Even as the FBI warns US citizens that their personal data is increasingly likely to be hacked by criminals, the agency – without any public debate – is quietly ramping up its own abilities to hack anyone in the world. And, as we found out this week, their underhanded tactics are even ensnaring news organizations.
The Seattle Times and Associated Press issued angry statements to the FBI on Tuesday after the American Civil Liberties Union’s Chris Soghoian discovered that the FBI had falsified an AP story and byline, and then possibly attempted to make it look like the fake story was published on the Seattle Times website – all to deliver malware to a suspect in a criminal case. The evidence was buried in documents obtained by EFF (pages 61-62) under the Freedom of Information Act three years ago (and the emails date back even further), but no one seems to have noticed before this week.
Seattle Times editor Kathy Best said in a statement to The Stranger that the paper was “outraged” by the FBI’s apparent behavior and added: “Not only does that cross the line, it erases it… We hope that this mistake in judgment by the FBI was a one-time aberration and not a symptom of a deeper lack of respect for the role of a free press in society.” The AP followed suit, saying they were “extremely concerned and find it unacceptable” that the FBI would falsify an AP byline to deliver its malware.
After defending the practice on Monday, the FBI issued a statement Tuesday saying that, while they did fake the AP story, they did not in the end spoof the Seattle Times website. Though there are still a lot of questions that FBI seems unwilling to answer. Because the documents were heavily redacted, it’s tough to tell how the whole plan worked: we still don’t know how the FBI delivered the link (through a fake reporter or mySpace friend), to which website the link went, how many people besides the suspect clicked on it, or whether there even more impersonation going on beyond what we see in the email. And most importantly: how often do they normally impersonate news organizations and falsify articles?
Whatever the answers, impersonating news organizations is supposed to be beyond the pale for the US government. Even the CIA – of all places – has had a rule in place since the 70s barring its agents from impersonating journalists in the field. So why is the FBI allowed to pretend to be news organizations online?
In the six years since the FBI impersonated the Seattle Times and AP to hack a suspect, it’s only ramped up its exploits. Since at least 2007, the FBI has had what it calls a “Secure Technologies Exploitation Group” – which is a more polite way of saying they have a team that hacks computers.
In an extraordinary report published in August, Wired’s Kevin Poulsen detailed how the FBI has been setting up honeypots on certain websites to ensare all sorts of suspects. The websites deliver malware to every visitor of the website and will tell the FBI who has been visiting it – even if the Internet users are using anonymity tools like the Tor Browser. It’s one thing if this is being done for child porn websites – where even visiting the site is a crime – but this is yet another tactic that the FBI uses without telling us how often or against whom it’s aimed.
We do know that the FBI is attempting to alter the nationwide court rules known as the Federal Rules of Procedure, so that it will be even easier for them to hack suspects no matter where the investigation is occurring. Hastings Law professor Ahmed Ghappour recently called that effort “possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.”
But the FBI is trying to alter those rules without raising privacy advocates’ hackles (though luckily some have caught on). In their proposal, the FBI uses language like “use remote access to search electronic storage media and to seize or copy electronically stored information”. That is a euphemism for hacking, but it’d be hard to tell unless you read it 10 times. They’ve been using the same language with judges, at least one of whom has recently rejected the FBI hacking request, given the invasiveness of what they were actually doing. The judge described the FBI’s malware tool in that particular case like this:
Once installed, the software has the capacity to search the computer’s hard drive, random access memory, and other storage media; to activate the computer’s built-in camera; to generate latitude and longitude coordinates for the computer’s location; and to transmit the extracted data to FBI agents within the district.
Recently, FBI director Jim Comey complained that Apple and Googles houldn’t be encrypting Americans’ smartphones by default “without careful thought and debate”. It’d be nice if he used the same standard for the FBI’s hacking abilities – which seems to have become a go-to FBI tactic without Comey ever granting the public the right to either think or debate about it.