An online threat which sparked fears of a mass shooting at the University of Otago was made via an internet server in Colombia - but the trail ran cold when a Colombian company did not co-operate, a police report reveals.
The threat, made on message board 4chan in 2015, included a picture of a pistol and warned people against "coming to Otago University on Wednesday", leading to a police presence at the university on the day.
Police released a report on "Operation Varsity" to the Otago Daily Times yesterday.
The file said the cybercrime unit investigating the threat found the person who made the post "very computer-literate", knowing how to re-route and hide IP addresses.
Thirty-seven people were questioned about the threat, but no evidence was found linking them to the post.
The threat was made shortly after a shooting at an Oregon community college. It referred to mass shootings, and was traced to a server belonging to a telecommunications company based in Medellin, Colombia.
Despite requests for the IP address and other data that could identify the user, the firm did not release information to police.
An Interpol detective senior sergeant made inquiries, but failed to obtain further information.
A police spokeswoman said yesterday no investigator was working on the case at present, but if any additional information came to light, it would be considered.
Computer security expert Henry B. Wolfe, a retired information science lecturer at the university, said tracing threats going through several anonymising servers required a lot of resources, as well as the co-operation of the country.
"The trail back to the actual origin is really, really, really hard and sometimes impossible," he said.
New Zealand Law Foundation Centre for Law and Policy in Emerging Technologies director Colin Gavaghan said the outcome when cybercrime crossed borders depended on how similar countries' laws were.
New Zealand and Danish police forces recently worked together successfully to track down a Danish criminal.
However, there was "no unanimity at all across the world" about what was required for a company to disclose the identity of an anonymous poster, he said.