Last fall, we wrote about how the FBI had set up a fake AP news story
in order to implant malware during an investigation. This came out deep in a document that had been released via a FOIA request by EFF, and first noticed by Chris Soghoian
of the ACLU. The documents showed the FBI discussing how to install some malware, called a CIPAV (for Computer and Internet Protocol Address Verifier) by creating a fake news story:
It later came out that the way the FBI used this was an undercover agent pretended to be an AP reporter
and sent the suspect -- a 15 year old high school kid... -- a "draft" of the article to review. And when the kid opened it, the malware was deployed.
In response to this, FBI director James Comey defended the practice
, saying that it was legal "under Justice Department and FBI guidelines at the time" and, furthermore, that this bit of deception worked. Comey also said that while guidelines had changed, and such impersonation would require "higher-level approvals," it was still something the FBI could do.
The AP has now sued the FBI
, along with the Reporters Committee on Freedom of the Press (RCFP) over its failure to reveal any more details about this effort following a FOIA request. For reasons that are beyond me, even though it's the AP filing the lawsuit and the AP writing about
the lawsuit, reporter Michael Biesecker apparently doesn't think its readers can handle the actual filing, so they don't include it (this is bad journalism, folks). However, you can read the actual lawsuit here
In short, the AP made a FOIA request for documents related to this specific case above, as well as "an accounting of the number of times" that the FBI "has impersonated media organizations or generated media-style material" to deliver malware. The FBI said it was working on it, and then bizarrely told the AP that the request was being "closed administratively" because it was being combined with someone else's FOIA request, which left the AP reasonably confused, since they had not initiated that request and had no idea who had.
In a letter from Mr. Hardy dated December 10, 2014, the FBI stated that, even
though the request had yet to be fulfilled, the AP Request was unilaterally “being closed
administratively,” because the “material responsive to your request will be processed in FOIA
1313504-0 as they share the same information.”
The combining of Mr. Satter’s request with Request No. 1313504-0 occurred
despite the fact that Mr. Satter had not filed Request No. 1313504-0 and was given no
information about the identity of the requester underlying FOIA Request No. 1313504-0.
When the AP asked the FBI for more info, it was told that "the estimated completion time for large requests is 649 days." And still refused to reveal who had sent in the other FOIA request. The AP filed a formal appeal, and a week ago was told that there was nothing to appeal because the FBI had not completed Request No. 1313504-0 (which, again, the AP had not actually sent in). Hence the lawsuit.
The RCFP FOIA request received a somewhat more standard "no responsive records" response, to which the RCFP pointed out that the FBI was clearly lying, given that the earlier response (to the EFF FOIA, which kicked off this whole thing) showed that there was, in fact, such responsive results (I know this experience
all too well).
And thus, both organizations are now suing to force the FBI to actually turn over the damn documents. Can't wait to find out all the national security reasons (or will they be redacted) for why the FBI won't respond, and why it combined the AP's FOIA request with some totally unknown party's.