OLYMPIA, WA — The FBI created a fake online newspaper article, masquerading as the Seattle Times, and used it to covertly install spyware on a targeted individual’s computer and gather his personal information.
The FBI’s controversial tactics were recently brought to light as the Electronic Frontier Foundation (EFF) obtained federal documents detailing the little-known program.
Officially, the program is dubbed the Computer and Internet Protocol Address Verifier (CIPAV). The bureau uses the software to infect a target computer — unbeknown to its operator — with a program that will silently report to the government about the user’s activities and other information.
The CIPAV provides the FBI — at a minimum — with the ability to obtain targets’ IP addresses, MAC addresses, open ports, operating systems, running programs, installed application registration and version information, default web browser, and a log of time-stamped internet browsing history.
When hackers use these tactics to steal identities, the software is dubbed “malware” or “spyware.”
The program first publicly surfaced in 2007, when the FBI used its program to target a juvenile who had allegedly placed hoax bomb threats at his high school. To infect the teen suspect’s computer with the CIPAV, the FBI concocted a fake article and disguised it as a report from the Associated Press.
The plan would fail if the link wasn’t clicked, so the FBI made the article personally relevant to the suspect. An FBI agent then delivered the malicious link to the suspect as a comment on his MySpace page. In clicking the link, the teen gave the FBI software the chance to exploit vulnerabilities in his computer and covertly install the CIPAV.
The ploy worked, and the FBI netted 15-year-old Josh Glazebrook and slapped him with several federal felonies.
The U.S. government has been using similar hacking tactics since at least the early 2000s. Wired Magazine uncovered a revealing DOJ memo that expressed concern over the excessive use of the spying technique:
“While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit,” reads a formerly-classified March 7, 2002 memo from the Justice Department’s Computer Crime and Intellectual Property Section.
The Associated Press and Seattle Times did not appreciate their credibility being jeopardized for the sake of law enforcement. The AP stated that its name was “misappropriated,” and called the ploy “unacceptable.”
“Who’s going to trust that we are who we say we are,” asked Seattle Times editor Kathy Best. “It affects our ability to be a government watchdog, it affects our ability to be an effective news organization.”
With the arsenal of surveillance techniques at the disposal of the U.S. government, it is hard for Americans to feel any semblance of privacy remaining intact.