This week’s outrage over the FBI’s impersonation of The Seattle Times (and Associated Press) may prove a good example of why it’s important to wait until the facts are known before reacting — or overreacting. Outrage on the Internet often grows when only a partial story is told — this is especially true with Twitter’s 140-character limit — just enough to inflame but not enough to inform.
I consider myself very far left politically — I’m also a privacy advocate and a supporter of amnesty for Edward Snowden. But rather than jump on the bandwagon of Internet outrage over the FBI’s actions, I see this as just the type of court-backed, surgical law enforcement that we should be encouraging. In fact, the tactics of this operation are refreshing for their precision in light of outrageous NSA data collection practices and the appearance of Seattle’s own WiFi data traps.
What really happened
Here’s what the FBI actually did. Back in 2007, it sought to identify the owner of an anonymous MySpace page that was bragging about a Timberline High School bomb threat. An undercover agent sent a MySpace email to the account owner that included a fake news article blurb and a link to a web page that downloaded software (known as CIPAV) that helped the agency identify the suspect and subvert his computer. The link text said simply “article.” The URL itself did not contain any approximation of The Seattle Times or Associated Press but the website did show a fake Associated Press blurb. Furthermore and most importantly, the FBI obtained a warrant before executing these activities.
I spoke with Seattle FBI Spokesperson Ayn Dietrich-Williams who confirmed these facts.
Specifically, the FBI did not:
- Publish a link to malware anywhere the general public would likely have seen it. In fact, CIPAV’s effectiveness is reduced if significant numbers of people click the link.
- Create a fake Seattle Times web page.
- Subvert The Seattle Times website in any way.
Subsequent reports have clarified aspects of the story along these lines, correcting elements of the initial reports. Special Agent in Charge Frank Montoya, Jr., of the FBI’s Seattle Division emphasized, “There was no connection to The Seattle Times in the execution of the technique.”
In 2009, I used a similar technique to help capture Wired reporter Evan Ratliff, who’d vanished as part of a contest the magazine held to see if people could disappear in the Internet age. I built a fake media publication on Facebook called Vanish Team and regularly tweeted about articles there to the #vanish hashtag that Ratliff was known to be following. While Ratliff regularly used the anonymous Tor network to protect his IP address, he did not do so while using Facebook, as it was unusably slow and he didn’t realize IP tracking was possible within the social network. The technique helped me track Ratliff from Denver’s Stapleton airport, to Atlanta and finally to New Orleans, where I recruited local help to go find him on the ground.
A targeted investigative technique
This technique is called a honeypot. It’s similar to what the FBI did to identify the anonymous MySpace account holder, but the FBI’s action was precisely targeted via email to a single MySpace account. This isn’t outrageous; it’s smart, effective law enforcement.
The greatest risk to the public was that the suspect might publicly share the link with others on MySpace, causing them to download the CIPAV software and get caught up in the investigation. Dietrich-Williams told me that the FBI’s present-day operations must all comply with the Domestic Investigations and Operations Guide, which actually was not created until 2008.
To the average person in the Internet age of beheadings and Ebola panic, bomb threats may seem like the act of crazy people who almost never follow through, but it’s the FBI’s unenviable responsibility to pursue them to their conclusion. And Internet farce has slowly been landing closer and closer to home. Just this week, a Seattle student brought an actual Molotov cocktail to school and was arrested. And we’ve had three tragic school shootings in the Northwest this year.
Earlier today, the knee-jerk indignation from The Seattle Times seemed opportunistic to me — but now I realize it, too, was simply caught up in the outrage — reacting before gathering the facts.
The AP jumped on the agency as well. “We are extremely concerned and find it unacceptable that the FBI misappropriated the name of The Associated Press and published a false story attributed to AP,” said Paul Colford, Director of AP Media Relations. “This ploy violated AP’s name and undermined AP’s credibility.”
I also care deeply for journalism and the integrity of the fourth estate. But the facts of this case don’t upset me. I for one side with the court and with law enforcement on this case.
Would the Twitterverse have been just as upset if the FBI had impersonated Buzzfeed? How about Fox News?
If the FBI had published the AP blurb more widely where the public might have been fooled, I would have been more concerned and wanted to know why they chose the tactic over others. But they didn’t. This was a precisely targeted attack to identify the suspect who issued a serious violent threat.
I think everyone who’s pounced on the FBI for this story, including the press, should take a deep breath here, review the facts of the case and reconsider their response. In an age of unconstitutional blanket data collection, we should support precisely targeted ops like this one.
Disclosure: many years ago, I was socially acquainted (through soccer) with the FBI agent involved, Agent Norm Sanders. In 2009, when my website was hacked, I turned to him for assistance. Though I haven’t seen him for years, he struck me at the time as the kind of person you want in law enforcement — smart, low-key, and he gave me the impression of someone with clear integrity.