The Electronic Frontier Foundation (EFF) has received documents from the Federal Bureau of Investigation that detail the agency's use of electronic surveillance software in the course of criminal investigations.
The documents were released in response to a 2007 Freedom of Information Act request submitted by the EFF regarding reports the FBI was using "secret spyware" to track emails during an investigation into bomb threats against a Washington high school.
The documents outline the Bureau's use of the Computer and Internet Protocol Address Verifier (CIPAV) tool, also referred to as a "web bug", that may have been utilized as far back as 2001.
The documents do not specifically discuss how the software is installed on target computers, but previous reports indicate that the tool may be distributed via browser vulnerabilities similar to those exploited by malicious malware and that the software was deployed in the Washington bomb threat case by way of internal messaging sent through the social network MySpace.
The software allows the FBI to collect the following information when installed on a target computer:
- IP Address
- Media Access Control (MAC) address
- "Browser environment variables"
- Open communication ports
- List of the programs running
- Operating system type, version, and serial number
- Browser type and version
- Language encoding
- The URL that the target computer was previously connected to
- Registered computer name
- Registered company name
- Currently logged in user name
- Other information that would assist with "identifying computer users, computer software installed, [and] computer hardware installed"
It is not clear how many government entities may be employing the CIPAV tool, but the documents EFF received show the software has been used in multiple FBI investigations, and that the Air Force, the Naval Criminal Investigative Service and the Joint Task Force-Global Network Operations have all expressed interest in the software.
The documents show that the FBI considers the CIPAV tool to be proprietary, and that the Bureau is concerned about the legal ramifications of wider use of the software by other government agencies.
One email in the documents the EFF received from the FBI states "we are seeing indications that [CIPAV] is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression without any countervailing benefit)," while another email states "[I] am weary [sic] to just hand over our tools to another Gov't agency without any oversight or protection for our tool/technique."
Emails released to the EFF also show the FBI debated whether the use of the tool required a court order or other mandates, finally deciding to follow a two-part protocol comprised of securing a search warrant to authorize access to a computer and then securing a Pen/Trap order to authorize the ongoing surveillance with the spyware.