Editor’s Note: A previously published version of this story inaccurately reported that the FBI had created a fake Seattle Times Web site in order to learn the identity of a school-bombing suspect. Agents consulted the Seattle Times site for guidance in creating their phony article, which did not use the newspaper’s name, FBI officials said.
News outlets and privacy advocates reacted sharply Tuesday to the revelation that the FBI in 2007 tricked a school-bombing suspect into revealing his whereabouts by getting him to click on a link to a fake Associated Press article infected with tracking software.
“We are extremely concerned and find it unacceptable that the FBI misappropriated the name of The Associated Press and published a false story attributed to AP,” spokesman Paul Colford said in a statement. “This ploy violated AP’s name and undermined AP’s credibility.”
The disclosure came when American Civil Liberties Union chief technologist Christopher Soghoian on Monday spotted and tweeted out a reference to the ruse in a set of documents obtained in 2011 by another privacy organization under the Freedom of Information Act.
The news follows a story this month that the Drug Enforcement Administration created a phony Facebook account in a New York woman’s name as a way to identify other suspects in an alleged drug ring. The fake page included photos of the woman in a bra and underwear. The Justice Department is reviewing the DEA case.
In the latest incident, the FBI Seattle field office created a false AP news story with headlines that served as click bait: “Bomb threat at high school downplayed by local police department” and “Technology savvy student holds Timberline High School hostage.”
The agents sent a link to the story in a private message to the owner of an anonymous MySpace account who was believed to have been making bomb threats against Timberline High. By clicking on the link, the suspect unwittingly downloaded a piece of malware, a computer bug that enabled agents to identify his Internet protocol address.
The suspect, who was 15 years old at the time, later pleaded guilty to making bomb threats. The Washington Post typically does not name juveniles in criminal proceedings.
“Of course the FBI should investigate bomb threats to schools, but the ends do not justify the means,” Soghoian said. “It’s a dangerous road impersonating the media. If people do not trust the news media, then our democracy cannot function properly.”
Deception has long been used in law enforcement, but the DEA and FBI cases raise the question of what are the limits of undercover operations in cyberspace.
FBI officials on Tuesday said they were researching the policy on whether an agent could impersonate a news organization. Privately, one law enforcement official said such a tactic “is very risky” because “there really should be no question about the truthfulness of your identity as a reporter.”
The FBI field office in Seattle in a statement defended the practice as one used infrequently and to prevent tragedy.
“Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University,” said Frank Montoya Jr., the special agent in charge of the FBI in Seattle, referring to recent fatal school shootings. “We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting.”
Marcus Thomas, who was assistant director of the division at the time, said that he was not aware of the Seattle field office’s ruse, though the e-mails obtained by the Electronic Frontier Foundation show that at least three individuals at the FBI’s Operational Technology Division, which created the software tool, were sent an e-mail from the field office with the proposed news article.
“I don’t have a problem with [the tactic] personally if it was approved at a proper level,” he said. “I wouldn’t want any sensitive technique like that used without seeking Justice Department or high-level FBI approval.”
OTD created the tool, which allowed the agents to obtain the suspect’s IP address through software surreptitiously installed on the suspect’s computer. Agents have used the “network investigative technique” in other cases, including one involving a Colorado bomb suspect. They obtain warrants to search a suspect’s computer but generally do not inform the judge of an intent to hack the computer to install the malware. In the Seattle case, they also did not alert the judge of their plan to mimic the media.
Elizabeth Joh, a law professor at the University of California at Davis, said the FBI’s undercover operations fall under attorney general guidelines published in 2002. They include a general standard that the bureau must weigh the risks and benefits of any particular operation, including harm to third parties.
“Here, this isn’t a fictional individual” which was mimicked, she said. “This is the press and that, in some ways, is really alarming.”
Adam Goldman contributed to this report.