EFF recently received documents from the FBI that reveal details about the depth of the agency's electronic surveillance capabilities and call into question the FBI's controversial effort to push Congress to expand the Communications Assistance to Law Enforcement Act (CALEA) for greater access to communications data. The documents we received were sent to us in response to a Freedom of Information Act (FOIA) request we filed back in 2007 after Wired reported on evidence that the FBI was able to use “secret spyware” to track the source of e-mailed bomb threats against a Washington state high school. The documents discuss a tool called a "web bug" or a "Computer and Internet Protocol Address Verifier" (CIPAV),1 which seems to have been in use since at least 2001.2
What is CIPAV and How Does It Work?
The documents discuss technology that, when installed on a target's computer, allows the FBI to collect the following information:
- IP Address
- Media Access Control (MAC) address
- "Browser environment variables"
- Open communication ports
- List of the programs running
- Operating system type, version, and serial number
- Browser type and version
- Language encoding
- The URL that the target computer was previously connected to
- Registered computer name
- Registered company name
- Currently logged in user name
- Other information that would assist with "identifying computer users, computer software installed, [and] computer hardware installed"3
Where Has CIPAV Been Used and What Legal Process Does the FBI Rely On to Use It?
It is clear from the documents we received that the FBI—and likely other federal agencies—have used this tool a lot. According the documents, the FBI has used CIPAV in cases across the country—from Denver, El Paso, and Honolulu in 2005; to Philadelphia, California, and Houston in 2006; to Cincinnati and Miami in 2007. In fact, one stack of documents we received consists entirely of requests from FBI offices around the country to the agency's Cryptologic and Electronic Analysis Unit ("CEAU") for help installing the device.6
The FBI has been using the tool in domestic criminal investigations as well as in FISA cases,7 and the FISA Court appears to have questioned the propriety of the tool.8 Other agencies, and even other countries have shown interest in the tool, indicating its effectiveness. Emails from 2006 discuss interest from the Air Force,9 the Naval Criminal Investigative Service10 and the Joint Task Force-Global Network Operations,11 while another email from 2007 discusses interest from the German government.12