More than a year before the deadly shooting at Apalachee High School in Winder, Ga., the sheriff in a neighboring county was told by the F.B.I. of school shooting threats that a local student was believed to have posted on the internet chat site Discord.
An investigator interviewed the student, who was 13, for less than 10 minutes, and came away saying he could not determine whether the teen had made the threats. He closed the case, and his supervisor said the teenager would be monitored.
Now that same teenager is accused of carrying out the rampage that killed two students and two teachers last week at Apalachee, and his earlier encounter with the police has raised questions about whether more aggressive intervention then could have prevented the deadly shooting.
Cybersecurity experts and law enforcement officers who specialize in tracking online activity say that the investigator, from the Jackson County Sheriff’s office, gave up too quickly and that the handling of the case underscores a lack of training and expertise among rank-and-file officers in the nation’s 18,000 police agencies. Those officers are often the first line of investigation into online threats of violence, working in an ever-shifting universe of apps and chat rooms.
Seeking information from social media platforms has become routine for many police agencies, who use it to piece together timelines and behavioral profiles. Instagram, YouTube and TikTok have entire divisions dedicated to responding to law enforcement inquiries and complying with subpoenas that officers have obtained for user account information. But the investigator in Jackson did not seek such information.
“If I had subpoena power, which law enforcement officers do, with a very high degree of confidence I would be able to identify who the author of those threats was,” said Paul Raffile, a cyber-intelligence analyst who has collaborated with law enforcement agencies on investigating sexual extortion cases and other internet scams.
Janis Mangum, the sheriff of Jackson County, defended her department’s investigation. “We have somebody here that specializes in that kind of stuff,” she said in an interview. “We investigated this crime in May of ’23 every way it could be investigated at that time.”
Sheriff Mangum challenged criticism that arresting the teenager in 2023 would have prevented last week’s shooting. “I just wish the media would stop trying to blame people for this boy doing this,” she said. “If we had charged him last year, it wasn’t going to keep him from being in a school.”
The F.B.I. receives thousands of tips a day and refers many of them to state and local agencies who are asked to help pluck the truly dangerous needles from the haystack of pranks and posturing. Since the shooting last week, Georgia has experienced a rash of online copycats. More than a dozen students across the state, including an 11-year-old, have been arrested in connection with threats.
But many departments are small, stretched thin and, experts say, lacking in the evolving technical expertise required to identify and investigate bad actors.
“This online way of policing is so new and it changes every day — we get new platforms, we get new rules, we get new things all the time,” said Shonda Nadzakovic, a detective with the Phoenix Police Department who specializes in social media investigations.
Experts said that rapid changes should not be an excuse. “We cannot pretend this is not the cyber age,” said John Bandler, a professor at the John Jay College for Criminal Justice and a co-author of “Cybercrime Investigations: A Comprehensive Resource for Everyone.” “We can’t be in an era where we call local law enforcement and they say, ‘Sorry, we don’t do cyber.’”
Several experts who looked at the investigative file noted that the investigator, Daniel Miller Jr., did not read the F.B.I. report before he conducted his first interview with the teenager and his father. Investigator Miller said that he was unable to open the attachment on his county-issued phone.
The report said that the F.B.I. had received several tips that a Discord user had posted photographs of an AR-15-style rifle and a semiautomatic shotgun and threatened to shoot up an elementary school. It provided screenshots of the posts as well as the email address, phone number and IP addresses associated with the Discord account. It said the email address was linked to Colt Gray, and the internet service to his father, Colin Gray, at an address on River Mist Circle in Jefferson, Ga.
The information was obtained by the F.B.I. through publicly available resources and emergency requests to Discord and Comcast, the report said.
Investigator Miller and a deputy tracked down Mr. Gray and spoke to him and his son on their doorstep, a body camera video of the encounter shows.
Mr. Gray said that if he learned that his son had made threats, “All the guns will go away, and they won’t be accessible to him.”
He readily summoned his son to speak to the officers, telling them, “Please instill in him that whatever or wherever this is coming from, it’s no joke.”
