FBI Uses Spyware to Capture Cyber Criminals

It doesn't carry quite the same weight as the Warren Commission report, and it might even contain more redactions than the Nixon tape transcripts, but recently released FBI documents obtained by Wired News via the Freedom of Information Act (FOIA) prove that the FBI has been using its own version of spyware for years to catch cyber-criminals. The spyware goes by the moniker "Computer and Internet Protocol Address Verifier" (CIPAV) and has apparently been in use by the FBI since at least 2004.

CIPAV first came to public attention in 2007 when it was mentioned in an FBI affidavit that Wired News had obtained. The affidavit was filed in the U.S. District Court for the Western District of Washington as a request for a search warrant to use the spyware "to track the source of e-mailed bomb threats against" Timberline High School in Washington State. The warrant was granted, the FBI successfully infected the anonymous source's computer, and agents soon discovered his identity. A 15-year-old student at the school, Josh Glazebrook, was arrested; indicted; "pleaded guilty to making bomb threats, identity theft and felony harassment;" served time in a juvenile detention center; ordered to pay restitution to the school; expelled from school; and ordered to stay away from computers for two years.

How CIPAV works is still classified. What CIPAV does, however, the 2007 affidavit described in some detail:

"The spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.

The CIPAV then settles into a silent 'pen register' mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days."

Wired uploaded the 152 pages of declassified FBI documents to Scribd.

None of the collected information includes any personal contents of the infected computer or its transmissions, such as files or documents, e-mails or IMs, or logged keystrokes. This restraint was likely deliberate: the more invasive the collection appears, the greater the chance that the collected evidence is thrown out in court.

Even so, one of the documents that just came to light is a memo from as far back as 2002 (which likely pre-dates the creation of the CIPAV spyware itself) indicating that the FBI was already concerned that overuse and potentially inappropriate use of its cyber-surveillance techniques in investigations might lead to the suppression of evidence:

"As many of you know, some investigators have begun to use an investigative technique referred to as an 'Internet Protocol Address Verifier' [REDACTED], a/k/a a '[REDACTED]'. While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and risk of suppression) without any countervailing benefit."

The recently released documents also disclose that CIPAV was used in a number of other investigations, including one as far back as 2004 in which a man was cutting communications lines in Boston and extorting service providers to pay him to stop his sabotage. Other investigations that used CIPAV include those of a sexual predator, a hitman, someone impersonating an FBI chief, people making threats, hackers, and other extortionists.

In a number of these incidents, the perpetrators were using anonymizers and proxy servers to escape detection. CIPAV is apparently very good at defeating exactly those measures: because it runs on the target's own machine and reports that machine's network details directly, a proxy or anonymizer sitting between the target and the internet hides nothing from it.

"The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link."

Another fact disclosed in the released documents, as pointed out by Wired News, is that all of the documented cases of the FBI's use of CIPAV were conducted under legal search warrants. This does not mean, however, that the FBI has always sought search warrants for its investigations using CIPAV. In fact, a potentially precedent-setting appeals case from 2007, United States v. Forrester, holds that some information, such as "IP addresses of websites a person has visited and to/from addresses from a person's emails," can be legally obtained without needing a warrant. While the FBI provided over 152 pages of heavily redacted documents to Wired News as a result of the FOIA request, an additional 623 pages were withheld. Those pages might very well contain information on CIPAV-based investigations that were conducted without legal search warrants.