The FBI may or may not have portable, password-stealing devices, the agency said in response to a Freedom of Information Act request.
“The mere acknowledgment of whether or not the FBI has any such records in and of itself would disclose techniques, procedures and/or guidelines that could reasonably be expected to risk of circumvention of the law,” the agency said in response to a records request submitted by Motherboard. “Thus, the FBI neither confirms nor denies the existence of any records.”
The request, described in a Monday report, sought to find whether the agency owned any “app interception systems,” which are portable physical boxes capable of stealing passwords for technology such as social media, email accounts, and smartphones.
The devices are manufactured mainly by three companies: Wintego, based in the United Kingdom, and Magen 100 and Rayzone Group, both headquartered in Israel.
A brochure for one of the surveillance products, Rayzone’s “InterApp,” describes what it is able to capture. Some of the promised information includes user email addresses, passwords and content; Twitter, Facebook and other social media passwords; photos; and personal information that includes gender, age, address and education. The product requires “minimum training,” adds the brochure, with “no technical skills required.”
The FBI’s response applied to Rayzone and Magen 100. It has yet to respond to a separate request regarding Wintego. In contrast with that agency, the Drug Enforcement Agency said it held no responsive documents about any of the companies.
The devices, which are regulated by arms control law, are difficult for non-state actors to obtain. Rayzone explicitly notes that buyers must obtain authorization pursuant to Israeli law.
However, the revelation does call into question the scope and legality of FBI surveillance. The Justice Department last year placed restrictions on the use of similar devices known as IMSI catchers, which are aimed at obtaining a much more limited set of data that does not include content or passwords. The FBI has been required to obtain a warrant prior to using IMSI catchers since that change was made.