Project description:

Using a series of public records requests and expert sourcing in law enforcement and cybersecurity, NPR correspondents were able to track a mysterious hoax caller reporting false bomb threats and shootings at schools across the country. The caller, who appeared to be operating out of Ethiopia, used an internet based calling platform called Voice Over IP–a service that has serious challenges cracking down on fraud and abuse.

Impact reached:

NPR’s reporting brought together seemingly disparate data points from schools and local police departments around the country to reveal not only a disturbing trend but a specific pattern of activity that can be traced back to a single person or group of people. As a result, federal law enforcement is more deeply aware of the perpetrator’s activities, and local communities can begin linking up to share information. Local students, teachers, and parents desperately want more information about how an anonymous hoax caller can inspire very real fear and mobilize law enforcement. If we can’t yet answer why, we can begin to answer how.

Following NPR’s reporting, other journalists began requesting records in their communities, and technical experts have been able to dig more deeply into the caller’s background.

At least partially as a result of NPR’s reporting, one Voice Over IP service called TextNow decided to permanently ban users in Ethiopia from accessing its platform.

Techniques/technologies used:

The foundation of this reporting were data and reports obtained from FOIA requests. One responsive document to a FOIA request contained detailed information that a Louisiana sheriff’s department had uncovered in its investigation of a hoax call that appeared to be part of the swatting pattern. The response was sent as a PDF image. It contained several tables, including logs of all calls made and received by the Voice Over IP phone number behind one false bomb threat. NPR used optical character recognition technology to convert these tables into spreadsheets to help discern patterns in the caller’s activity.

With the spreadsheets, we used a number of tools. Pivot tables allowed us to examine peak dates on which this caller made most hoax calls. We joined data in these tables with external tables to find which states were targeted, illustrating the caller’s pattern of focusing on a select few states on each day. We also used Excel formulas to calculate the length of phone calls and time between phone calls, lending evidence that the calls were done by a human, rather than automated.

As for the investigation into problems with Voice Over IP, NPR Cybersecurity Correspondent Jenna McLaughlin shared call detail records with technical experts who were able to explain patterns of behavior, the caller’s potential location, and more. McLaughlin also created her own TextNow account and communicated with a community of so-called “scambaiters” about their efforts to target and locate abusers of the platform.

Context about the project:

This investigation began with NPR’s domestic extremism correspondent, Odette Yousef, because in recent years “swatting” schemes have been used by domestic extremist groups and individuals. But as we learned more, it became apparent that these swatting calls to schools are something very different. So far, the caller and his motive for pursuing this sustained and wide-ranging scheme remains unknown.

But in searching for more information, NPR has filed scores of FOIA requests to local government agencies in dozens of states, each with its own unique laws around releasing 911 calls and investigatory reports. On top of this complexity, the FBI has undertaken an investigation of these calls. Because of that, many local agencies have declined to provide documents pending the federal investigation.

What can other journalists learn from this project?

NPR’s reporting demonstrates that reading local news closely and following up with additional requests for records can allow national reporters and correspondents to find patterns that are hiding in plain sight. While a large number of local news outlets had reported on the hoax bomb threats and false shooter calls, few had more deeply explored how frequently it was happening elsewhere, and whether or not an individual person or group might be behind it–or why.

While the records NPR obtained can only reveal so much, it provides a roadmap for journalists looking for meaningful, national or international trends, as well as an example of how correspondents on different beats with different areas of expertise can collaborate. Bringing in journalists with a skill set in data, extremism, and cybersecurity allowed NPR to dig more deeply into each facet of this project, and put the pieces together in a way we wouldn’t otherwise have been able to.

Project links:

https://www.npr.org/2022/10/24/1129919258/swatting-fake-school-shooter-calls-hoax-pattern

https://www.npr.org/2022/10/07/1127242702/false-calls-about-active-shooters-at-schools-are-up-why