By Detective Rich Wistocki (ret.) 

This article will explain how to stop the school shooter before the actual act happens.  There are so many school and law enforcement threat assessment trainings out there that do a great job at identifying threats.  However, I have not seen any that trains the LEO on how to obtain the data and execute a full plan on finding the intent, means and collaboration of the persons involved in this heinous act of terror. It amazes me that over the last 25 years of school shooters, no one has been able to figure out the protocol to stop them.  Some use these unfortunate situations at the peril of our children to make a political stance against guns and our second amendment.  Some make it about “hardening the target.”  Some blame it on the school districts.  Some blame it on police tactics and operations.  Some blame it on the breakdown of mental health help and how our students cope with their lives.  This article will discuss this issue through the application of hard evidence obtained by experience, training and most of all, the United States Secret Service 2021 Averting Targeted School Violence.

Let’s start with the facts.  According to the USSS study, 75 % of school shooters over the last 20 years have either told a classmate, an online group chat or posted in some way or another their intent to cause harm to school students, staff or a local school in general. How did they tell or post their intentions?  Through a group chat in social media, a message sent to someone they know on a gaming platform or a posting for everyone to see online from their personal social networks. This activity is called “leakage.”  Leakage is when the potential school shooter posts their intentions online before they commit the active shooter incident.

Recently, testimony has come out of the Nikolas Cruz (Parkland Shooter) trial that shows he had been planning his event for years. This was a news article from Terry Spencer of the AP:

“Cruz told Dr. Charles Scott during a March jailhouse interview that five years before he murdered 17 at Parkland’s Marjory Stoneman Douglas High School on Feb 14, 2018, he read about the 1999 murder of 13 at Colorado’s Columbine High School, which sparked the idea of his own mass killing.

Cruz told Scott how Columbine, the 2007 murder of 32 at Virginia Tech University and the 2012 killing of 12 at a Colorado movie theater all played a part in his preparation.

“I studied mass murderers and how they did it,” Cruz told Scott. “How they planned, what they got and what they used.” He learned to watch for people coming around corners to stop him, to keep some distance from people as he fired, to attack “as fast as possible” and, in the earlier attacks, “the police didn’t do anything.”

“I should have the opportunity to shoot people for about 20 minutes,” Cruz said.

Here is my exact point.  Where do you think he researched this?  On his school chrome book? On his desktop computer at home?  On his cell phone?  This is LEAKAGE and thus part of our investigation of evidence.  This will set the stage to build our case against the potential school shooter.

What is the problem when leakage is posted online?  There are various breakdowns when this happens.  The problem is that when students see these threats on social media, they are afraid to report it due to them being known as “snitches.”  When it is brought to the school’s attention, they either disregard the information or do not know how to continue to investigate it and notify law enforcement.  Law enforcement, typically has not had any internet crime investigation training and they just “hope nothing happens.”

This is a culmination of failures on behalf of all involved.  In my experience, when you mention the term “Cybercrime Investigation”, school administers, and law enforcement school resource officers typically shut down and shut it out.  They think “Cybercrime Investigations? “Oh my, I can’t do that” or “I never went to training for that.” Those social networks are not going to give me any information.  That’s private stuff. What if it is all anonymous?  What if it comes out of another country?  What if the person is using a Virtual Private network (VPN)?”

These are the statements I have heard with my own ears through my travels across the United States in schools and law enforcement circles.  Basically, they are excuses when they are faced with leakage and they do not understand what the protocol is.

Many times, they will dismiss the posting as “They don’t mean it.  That is just who they are. They are just having a bad day. They always say that stuff.”  when they do not know what to do next.

Another huge problem in our schools is that some administrators or school officials keep their SROs in the dark about the initial leakage incident.  Some schools feel that they should only call upon their SRO when things really go sideways.  This belief that the SRO is only there to keep the peace, write tickets, traffic control, patrol duties and arrest students is a very big misunderstanding on their part.

My message to school administrators is that this line of thought endangers school faculty and your students.  You see, trained SROs with national certifications know that they are part of a Triad.  This triad is their ethos in being a mentor, a teacher, and a law enforcement officer.  Being a certified SRO is more than people think.

