American Politics, Progressive News, Human Rights, Civil Disobedience, Foreign Policy, Current Events, Cultural Activism, and Social Justice.
http://www.dustcircle.com | http://www.facebook.com/dissentingheretic | http://www.twitter.com/dustcirclenews
Showing posts with label jennifer lynch. Show all posts

Wednesday, May 18

FBI Spyware Continuously Trolls Suspects' Surfing

Nextgov
By Aliya Sternstein

A computer bug akin to spyware, developed by the FBI to trace the source of cyber crimes, remains permanent on a suspect's machine, according to previously secret documents recently released under the Freedom of Information Act.

The Electronic Frontier Foundation, a privacy group, obtained various emails and records confirming the use of the tracking device, called the Computer and Internet Protocol Address Verifier, after the technology publication Wired first reported its existence in 2007. The new documents also show that the worm continuously retrieves data whenever the targeted computer is online. The papers reveal the names of agencies outside the FBI, including the Air Force, that have sought to use the software. And they show uncertainty among government officials about the legal procedures for seeking permission to use the application.

"The tool will stay persistent on the compromised computer and . . . [every] time the computer connects to the Internet, we will capture the [court-approved] information," a special agent in the FBI's cryptologic and electronic analysis unit wrote in one June 2007 email. The agent was emphasizing to a colleague "the importance of telling the judge" about these traits, presumably in a request to deploy the spyware.

The worm can collect the user's Internet protocol address, or network location; media access control address, a unique code for each piece of computer hardware that connects to a network such as a Wi-Fi card; and certain data, the name of which is redacted, that "can assist with identifying computer users, computer software installed, computer hardware installed, [redacted]," an Oct. 2005 message stated. A separate 2005 email regarding an installation in Honolulu indicates the spyware also can record open communication ports, a list of programs running, the operating system's serial number, type of browser, current login name, and the website the target last visited.

"When you put all the information together you can actually tell a lot about the person," said Jennifer Lynch, a staff attorney with the foundation who focuses on government accountability litigation. "You can figure out [the city] where the person is visiting a website from, through an IP address."

Investigators, however, do not appear to be acquiring the actual text of the suspect's communications and other transactions, she said.

The device seems to be effective, having reportedly helped catch a hacker who broke into systems at Cisco, NASA's Jet Propulsion Laboratory and various other U.S. national laboratories in 2005. The tool also supposedly was used to ensnare a sexual predator endangering the life of a teenager.

About five years ago, agents determined the tool could aid in hunting down a perpetrator who was threatening a residence over the Internet: "Victim's family being harassed via email from subject and subject slandering victim to victim's clients," one of the newly released documents noted. The agent assigned to the case was awaiting subpoenaed information to bolster probable cause for a search warrant to deploy the tracker.

"If the FBI and other agencies are complying with the law on how they are using this device, then I think it's an important tool to use," Lynch said. "I would never want the FBI to not catch criminals . . . What we need to get on the FBI about is that they are using the proper authority" and eventually deactivating the software.

Foundation officials have raised concerns about documents showing that FBI agents at times employed inconsistent methods for gaining authorization to install the tracer. Their email messages talk about using a "trespasser exception" to avoid obtaining a warrant. One message recommends citing the "All Writs Act, 28 U.S.C. § 1651(a)." The group noted that one September 2007 message indicates some agents felt spyware searches do not require any legal process.

"There seems like there was a lot of back-and-forth," Lynch said.

The 2007 email stated, "I still think that use of [redacted] is consensual monitoring without need for process; In my mind, no different than sitting in a chat room and tracking participants; on/off times or for that matter sitting on P2P networks and find out who is offering KP" -- in a likely reference to law enforcement's practice of searching through file-sharing networks for sex offenders exchanging child pornography.

The FBI apparently settled on a two-pronged approach that includes attaining a search warrant for accessing the computer and a so-called pen/trap order for collecting the data, foundation officials said.

Based on the new information, the group has some reservations about the broad application of the tool throughout the federal government. One January 2006 email discusses a situation where the Air Force Office of Special Investigations was awaiting approval from "the Air Force General" to deploy a device. A July 2007 email bore the subject line "JTF-GNO Request for FBI Tool" and discussed interest from the Joint Task Force-Global Network Operations, a Defense Department cybersecurity organization, and the Naval Criminal Investigative Service.

FBI officials, too, have been troubled by outsiders using their technology, according to the documents. As far back as March 2002 a law enforcement official reported that the indisputably valuable tool "is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit." In the JTF-GNO email, the FBI sender was "weary to just hand over our tools to another [government] agency without any oversight or protection for our tool/technique."

FBI officials declined to comment on the newly-released files.

[REPRINT]

Monday, May 9

FBI Chastised by Court for Lying About Existence of Surveillance Records


Commentary by Jennifer Lynch

An order last week from the U.S. District Court for the Central District of California has revealed the FBI lied to the court about the existence of records requested under the Freedom of Information Act (FOIA), taking the position that FOIA allows it to withhold information from the court whenever it thinks this is in the interest of national security. Using the strongest possible language, the court disagreed: “The Government cannot, under any circumstance, affirmatively mislead the Court.” Islamic Shura Council of S. Cal. v. FBI (“Shura Council I”), No. 07-1088, 3 (C.D. Cal. April 27, 2011) (emphasis added).

