
FBI spyware continuously trolls suspects' surfing

A computer bug akin to spyware, developed by the FBI to trace the source of cyber crimes, remains permanently on a suspect's machine, according to previously secret documents recently released under the Freedom of Information Act.

The Electronic Frontier Foundation, a privacy group, obtained various emails and records confirming the use of the tracking device, called the Computer and Internet Protocol Address Verifier, after the technology publication Wired first reported its existence in 2007. The new documents also show that the worm continuously retrieves data whenever the targeted computer is online. The papers reveal the names of agencies outside the FBI, including the Air Force, that have sought to use the software. And they show uncertainty among government officials about the legal procedures for seeking permission to use the application.

"The tool will stay persistent on the compromised computer and . . . [every] time the computer connects to the Internet, we will capture the [court-approved] information," a special agent in the FBI's cryptologic and electronic analysis unit wrote in one June 2007 email. The agent was emphasizing to a colleague "the importance of telling the judge" about these traits, presumably in a request to deploy the spyware.

The worm can collect the user's Internet protocol address, or network location; the media access control address, a unique code assigned to each piece of network hardware, such as a Wi-Fi card; and certain data, the name of which is redacted, that "can assist with identifying computer users, computer software installed, computer hardware installed, [redacted]," an Oct. 2005 message stated. A separate 2005 email regarding an installation in Honolulu indicates the spyware also can record open communication ports, a list of running programs, the operating system's serial number, the type of browser, the current login name, and the website the target last visited.

"When you put all the information together you can actually tell a lot about the person," said Jennifer Lynch, a staff attorney with the foundation who focuses on government accountability litigation. "You can figure out [the city] where the person is visiting a website from, through an IP address."

Investigators, however, do not appear to be acquiring the actual text of the suspect's communications and other transactions, she said.

The device seems to be effective, having reportedly helped catch a hacker who broke into systems at Cisco, NASA's Jet Propulsion Laboratory and various other U.S. national laboratories in 2005. The tool also supposedly was used to ensnare a sexual predator endangering the life of a teenager.

About five years ago, agents determined the tool could aid in hunting down a perpetrator who was threatening a residence over the Internet: "Victim's family being harassed via email from subject and subject slandering victim to victim's clients," one of the newly released documents noted. The agent assigned to the case was awaiting subpoenaed information to bolster probable cause for a search warrant to deploy the tracker.

"If the FBI and other agencies are complying with the law on how they are using this device, then I think it's an important tool to use," Lynch said. "I would never want the FBI to not catch criminals . . . What we need to get on the FBI about is that they are using the proper authority" and eventually deactivating the software.

Foundation officials have raised concerns about documents showing that FBI agents at times employed inconsistent methods for gaining authorization to install the tracer. Their email messages talk about using a "trespasser exception" to avoid obtaining a warrant. One message recommends citing the "All Writs Act, 28 U.S.C. § 1651(a)." The group noted that one September 2007 message indicates some agents felt spyware searches do not require any legal process.

"There seems like there was a lot of back-and-forth," Lynch said.

The 2007 email stated, "I still think that use of [redacted] is consensual monitoring without need for process; In my mind, no different than sitting in a chat room and tracking participants; on/off times or for that matter sitting on P2P networks and find out who is offering KP" -- in a likely reference to law enforcement's practice of searching through file-sharing networks for sex offenders exchanging child pornography.

The FBI apparently settled on a two-pronged approach that includes attaining a search warrant for accessing the computer and a so-called pen/trap order for collecting the data, foundation officials said.

Based on the new information, the group has some reservations about the broad application of the tool throughout the federal government. One January 2006 email discusses a situation where the Air Force Office of Special Investigations was awaiting approval from "the Air Force General" to deploy a device. A July 2007 email bore the subject line "JTF-GNO Request for FBI Tool" and discussed interest from the Joint Task Force-Global Network Operations, a Defense Department cybersecurity organization, and the Naval Criminal Investigative Service.

FBI officials, too, have been troubled by outsiders using their technology, according to the documents. As far back as March 2002 a law enforcement official reported that the indisputably valuable tool "is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit." In the JTF-GNO email, the FBI sender was "weary to just hand over our tools to another [government] agency without any oversight or protection for our tool/technique."

FBI officials declined to comment on the newly released files.
