JURIST Guest Columnist Gregory Fouladi, Valparaiso University School of Law Class of 2016, discusses the Constitutional ambiguity surrounding Federal Agency phishing techniques.

Imagine a scenario where you are sitting in a private area of your home browsing on your personal computer. You may be doing research, reading the news, shopping for Christmas gifts, uploading photos or talking with long-distance relatives via webcam. Now imagine a team of federal officers at a government agency monitoring your searches, tracking the location of your IP address, and watching from the other side of your computer’s camera. In today’s world this is becoming America’s new reality.

Federal agencies are using a technique known as “phishing” to obtain evidence against suspected criminals. The art of phishing finds security weaknesses in computer programs to gain control of the user’s PC. Phishing takes a number of forms, most notably the use of malware created by the FBI.

The malware’s purpose is to install malicious software that obtains control of any PC. The agents send the malware to users through some form of online link. Once the user opens the link, the malware is permanently installed on the user’s PC, arming the FBI with the ability to monitor the user’s location, searches, documents and web camera.

MSNBC.com first reported the use of this network investigative technique in 2001. The article reported that “the FBI plans hacker-style intrusion techniques … called ‘Magic Lantern’ that uses deceptive email attachments and operating-system vulnerabilities to infiltrate a target system.” This marked the beginning of an unprecedented era of intrusion that has dramatically unfolded.

The first reported implementation of the malware was revealed by Christopher Soghoian, Principal Technologist for the American Civil Liberties Union in Washington, DC. According to Mike Carter of the Seattle Times, he presented a set of documents [PDF] from the Electronic Frontier Foundation (EFF) that “reveal that the FBI dummied up a story with an Associated Press byline … with an email link in the style of The Seattle Times including details about the subscriber and advertiser information.”

After creating the false news story, the FBI sent the article to 15-year-old high school student Lacey Timberline, whom it suspected of making bomb threats. The link was sent to the inbox of Lacey’s Myspace account. Once she opened the link, the secret malware was permanently installed on the suspect’s computer. At that point, the FBI was able to access her location and Internet Protocol (IP) information. Lacey ultimately was convicted of making bomb threats, identity theft, and felony harassment due to communications written from the suspect’s PC.

Representatives of the Seattle Times were appalled to find out that the FBI had misrepresented their name in order to obtain evidence against a suspected criminal. The renowned news source believed that its readers would no longer trust the information that it presented, and that this incident had damaged its reputation. Seattle Times Editor Kathy Best said: “We are outraged that the FBI misappropriated the name of the Seattle Times to secretly install spyware on the computer of a crime suspect … Not only does that cross the line, it erases it … The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.” It is now clear that the federal government is willing to deceive the public, at everybody’s expense, in order to advance its criminal investigations.

In 2010 federal agents of the DEA created a fake Facebook account in an attempt to lure in suspected members of a drug ring. Sondra Arquiett filed a suit against the DEA after a fake Facebook account was created under her name. Arquiett was arrested on minor drug charges and ordered to serve probation. While she was detained, Arquiett’s cell phone was confiscated by the DEA agents. According to the Syracuse federal lawsuit, “DEA agent Timothy Sinnigen used stored pictures and information to make a remarkably accurate Facebook page.” Included in the Facebook page were pictures of Arquiett, her son, and niece. The DEA Agents continued using the Facebook page for a period of three months. According to the lawsuit: “Sinnigen then utilized the Facebook page to initiate contact with individuals he was investigating with regard to an alleged narcotics distribution ring … the DEA is not disputing the facts in the lawsuit, but insisted Arquiett lost all rights to her cell phone data when her gadget was confiscated.” Arquiett claims that now she is in fear for her life and suffers from severe emotional distress because “by posing as her on Facebook, Sinnigen had created the appearance that Arquiett was willfully cooperating in his investigation of the narcotics trafficking ring, thereby placing her in danger.” Arquiett’s attorney has since agreed to resolve the dispute through mediation.

The courts have struggled to interpret these cases in a number of ways and judges have looked to both sides of the dispute when they decide to issue warrants.

In United States v. Forrester, the court held that “IP addresses and the To/From fields in emails are the legal equivalent of dialed phone numbers and the government can get a court order to obtain them without showing probable cause as would be needed in a search of one’s home.” The Forrester Court cited an earlier case, Smith v. Maryland, where the US Supreme Court said that “the contents of the calls could not be listened in on without proving probable cause to a judge.”

Applying these holdings to the current phishing techniques, it would appear that federal agencies may obtain the IP address of an individual’s PC without establishing probable cause, but could not uncover the contents or the specific activity of the PC without first establishing probable cause and obtaining a judge-issued warrant. The allowance of federal agencies to use phishing techniques has become a matter of judicial discretion. Judges are having to make these powers up as they go along, and there is not much basis for them to be uniform in their decision-making.

The most shocking feature of the federal government’s phishing expedition is the ability to remotely activate the PC’s webcam. According to an article published in 2012 by the Washington Post, Marcus Thomas, the former assistant director of the FBI’s Operational Technology Division in Quantico, said:

“The FBI has been able to covertly activate a computer’s camera—without triggering the light that lets users know it is recording—for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations.” In an effort to arrest a suspected terrorist only known as ‘Mo’, a federal judge in Denver approved a warrant that would allow collecting “real-time images by activating cameras connected to computers.”

In a 2013 Houston bank fraud investigation, the FBI requested a warrant to remotely activate video feeds from a personal computer. Judge Steven W. Smith rejected the warrant saying that it was “extremely intrusive” and ran the risk of accidentally capturing information of people not under suspicion of any crime. He wrote that “such surveillance may violate the Fourth Amendment’s limits on unwarranted searches and seizures.”

The Fourth Amendment of the Constitution states:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

A strong argument emerges that the use of the federal government’s phishing techniques conflicts with the meaning, intent, and text of the Constitution’s Fourth Amendment. In the phishing process, there is no “particularly describing the place to be searched, and the persons or things to be seized,” but instead, the federal government obtains a warrant solely to compromise an individual’s general IP address, and from there, goes on a “phishing expedition” for anything it can possibly find.

These techniques are excessive and possibly illegal procedures used by the FBI to apprehend suspected criminals. The FBI’s strategies are evolving daily in response to our current technological advancements. Since the online world is still relatively adolescent, it is extremely complicated to regulate this world both for daily consumers and government agencies. Public opinion and Constitutional challenges will determine the future direction of these investigations. At this point, the acceptance of phishing is being determined on a case-by-case basis. It has merely become a matter of judicial discretion.

Gregory Fouladi is a second-year law student at Valparaiso University School of Law in Valparaiso, IN. He is passionate about researching the truth on controversial issues and bringing that information to the public eye. Gregory’s ultimate goal is to become a juvenile court judge.

Suggested citation: Gregory Fouladi, The Federal Government’s Phishing Expedition, JURIST – Student Commentary, Dec. 19, 2014, http://jurist.org/student/2014/12/gregory-fouladi-government-phishing.php.