Two years before the Bavarian state in Germany began using a controversial spy tool to gather evidence from suspect computers, German authorities approached the Federal Bureau of Investigation to discuss a similar tool the U.S. law enforcement agency was using.
The information is interesting in light of recent questions raised about the legality and security of spyware that German authorities have been using to gather evidence from criminal suspects.
Bavarian authorities reportedly began using their spyware in 2009. It’s not known if that spyware is based on the FBI’s, but in July 2007, German authorities contacted the FBI seeking information about its tool.
The request came just days after Threat Level first reported that the FBI had used its so-called “computer and internet protocol address verifier,” or CIPAV, tool to track bomb threats that a 15-year-old student had e-mailed to a Washington state high school. It was the first time the FBI’s use of an internet spy tool was publicly disclosed in connection to a specific case.
The FBI’s assistant legal attache in Frankfurt, Germany, sent an email to Bureau colleagues on July 24, 2007, writing, “I am embarrassed to be approaching you again with a request from the Germans . . . but they now have asked us about CIPAV (Computer Internet Protocol Address Verifier) software, allegedly used by the Bu[reau].”
The email was among a trove of documents that the Electronic Frontier Foundation received this year in response to a 2007 Freedom of Information Act request the organization filed seeking more information about CIPAV. There are no e-mails in the documents to indicate how the FBI responded to the German government’s request.
Under German law, authorities can use spyware to monitor criminals, but its use is supposed to be limited to the interception of internet telephony and to serious criminal cases.
Members of the Berlin-based Chaos Computer Club, however, examined the so-called R2D2 keylogging Trojan after getting hold of a copy of it, and discovered that it was doing much more than it was legally supposed to do. In addition to monitoring Skype calls and recording keystrokes to capture e-mail and instant messaging communications, the Trojan had the ability to take screenshots and activate a computer’s microphone and webcam to allow someone to remotely spy on activities in a room. Furthermore, the program includes a backdoor that would allow authorities to remotely update the program with additional functionality.
The backdoor, CCC found, also contains several security vulnerabilities that make any system on which the spyware is installed potentially vulnerable to takeover by other parties who could commandeer the spyware for their own purposes. Commands sent to the Trojan are not encrypted, and the spyware requires no authentication between the Trojan and the system communicating with it, meaning that anyone could take remote control of the spyware to spy on a user, plant evidence on his machine or even impersonate a law enforcement Trojan to communicate with law enforcement systems.
Bavaria Interior Minister Joachim Herrmann confirmed this week that officials began using the spyware in 2009, but insisted authorities acted within the law. Three other states — Baden-Württemberg, Brandenburg and Lower Saxony — have also confirmed using spyware, though it’s unclear if they used the same Trojan that CCC found.
A recent news report in Germany revealed details about some of the cases in which Bavarian authorities used the spyware. One case involved a group suspected of illegally selling pharmaceutical products and narcotics. In this case, the malware collected 60,000 screenshots, according to the German publication Süddeutsche Zeitung.
A second case involved a group of online scammers who successfully conned about 120,000 people out of 10 million Euros by selling them electrical appliances that never got delivered. A third case targeted a group of thieves who sold stolen clothes and other products overseas.
Germany’s Justice Minister Sabine Leutheusser-Schnarrenberger has called for an investigation to determine if authorities used the spyware properly.
The FBI’s use of its spyware has yet to be investigated. Documents obtained by Threat Level under the Freedom of Information Act showed that the FBI had deployed the CIPAV in a wide variety of cases — from major hacker investigations to a case involving someone who posed as an FBI agent online. The program at one point became so popular with federal law enforcement agents that Justice Department lawyers warned that overuse could result in electronic evidence being thrown out of court in some cases.
“While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit,” notes a formerly classified 2002 memo from the Justice Department’s Computer Crime and Intellectual Property Section.