The FBI has used a secret form of spyware in a series of investigations designed to nab extortionists, database-deleting hackers, child molesters, and hitmen, according to documents obtained by CNET News.
One suspect used Microsoft's Hotmail to send bomb and anthrax threats to an undercover government investigator; another demanded a payment of $10,000 a month to stop cutting cables; a third was an alleged European hitman who was soliciting for business from a Hushmail.com account.
CNET News obtained the documents -- totaling hundreds of pages, although nearly all of them were heavily redacted -- this week through a Freedom of Information Act request to the FBI.
The FBI spyware, called CIPAV, came to light in July 2007 through court documents that showed how the bureau used it to nab a teenager who was e-mailing bomb threats to a high school near Olympia, Wash. (CIPAV stands for Computer and Internet Protocol Address Verifier.)
A June 2007 memo says that the FBI's Deployment Operations Personnel were instructed to "deploy a CIPAV to geophysically locate the subject issuing bomb threats to the Timberline High School, Lacy, Washington. The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."
An affidavit written by FBI Special Agent Norman Sanders at the time said that CIPAV is able to send "network-level messages" containing the target computer's IP address, Ethernet MAC address, environment variables, the last-visited Web site, and other registry-type information including the name of the registered owner of the computer and the operating system's serial number.
The FOIA documents indicate that the FBI turns to CIPAV when a suspect is communicating with police or a crime victim through e-mail and is using an anonymizing service to conceal his computer's Internet protocol address. If an anonymizing service had not been used, then a subpoena to the e-mail provider would normally be sufficient.
CIPAV lets the FBI trick a suspect's computer into identifying itself to police, much as an exploding dye packet might identify a bank robber.
One document from March 2007 indicates that the FBI originally used a simple technique known as a "Web bug." Written by the Justice Department's Computer Crime and Intellectual Property Section, it says "some investigators have begun to use an investigative technique referred to as an 'Internet Protocol Address Verifier' (IPAV), a/k/a a 'Web bug.'"
Then the bureau appears to have shifted to actual software, once known as Magic Lantern (possibly a Trojan Horse) and then CIPAV.
One example of CIPAV's use came in a March 2006 request to the FBI's Cryptologic and Electronic Analysis Unit. It said a victim's Hotmail account is controlled by a suspect who "is extorting the victim because the account had personal info in it. Subject wants victim to set up an e-gold.com account and transfer $10,000 there and then email the userid/pwd to the subject."
Another was an August 2005 request saying a hacker deleted a company's database and "is extorting the victim company for payment to restore it."
If CIPAV could be detected before being installed by antivirus software, a criminal suspect may be able to avoid having his Internet address divulged to the police. A 2007 CNET News survey of the major antispyware vendors found that that not one company acknowledged cooperating unofficially with government agencies.
A U.S. District Court refused to impose an outright ban on the sale of RemoteSpy keylogger spyware, but the court has barred its parent company from marketing the product for deceptive purposes while it considers a complaint from the FTC that the software may violate the FTC Act.
The U.S. District Court for the Middle District of Florida, Orlando Division, had previously issued a temporary restraining order against Florida-based CyberSpy Software, halting the sales of RemoteSpy. However, the court on November 25 issued a more narrowly tailored preliminary injunction (PDF).
CyberSpy altered the RemoteSpy Web site to comply with the injunction, and as of December 3, RemoteSpy was once again available for sale and users could access their accounts.
The Federal Trade Commission filed a complaint (PDF) against CyberSpy Software on November 5, alleging the company has violated the FTC Act by selling software that can be deployed remotely by someone other than the owner or authorized user of a computer, can be installed without the owner's knowledge, and can used to surreptitiously collect and disclose personal information. The FTC also claims CyberSpy unfairly collected and stored personal information gathered with RemoteSpy.
The commission asked the court to permanently ban the sale of RemoteSpy and require CyberSpy to pay restitution for any injury to consumers resulting from violations of the FTC Act.
The preliminary injunction, in place while the FTC's case against CyberSpy is pending, orders the company and its CEO Tracer Spence to stop promoting, selling, or distributing RemoteSpy by "suggesting to customers that it may be, or is intended to be, surreptitiously installed on a computer without the knowledge or consent of the computer's owner." The defendants are also barred from providing others with the means to falsely represent a keylogger program as an innocuous file, such as photos or music.
"RemoteSpy is designed to be installed without the knowledge or consent of the owner or authorized user of a computer, and defendants' marketing touts this function," the court stated in its injunction. "In light of these marketing efforts, the potential for devastating abuse far outweighs the possibility of benign use."
CyberSpy is seeking to dismiss the entire lawsuit.
"The FTC claims our software should be illegal because someone, somewhere might abuse it," Spence said in a release, "but computer monitoring software is just like any other surveillance technology: There is nothing inherently illegal about binoculars, hidden cameras, or directional microphones, for example, but people can use those tools to break the law."
- prev
- 1
- next
