Malware is an umbrella term for any malicious software that does something to a computer without the user’s knowledge or authorization. When used to spy on a user’s activities, it’s called spyware. The US Department of Justice wants new policy changes that will let the FBI install spyware on citizens’ computers more easily than it has in the past, just by using probable cause.
The surveillance software is called CIPAV, or Computer and IP Address Verifier, and it’s designed to track suspects by logging their IP address, MAC address, any programs currently running, browser details and various operating system details.
There have already been several cases in which the malware was used to target bomb threat suspects and pedophiles, which is obviously a good thing. The problem stems from the fact that there are holes in the system where innocent people could be targeted along with criminals. An example of this is the FBI using its malware to infect zombie computers that are part of a botnet; many of those computers belong to people who have no idea their machines have been infected. Or as Gizmodo points out, “This is like the FBI searching your house without telling you because a criminal had already broken in earlier.”
The software is deliberately weak; CIPAV can’t spy on the whole computer, only on a specific list of things, presumably as a way to keep the malware legal, at least in the “gray area” sense of the term. These covert operations haven’t been widely reported on, yet as the Washington Post indicated in 2013, “Online surveillance pushes the boundaries of the constitution’s limits on searches and seizures by gathering a broad range of information, some of it without direct connection to any crime.”
The FBI won’t release details of the malware because as an FBI agent’s affidavit reveals:
In other words, criminals could figure out ways to defeat CIPAV.
If the policy changes happen, judges would have the ability to grant warrants for searches and seizures outside of their jurisdiction, and the FBI won’t need to prove the location of the target computer, as it has needed to do in the past in order to get a warrant.