Seven years ago, the FBI used a kind of spyware known as a CIPAV to track down and arrest a 15-year-old hacker who was sending bomb threats to a high school near Olympia. Old news for privacy watchdogs. But today, ACLU analyst Christopher Soghoian trawled through an arcane set of the bureau's records and came across something startling: in order to get the suspect's computer infected with the spyware, the documents suggest the FBI sent a message to him that masqueraded as an e-mail from the Seattle Times.
"Here is the email link in the style of the Seattle Times," wrote one FBI agent, whose name is redacted. "Below is the news article we would like to send containing the CIPAV," wrote another. The e-mail includes a message, a headline, a link, and subscription information all purporting to represent an Associated Press article carried online by the Seattle Times. According to WIRED editor Kevin Poulsen, the message acted as a phishing attack and was sent to the young man's MySpace account, "luring him to read an article about himself at a custom url."
The HTML behind the link would presumably redirect the viewer to an FBI server, which would infect the computer with spyware (CIPAV stands for Computer & Internet Protocol Address Verifier), allowing the government to track the computer's "IP address, MAC address, list of running programs, operating system, Internet browser used, language used, the registered computer name, the currently logged-in username, and more," according to Ars Technica.
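As an added illustration that is not from the article or any FBI record, here is the kind of check a mail filter can run on a message like the one described: flag any link whose target domain is neither the claimed sender's domain nor a domain shown in the link's visible text. The HTML sample is constructed for the example; the real message's content is not public, and the two-label domain approximation is an assumption (a production filter would use the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: a "news article" e-mail whose story link points away
# from the paper it claims to be from, while the subscribe link is genuine.
SAMPLE_HTML = """<p>Seattle Times - AP News</p>
<a href="http://news-article.example.net/story?id=1">seattletimes.com/localnews/story</a>
<a href="https://www.seattletimes.com/subscribe">Subscribe</a>"""

def base_domain(host: str) -> str:
    # Assumption: the last two labels approximate the registrable domain.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html: str, claimed_sender_domain: str):
    """Return http(s) links whose target domain is not the claimed sender's
    domain and not a domain named in the link's own visible text."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, relative links etc. are out of scope here
        target = base_domain(parsed.hostname or "")
        # Domains the reader is led to expect: the sender's, plus any the
        # link text itself displays (the classic text/href mismatch).
        expected = {base_domain(claimed_sender_domain)}
        for shown in re.findall(r"[\w.-]+\.[a-z]{2,}", text.lower()):
            expected.add(base_domain(shown))
        if target not in expected:
            flagged.append({"href": href, "text": text, "target": target})
    return flagged
```

Running `find_mismatched_links(SAMPLE_HTML, "seattletimes.com")` flags only the story link, because its visible text names seattletimes.com while the href resolves to example.net.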
"I remember reading about it at the time and wondering, 'How do they get people to click on their stupid links?'" says Soghoian, the ACLU's principal technologist.
The suspect, identified only as Josh in court records because he was a juvenile, was arrested following the apparently successful use of the CIPAV. But, Soghoian says, "The ends don't justify the means. I'm not saying that the FBI shouldn't be investigating people who threaten to bomb schools. But impersonating the media is a really dangerous line to cross."
The editor of the Seattle Times, Kathy Best, says they just learned about this and are seeking answers from the FBI and the US Attorney's Office. "We are outraged that the FBI misappropriated the name of the Seattle Times to secretly install spyware on the computer of a crime suspect," Best says in an e-mailed statement. "Not only does that cross the line, it erases it... We hope that this mistake in judgment by the FBI was a one-time aberration and not a symptom of a deeper lack of respect for the role of a free press in society."
Soghoian likened the FBI's apparent ploy to the CIA's 2011 fake vaccine campaign in Pakistan, which was in reality a front for intelligence gathering. The CIA pledged not to engage in any future deceptive public health campaigns last year.
Frank Montoya Jr., the special agent in charge of the FBI's Seattle office, said in a statement: “Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University. We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat. We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late.”
And agency spokesperson Ayn Dietrich-Williams declined, for now, to disclose further details about how the fake e-mail was designed, writing: "I’m sure you’ll understand that in order to safeguard the FBI’s ability to effectively detect, disrupt, and dismantle threats to the public, we must be judicious in how we discuss investigative techniques."
Here's the Times' full statement:
We, like you, just learned of this and are seeking answers ourselves from the FBI and the U.S. Attorney’s office.
But we are outraged that the FBI misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect. Not only does that cross the line, it erases it.
Our reputation—and our ability to do our job as a government watchdog—is based on trust. And nothing is more fundamental to that trust than our independence from law enforcement, from government, from corporations and from all other special interests. The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.