Monday, August 20, 2007

FBI Uses Spyware To Track Bomb Hoax


The search warrant authorizing the use of the FBI's secret spyware application, called CIPAV, was sought in the case of Josh Glazebrook, a student at Timberline High School in Washington. The information collected by CIPAV led to the arrest of Glazebrook, who pleaded guilty to identity theft, felony harassment, and making bomb threats.


A recently released FBI affidavit in the prosecution of a suspected bomb hoaxer has revealed the development and deployment of an FBI spyware program called the Computer & Internet Protocol Address Verifier (CIPAV).

According to Special Agent Norm B. Sanders, Jr., who applied for an affidavit authorizing the use of CIPAV, the program is capable of secretly sending to the FBI information about a computer's IP and MAC addresses, other environment variables, and certain registry-type information.

Lauren Weinstein, cofounder of People for Internet Responsibility and moderator of the Privacy Forum, said he was not surprised by the information contained in the affidavit.

"Look, many people have known or suspected for a significant time that various agencies are using this technique for surveillance," he said. "It was inevitable that this type of software tool would be developed by law enforcement, particularly given the advances in techniques for concealing and encrypting electronic information."

Bomb Hoax Investigation

The search warrant authorizing the use of CIPAV was sought in the case of 15-year-old Josh Glazebrook, a student at Timberline High School in Washington who was suspected of making bomb threats. A handwritten note containing a threat was discovered on May 30, and the high school subsequently received e-mail threats and was hit by a denial-of-service attack.

A week later, another student reported receiving an invitation from a MySpace account with the handle "Timberlinebombinfo," asking her to post a link to the bomb threats on her MySpace page. She reported the invitation to local law enforcement, which subsequently learned that 33 students had received a similar invitation.

When the FBI traced the IP address of the e-mail and MySpace accounts, they were led to a hijacked computer in the National Institute of Nuclear Physics in Italy. Having reached a dead end, they determined that the next step was to send CIPAV to the e-mail address from which the bomb threats were sent.

The information collected by CIPAV led to the arrest of Glazebrook, who pleaded guilty on Monday to identity theft, felony harassment, and making bomb threats. He was sentenced to 90 days in juvenile detention.

CIPAV a Powerful Weapon

While noting that the Glazebrook case is not particularly remarkable, Weinstein said that it does raise concerns about the power of CIPAV and what types of information are being gathered by law enforcement. "Once you've got something like this on someone's computer," he noted, "you can basically do anything and learn everything about what that person is doing."

The recent revelations about the scope of the FBI's use of National Security Letters, Weinstein said, undermine the overall confidence in security and law enforcement agencies, and raise questions about whether a program like CIPAV will only be used as the FBI says it is being used. National Security Letters are subpoenas allowing FBI agents to require phone companies, banks, credit agencies, and ISPs to turn over customer records.

"If techniques like this are going to be used by the FBI and other agencies," Weinstein said, "then we need to have 100 percent trust in the agencies about when such tools will be deployed and under what circumstances. That's the challenge for this society."