Sending a bomb threat to avoid an exam for which you are almost guaranteed to receive a good grade makes about as much sense as spilling acid on your foot to avoid a soccer game when you know that every player will receive a trophy anyway. Yet that’s what Harvard sophomore Eldo Kim is alleged to have done earlier this week. (The bomb threat, not the acid.)
The threat garnered a response from multiple police forces and government agencies, which determined that it had been sent by someone using the private Guerrilla Mail email service and the Tor privacy tool. From there, they were able to identify Kim as their prime suspect.
The agencies were able to identify Kim not because they could monitor Tor’s network — even the NSA is reportedly unable to do that — but because Tor was accessed through Harvard’s WiFi network. The services used to send the threat were working perfectly; it was a simple human error that led to Kim being named the primary suspect in the investigation.
This demonstrates just one of the problems with the idea that any tool can guarantee private communication. In this instance, the government’s ability to identify someone using anonymizing tools is probably welcome — a bomb threat is hardly something to ignore. But knowing that people using these and other tools for less nefarious purposes are one mistake away from exposure is discomforting.
Such are the dangers of technological ignorance. It’s easy to trust that a tool automatically deletes your photos, accesses your address book only when necessary, or cares that you told it not to share information with advertisers. It’s harder to verify those claims or to know what many of these tools are doing with the data they collect. It’s harder still to properly use the tools meant to help people protect their information, their anonymity, and their activities.
Again, that proved to be a boon in this case. Though an actual crisis wasn’t averted by the government’s ability to determine just who accessed an otherwise private service, finding someone who is apparently stressed enough to issue a fake bomb threat will likely prove to have been a good thing. But it also highlights just how hard it is to obfuscate your online activities, no matter how secure you think you are.