FBI fakes newspaper webpage to catch student making bomb threats

The plan to catch the person making bomb threats against a high school in Lacey, Washington in 2007 sounded innovative. People who make those kinds of threats often like to revel in the publicity they create, and the FBI set a trap for the suspect using that theory. Investigators created a fake Associated Press story and embedded it and a link to a fake Seattle Times webpage in a message on the suspect’s (presumably anonymous) MySpace account. When the juvenile suspect clicked the link, the FBI traced his computer and made an arrest.

Everyone’s happy, right? The potential terrorist has been caught, the high school and its students are safe, and the operation didn’t require an overwhelming law-enforcement response. Sounds like a win-win to everyone not affiliated with the Seattle Times and the Electronic Frontier Foundation (EFF), which exposed the operation. The newspaper is not amused by the covert operation:

The deception was publicized Monday when Christopher Soghoian, the principal technologist for the American Civil Liberties Union in Washington, D.C., revealed it on Twitter.

In an interview, Soghoian called the incident “outrageous” and said the practice could result in “significant collateral damage to the public trust” if law enforcement begins co-opting the media for its purposes. …

“We are outraged that the FBI, with the apparent assistance of the U.S. Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect,” said Seattle Times Editor Kathy Best.

“Not only does that cross a line, it erases it,” she said.

“Our reputation and our ability to do our job as a government watchdog are based on trust. Nothing is more fundamental to that trust than our independence — from law enforcement, from government, from corporations and from all other special interests,” Best said. “The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.”

With whom, exactly? The only people who knew of the deception were the suspect and the FBI prior to EFF and the ACLU reporting on the incident, and the Times amplifying the story through its own reporting — seven years later. The ACLU isn’t happy about it either, equating the operation with the attempts to use medical personnel in Pakistan as a cover to find Osama bin Laden:

Christopher Soghoian, the ACLU principal technologist who tweeted the revelation Monday, said he felt the move was as big of a violation of public trust as the sham vaccination program that the U.S. government famously ran in Pakistan to gather intelligence about Osama bin Laden’s whereabouts.

“Impersonating the press is just as outrageous as impersonating doctors. The press plays such a vital role in our democracy and if people believe that clicking on a link to a newspaper is going to get them infected with FBI malware, they may be hesitant to read certain articles,” he said.

The objection in that case wasn’t an intrusion on civil liberties, but the potential to put real medical missionaries at risk in terror-impacted areas. That became all too real when attempts to vaccinate against polio ended up thwarted by the Taliban after the bin Laden operation, but what’s the risk here? That people won’t open spam? The FBI says the newspaper has its priorities out of order:

The special agent in charge of the FBI in Seattle defended the technique, according to The Seattle Times.

“Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University,” Frank Montoya Jr. said in a statement, referring to recent fatal school shootings in the Seattle area. “We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting.

“Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat,” he said.

The readers of the Seattle Times seem a little unclear on the source of the outrage, too. The comments are only accessible for those who have a user account, but one is easy (and free) to create. Several of their commenters note that the Times itself harvests user data to target them for advertising, which is standard practice for websites but still a bit of a non-sequitur in relation to this story. The Times, after all, chooses to use its own resources for that purpose, which is different than having the FBI using the Times’ reputation for their own investigative purposes.

However, as a few commenters noted, it’s not as if the FBI set up a competing web page and drew readers away, nor did they act without court supervision:

If the FBI had hacked the Seattle Times website to plant this fake story and malware, then the newspaper would have something to complain about. But this was a discrete action, a fake web page that was never in general circulation, never linked to the Seattle Times site at all, and sent only to the suspect. And all done under authority of a search warrant.

The web page set up by the FBI had one viewer — the suspect. They didn’t promote it as a way to snare the Times’ readers or steal traffic away from their site, nor does this impact public perception of their work. They had a legitimate crime to investigate and made sure the operation was narrowly targeted to the potential suspect. It may raise some questions about how far the FBI and other law-enforcement agencies can go in this direction, but (a) the courts are capable of dealing with that question through the warrant and trial process, and (b) this case doesn’t intrude on the Times’ operation at all. It’s worth noting, but this didn’t cross any lines, let alone erase them.