Wednesday, May 01, 2013

Texas judge blocks FBI's webcam-controlling malware

Pursuing criminal hacking groups is high on the FBI’s list of priorities—but the bureau is adopting some hacking techniques of its own. And a Texas judge isn’t happy about it.

On Monday, a judge denied an FBI request to install a spy Trojan on a computer in an unknown location in order to track down a suspected fraudster. The order rejecting the request revealed that the FBI wanted to use the surveillance tool to covertly infiltrate the computer and take photographs of its user through his or her webcam. The plan also included recording Internet activity, user location, email contents, chat messaging logs, photographs, documents, and passwords.

As the Wall Street Journal reported, Houston magistrate Judge Stephen Smith said that he could not approve the “extremely intrusive” tactic because the FBI did not know the location or identity of the suspect and could not guarantee the spy software would not end up targeting innocents. Smith wrote in a 13-page memorandum:

 What if the Target Computer is located in a public library, an Internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit email address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the email address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the Government’s application does not supply them. 

Perhaps what is most interesting is the level of detail the memorandum discloses about the surveillance technology at the FBI’s disposal. Back in 2007, the bureau was revealed to be using spyware that could infect computers and gather IP addresses, the last visited website address, and a range of other metadata. But the spy Trojan disclosed in the Houston documents is far more advanced, capable of copying content and effectively turning a person’s webcam into a surveillance camera. According to Smith:

 [T]he Government’s data extraction software will activate the Target Computer’s built-in-camera and snap photographs sufficient to identify the persons using the computer. The Government couches its description of this technique in terms of “photo monitoring,” as opposed to video surveillance, but this is a distinction without a difference. In between snapping photographs, the Government will have real time access to the camera’s video feed.



