As a number of outlets have reported, the DOJ IG just released a report on FBI’s impersonation of a journalist in 2007. The FBI pretended to be the AP to catch a high school student making bomb threats.

As I will explain in more detail in a follow-up post, the IG report somewhat exonerated the Agents who engaged in that effort. It also gives reserved approval of an interim policy FBI adopted this June (that is, well after the press complained, and just as the IG was finishing this report) that would prevent the FBI from pulling a similar stunt without higher level approval.

But some of the details in the report — as well as one of its recommendations — suggests that the FBI would still be able to pretend to be a software company making a software update. Here’s the recommendation.

Recommendation 2: The FBI should consider the appropriate level of review required before FBI employees in a criminal investigation use the name of third party organizations or businesses without their knowledge or consent.

As the report explains, this concern arises because FBI policies on undercover activities distinguishes between impersonating a biological person and a corporate one.

Finally, as we described in Section III of this report, we learned during the course of this review that while FBIHQ approval is required to use a third person’s “online identity” in undercover online communications or to make “untrue representations . . . concerning the activities or involvement of any third person” without that person’s knowledge or consent, special approval was not required to use the identity of an organization or business in undercover online communications or in other undercover activities. The new interim policy changes that policy as it relates to news organizations, but does not address this issue with regard to non-news organizations or businesses. We think the Department should consider the appropriate level of review necessary before agents in a criminal investigation are allowed to use the name of a third-party organization or business without its knowledge or consent, in light of the potential impact that use might have on the third party’s reputation.30

30 After reviewing a draft of this report, the FBI provided comments explaining that the heightened level of review and approval required for FBI employees to pose as members of the news media was introduced because such activity potentially could “impair news-gathering activities” under the First Amendment, but that such constitutional considerations do not apply to businesses and other third parties. Our recommendation, however, does not rely on equating the reputational interests of some third party organizations and businesses with the constitutional interests of others. We believe that reputational interests, and the potential impact FBI investigations can have on those interests, are themselves sufficiently important to merit some level of review before FBI employees use the names of third party organizations or businesses without their knowledge or consent. [my emphasis]

The new policy requires additional approvals before the FBI can pretend to be a news-gathering organization, but only requires that higher approval for news-gathering organizations, not other corporate entities.

In other words, FBI is only imposing these new restrictions because by pretending to be a journalist, it might impair the news-gathering activities under the First Amendment. But the FBI doesn’t care about the reputational harm that its undercover activities might do to non news media corporations.

And there’s nothing here that would prohibit the FBI to engage in the most obvious undercover activity to accomplish the same objective they had in the bomb threat case: to get someone to click a link that would, unbeknownst to the target, infect their computer with malware.

In other words, by all appearances, the FBI can’t infect you with malware by pretending they want to interview you, but they could infect you with malware by pretending they want to update your software.