How Investigators Tracked Down the D.C. Plane Crash Video Leaker

More than six months after the collision over the Potomac River that killed 67 people, there are still plenty of questions about how a U.S. Army helicopter and a passenger jet collided. Just last week, the Department of Transportation’s inspector general launched a fresh audit of how the Federal Aviation Administration manages the airspace around Ronald Reagan Washington National Airport.

But a different investigation into the catastrophe moved at a much quicker pace. In the immediate aftermath of the crash, the Metropolitan Washington Airports Authority scrambled to figure out who had leaked video of the incident to the news media, according to documents obtained by The Intercept through a public records request.

The reports offer a panoramic view of how the leak investigation unfolded, the squishy statute the cops used to investigate and charge CNN’s source with a crime, and how the network’s failure to crop the leaked footage inadvertently aided the investigation.

On January 31, two days after the crash, CNN published two videos showing “previously unseen angles of the collision.”

“The videos, both shot on cell phones, show video replays of surveillance cameras capturing the crash between the passenger flight and the military helicopter,” CNN reported.

It didn’t take long for the MWAA police to determine the provenance of the source material.

Patrick Silsbee, a detective with the agency, recognized the shots as coming from airport security cameras and set about trying to smoke out the leaker. “The video shows camera angles and views that can only be found on the Metropolitan Washington Airport’s Authority CCTV video,” Silsbee wrote in a January 31 report, noting the location of landmarks in the videos, including a boathouse near the airfield.

The locations of the MWAA security cameras are redacted in the reports provided to The Intercept, ostensibly “to prevent the disclosure of law enforcement and security techniques and procedures not generally known outside the law enforcement community,” according to an accompanying letter from MWAA.

However, in one of the videos published online by CNN, the following text appears to be briefly visible in a corner of the clip, The Intercept found: “Terminal 2 FAA Tower South View,” seemingly corresponding to the security camera feed from which it was recorded. This material was cropped from the clip in CNN’s initial broadcast segment about the videos. The MWAA reports do not note this detail about the online version of the video.

A screenshot from CNN’s online article about the leaked videos, which seems to faintly show the words “Terminal 2 FAA Tower South View,” center-top.Screenshot: CNN

CNN did not respond to a request for comment.

Once Silsbee identified the leaked videos as having come from CCTV footage, his next step was figuring out where that footage could be accessed. Based on additional visual clues in the clips aired by CNN — such as the particular kind of monitor mount, and flashing lights visible in the area behind the monitor — Silsbee determined that the leaker must have recorded the video from monitors inside the MWAA police dispatch center.

“After reviewing the leaked footage several times, it is evident that the video comes from inside of this facility,” Silsbee wrote in the same report, noting a “very quick glimpse” of the dispatch center at the beginning of one video.

A screenshot from CNN’s online article about the leaked videos offered clues showing where they were recorded, including a monitor visible in the top right (partially obscured by the CNN logo), and lights in the background in the upper right.Screenshot: CNN

Silsbee’s next step was finding out who had made the recordings. He reviewed surveillance footage for the dispatch center and identified a dispatch worker, Mohamed Mbengue, who “clearly photographs and filmed the incident on his personal cell phone,” Silsebee wrote.

Silsbee also reviewed access records for Mbengue’s workstation during his overnight shift.

“Between the hours of 2256 and 0545, Mr. Mbengue can be seen on multiple occasions utilize [sic] his personal cell phone to record video and photograph these critical scenes,” Silsbee wrote.

Investigators frequently review CCTV footage during leak investigations, especially once an initial leak location has been identified or a suspected leaker is flagged.

Earlier this year, as part of a case against an alleged would-be leaker at the Defense Intelligence Agency, an FBI agent reviewed video surveillance footage of the suspect’s desk station, according to court documents. The footage showed the suspect, Nathan Vilas Laatsch, writing notes while looking at his computer monitor, then folding the notes and tucking them in his socks. In May, Laatsch was arrested and accused of attempting to pass classified information to a foreign government.

Checking surveillance tape isn’t a tactic reserved for government investigators. Following an embarrassing story about waste at Tesla in 2018, internal investigators reportedly reviewed factory CCTV footage in an attempt to identify the leaker.