Unfortunately, there are school administrators who keep their SRO in the dark until something bad happens.  This needs to stop IMMEDIATELY.  Having the SRO part of the initial team when the leakage comes in is crucial for these types of incidents.  An SRO who has taken a cybercrime investigation class knows that time is of the essence in these cases and the quicker something called a “Preservation Letter” is created, the sooner the evidence can be obtained by the social media platform or gaming platform.

Because of my extensive child exploitation training by the Department of Justice, SANS and my own involvement with High Technology Crimes, most school officials and law enforcement do not know there is an actual protocol set up by the federal government called the Electronics Communications Privacy Act (ECPA).  In the ECPA, it outlines the type of information online companies have on their customers worldwide.  It also recognizes that law enforcement investigations may require the information they are in possession of for criminal investigations.  Some of this information includes but is not limited to; subscriber information, e-mails, phone numbers, devices used, Internet Protocol Numbers, geolocation, photos, videos, friends lists, likes, messages, postings, cell tower data and all other accounts that were set up in association with other accounts.

As you can see there is a lot of information that is useful to put together a solid case on any criminal action. Basically, almost any crime today has some sort of link to a cell phone or social media.  Would you agree?  What we need to do is combine what is going on in our schools with the students posting their deepest darkest feelings, giving others enough courage to come forward with what they are seeing online and report it to school officials when it happens.

Many schools have already started the “See Something Say Something” campaign with their students.  This is the first step in reporting leakage. We need to train our students that this is not snitching.  It is a cry for help by a fellow student who may have been bullied, made fun of, abused, ostracized by fellow students/teachers or abused at home.  Our mission is to get this person lashing out online the mental health help they are in immediate need of.

The second step is to train all school staff on what they should do when leakage comes to their attention.  I train both school staff and students nationwide on what the information or evidence they need to capture should consist of, which is:

1) Screen shots of everything involved with the posting

2) User ID information

3) Do not report it to the social network abuse section of the social network or gaming platform before the police get involved.  When users report it to the social network before they report it to the police, this could be a Terms of Service (TOS) violation and the posters account may be deleted before the police can preserve the data.

4) Make a detailed type-written statement on what you observed and experienced and relate how it made you feel.

5) Print all this evidence out and also save it on a flash drive for police evidence.

When the evidence is obtained by the school official, it is now time to contact law enforcement.

When there is an online threat, where death or serious physical injury is threatened, the next step is to initiate the exigent circumstance protocol within the ECPA (Section 2702(b).  This means that the trained SRO can contact the social network or gaming platform via email or their own law enforcement portal to request the information on the posting party immediately to identify them and their whereabouts. Most of the major and most popular social networks have private law enforcement portals where the information is tracked and secure.

There is a series of 7 questions that are involved in this protocol.  These questions are as follows:

1) What is the nature of the emergency involving death or serious physical injury?

2) Whose death or serious physical injury is threatened?

3) What is the imminent nature of the threat?  Please provide information that suggests that there is a specific deadline before which it is necessary to receive the requested information and/or that suggests that there is a specific deadline on which the act indicated in response to Question 1 will occur (e.g., tonight, tomorrow at noon).

4) Please explain why the normal disclosure process (including any statutory emergency procedures) would be insufficient or untimely in light of the deadline set forth in Question 3.

5) What specific information in the social networks possession related to the emergency are you seeking to receive on an emergency basis?

6) Please explain/describe how the information you request will assist in averting the threatened death or serious physical injury.

7) If a posting was sent from a social networks account, is the basis for the belief that there is a risk of imminent harm, please attach a copy of the email message(s) to this form.

The law enforcement officer must then attest to their current investigation is true and correct.  The social network also may require a screen shot uploaded to the portal for verification of the information.  This information is so locked down that at times the social network or gaming platform may hire a third-party firm such as Oath Inc or Kodex Inc to handle all of their law enforcement requests.  Most of these portals and companies will verify the law enforcement officers position by contacting the law enforcement agency to verify employment before giving the information on the account holder.  The social networks take their customers personal data very seriously as they should.  But they will also cooperate with law enforcement investigations when the appropriate due process and data request language is in order and correct. I have never had a social network deny me the information I sought in a verified criminal investigation as long as my due process requests were in order.

Here is where law enforcement investigations sometimes break down and the information is not followed up on.  Many police departments across the country have officers that work really really hard…AT NOT TAKING A REPORT!

