FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats

July 18, 2007 — -- FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.

Sanders wrote that the spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.

Related Stories

Man kills wife, 3 kids in mass shooting: Police

• Apr 23, 12:35 PM

Trump, NY AG resolve dispute over $175M bond

• Apr 22, 12:14 PM

OJ Simpson dies at 76

• Apr 11, 6:32 PM

The CIPAV then settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days. Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet.

According to the affidavit, the CIPAV sends all the data it collects to a central FBI server located somewhere in eastern Virginia. The server's precise location wasn't specified, but previous FBI internet surveillance technology -- notably its Carnivore packet-sniffing hardware -- was developed and run out of the bureau's technology laboratory at the FBI Academy in Quantico, Virginia.

The FBI's national office referred an inquiry about the CIPAV to a spokeswoman for the FBI Laboratory in Quantico, who declined to comment on the technology.