details, to an unencrypted, word-readable file. It also stores the administrator's (parent's) password in plain text in the registry too, so that someone who knows where to look will have no problem accessing all the data captured by the tool.

"It could be misused easily. It collects URLs and can harvest anything entered by keyboard, like credit card details entered into bank websites," said the user who discovered the security flaws.

"The company who sells it has a program which can stop it being installed on a public terminal, but you have to mail them and ask for it," he added, after suggesting that the tool could be installed on public access terminals to gather passwords.

A website with details on how to bypass the program has been set up here, carrying the reassuring, or not so reassuring, as the case may be, message: "You are a mum or dad or guardian reading this because you've seen the URL in your WordWatcher stash. Looks like you've been found out. How about talking to your son or daughter instead of spying on them."