The FBI is using its own hacking programs for installing malware and spyware on the computers of suspected terrorists or child pornographers, a tactic that is drawing attention in the wake of disclosures about the domestic online surveillance of Americans.
Among the programs is one known by various names, including the Remote Operations Unit and Remote Assistance Team, which uses private contractors to do the actual hacking of suspects. The contractors can send a virus, worm or other malware to a suspect's computer, giving law enforcement control of a wide range of activities, from turning a computer's webcam on and off to searching for documents on the machine, says Christopher Soghoian, principal technologist for the ACLU's Speech, Privacy and Technology Project.
"In the last few years the FBI has created a team that has solely focused on delivering what we call malware — viruses and worms — to people's computers to get control of them," he told NBC News.
The FBI was contacted Monday by NBC News for comment, but has not yet responded. If we hear back, we will update this story. The agency, believed to be behind a recent large-scale malware attack, declined to comment to the Wall Street Journal about the hacking issue. Meanwhile, CNET reports that the FBI has developed software to help intercept "metadata" — information like the websites visited and email addresses used by an individual — and wants Internet providers to allow the agency to install the software, but is meeting with resistance.
Mark Rasch, former head of the Department of Justice's Computer Crimes Unit who has worked with the FBI in the past, said the existence of the hacking team is well-known, and that there are other similar teams, coordinating with private contractors.
"There's a whole bunch of groups in the FBI that do this," Rasch, now an independent consultant, told NBC News. "There's one that interfaces with telephone companies, another with Internet providers. These guys make 'critters' — malware, a bug, virus, a worm — that can infect the computer, the cellphone ... any kind of communication device."
However, he said, the FBI is obtaining court-approved warrants or wiretap orders to do the surveillance.
"If I'm going to turn on your camera on your laptop, I'm going to need to go through the same legal process that I would need in order to install a camera in your house," he said. "There are exceptions to the warrant requirement, but I would be surprised if they were doing this without a warrant or some kind of legal process."
Soghoian said he is not so sure that is the case. "We don't know much about what legal standards they follow," he said.
Earlier this year, he said, "we learned that the FBI had gone to a federal magistrate in Texas to ask for a warrant authorizing the delivery of malware that would take over a target's webcam, and download files from their computer. That judge said no, because he believed that covert webcam use required a wiretap order not just a warrant. The judge was also concerned that the government hadn't identified how it would make sure that only the court-approved target of the surveillance would be spied on, and not anyone else."
Alan Butler, appellate advocacy counsel for the Electronic Privacy Information Center, told NBC News that while the "government's access to hacking tools has been known for some time," until recently it "was not clear that they were being used in domestic criminal investigations."
"I don't think it is clear that a warrant or judicial order is sufficient to support the use of intrusive hacking tools," he said in an email. "These tools can cause damage to hardware and software, and allow the monitoring of personal communications and even audio-visual surveillance surrounding an electronic device."
Butler believes the FBI's "authority to use these hacking tools has not been clearly established, and there should be a public review of the legality of this program."
Soghoian agrees. "What I'm focused on is that we haven't had a proper debate on this. There was no law giving the FBI authority to do this."
Rasch says the "real problem isn't the FBI or the law; it's technology," and the nature of malware, or "critters" that are "hard to control."
Malware does not discern who is using a device and the innocent may wind up getting hurt, or having their privacy invaded as collateral damage in cyber-spying.
"It's hard for me to write a virus that will only capture your actions on a computer without also capturing your kids using it to do their homework or your daughter getting undressed in front of a Web camera," he said.