Yesterday, the FBI lab spokeswoman I mentioned in my article on the FBI's spyware -- who had declined to comment on the technology for my story -- called me back again and suggested I submit a list of written questions. So I did. She just sent me an e-mail, though, that doesn't seem to leave much hope that I'll get any answers. It's really the last line that does it.
Here are the questions I posed.
- How often is a CIPAV used?
- When did the FBI start using CIPAV, or similar technology? (By "similar technology" I mean software tools that are delivered electronically to a target, not hardware, surveillance tools in general, sniffers or CALEA gear).
- Was the CIPAV capability developed internally at the FBI, or by a contractor?
- When the period of time that a CIPAV is authorized expires, does it remain on the target computer?
- What steps, if any, has the FBI taken to ensure that a CIPAV or similar technology doesn't leave a target computer at increased vulnerability to subsequent or concurrent unauthorized access?
- What kind of investigations has the CIPAV assisted in?
- Does the CIPAV have the capability, if so configured, to record keystrokes? Generally, does the FBI have the ability to electronically and surreptitiously deliver monitoring software to a target's PC that records keystrokes?
- If yes, under what legal authority does the FBI use that capability?
- How does the CIPAV get on a target computer? (Via publicly known operating system vulnerabilities? Private vulnerabilities known to the FBI? A backdoor or signing key provided by the operating system maker or another software vendor? Etc.)
- Has Microsoft or another consumer software maker modified any of its products for the purpose of making deployment of CIPAVs possible, or more feasible? Or has such a company provided the FBI with confidential information -- such as unpublished security holes -- for this purpose?
- Has the FBI or Justice Department asked computer security or anti-virus firms to avoid detecting a CIPAV, or similar technology? Have any such companies voluntarily done so? Has the FBI or Justice Department sought or obtained court orders to that effect?
- Does use of a CIPAV implicate 18 U.S.C. 1030?
- Under what legal authorities has the FBI used this technology?
- Do other law enforcement agencies have access to the CIPAV technology?
- Are there any agency guidelines putting limitations on when or under what circumstances the FBI may deploy a CIPAV?
- When in pen register mode, the CIPAV is described as operating for 60 days only. Is this a hard-coded limit in the CIPAV, or can it be configured to continue operation beyond that date? Or does the FBI manually shut it down after 60 days?
- Is the CIPAV "Magic Lantern"?
We'll see if my FOIA request has better luck.