When agents with the Seattle division of the FBI swarmed the home of a 15-year-old high school student that year and charged him with making bomb threats, media reports noted that the arrest was made possible with the use of a so-called “Computer & Internet Protocol Address Verifier” program, or CIPAV, that had been remotely installed on the individual’s machine to collect and then communicate to the authorities the user-specific information that eventually identified the suspect. The student later pleaded guilty to emailing repeated bomb threats to Timberline High School and was sentenced to 90 days in juvenile detention.
Until this week, how the FBI actually went about sneaking the CIPAV program onto the student’s computer was a matter that went unreported. After digging through a trove of emails (PDF) previously obtained through a Freedom of Information Act request by the Electronic Frontier Foundation, however, American Civil Liberties Union technologist Chris Soghoian stumbled upon details showing that authorities accomplished the installation by sending a malicious link disguised as a Seattle Times news article to a social media account used by their suspect.
“Here is the email link in the style of the Seattle Times,” reads one of dozens of internal FBI emails spotted by Soghoian on Monday as he combed through details concerning the bureau’s use of the spyware.
“[B]elow is the news article we would like to send containing the CIPAV. I am meeting with the judge at 1:30 PST and hope to deploy afterwards,” reads another.
According to the correspondence, the FBI’s plan involved sending a fake Seattle Times article to a MySpace account that was purported to be created by the person responsible for repeatedly making phony bomb threats. The link, which was supposed to direct the visitor to an Associated Press article called “Bomb threat at high school downplayed by local police department,” was in fact hosted on an FBI computer and, when clicked, covertly infected the target’s machine.
Once the MySpace user navigated to the phony Times article, the CIPAV was silently installed and soon began sending investigators information about the IP address associated with the computer’s browsing history, as well as details about other sites that were being visited and machine-specific specs that made it possible for investigators to draft charges and issue an arrest for the minor.
Although the seven-year-old operation hasn’t made headlines since the student was sentenced in July 2007, the investigation is now making waves after it was revealed through Soghoian’s discovery that not only did the FBI pose as the press to infect a suspect’s computer, but that The Seattle Times was never told by the feds that its name was used to hack a high school student.
After Soghoian fired out a barrage of tweets concerning his discovery on Monday, the Times published an article of its own — one presumably free of malware — denouncing what the paper considers to be an act of “deception” carried out by federal authorities.
“We are outraged that the FBI, with the apparent assistance of the US Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect,” Seattle Times Editor Kathy Best said late Monday. “Not only does that cross a line, it erases it.”
“Our reputation and our ability to do our job as a government watchdog are based on trust. Nothing is more fundamental to that trust than our independence — from law enforcement, from government, from corporations and from all other special interests,” Best added. “The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.”
The FBI is standing by its behavior, however, saying in response that investigators were in the right to rely on the previously undisclosed tactic to prevent a “possible act of violence in a school setting,” even invoking a Washington state school shooting from earlier this week to defend the bureau’s actions.
“Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University,” FBI Agent Frank Montoya Jr. told Seattle’s The Stranger magazine. “We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat. We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late.”
Others, including Soghoian, say the FBI’s actions demonstrate an instance in which the bureau has gone well beyond its restraints.
The Associated Press issued a harsh denunciation of the Federal Bureau of Investigation (FBI) after the internal intelligence agency admitted one of its agents had posed as an AP reporter during a 2007 criminal investigation.
An FBI agent impersonated “an employee of the Associated Press” as part of an operation to bring charges against a young suspect believed to be delivering bomb threats at a high school in Olympia, Washington, FBI Director James Comey wrote in a letter to the New York Times on Thursday.
Kathleen Carroll, executive editor of the AP, slammed the FBI’s covert activities as “unacceptable.”
“This latest revelation of how the FBI misappropriated the trusted name of the Associated Press doubles our concern and outrage, expressed earlier to Attorney General Eric Holder, about how the agency’s unacceptable tactics undermine AP and the vital distinction between the government and the press,” Carroll said in a statement.
The AP letter sent to Holder (PDF) asks the DOJ to provide details on how many times the FBI has masqueraded as the media to pursue targets, and to promise that the practice ends altogether.
Meanwhile, the FBI director gave no assurance that such methods would not be employed again in future criminal investigations.
“That technique was proper and appropriate under Justice Department and FBI guidelines at the time. Today, the use of such an unusual technique would probably require higher-level approvals than in 2007, but it would still be lawful and, in a rare case, appropriate,” Comey wrote.
Sen. Patrick Leahy (D-Vermont), chairman of the Senate Judiciary Committee, also sent a letter (PDF) to Attorney General Eric Holder on Thursday expressing his concern over the FBI’s conduct.
“When law enforcement appropriates the identity of legitimate media institutions, it not only raises questions of copyright and trademark infringement but also potentially undermines the integrity and credibility of an independent press,” Leahy wrote in his letter to Holder.
In the letter, Leahy acknowledges that the latest correspondence comes on the heels of a similar complaint placed with the attorney general after it was revealed that the Drug Enforcement Administration created a fake Facebook profile using the images of an unsuspecting woman in order to conduct an investigation.
“As the Justice Department evaluates its investigative policies related to creating fake online profiles, I urge you to extend your review to all techniques involving federal law enforcement impersonating others without their consent,” he says in this week’s letter. “I believe the American people would expect as much.”