DOJ Defends FBI Agent Posing as Journalist to Infect Suspect’s Computer with Malware


The Justice Department recently released its “Review of the FBI’s Impersonation of a Journalist in a Criminal Investigation,” and it has concluded the 2007 operation was legally and ethically acceptable undercover work.

This conclusion probably won’t sit well with media organizations, which have vociferously protested the undercover sting over the ensuing decade, or with privacy advocates worried about law enforcement’s growing fascination with malware.

As the report summarizes, the FBI’s Seattle cybercrime task force was asked by local law enforcement to assist with the case of a 15-year-old student who was emailing bomb threats to the staff of Timberline High School, prompting daily evacuations of the school.

The suspect was careful to hide his identity and location by using proxy servers to send his threats, so the FBI assigned an undercover agent to contact him, posing as a reporter for the Associated Press. The agent was able to trick the suspect into clicking on a link to a fake news article, which revealed his location. He was then arrested and confessed to sending the bomb threats.

The details of this exercise in phishing – the favored tactic of both black- and white-hat hackers in which a personalized appeal, such as email seemingly originating from a trusted friend, convinces the target to download viral software or click on links to malicious websites – remained unknown until 2014, when the Seattle Times revealed the FBI agent working the case had pretended to be a reporter. (The fake web page that tricked the bomb-threat suspect into giving up his location was made to resemble the Seattle Times.)

This prompted a letter of protest from the Associated Press to the Attorney General (Eric Holder, at the time) and a number of angry editorials from newspapers, followed by a response from FBI Director James Comey defending his agency’s investigative technique.

Comey argued that impersonating a reporter and deploying malware to identify the suspect were “proper and appropriate under FBI guidelines at the time,” and indeed remained valid, although he said they would now “probably require higher level approvals than in 2007.”

Acting on behalf of 25 news organizations, the Reporters Committee for Freedom of the Press challenged these assertions, complaining that impersonating a reporter undermined media credibility and independence. The Committee also argued that Comey was wrong about whether such tactics violated FBI guidelines.

The Justice Department’s Inspector General reviewed the matter and has concluded the FBI’s policies circa 2007 did not directly address the tactic of masquerading as a journalist, so the operation “did not violate undercover policies in place at the time.”

However, the Inspector General did find that “certain investigative decisions made concerning communications the undercover agent sent to the individual suspected of making the bomb threats could have increased the level of approval required under FBI policy,” and faulted the investigative team for failing to consider this possibility.

As for the current state of affairs, the DOJ report notes that an interim policy went into effect in June 2016 that “clearly prohibits FBI employees from engaging in undercover activity in which they represent, pose, or claim to be members of the news media,” unless the activity is authorized by the head of the FBI field office in question, the Undercover Review Committee at FBI headquarters, and the Deputy Director of the FBI, who is required to consult with the Deputy Attorney General.

The Inspector General recommended making this interim policy permanent, calling it “a significant improvement to policies that existed in 2007 during the Timberline investigation.”

Furthermore, it was recommended that the Bureau “consider the appropriate level of review required before FBI employees in a criminal investigation use the name of third-party organizations or businesses without their knowledge or consent,” whether those third parties are media organizations or not.

For operations that involve impersonating a media organization, the IG said investigators should be mindful that suspects could believe they have entered into a “privileged relationship” with undercover agents pretending to be reporters.

Motherboard recalls that one of the criticisms raised in 2014 was that suspects presented with fake web pages by FBI investigators could easily re-post those pages through social media, potentially exposing thousands of people to what Associated Press General Counsel Karen Kaiser described as “essentially a piece of government disinformation” posted in the name of a media organization.

Such concerns might also extend to the Network Investigation Tools – i.e. surveillance websites or malware – the FBI uses in these operations. The most controversial case along those lines at the moment involves a Dark Web child-pornography site called Playpen, which the FBI controlled for several weeks in a (very successful) bid to identify kiddie-porn consumers by infecting their computers with viral code as they visited the site. Playpen was a hidden site that innocent users were highly unlikely to stumble across by accident, but other investigations could carry a much higher risk of booby-trapped files or websites spreading through social media.

The Justice Department report briefly considered the First Amendment implications of undercover agents pretending to be journalists, noting that such activity could potentially “impair newsgathering activities” by “making it less likely that sources will share information with journalists.”

In fact, the Timberline bomb-threat suspect rejected several contact efforts by the undercover agent until the agent sent an email claiming that “as a member of the press, I would rather not know who you are, as writers are not allowed to reveal their sources.”

The agents say they weren’t trying to establish an ersatz “confidential relationship” with the suspect, but that message rather explicitly does offer such a relationship. The FBI essentially called no-harm, no-foul by saying they only needed to trick the suspect into clicking on a single link to a fake news article, with no plan to engage in “protracted discussions” or establish any ongoing relationship with him.