As more information leaks out into the public domain, the only difference between the NSA and the DEA seems to be the selection of letters in their acronyms. Both are now known for their bulk domestic collections and both are known for being involved in neverending wars. Now, thanks to Privacy International and Vice’s Motherboard, both are known for purchasing weaponized software.
The Drug Enforcement Administration has been buying spyware produced by the controversial Italian surveillance tech company Hacking Team since 2012, Motherboard has learned.
The software, known as Remote Control System or “RCS,” is capable of intercepting phone calls, texts, and social media messages, and can surreptitiously turn on a user’s webcam and microphone as well as collect passwords.
The DEA originally placed an order for the software in August of 2012, according to both public records and sources with knowledge of the deal.
The problem with the DEA’s purchase and deployment of this malware is that tools normally used to engage in the protection of national security — by military and intelligence agencies — are being handed out to US law enforcement without the slightest concern for the Fourth Amendment or privacy implications. There’s a level of intrusion present here that’s never been examined by the courts. Not that the DEA would ever allow details on Hacking Team’s products to ever enter a courtroom in the first place. Hacking Team’s spy products are one of many secret law enforcement capabilities — something that must never be spoken of in public forums.
The capabilities detailed here far surpass anything that could be obtained with a search warrant or court order. The DEA’s phone metadata collection may still fall under the Third Party Doctrine, but it’s hard to believe anything obtained via the hijacking of cameras, computers and phones would be signed off on by magistrate judges.
There is unclear statutory authority authorising the deployment of spyware by US federal or law enforcement agencies, meaning that deployment of the RCS by the DEA or the Army is potentially unlawful under US law. Furthermore, because RCS is designed to be usable against targets even while they are outside of the end-user’s legal jurisdiction, it raises serious legal questions concerning the ability of US agencies and the military to target individuals based outside of the United States.
Privacy International — which has been tracking private companies in the spyware business for years — is bringing Hacking Team’s activities to the Italian government’s attention.
Hacking Team has confirmed that their product has since 1st January 2015 been subject to export restrictions from the Italian government, which is the first step in ensuring that these types of technologies are not exported and used for human rights violations. This means that the Italian export authority now has to assess and approve any export of Hacking Team’s products in order for a sale to go ahead.
How the Italian government now assesses any potential exports is unclear. Although EU export control regulations stipulate that in circumstances where an export is going to a military end-user the licensing authority should look at a set of criteria which contain human clauses, in practice this rule is implemented disparately across the European Union member states.
Much like many weapons are subject to export restrictions, so are certain kinds of software. Hacking Team’s offerings have been sold all over the world — and not just to the “good guys.” PI says it has evidence this software has been sold to governments known for human rights abuses and has been deployed to surveil journalists and activists.
This may lead to Hacking Team spending some time discussing its product line with Italian regulators — which could result in additional sales and export restrictions. Or this may just lead Hacking Team to find a new home — somewhere its offerings won’t be eyeballed too closely.
It seems to be leaving its location options open, just in case. In the US, it does business under the name of Cicom USA — supposedly just a “reseller” of Hacking Team’s product line.
The connection between Cicom USA and Hacking Team was confirmed to Motherboard by multiple sources with knowledge of the deal, who spoke on condition of anonymity because they were not authorized to discuss the content of the contract…
Cicom USA is based in Annapolis, MD, at the same exact address where Hacking Team’s US office is located, according to the company’s website. The phone number for Cicom USA listed in the contract with the DEA, moreover, is exactly the same one that was displayed on Hacking Team’s website until February of this year.
A few dozen empty offices around the world acting as “local distributors” could assist Hacking Team in dodging local import/export regulations.
The DEA’s use of Hacking Team’s product line deserves closer examination. The capabilities detailed here have yet to be uncovered in criminal prosecutions, suggesting the agency is still heavily engaged in legally dubious parallel construction.