It's not only digital criminals who like to secretly infect people's computers with invasive malware. In fact, the FBI likes malware so much, it created its own special brand. We don't know much about it, but now that the US Department of Justice is pushing for policy changes that will allow the FBI to install spyware on citizens' computers even more easily, it's time to take a closer look.
Malware is a broad term for malicious computer code like viruses and Trojan horses. It's called spyware when it's used to snoop on and track someone else's digital behaviour without their knowledge. Thieves like it because it's an easy route to gain enough information on someone to leech off their bank accounts or steal their identity. The FBI likes it because it can help pinpoint people crouching behind their keyboards to commit crimes.
The FBI's bespoke surveillance malware — called Computer and IP Address Verifier (CIPAV) — is designed to track criminal suspects by logging their IP address, MAC address, computer programs running, operating system details, browser details and other identifying computer information.
As far as spyware goes, it's unusually circumscribed — unlike consumer keylogging and social media snooping surveillance tools, CIPAV isn't able to spy on the entire computer at will, just a narrow list of identifiers. That means it's a weirdly weak invader, but that's a deliberate, built-in privacy protection, a way to keep the FBI's spyware ostensibly legal.
Despite limitations, the FBI's spyware capabilities are hugely powerful. As the Washington Post pointed out:
The most powerful FBI surveillance software can covertly download files, photographs and stored emails, or even gather real-time images by activating cameras connected to computers, say court documents and people familiar with this technology.
Yet there's been zilch in the news about this government malware since 2013.
The FBI's basement baby
The FBI keeps its malware deployment on the down low low. The few official documents available that provide spyware details use take care to reveal as little as possible.
"The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardise other ongoing investigations and/or future use of the technique," an FBI agent's affidavit reads.
So the FBI says it can't explain exactly how CIPAV works because then the bad guys will figure it out and get away. If this argument sounds stale, it's because it's the same wobbly rationale the FBI uses to keep its heavy-handed cell phone tracking practices secret.
What we do know about CIPAV largely stems from court documents from one 2007 case. The FBI installed its malware on a teenaged bomb-threat suspect's computer by tricking him into clicking on a phishing message on MySpace by impersonating Associated Press journalists. The FBI created a fake news article that contained malware about the bomb threats and sent it to the suspect in hopes that he'd click on it.
And the first and only semi-confirmed CIPAV attack discovered "in the wild", before it was documented in a court case, happened in 2013, when researchers fingered the FBI as the source of a malware attack on Freedom Hosting, the anonymous hidden service notorious for hosting child porn. (The FBI later confirmed this.)
Another FBI spyware was used in 2013 to inject surveillance malware into a Colorado bomb threat suspect's Yahoo email account. We know that the spyware allowed the FBI to see the webpages the suspect was visiting, which means it had a wider range of capabilities than CIPAV.
You may be wondering, who cares about the privacy of bomb threat suspects and pedophiles? It's not exactly a sympathetic clan. The issue here isn't that known pedophiles shouldn't be tracked or that there's a general problem with the FBI using warrants to narrowly track suspects of terrible crimes — that's what it's supposed to do! The issue is that the FBI's current setup leaves too much room for to violate the privacy of people who aren't suspects, and too many unanswered questions about its powerful spy tools.
Take the Freedom Hosting case for instance. All of the sites that used the anonymous server, including many that had absolutely nothing to do with child porn, were hit with the FBI's spyware. In the case of the Colorado bomb threat, the FBI screwed up and originally received a warrant to spy on the wrong email address thanks to a typo, meaning some random person whose only crime was accidentally choosing an email address similar to a wanted criminal had their computer vulnerable to intensive FBI spying. The FBI saw no reason to fess up to spying on innocent people in those cases.
And since the FBI can use spyware to go after "zombified" computers infected with botnets, it could end up putting spyware on peoples' computers just because someone else had already infected them with malware. This is like the FBI searching your house without telling you because a criminal had already broken in earlier.
We want to know more
What little we know about the FBI's history with spyware raises questions. For instance, there was internal confusion about how to deploy spyware that suggests that the FBI hasn't been sure how much it intruded on privacy. While the agency now requires a warrant and a Pen/Trap order to use CIPAV, documents obtained by the Electronic Frontier Foundation show several FBI agents discussed deploying the spyware without warrants before finally asking for clarification in 2007.
Since we know the FBI has been using spyware since 2001, that's six years before the FBI cemented its policy. How many other lingering privacy questions are still being debated about legal spyware use internally? And shouldn't Congress and the general public be able to participate in these privacy debates? Shouldn't people have the right to know if their computer has been accidentally snooped on, or if they have acquired government-issued spyware as collateral damage?
In some courts, the FBI's requests for spyware warrants have been rejected. A Texas federal magistrate wouldn't allow spyware deployment, for instance, because law enforcement couldn't pinpoint the computer's location. But if the DoJ procedural change on the table goes through, agents will no longer have to pinpoint a location. They will also be able to figure out which judges are more lenient on their snooping tactics and go to them with their warrant requests, since the change would allow judge to authorise warrants for these searches even outside their jurisdiction.
The extent to which we're being kept in the dark about government spyware is not necessary. As is the case with Stingrays, the mobile phone trackers used covertly by the FBI, the level of secrecy means no one is able to give the program a thorough look-over to make sure it's not violating our privacy rights.
Of course the FBI requires some secrecy to keep its tools safe. But there's a persistent lack of discussion about general and past tactics, which no longer or never did impair federal agents from doing their jobs. That lack of discussion is good for the FBI: They don't have to explain their tactics or screw-ups. But the public should be able to debate when law enforcement's phishing expeditions turn into illegal fishing expeditions.