WASHINGTON (AP) — The young hacker was told in no uncertain terms: You are safe with me.
“I am not trying to find out your true identity,” AP journalist Norm Weatherill assured the teenager in an online chat. “As a member of the Press, I would rather not know who you are as writers are not allowed to reveal their sources.”
But Norm Weatherill was no reporter. He was FBI agent Norman Sanders Jr., and the whole conversation was a trap. Within hours, the 15-year-old hacker would be in handcuffs as police swarmed his house.
The 2007 bust would put an end to 10 days of nonstop bomb threats at the hacker’s high school but would also raise a troubling question that is unanswered to this day: How often do FBI agents impersonate members of the news media?
The answer is important, says one expert who played a key role in revealing the bureau’s subterfuge, because sources need to know journalists won’t turn them in.
“Journalists play a very similar role to doctors in our society in that we trust them,” Christopher Soghoian, former chief technologist at the American Civil Liberties Union, said earlier this year. “And without trust they cannot operate.”
Two weeks ago, a federal judge rejected a lawsuit from The Associated Press and the Reporters Committee for Freedom of the Press demanding more detail from the FBI about the practice of posing as journalists. The two media organizations are appealing the ruling.
Meanwhile, the AP has drawn on hundreds of pages of records and interviews with a dozen people to piece together the story of how a computer-savvy sophomore’s end-of-year prank escalated into a confrontation between the Justice Department and the media.
“HAVE A NICE EXPLOSIVE DAY”
The first email said, “I will be blowing up your school.”
Sent on Sunday, June 3, 2007, around 9 p.m. and addressed to several dozen teachers and administrators, it said four bombs were hidden throughout Timberline High, a 1,500-student school in an aging brick building in Lacey, a middle-class suburb of Olympia, Washington.
“We treated it like a real threat,” then-Principal Dave Lehnis recalled. Administrators met with police that night and scoured the school with bomb-sniffing dogs. They found nothing.
The second threat arrived early Tuesday morning.
“It’s now time to get serious,” the email said , warning that five bombs were set to go off throughout the building. Students were evacuated to the soccer field. Again, nothing was found.
The messages, distributed via bogus Gmail accounts, continued like this for more than a week. One said , “Well have a nice explosive day and I hope everyone keeps their arms and legs.” Another warned of a vibration-triggered bomb supposedly taped to the bottom of one of the school’s portable classrooms. Some messages threatened staff members individually; Lehnis received one saying , “ENJOY YOUR LIFE ENDING.”
Each time a threat came in, the school would be emptied. Each time, nothing happened.
“There were times I just wanted to say, ‘This isn’t possible,’” Lehnis said. “I’m not sure al-Qaida could do this on this short notice.”
The threats seemed to be coming from a student. The first message — signed “Your Mom” — had the snotty tone of an attention-seeking adolescent and carried knowing references to the school’s open-plan layout. Many messages were sent in the name of a 14-year-old freshman who clearly had nothing to do with the threats. There were even complaints about prices at the student store.
“SMOOTHIES SHOULD BE $1.00,” one email said .
Some students enjoyed the evacuations. Others grew annoyed.
“A lot of kids started bringing blankets and lawn chairs,” said Meggan Dowd, a Timberline sophomore at the time. “There was just no learning because everybody was waiting for another bomb threat to happen.”
The hoaxer seemed desperate for attention, setting up a MySpace account with a picture of a bomb-wielding cartoon villain to help distribute the threats.
Lacey Police Sgt. Jeremy Knight issued a series of emergency requests to MySpace and Google, but the records pointed back to servers in Italy or the Czech Republic. The hacker had broken into the servers and used them to throw investigators off. He could have been hiding anywhere.
“It was a case unlike anything I’d ever done before or since,” Knight said in a recent interview. “The skill level there was impressive for a 15-year-old kid.”
At Timberline, Knight and his colleagues faced a number of weak tips and a multitude of potential suspects.
One student was singled out because he smiled during an evacuation. Another came under suspicion for an offhand comment about the school’s “weak firewalls.” The 14-year-old freshman framed by the hoaxer told police a certain classmate might be behind it “because he’s been talking sexual stuff about my mom.”
At one point, police had a list of 30 possible high school suspects arrayed into two spreadsheets bearing notes such as “smart, techie” or “picked on, body issues.” One note by a student’s name read: “Possible, if smart enough.”
With police hitting electronic dead ends and struggling to make sense of the high school rumor mill, parents were getting panicky. At a June 12 meeting with police and school administrators at Timberline’s library, they kicked in an extra $450 for the reward for information leading to the hoaxer’s capture.
“It’s more difficult to track email than you might think, if you have computer savvy on the internet,” Police Chief Dusty Pierpoint told the gathering.
By that point, Lacey police had called in the FBI. And agent Sanders was sending the hacker his first interview request.
“OUR SECRET IS OUT!!!”
Charles Jenkins has been programming since he was 10 or 11. Now a youthful 25-year-old with a slight frame and a boyish smile who works in software far from Washington state, he speaks in a bored-sounding monotone over the phone.
“I don’t really have any excuses,” he said in an interview, the first he has ever granted.
Jenkins — whom the AP is identifying by his FBI-assigned pseudonym because he was a minor at the time of his hoaxes — said he wanted to apologize, especially to the classmate he tried to frame. Several Timberline students said Jenkins had been bullied for being gay, but Jenkins said it wasn’t particularly serious.