Many people who “Back the Blue” will take offense to this statement.  However, many of them have not walked the walk or talked the talk.  When I train over 2000 officers every year this is usually my first joke.  Do they take offense in my class?  Absolutely not.  As a matter of fact, they all laugh. And I ask them to raise their had if they have an officer like that working for their department.  All of them raise their hands and laugh.

Inside, I am not laughing. I am making a stark point that when these officers do not do the work on paper, that is when the shooter, the predator or sextortionist goes on to victimize another day.

When it comes to our kids, we MUST do better at taking reports and investigating these threats. Is this a lot of paperwork? Yes, it is.  But what would you rather have?  In my career as a SWAT sniper, we always play the game, “What do I gain and what do I lose?” by making this tactical decision? A threat to your school, that if true, can be catastrophic for your community or a threat that comes in that is true and you immediately stop the event BEFORE it even happens.  Do I ignore it and skip the paperwork because “It will never happen here” or do I dot my i’s and cross my t’s in an effort to get this student the mental health help they need? We just need to train law enforcement on these issues for them to better understand it.

Now that a preservation and an exigent circumstance request is done to the social network on the leakage, The LEO will get subscriber information, email, phone and IP information on the posting party within hours of the request.  Part of this information is any and all IPs for as long as the account existed.  This will give the LEO every single IP used to log into the poster’s account.  The LEO is trained to run this IP into various Geo IP location websites and they will learn what Internet Service Provider owns this said IP.  A second preservation and exigent circumstance letter is crafted and the true identity of the poster is made.  Thus, we have now identified who and where this student is.

I caution all school officials and SROs, though. Over the past year, I have come to help several of my SROs across the US with these investigative protocols.  They have reported to me that as a form of Cyber-Bullying, sometimes an account is manufactured to make it look like a student has created an account and made threats to shoot up the school.  However, when the student is confronted about their postings, they emphatically deny they are the ones who posted it.  They are probably right. The LEO MUST do the work by dotting their i’s and crossing their t’s to ensure that a case is not brought against an innocent student who was a target of Cyber-Bullying and False Personation.

At this time of the investigation, after the requests are appropriately made to the social network or gaming platform, then to the ISP, we can now identify the posting student and take them into our custody and have a wrap-around service to get them the mental health help they need. This could be by arrest or hospitalization. Are we done yet?

Not a chance.

You see once we have positively identify the struggling student who had made the post, we must now know how far they went in their planning stages. How do we do that?  We will now execute three search warrants or obtain consent by their parent or legal guardians. We will obtain search warrants or consents on three areas.

1. Their homes for the search of weapons and their devices in the home to see what their internet history shows.
2. Their social media accounts to see the messages and their planning and or intent with others.
3. Their phones to see what they were searching and whom, if anyone else, they were collaborating with.

This plan of action will give you that student’s ability and intent to carry out the school shooting.

In summary, we need to not pay so much attention to the political aspect of this issue and get down to the mental health aspects of why school violence occurs.  As I am writing this article, I was just apprised that one of my SRO students from the western suburbs of Chicago had addressed a posting of a student bringing a gun to school and it was posted on Snap Chat.  This post plainly stated, “I will shoot up the school tomorrow.”

“This trained SRO was able to identify the posting party within minutes and now this student is sitting in custody and the aforementioned protocols will be followed for weapons, planning and collaborators.  It’s just that simple.  Train your schools and law enforcement on cyber investigations and we can stop school shootings TOGETHER!

Comments? E-mail us at: editor@calibrepress.com

Please reach out to Detective Rich Wistocki (RET) To schedule classes for your school districts.  www.BeSureConsulting.com or richwistocki@besureconsulting.com

About the author

Detective Rich Wistocki (ret.) had a very illustrious and fulfilling career as a law enforcement officer at the Naperville, Illinois Police Department. He had spent 28 years there and 22 of those years as an Internet Crimes Against Children (ICAC) Detective.  He has been involved in and have arrested over 300 online predators.  He has trained close to 2000 police officers a year how to investigate internet crime.  He has been a keynote speaker in many states School Resource Officer Conferences across the country. He has written laws to keep kids safe in Illinois pertaining to Sexting, Child Exploitation online, Swatting and the Mandatory training and qualification for Illinois SRO’s. Finally, he trains approximately 200,000 students a year on how to be safe online and on their devices.  Currently, he is one of the cyber trainers for the National Association of School Resource Officers