FBI spyware continuously trolls suspects' surfing

Other agencies have sought use of the software; officials express uncertainty as to legal limits of the application.

A computer bug akin to spyware, developed by the FBI to trace the source of cyber crimes, remains permanently on a suspect's machine, according to previously secret documents recently released under the Freedom of Information Act.

The Electronic Frontier Foundation, a privacy group, obtained various emails and records confirming the use of the tracking device, called the Computer and Internet Protocol Address Verifier, after the technology publication Wired first reported its existence in 2007. The new documents also show that the worm continuously retrieves data whenever the targeted computer is online. The papers reveal the names of agencies outside the FBI, including the Air Force, that have sought to use the software. And they show uncertainty among government officials about the legal procedures for seeking permission to use the application.

"The tool will stay persistent on the compromised computer and . . . [every] time the computer connects to the Internet, we will capture the [court-approved] information," a special agent in the FBI's cryptologic and electronic analysis unit wrote in one June 2007 email. The agent was emphasizing to a colleague "the importance of telling the judge" about these traits, presumably in a request to deploy the spyware.

The worm can collect the user's Internet protocol address, or network location; media access control address, a unique code for each piece of computer hardware, such as a Wi-Fi card, that connects to a network; and certain data, the name of which is redacted, that "can assist with identifying computer users, computer software installed, computer hardware installed, [redacted]," an Oct. 2005 message stated. A separate 2005 email regarding an installation in Honolulu indicates the spyware also can record open communication ports, a list of programs running, the operating system's serial number, type of browser, current login name, and the website the target last visited.

"When you put all the information together you can actually tell a lot about the person," said Jennifer Lynch, a staff attorney with the foundation who focuses on government accountability litigation. "You can figure out [the city] where the person is visiting a website from, through an IP address."

Investigators, however, do not appear to be acquiring the actual text of the suspect's communications and other transactions, she said.

The device seems to be effective, having reportedly helped catch a hacker who broke into systems at Cisco, NASA's Jet Propulsion Laboratory and various other U.S. national laboratories in 2005. The tool also supposedly was used to ensnare a sexual predator endangering the life of a teenager.

About five years ago, agents determined the tool could aid in hunting down a perpetrator who was threatening a residence over the Internet: "Victim's family being harassed via email from subject and subject slandering victim to victim's clients," one of the newly released documents noted. The agent assigned to the case was awaiting subpoenaed information to bolster probable cause for a search warrant to deploy the tracker.

"If the FBI and other agencies are complying with the law on how they are using this device, then I think it's an important tool to use," Lynch said. "I would never want the FBI to not catch criminals . . . What we need to get on the FBI about is that they are using the proper authority" and eventually deactivating the software.

Foundation officials have raised concerns about documents showing that FBI agents at times employed inconsistent methods for gaining authorization to install the tracer. Their email messages talk about using a "trespasser exception" to avoid obtaining a warrant. One message recommends citing the "All Writs Act, 28 U.S.C. § 1651(a)." The group noted that one September 2007 message indicates some agents felt spyware searches do not require any legal process.

"There seems like there was a lot of back-and-forth," Lynch said.

The 2007 email stated, "I still think that use of [redacted] is consensual monitoring without need for process; In my mind, no different than sitting in a chat room and tracking participants; on/off times or for that matter sitting on P2P networks and find out who is offering KP" -- in a likely reference to law enforcement's practice of searching through file-sharing networks for sex offenders exchanging child pornography.

The FBI apparently settled on a two-pronged approach that includes attaining a search warrant for accessing the computer and a so-called pen/trap order for collecting the data, foundation officials said.

Based on the new information, the group has some reservations about the broad application of the tool throughout the federal government. One January 2006 email discusses a situation where the Air Force Office of Special Investigations was awaiting approval from "the Air Force General" to deploy a device. A July 2007 email bore the subject line "JTF-GNO Request for FBI Tool" and discussed interest from the Joint Task Force-Global Network Operations, a Defense Department cybersecurity organization, and the Naval Criminal Investigative Service.

FBI officials, too, have been troubled by outsiders using their technology, according to the documents. As far back as March 2002, a law enforcement official reported that the indisputably valuable tool "is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit." In the JTF-GNO email, the FBI sender was "weary to just hand over our tools to another [government] agency without any oversight or protection for our tool/technique."

FBI officials declined to comment on the newly released files.