As far as spyware goes, it’s unusually circumscribed—unlike consumer keylogging and social media snooping surveillance tools, CIPAV isn’t able to spy on the entire computer at will, just a narrow list of identifiers. That means it’s a weirdly weak invader, but that’s a deliberate, built-in privacy protection, a way to keep the FBI’s spyware ostensibly legal.
Despite limitations, the FBI’s spyware capabilities are hugely powerful. As the Washington Post pointed out:
The most powerful FBI surveillance software can covertly download files, photographs and stored e-mails, or even gather real-time images by activating cameras connected to computers, say court documents and people familiar with this technology.
Yet there’s been zilch in the news about this government malware since 2013.
The FBI’s basement baby
The FBI keeps its malware deployment on the down low low. The few official documents available that provide spyware details use take care to reveal as little as possible.
“The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique,” an FBI agent’s affidavit reads.
So the FBI says it can’t explain exactly how CIPAV works because then the bad guys will figure it out and get away. If this argument sounds stale, it’s because it’s the same wobbly rationale the FBI uses to keep its heavy-handed cell phone tracking practices secret.
What we do know about CIPAV largely stems from court documents from one 2007 case. The FBI installed its malware on a teenaged bomb-threat suspect’s computer by tricking him into clicking on a phishing message on MySpace by impersonating Associated Press journalists. The FBI created a fake news article that contained malware about the bomb threats and sent it to the suspect in hopes that he’d click on it.
And the first and only semi-confirmed CIPAV attack discovered “in the wild,” before it was documented in a court case, happened in 2013, when researchers fingered the FBI as the source of a malware attack on Freedom Hosting, the anonymous hidden service notorious for hosting child porn. (The FBI later confirmed this.)
Another FBI spyware was used in 2013 to inject surveillance malware into a Colorado bomb threat suspect’s Yahoo email account. We know that the spyware allowed the FBI to see the webpages the suspect was visiting, which means it had a wider range of capabilities than CIPAV.
You may be wondering, who cares about the privacy of bomb threat suspects and pedophiles? It’s not exactly a sympathetic clan. The issue here isn’t that known pedophiles shouldn’t be tracked or that there’s a general problem with the FBI using warrants to narrowly track suspects of terrible crimes—that’s what it’s supposed to do! The issue is that the FBI’s current setup leaves too much room for to violate the privacy of people who aren’t suspects, and too many unanswered questions about its powerful spy tools.
Take the Freedom Hosting case for instance. All of the sites that used the anonymous server, including many that had absolutely nothing to do with child porn, were hit with the FBI’s spyware. In the case of the Colorado bomb threat, the FBI screwed up and originally received a warrant to spy on the wrong email address thanks to a typo, meaning some random person whose only crime was accidentally choosing an email address similar to a wanted criminal had their computer vulnerable to intensive FBI spying. The FBI saw no reason to fess up to spying on innocent people in those cases.
And since the FBI can use spyware to go after “zombified” computers infected with botnets, it could end up putting spyware on peoples’ computers just because someone else had already infected them with malware. This is like the FBI searching your house without telling you because a criminal had already broken in earlier.
We want to know more
What little we know about the FBI’s history with spyware raises questions. For instance, there was internal confusion about how to deploy spyware that suggests that the FBI hasn’t been sure how much it intruded on privacy. While the agency now requires a warrant and a Pen/Trap order to use CIPAV, documents obtained by the Electronic Frontier Foundation show several FBI agents discussed deploying the spyware without warrants before finally asking for clarification in 2007.
Since we know the FBI has been using spyware since 2001, that’s six years before the FBI cemented its policy. How many other lingering privacy questions are still being debated about legal spyware use internally? And shouldn’t Congress and the general public be able to participate in these privacy debates? Shouldn’t people have the right to know if their computer has been accidentally snooped on, or if they’ve acquired government-issued spyware as collateral damage?""
No comments:
Post a Comment