Senator Grassley Letter Asks Tough Questions on Law Enforcement Use of Spyware


This letter is pretty remarkable.  It is already beginning to attract some attention.

It is interesting from the perspective of both the general subject matter...


"I am writing in regard to the Federal Bureau of Investigation’s (“FBI”) use of spyware...Obviously, the use of such capabilities by the government can raise serious privacy concerns."


...but even more so for the remarkable level of detail...


"Has the FBI deployed spyware on behalf of state or local law enforcement? If so, what are the internal FBI policies and procedures related to doing so?"


"What methods does the FBI use to deploy spyware? Please list each method of deployment used in the field since 2009 and the number of times it has been used."


"Does the FBI use zero-day exploits in conjunction with its use of spyware? 

a. If so, are these zero-day exploits developed by the government or purchased externally from private companies, such as Vupen Security? 

b. If so, how much has the FBI spent on developing or purchasing zero-day exploits? Please list both the cost for in-house development and external purchases. 

c. If so, does the FBI ever notify the company that owns the exploited software of the security breach? If it does, what policies guide the timing and content of this disclosure? If it does not, why not?"


"As noted above, the FBI has acknowledged using phishing to deploy spyware, and impersonating a real media outlet in doing so. Since 2009, how many times has the FBI impersonated personnel from legitimate companies, whether media or otherwise, in deploying spyware? 

a. Which companies has it impersonated? 

b. Does the FBI notify the companies it impersonates that it has done so? If so, what policies guide the timing and content of this disclosure? If not, why not?"


"What internal audit procedures does the FBI use to ensure that spyware and related programs are used in accordance with agency policies, procedures, and the law?"


It will be interesting to see what becomes of this, but it looks like the use of spyware by law enforcement - which has largely escaped legislative oversight - is now something Congress is going to concern itself with.  

These are tough issues, and I imagine that these discussions will be heated and vigorous ones. 


Add new comment