Electronic Frontiers Foundation, EFF recently received documents from the Federal Bureau of Investigation that reveal details about the depth of the agency’s electronic surveillance capabilities and call into question the FBI’s controversial effort to push US Congress to expand the Communications Assistance to Law Enforcement Act (CALEA) for greater access to communications data. The documents received by EFF were sent in response to a Freedom of Information Act (FOIA) request EFF filed back in 2007 after Wired reported on evidence that the FBI was able to use “secret spyware” to track the source of e-mailed bomb threats against a Washington state high school. The documents discuss a tool called a “web bug” or a “Computer and Internet Protocol Address Verifier” (CIPAV), which seems to have been in use since at least 2001.
The documents discuss technology that, when installed on a target’s computer, allows the FBI to collect the following information:
- IP Address
- Media Access Control (MAC) address
- “Browser environment variables”
- Open communication ports
- List of the programs running
- Operating system type, version, and serial number
- Browser type and version
- Language encoding
- The URL that the target computer was previously connected to
- Registered computer name
- Registered company name
- Currently logged in user name
- Other information that would assist with “identifying computer users, computer software installed, [and] computer hardware installed”
It’s not clear from the documents how the FBI deploys the spyware, though Wired has reported that, in the Washington state case, the FBI may have sent a URL via MySpace’s internal messaging, pointing to code that would install the spyware by exploiting a vulnerability in the user’s browser. Although the documents discuss some problems with installing the tool in some cases, other documents note that the agency’s Crypto Unit only needs 24-48 hours to prepare deployment. And once the tool is deployed, “it stays persistent on the compromised computer and . . . every time the computer connects to the Internet, FBI will capture the information associated with the PRTT [Pen Register/Trap & Trace Order].
The FBI’s Crypto Unit appears to have viewed the CIPAV as a proprietary tool. In one email, an agent grumbled, “we are seeing indications that [CIPAV] is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression without any countervailing benefit).” In another email, an agent stated, “[I] am weary [sic] to just hand over our tools to another Gov’t agency without any oversight or protection for our tool/technique.” And a third email noted, “[w]e never discuss how we collect the [data CIPAV can collect] in the warrants/affidavits or with case agents. AUSAs, squad supervisors, outside agencies, etc.”
It appears from the documents that the FBI wasn’t sure what legal process to seek to authorize use of the spyware device. Some emails discuss trying to use a “trespasser exception” to get around a warrant, while others discuss telling the AUSA (government attorney) to cite to the “All Writs Act, 28 U.S.C. § 1651(a).” And one email suggests some agents thought the tool required no legal process at all. In that email, the FBI employee notes he considers the tool to be “consensual monitoring without need for process; in my mind, no different than sitting in a chat room and tracking participants’ on/off times; or for that matter sitting on P2P networks and finding out who is offering KP.”
Eventually, the FBI seems to have sought a legal opinion on the proper use of the tool, both from the Office of General Counsel and from the National Security Law Branch, and ultimately, the agency seems to have settled on a “two-step request” process for CIPAV deployments — a search warrant to authorize intrusion into the computer, and then a subsequent Pen/Trap order to authorize the surveillance done by the spyware.
Over the past few months, we’ve heard a lot from the FBI about its need to expand the Communications Assistance to Law Enforcement Act (CALEA), a law that that requires all telecommunications and broadband providers to be technically capable of complying with an intercept order. Federal law enforcement officials have argued that under current regulations they can’t get the information they need and want to expand CALEA to apply to communications systems like Gmail, Skype, and Facebook. However, these documents show the FBI already has numerous tools available to surveil suspects directly, rather than through each of their communications service providers. One heavily redacted email notes that the FBI has other tools that “provide the functionality of the CIPAV as well as provide other useful info that could help further the case.” Another email notes that CIPAVs are used in conjunction with email intercepts, perhaps using similar spyware-type tools. If the FBI already has endpoint surveillance-based tools for internet wiretapping, it casts serious doubt on law enforcement’s claims of “going dark.”
A device that remains “persistent” on a “compromised computer” is certainly concerning. However, if the FBI obtains a probable cause-based court order before installing tools like CIPAV, complies with the minimization requirements in federal wiretapping law by limiting the time and scope of surveillance, and removes the device once surveillance concludes, the use of these types of targeted tools for Internet surveillance would be a much more narrowly tailored solution to the FBI’s purported problems than the proposal to undermine every Internet user’s privacy and security by expanding CALEA.