
FBI spyware continuously trolls suspects' surfing

A computer bug akin to spyware, developed by the FBI to trace the source of cyber crimes, remains permanently on a suspect's machine, according to previously secret documents recently released under the Freedom of Information Act.

The Electronic Frontier Foundation, a privacy group, obtained various emails and records confirming the use of the tracking device, called the Computer and Internet Protocol Address Verifier, after the technology publication Wired first reported its existence in 2007. The new documents also show that the worm continuously retrieves data whenever the targeted computer is online. The papers reveal the names of agencies outside the FBI, including the Air Force, that have sought to use the software. And they show uncertainty among government officials about the legal procedures for seeking permission to use the application.

"The tool will stay persistent on the compromised computer and . . . [every] time the computer connects to the Internet, we will capture the [court-approved] information," a special agent in the FBI's cryptologic and electronic analysis unit wrote in one June 2007 email. The agent was emphasizing to a colleague "the importance of telling the judge" about these traits, presumably in a request to deploy the spyware.

The worm can collect the user's Internet protocol address, or network location; the media access control address, a unique code assigned to each piece of network hardware, such as a Wi-Fi card; and certain data, the name of which is redacted, that "can assist with identifying computer users, computer software installed, computer hardware installed, [redacted]," an Oct. 2005 message stated. A separate 2005 email regarding an installation in Honolulu indicates the spyware can also record open communication ports, a list of programs running, the operating system's serial number, the type of browser, the current login name, and the website the target last visited.

"When you put all the information together you can actually tell a lot about the person," said Jennifer Lynch, a staff attorney with the foundation who focuses on government accountability litigation. "You can figure out [the city] where the person is visiting a website from, through an IP address."

Investigators, however, do not appear to be acquiring the actual text of the suspect's communications and other transactions, she said.

The device seems to be effective, having reportedly helped catch a hacker who broke into systems at Cisco, NASA's Jet Propulsion Laboratory and various other U.S. national laboratories in 2005. The tool also supposedly was used to ensnare a sexual predator endangering the life of a teenager.

About five years ago, agents determined the tool could aid in hunting down a perpetrator who was threatening a residence over the Internet: "Victim's family being harassed via email from subject and subject slandering victim to victim's clients," one of the newly released documents noted. The agent assigned to the case was awaiting subpoenaed information to bolster probable cause for a search warrant to deploy the tracker.

"If the FBI and other agencies are complying with the law on how they are using this device, then I think it's an important tool to use," Lynch said. "I would never want the FBI to not catch criminals . . . What we need to get on the FBI about is that they are using the proper authority" and eventually deactivating the software.

Foundation officials have raised concerns about documents showing that FBI agents at times employed inconsistent methods for gaining authorization to install the tracer. Their email messages talk about using a "trespasser exception" to avoid obtaining a warrant. One message recommends citing the "All Writs Act, 28 U.S.C. § 1651(a)." The group noted that one September 2007 message indicates some agents felt spyware searches do not require any legal process.

"There seems like there was a lot of back-and-forth," Lynch said.

The 2007 email stated, "I still think that use of [redacted] is consensual monitoring without need for process; In my mind, no different than sitting in a chat room and tracking participants; on/off times or for that matter sitting on P2P networks and find out who is offering KP" -- in a likely reference to law enforcement's practice of searching through file-sharing networks for sex offenders exchanging child pornography.

The FBI apparently settled on a two-pronged approach that includes obtaining a search warrant for accessing the computer and a so-called pen/trap order for collecting the data, foundation officials said.

Based on the new information, the group has some reservations about the broad application of the tool throughout the federal government. One January 2006 email discusses a situation where the Air Force Office of Special Investigations was awaiting approval from "the Air Force General" to deploy a device. A July 2007 email bore the subject line "JTF-GNO Request for FBI Tool" and discussed interest from the Joint Task Force-Global Network Operations, a Defense Department cybersecurity organization, and the Naval Criminal Investigative Service.

FBI officials, too, have been troubled by outsiders using their technology, according to the documents. As far back as March 2002 a law enforcement official reported that the indisputably valuable tool "is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit." In the JTF-GNO email, the FBI sender was "weary to just hand over our tools to another [government] agency without any oversight or protection for our tool/technique."

FBI officials declined to comment on the newly released files.