“I definitely wouldn’t attribute that for a motivation for what I did,” he said. Questioned after his arrest, Jenkins described the threats as a kind of end-of-year prank. A decade later, he said he had no particular motive beyond “feeling powerful.”
He relied largely on two or three servers that he had penetrated from his home computer. He typically emailed his threats between the time his parents left for work and when he took the bus to school.
Jenkins said his parents weren’t overly concerned about what was happening at the school, though he did recall his mother remarking one evening, “Whoever is doing this is going to get in a lot of trouble.”
It was just after class on June 13 that “AP Staff Publisher Norm Weatherill” wrote to Jenkins to ask for comment on the threats.
“Leave me alone,” Jenkins replied.
Weatherill — who was actually Sanders, the undercover FBI agent — persisted, promising anonymity. “Readers find this type of story fascinating,” he explained, the way any journalist would.
Jenkins relented, and the agent sent him links to material related to an AP article he was supposedly putting together. When Jenkins clicked, malicious code ran on his computer and broadcast his internet protocol address back to law enforcement.
Six hours later, Lacey police were at his door.
Jenkins pleaded guilty in juvenile court to identity theft, harassment and making bomb threats. He was sentenced to 90 days’ detention, ordered to pay nearly $9,000 in restitution and barred from possessing computers, cellphones or video games for two years.
That might have been the end of it had it not been for Wired magazine. Two days after Jenkins was sentenced, Wired broke the news that the precocious cybercriminal had been caught with the help of FBI surveillance software, offering what it called “the first public glimpse into the bureau’s long-suspected spyware capability.”
“Our secret is out!!!” an employee of the FBI’s technology division emailed colleagues the day the story ran. The spyware disclosure angered the bureau. “People are not happy,” an FBI lawyer wrote in an email several days later.
The emails, obtained in 2011 by the San Francisco-based Electronic Frontier Foundation, were part of a cache showing how the spyware that caught Jenkins appears to have been first developed in 2001 . By 2007, the FBI was secretly deploying the technology across the country , drawing interest from the military and foreign governments .
Then in 2014, Soghoian went through the EFF documents and spotted something others had missed. The FBI hadn’t just used spyware in the Timberline case; it had delivered it using a fake AP news story dressed up to look as if it was on The Seattle Times website. Soghoian shared the find on Twitter , setting off a media firestorm .
FBI Director James Comey defended the practice in The New York Times about a week later, revealing in the process that the bureau had not merely produced a fake AP story but had also relied on an agent posing as an AP journalist.
“That technique was proper and appropriate under Justice Department and FBI guidelines at the time,” Comey wrote. He said doing the same thing now “would probably require higher-level approvals than in 2007, but it would still be lawful.”
AP responded by saying Comey’s explanation “doubles our concern and outrage.” Writing on behalf of two dozen media organizations, the Reporters Committee called law enforcement’s impersonation of journalists unacceptable, “whether it is digital or physical.”
“THE TOOL OF FIRST RESORT”
In 2007, law enforcement hacking was a novelty. By 2014, researchers had documented a crowded field of police and spy agency hackers and the frequent use of fake media personalities , malicious news apps and bogus articles to trick targets into compromising their own devices.
A few days after Comey’s comments, the AP filed a public records request seeking information on whether the FBI’s actions in the Timberline case were an isolated incident or part of a broader pattern.
The bureau blew its legally mandated 20-day deadline, at one point saying it would take 649 days to process the data. The Reporters Committee, which had filed similar requests , sued together with AP.
In March 2016, the FBI produced 186 pages of documents, among them a report acknowledging that “an argument can be made” that the FBI’s Seattle office violated agency guidelines by letting Sanders go undercover as a journalist without alerting headquarters. In June, the bureau quietly tightened its rules on the impersonation of reporters, explicitly requiring top-level clearance from Washington every time an agent poses as a member of the media.
The new restriction, made public when the FBI’s inspector general released its report on the episode in September, fell far short of the ban on impersonation that the AP and other news organizations were seeking. And it did little to answer the question of how often the FBI has passed itself off as the media.
On Feb. 23, a federal judge said the FBI had made a good-faith search of its records and had disclosed all it needed to. The AP and the Reporters Committee say the bureau needs to look harder.
“AP is calling for the release of all FBI documents related to the impersonation of any and all journalists in order to make the public aware of this deceptive practice and its breadth,” Executive Editor Sally Buzbee said in a statement.
Underlying the fight is the suspicion that the FBI didn’t impersonate a journalist just that one time.
“If they’re using this to find a teenager who doesn’t want to take an exam, it’s not a tool that’s reserved for high-profile terrorism cases or child abuse cases,” said Soghoian, formerly of the ACLU. “The concern is it’s becoming the tool of first resort.”
The FBI declined to comment on the Timberline case or its fallout and refused to make Sanders, the FBI agent, available for an interview.
Back in Lacey, even those who were pleased with the FBI’s work allowed that the bureau’s methods raised eyebrows.
Lehnis, the former principal, said the bureau caught Jenkins in the nick of time — less than two days before graduation ceremonies.
“We were glad it ended when it did,” he said. “But using the press? Certainly if I were a journalist that would piss me off some.”
AP Researcher Monika Mathur in Washington contributed to this report.
Timberline High Bomb Hoax Documents: http://apne.ws/2niMDP0
Know more about FBI hacking or law enforcement impersonation of journalists? Raphael Satter is reachable at: http://raphaelsatter.com