Once outside, the son acknowledged that he had a Discord account several months earlier while his father and he were living at a previous address, but said he had deleted it because he believed the password had been stolen. He denied having made any threats against a school.
The F.B.I. said the account had not been set up until April 2023, that it had been tracked to the Grays’ current address on River Mist Circle and had been used as recently as the day before.
On the video, Investigator Miller says he is not trying to get anyone “pinned up,” but “this is some serious stuff.” He adds, “God forbid something happened and I didn’t do my job. I’d feel pretty bad about that.”
Experts said Investigator Miller did not obtain basic information like the teen’s Discord username, current or previous phone numbers, his email addresses or any other active social media accounts, which could have been used to check the teenager’s story or verify information from the F.B.I. that Investigator Miller later described as “inconsistent” and “unreliable.”
“I got to take you at your word,” Investigator Miller tells the teen.
At one point, when Investigator Miller was out of earshot, the other officer did ask the teen for his phone number, but he claimed he had a new phone and did not know it.
The teen’s implication that his Discord account had been hacked is a common response when someone is confronted about potentially inappropriate conduct online, experts said.
Investigators must be able to test such claims, Detective Nadzakovic said, using techniques that include looking at the suspect’s other social media activity, comparing IP addresses and times of illicit activity to those on the user’s other accounts, or simply interviewing teachers and other people who know the person. The Jackson County investigative file contains no record of such efforts.
The screenshots of Discord messages shared by the F.B.I. showed that the user said he planned to destroy his hard drive and leave a decoy drive for the police to find after he carried out the shooting.
Federal and state agencies have sought to fill the gaps in local investigative expertise by offering help. The Secret Service is home to the National Threat Assessment Center, which has done extensive research on school shootings and routinely assists local law enforcement.
The Georgia Bureau of Investigation has a Cyber Crime Center whose mission is “to assist local and state law enforcement agencies with complex investigations involving cyber-related criminal activity.” Jackson County did not request help in the threat investigation, a spokeswoman for the bureau said.
Investigator Miller joined the sheriff’s department in 2013 and became an investigator in 2017. His personnel records indicate that he had a bachelor’s degree in criminal justice and military policing experience, but, like many of his peers, no specialized training in cyber investigations of the kind offered by the Federal Law Enforcement Training Centers in Georgia.
Mr. Miller left the sheriff’s office last November and now works as an investigator for the county solicitor. Approached at his current job, Mr. Miller declined to comment.
According to his report, two days after his initial interview with the Grays, Investigator Miller reviewed the information from the F.B.I. that he had initially been unable to open. He notes that the Discord username was in Cyrillic and spelled out “Lanza,” the surname of the Sandy Hook school shooter who killed 26 people and himself in Newtown, Conn., in 2012. In a follow-up call to Mr. Gray, he asked if the teen spoke Russian.
Investigator Miller closed the investigation “due to the inconsistent nature of the information received by the FBI,” he wrote.
Mr. Raffile said that justification was not enough. “You have to assume that tips are going to be incomplete, you have to assume that tips are going to be inconsistent,” he said. “That’s never a reason to close a case.”
Paul Eckloff, a former special agent for the Secret Service, said that an investigation with no follow-through can embolden a would-be killer.
Sheriff Mangum said that her deputies had taken their investigation as far as the law allowed.
After the shooting at Apalachee, in which two students and two teachers were killed on Sept. 4, Colt Gray, now 14, was charged with four counts of murder. His father was charged with four counts of involuntary manslaughter, two counts of second-degree murder and eight counts of cruelty to children based on law enforcement officials’ contention that he supplied the gun used in the shooting. They have not entered pleas and are due back in court later this year.
Officials at the National Threat Assessment Center say that school shootings can and have been stopped, citing the center’s study of 67 averted attacks between 2006 and 2018 that found that success by law enforcement agencies lies in identifying warning signs and taking action to find help for a potential perpetrator.
The post Earlier Investigation of Georgia Shooting Suspect Ended Too Soon, Experts Say appeared first on New York Times.