This case may prove relevant in EFF’s ongoing FOIA litigation against the FBI. As discussed further below, one of the issues in Shura Council was the FBI’s extensive and improper use of “outside the scope” redactions. The agency has also used these heavily in at least one of our current cases — in areas where it is highly unlikely the material blocked out is actually outside the scope of our FOIA request. (see example to the left from our case seeking records on the government’s push to expand federal surveillance laws). We’ll be writing more about that case in the coming weeks and posting the documents we received on this site soon.

Shura Council started five years ago in May 2006, after widespread reporting on the FBI’s programs targeting Muslims after September 11, 2001. At that time, several Muslim citizens and organizations in Southern California, including the Islamic Shura Council of Southern California and the Council on American Islamic Relations (CAIR), submitted a broad joint FOIA request to the FBI seeking “[a]ny records relating or referring” to themselves, “including . . . records that document any collection of information about monitoring, surveillance, observation, questioning, interrogation, investigation and/or infiltration[.]” Shura Council I at 4.

In 2008, after the FBI produced only minimal records, the requesters filed a federal lawsuit. The FBI then searched for and located additional records for nine of the plaintiffs, but these records were heavily redacted, with much of the information withheld as “outside the scope” of the plaintiffs’ FOIA request. The FBI attested, in documents and declarations it submitted under oath to the court, that these were all the records that existed about the plaintiffs and that the materials labeled “outside the scope” were “not responsive” to the plaintiffs’ FOIA request.

After the court ordered the FBI to submit full versions of the records in camera, along with a new declaration about the agency’s search, the FBI revealed for the first time that it had materially and fundamentally misled the court in its earlier filings. The unaltered versions of the documents showed that the information the agency had withheld as “outside the scope” was actually well within the scope of the plaintiffs’ FOIA request. The government also admitted it had a large number of additional responsive documents that it hadn’t told the plaintiffs or the court about. Id. at 7-8.

If these revelations weren’t bad enough, the FBI also argued FOIA allows it to mislead the court where it believes revealing information would “compromise national security.” Id. at 9. The FBI also argued that “its initial representations to the Court were not technically false” because although the information might have been “factually” responsive to the plaintiffs’ FOIA request, it was “legally nonresponsive.” Id. at 9, n. 4 (emphasis added).

The court noted that this “argument is indefensible,” id. at 9-10, and held, “the FOIA does not permit the government to withhold responsive information from the court.” (Id.) (upheld on appeal in Islamic Shura Council of S. Cal. v. FBI, __ F.3d __, No. 09-56035, at 4280-81 (9th Cir. Mar. 30, 2011) (“Shura Council II”)).1 The court stated:

The Government argues that there are times when the interests of national security require the Government to mislead the Court. The Court strongly disagrees. The Government’s duty of honesty to the Court can never be excused, no matter what the circumstance. The Court is charged with the humbling task of defending the Constitution and ensuring that the Government does not falsely accuse people, needlessly invade their privacy or wrongfully deprive them of their liberty. The Court simply cannot perform this important task if the Government lies to it. Deception perverts justice. Truth always promotes it.


(Shura Council I at 17) (emphasis added). This is an important opinion for FOIA requesters because sometimes the only protection a FOIA requester has from the government's potentially arbitrary withholding of information is a court's in camera review of the full versions of documents. If the government were allowed to withhold information from the court, this protection would be meaningless and the role of judicial oversight in FOIA cases would be compromised.

Unfortunately for the plaintiffs in Shura Council, this seems to be a hollow victory. Although the court did not restrain itself from using the strongest possible language to criticize the government’s actions (calling the FBI’s arguments “untenable,” id. at 3, “indefensible,” id. at 10, and “not credible” id. at 17) it also held that “disclosing the number and nature of the documents the Government possesses could reasonably be expected to compromise national security.” Id. 18. Therefore it did not order the government to release the records to the plaintiffs or even to reveal how many records turned up in the second search. And on appeal, the Ninth Circuit held that neither the plaintiffs nor their attorneys had the right to see the original version of the district court’s order (filed under seal) because it contained information the FBI considered to be “national security and sensitive law enforcement information.” (Shura Council II at 4286).

It seems unlikely that, five years after the plaintiffs filed their FOIA request, the release of the information the FBI has on these individuals and organizations would truly threaten national security or an ongoing criminal investigation. None of the plaintiffs appears to have been arrested or retained in conjunction with a crime or foreign terrorist plot, so it seems more likely that this is yet another example of the government valuing secrecy over transparency.

The district court’s April 27, 2011 order after remand is here, and the Ninth Circuit opinion remanding the case is here.

1. This case has a convoluted procedural history. When the district court discovered the FBI’s lies it issued an order under seal on June 23, 2009 and told the parties it would unseal the order on July 7, 2009 unless further directed by the Ninth Circuit Court of Appeals. The government immediately appealed, and the Ninth Circuit issued a stay of the district court’s ruling until it could hear the case. On March 30, 2011, the Ninth Circuit issued its opinion in Islamic Shura Council of S. Cal. v. FBI, __ F.3d __, No. 09-56035 (9th Cir. Mar. 30, 2011), vacating the district court’s sealed order and remanding to the district court to revise its order to eliminate statements the government had designated as national security and sensitive law enforcement information. On April 27, 2011, the district court issued its revised order.

Related Issues: FOIA Litigation for Accountable Government, Privacy, Transparency
https://www.eff.org/deeplinks/2011/05/fbi-chastised-court-lying-about-existence