It's not only hackers who sneak spyware onto unsuspecting peoples' computers. The FBI does it too, and has been for years.
Heavily redacted documents obtained by Wired magazine under the Freedom of Information Act show that the FBI has been using software it calls CIPAV — Computer and Internet Protocol Address Verifier — for nearly a decade.
Agents lure the target, usually someone who's concealing his Internet Protocol (IP) address to mask his identity, into clicking on a certain Web site, which infects his machine with the CIPAV software.
CIPAV then "phones home" to tell the FBI the target's IP address, operating system and serial number, installed software, list of recently visited Web sites, registered name and a whole lot of other stuff that's whited out in the documents.
It's been successfully used against suspected extortionists, sexual predators, bioterrorists and even one person thought to be impersonating an FBI agent.
One network of hackers who targeted a bank resisted downloading CIPAV, indicating that some, but eventually not all, of its members were wise to the FBI's ways. In another case, a hacker who'd gotten into servers at NASA and government labs turned out to be a Swedish 16-year-old.
CIPAV proved so immediately useful that way back in March 2002, a formerly classified Justice Department memo warned that "we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit."
Those concerns were unfounded: The spyware was still being used in 2006, according to the files, and presumably may still be today, unless it's been superseded by something even more sneaky and powerful.
Lest any privacy advocates be alarmed, the FBI got court orders each and every time they deployed CIPAV, even going to the Foreign Intelligence and Surveillance court several times when overseas targets were involved.