Feds’ ‘request for comment’ to school bomb threat teen was loaded with malware
No rules were broken when an FBI agent posed as a journalist to infect a criminal suspect’s PC with spyware, says a US watchdog.
And the Feds can do it again, provided they get the undercover operation signed off by their higher-ups.
Way back in June 2007, 15-year-old Charles Jenkins used a Gmail account to send a bomb threat to Timberline High School, near Seattle, Washington, sparking an evacuation. Jenkins also flooded Timberline’s network with a 24-hour distributed denial-of-service attack for good measure.
Over the next few days, the teen sent a string of bomb claims to senior staff, using various Gmail accounts, triggering daily evacuations of the school.
The messages were sent from IP addresses in Europe, suggesting the sender was working behind anonymizing proxy servers.
After the kid also created a MySpace page to boast about the threats, the Feds realized they were dealing with a classic attention-loving narcissist, and a cunning plan was concocted: a piece of spyware, dubbed a Computer and Internet Protocol Address Verifier (CIPAV), would be injected onto Jenkins’ PC to unmask him.
An agent, pretending to be an Associated Press editor, would send a message to the owner of the MySpace profile asking him for an interview.
That message would contain a link to a webpage dressed up as a legit article. Hidden in that page is code that installs spyware on the machine, collecting information such as the public IP address, MAC address, details of the logged-in user, and so on.
All this data is sent back to the FBI’s servers for processing.
The Feds followed standard procedure and were granted a search warrant by a court – their application to the judge did not detail exactly how the operation would be carried out, simply that the CIPAV would be installed “through an electronic messaging program from an account controlled by the FBI,” and that it would “conduct a one-time search of the activating computer.”
Thus, FBI Special Agent Mason Grant messaged Jenkins with a link to a fake Seattle Times webpage asking if it was accurate and if the teen had any comment.
Interestingly, even though the boy clicked on the link, the CIPAV failed to run due to undisclosed settings in his browser.
In a followup Gmail chat with the undercover agent, Jenkins clicked on a link to some images, supplied by Grant, and the surveillance-ware was deployed.
This coughed up his real public IP addresses, leading the FBI to his parents’ home, where he was arrested and confessed.
The Feds’ involvement in the case only came to light in 2014 when the EFF revealed Agent Grant had posed as an AP journalist.
The newswire subsequently sued the federal government.
Now, the Office of the Inspector General at the US Department of Justice has this week published a report on the whole affair [PDF] and concluded that everything was done by the book – although under policy changes in June this year, a similar operation today would require the green light from a string of senior staff.
That policy tweak was made following the revelations from the Jenkins’ case, and provides clearer guidance for undercover agents impersonating news media professionals.
Here’s the highlights of the report:
We found that Department and FBI policies in effect in 2007 did not prohibit agents from impersonating journalists or from posing as a member of a news organization, nor was there any requirement that agents seek special approval to engage in such undercover activities.
The only policies in effect at the time that might have required elevated consideration regarding the FBI’s plans turned on whether the undercover activity involved a “sensitive circumstance.”
We concluded, given the lack of clarity in the policy language, that making a determination whether a situation was a “sensitive circumstance” was a challenging one and that the judgments made by the agents were not unreasonable given the lack of clarity.
We also found that prior to the adoption of the new interim policy in June 2016, FBI policy would not have prohibited FBI employees from engaging in the undercover activities agents conducted during the 2007 Timberline investigation.
The new interim policy, however, clearly prohibits FBI employees from engaging in an undercover activity in which they represent, pose, or claim to be members of the news media, unless the activity is authorized as part of an undercover operation.
In order for such an operation to be authorized, the undercover application must first be approved by the head of the FBI field office submitting the application to FBIHQ, reviewed by the Undercover Review Committee at FBIHQ, and approved by the Deputy Director, after consultation with the Deputy Attorney General.
In the end, a serial bomb hoaxer was collared and carted off after a mostly well-executed operation.
But the use of spyware delivered through web links is problematic. Many things can go wrong – imagine the chaos if the link was shared on social networks, infecting any number of systems, and if the shared payload fell into the hands of miscreants to reverse engineer and exploit privately.
This is on top of concerns that injected snitchware is potentially inadmissible in court due to the secrecy and security issues surrounding the code. ®