“Computer Trespass”

Having identified Mbengue as the suspected leaker, Silsbee and other detectives obtained warrants to arrest him and search his phone, which had already been seized during an interview at Mbengue’s home.

Both the search and arrest warrants against Mbengue were predicated on alleged violations of Virginia’s “computer trespass” statute, a misdemeanor offense.

But Andrew Crocker, an attorney at the Electronic Frontier Foundation who has written about the federal counterpart to the Virginia law, the Computer Fraud and Abuse Act, called the application in Mbengue’s case “pretty staggering.”

The CFAA and its state counterparts were drafted quite broadly, which makes them tempting “catchall” infractions for police and prosecutors to throw at “any kind of behavior that’s objectionable in some way using a computer,” Crocker said.

The typical “computer trespass” case involves some sort of hack or unauthorized access. In 2021, the U.S. Supreme Court ruled that to violate the federal CFAA, a person must have accessed “particular areas of the computer — such as files, folders, or databases — that are off limits to him.”

“If the theory is recording a computer screen is a violation, I don’t know where that stops.”

But the MWAA reports suggest Mbengue merely recorded what he saw playing on the screen, and this was the sole basis for his alleged violation of the Virginia statute. Silsbee’s report indicates that dispatch center employees sign agreements not to share or record information they obtain on the job, but there is no indication that Mbengue lacked authorization to view videos of the crash.

“It seems like a real reach to me to say it’s a computer trespass,” said Riana Pfefferkorn, an attorney and tech policy researcher at Stanford University, who likened it to a “throwback to earlier attempts to expand the bounds of computer hacking law.”

“If the theory is recording a computer screen is a violation, I don’t know where that stops,” Pfefferkorn said.

On January 31, Mbengue was arrested during his shift at MWAA and taken to the Arlington Detention Center. He was later released on his own recognizance and arraigned on February 4.

The reports don’t indicate what, if anything, MWAA police found on Mbengue’s phone; whether the phone was unlocked; or how they otherwise obtained access to its contents. They note that it took the digital forensics lab several weeks to finish processing the data. According to the Arlington County Commonwealth’s Attorney, which handled Mbengue’s prosecution after Silsbee filed charges, Mbengue admitted to sending the footage to CNN and initially negotiated with the network over a potential fee but later retracted his fee demand. 

In May, Mbengue pleaded no contest to a single charge under the state computer trespass law, which local media reported was part of a pretrial diversion agreement that will expunge the charge after a year of good behavior.

Mbengue’s attorney did not reply to The Intercept’s inquiries about the case.

A Second Investigation

The MWAA’s leak investigation didn’t end with Mbengue.

On February 2, two days after Mbengue’s arrest, a lieutenant notified Silsbee “that an additional suspect was identified in possibly illegally obtaining photos or videos from the airport CCTV computers,” Silsbee wrote in a subsequent report.

Like Mbengue, security footage showed Jonathan Savoy, another MWAA employee, “taking a video on his cell phone” from the dispatch center monitors in the early hours of a shift.

Savoy told Silsbee he had “no nefarious intentions to disseminate or share the videos/pictures he had taken with anyone else,” Silsbee wrote in a report. Savoy consented to a search of his phone, and based on five videos found on the phone, Silsbee obtained a warrant for his arrest for violating Virginia’s “computer trespass” statute.

On February 3, the MWAA announced both men’s arrests, writing in a press statement that Savoy had been arrested “following further police investigation.”

In May, however, local prosecutors quietly dropped the charges against Savoy, through a filing called a “nolle prosequi,” according to the court docket.

Savoy’s attorney, Robert L. Jenkins Jr., told The Intercept that his client never violated the state law, and charges should never have been filed.

“The statute requires that the actions be done for specific reason,” Jenkins wrote in an emailed statement. “It must also be done in a clandestine manner. Mr. Savoy’s action did not fit the statute.”

The MWAA declined to comment on its investigation into Savoy and Mbengue.

The post How Investigators Tracked Down the D.C. Plane Crash Video Leaker appeared first on The Intercept.