Senate and AP demand disclosure of all cases where FBI posed as media
Evidence that the FBI hacked a teenage suspect’s computer by sending spyware disguised as a link to a news report has prompted a prominent politician and the Associated Press to both ask the attorney general for an explanation.
Documents unearthed this week revealed that the FBI compromised the computer of a 15-year-old student in 2007 in an effort to positively identify the person thought responsible for sending bomb threats to a Washington state high school. Yet while questions were quickly raised after that revelation about the ethics involved in letting federal investigators conduct full-fledged hacking, how exactly the FBI installed spyware on their target’s computer — by sending the suspect a link disguised to look like an AP article published by the Seattle Times — has now alarmed not only the news wire, but a leading lawmaker in Washington.
Only days after details of the 2007 operation were disclosed this week, the AP and Sen. Patrick Leahy (D-Vermont), chairman of the Senate Judiciary Committee, both sent letters to Attorney General Eric Holder on Thursday expressing their concern over the FBI’s conduct.
“When law enforcement appropriates the identity of legitimate media institutions, it not only raises questions of copyright and trademark infringement but also potentially undermines the integrity and credibility of an independent press,” Leahy wrote in his letter to Holder.
"The FBI both misappropriated the trusted name of The Associated Press and created a situation where our credibility could have been undermined on a large scale," AP General Counsel Karen Kaiser wrote in the newswire’s letter. "The FBI may have intended this false story as a trap for only one person. However, the individual could easily have reposted this story to social networks, distributing to thousands of people, under our name, what was essentially a piece of government disinformation."
On Monday, American Civil Liberties Union principal technologist Christopher Soghoian directed his Twitter followers to a trove of internal FBI documents acquired by the Electronic Frontier Foundation concerning the bureau’s use of a “Computer & Internet Protocol Address Verifier” program, or CIPAV, used by investigations to locate suspected cybercriminals. Once successfully installed on a targeted computer, a CIPAV program can provide authorities with forensic information, including machine-specific specs, that can then, in theory, allow investigators to narrow-in on a suspect.
According to the documents spotted by Soghoian, the FBI installed a CIPAV program on the computer of a 15-year-old high school student in 2007 by sending that person a link over the website MySpace that was intended to resemble a news story hosted by the Seattle Times. The student, whose name has been withheld by RT because he was a minor at the time of the incident, was suspected of repeatedly making bomb threats directed at an area school. After authorities believed they found the MySpace profile of the person thought responsible, they sent a message to that account containing a link made to resemble an alleged AP-authored article called “Bomb threat at high school downplayed by local police department” published online by the Seattle Times. The link actually directed to a FBI computer, however, and, when clicked, covertly infected the suspect’s machine. Later, the person behind the MySpace account pleaded guilty to emailing repeated bomb threats to Timberline High School and was sentenced to 90 days in juvenile detention.
The Seattle Times said Monday that they were only made aware of the incident after Soghoian’s tweets began to circulate earlier that day.
In 2007, FBI sent malware via a link intended to look like a Seattle Times/AP story. https://t.co/Se9f0NXGd1 at pages 61-62.
— Christopher Soghoian (@csoghoian) October 27, 2014
“We are outraged that the FBI, with the apparent assistance of the US Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect,” Seattle Times Editor Kathy Bestsaidlate Monday. “Not only does that cross a line, it erases it.”
In response, FBI Agent Frank Montoya Jr. told Seattle’s The Stranger magazine that “Every effort we made in this investigation had the goal of preventing a tragic event” and said that only rarely does the bureau conduct these types of operations.
“We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late,” the agent said.
“I appreciate the difficult challenges faced by law enforcement by changing nature of technology and the great efforts agents across the country are making to keep our communities safe,” Leahy wrote. “Yet we cannot lose sight of the need for law enforcement to maintain the trust and confidence of the people they protect.”
In the letter, Leahy acknowledges that the latest correspondence comes on the heels of a similar complaint placed with the attorney general after it was revealed that the Drug Enforcement Administration created a fake Facebook profile using the images of an unsuspecting woman in order to conduct an investigation.
“As the Justice Department evaluates its investigative policies related to creating fake online profiles, I urge you to extend your review to all techniques involving federal law enforcement impersonating others without their consent,” he says in this week’s letter. “I believe the American people would expect as much.”
Similarly, the AP letter sent to Holder asks the DOJ to provide details on how many times the FBI has masqueraded as the media to pursue targets — and a promise that the practice altogether ends.