The FBI has an elite hacker team that creates customized malware to identify or monitor high-value suspects who are adept at covering their tracks online, according to a published report.

The growing sophistication of the spyware—which can report users' geographic locations and remotely activate a computer’s camera without triggering the light that lets users know it's recording—is pushing the boundaries of constitutional limits on searches and seizures, The Washington Post reported in an article published Friday. Critics compare it to a physical search that indiscriminately seizes the entire contents of a home, rather than just those items linked to a suspected crime. Former US officials said the FBI uses the technique sparingly, in part to prevent it from being widely known.

The 2,000-word article recounts an FBI hunt for "Mo," a man who made a series of threats by e-mail, video chat, and an Internet voice service to detonate bombs at universities, airports, and hotels across a wide swath of the US last year. After tracing phone numbers and checking IP addresses used to access accounts, investigators were no closer to knowing who the man was or even where in the world he was located. Then, officials tried something new.

"The FBI’s elite hacker team designed a piece of malicious software that was to be delivered secretly when Mo signed onto his Yahoo e-mail account, from any computer anywhere in the world, according to the documents," reporters Craig Timberg and Ellen Nakashima wrote. "The goal of the software was to gather a range of information—Web sites he had visited and indicators of the location of the computer—that would allow investigators to find Mo and tie him to the bomb threats."

Later in the article, they elaborated on the attack:

Federal magistrate Judge Kathleen M. Tafoya approved the FBI’s search warrant request on Dec. 11, 2012, nearly five months after the first threatening call from Mo. The order gave the FBI two weeks to attempt to activate surveillance software sent to the texan.slayer@yahoo.com e-mail address. All investigators needed, it seemed, was for Mo to sign onto his account and, almost instantaneously, the software would start reporting information back to Quantico.

The logistical hurdles proved to be even more complex than the legal ones. The first search warrant request botched the Yahoo e-mail address for Mo, mixing up a single letter and prompting the submission of a corrected request. A software update to a program the surveillance software was planning to target, meanwhile, raised fears of a malfunction, forcing the FBI to refashion its malicious software before sending it to Mo’s computer. The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

The surveillance software was sent across the Internet on Dec. 14, 2012 — three days after the warrant was issued — but the FBI’s program didn’t function properly, according to a court document submitted in February. "The program hidden in the link sent to texan.slayer@yahoo.com never actually executed as designed," a federal agent reported in a handwritten note to the court. But, it said, Mo’s computer did send a request for information to the FBI computer, revealing two new IP addresses in the process. Both suggested that, as of last December, Mo was still in Tehran.

The article doesn't say exactly what kind of exploit FBI hackers embedded in the link. The warrant's description of an "Internet web link" that downloads the surveillance software when Mo signs onto his Yahoo account suggests a drive-by download launched from within the webmail session, perhaps a cross-site scripting or cross-site request forgery flaw in the mail interface or a browser exploit, possibly used in combination with other techniques. The court filing is also consistent with a two-stage attack: the link itself was fetched, which is what disclosed the two new IP addresses, but the program it carried "never actually executed as designed." That's pure speculation that could very well turn out to be wrong.
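The one thing the court filing does establish is that a computer which merely requests a link hands its public IP address (and request headers) to whoever serves that link, whether or not any payload delivered afterwards ever runs. The following is an added example written for this article, not the FBI's tool and not anything described in the court documents: a minimal "beacon" endpoint on localhost that records the source address and User-Agent of every fetch, plus a client call standing in for the target opening the link. The token in the path and the User-Agent string are hypothetical values chosen for the demo.

```python
"""Added example (not from the article or the court documents): a minimal
beacon link that logs who fetched it, even when nothing else executes."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

BEACON_TOKEN = "demo-token"  # hypothetical per-target token embedded in the link
records = []                  # one entry per request the beacon receives


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Record the source IP and headers first; this is the "request for
        # information" that discloses an address regardless of what happens next.
        records.append({
            "ip": self.client_address[0],
            "path": self.path,
            "user_agent": self.headers.get("User-Agent"),
        })
        if self.path == f"/{BEACON_TOKEN}":
            body, status = b"<html><body>ok</body></html>", 200
        else:
            body, status = b"not found", 404
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo's stdout quiet; records[] is the log


def serve_beacon():
    """Start the beacon on an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), BeaconHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_link(url, user_agent="constructed-client/1.0"):
    """Stand-in for the target's browser or mail client opening the link."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=5) as resp:
        return resp.status


def demo():
    """Serve the beacon, fetch it once, and return what the server recorded."""
    server, port = serve_beacon()
    try:
        fetch_link(f"http://127.0.0.1:{port}/{BEACON_TOKEN}")
        return list(records)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point for a practitioner is the asymmetry: the beacon learns the client's address the moment the request arrives, before any exploit stage is attempted, which is exactly why the FBI still obtained two IP addresses from a payload that failed. The same mechanism is what makes tracking pixels and canary links work, and it is why webmail providers that proxy remote content through their own servers blunt it.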

It's by no means the first time government investigators have used computer attacks to track down suspects. In 2007, encrypted e-mail provider Hushmail turned over 12 CDs' worth of e-mails from three account users in a case targeting illegal steroids distribution, a Wired journalist reported at the time. Hushmail's CTO told the publication of a general weakness in the service: a user's plaintext password could be logged when the user accessed the service. In August, The Wall Street Journal reported that a federal magistrate in Houston rejected an FBI request to send surveillance software to a suspect in a different case. The plan, which involved activating the suspect's built-in camera, was "extremely intrusive" and could violate the Fourth Amendment's curbs on searches and seizures, the magistrate said.

"We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate," Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Washington Post, speaking of the case against Mo. "Judges are having to make up these powers as they go along."