DEA Also Spending Millions To Purchase Exploits And Spyware

from the all-up-in-your-everything dept

As more information leaks out into the public domain, the only difference between the NSA and the DEA seems to be the selection of letters in their acronyms. Both are now known for their bulk domestic collections and both are known for being involved in neverending wars. Now, thanks to Privacy International and Vice’s Motherboard, both are known for purchasing weaponized software.

The Drug Enforcement Administration has been buying spyware produced by the controversial Italian surveillance tech company Hacking Team since 2012, Motherboard has learned.

The software, known as Remote Control System or “RCS,” is capable of intercepting phone calls, texts, and social media messages, and can surreptitiously turn on a user’s webcam and microphone as well as collect passwords.

The DEA originally placed an order for the software in August of 2012, according to both public records and sources with knowledge of the deal.

The problem with the DEA’s purchase and deployment of this malware is that tools normally used to engage in the protection of national security — by military and intelligence agencies — are being handed out to US law enforcement without the slightest concern for the Fourth Amendment or privacy implications. There’s a level of intrusion present here that’s never been examined by the courts. Not that the DEA would ever allow details on Hacking Team’s products to ever enter a courtroom in the first place. Hacking Team’s spy products are one of many secret law enforcement capabilities — something that must never be spoken of in public forums.

The capabilities detailed here far surpass anything that could be obtained with a search warrant or court order. The DEA’s phone metadata collection may still fall under the Third Party Doctrine, but it’s hard to believe anything obtained via the hijacking of cameras, computers and phones would be signed off on by magistrate judges.

There is unclear statutory authority authorising the deployment of spyware by US federal or law enforcement agencies, meaning that deployment of the RCS by the DEA or the Army is potentially unlawful under US law. Furthermore, because RCS is designed to be usable against targets even while they are outside of the end-user’s legal jurisdiction, it raises serious legal questions concerning the ability of US agencies and the military to target individuals based outside of the United States.

Privacy International — which has been tracking private companies in the spyware business for years — is bringing Hacking Team’s activities to the Italian government’s attention.

Hacking Team has confirmed that their product has since 1st January 2015 been subject to export restrictions from the Italian government, which is the first step in ensuring that these types of technologies are not exported and used for human rights violations. This means that the Italian export authority now has to assess and approve any export of Hacking Team’s products in order for a sale to go ahead.

How the Italian government now assesses any potential exports is unclear. Although EU export control regulations stipulate that in circumstances where an export is going to a military end-user the licensing authority should look at a set of criteria which contain human clauses, in practice this rule is implemented disparately across the European Union member states.

Much like many weapons are subject to export restrictions, so are certain kinds of software. Hacking Team’s offerings have been sold all over the world — and not just to the “good guys.” PI says it has evidence this software has been sold to governments known for human rights abuses and has been deployed to surveil journalists and activists.

This may lead to Hacking Team spending some time discussing its product line with Italian regulators — which could result in additional sales and export restrictions. Or this may just lead Hacking Team to find a new home — somewhere its offerings won’t be eyeballed too closely.

It seems to be leaving its location options open, just in case. In the US, it does business under the name of Cicom USA — supposedly just a “reseller” of Hacking Team’s product line.

The connection between Cicom USA and Hacking Team was confirmed to Motherboard by multiple sources with knowledge of the deal, who spoke on condition of anonymity because they were not authorized to discuss the content of the contract…

Cicom USA is based in Annapolis, MD, at the same exact address where Hacking Team’s US office is located, according to the company’s website. The phone number for Cicom USA listed in the contract with the DEA, moreover, is exactly the same one that was displayed on Hacking Team’s website until February of this year.

A few dozen empty offices around the world acting as “local distributors” could assist Hacking Team in dodging local import/export regulations.

The DEA’s use of Hacking Team’s product line deserves closer examination. The capabilities detailed here have yet to be uncovered in criminal prosecutions, suggesting the agency is still heavily engaged in legally dubious parallel construction.

Filed Under: , , , ,
Companies: hacking team

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DEA Also Spending Millions To Purchase Exploits And Spyware”

Subscribe: RSS Leave a comment
18 Comments
art guerrilla (profile) says:

Re: Re:

many have…
Empire does not hear the baleful bleatings of the sheeple…
there were record numbers of protests -both worldwide and domestically- before the iraq war, and it mattered not one whit to Empire…
the occupy movementette, was crushed with extra-legal -and quite konspiratorial- means with hardly a bahhh from the sheeple…
(of course, part of that is the near-absolute control of the media, and who don’t report on stories embarrassing to Empire…)
frei sprech zones, sekret executive Orders, extra-judicial executions, bribery legalized, morality compromised, and mammon our highest god, our only aspiration…
but it is not the chains of Empire which restrain us, but the chains we imagine ourselves to be bound by…

who will be first to step into the chasm ?
…and who will follow ? ? ?

Anonymous Coward says:

Another agency gone rogue.

” The capabilities detailed here have yet to be uncovered in criminal prosecutions, suggesting the agency is still heavily engaged in legally dubious parallel construction. “

The kind of things the DEA is supposed to be doing are law enforcement things that lead to criminal prosecutions. So, either they are doing things they are not supposed to be doing (i.e. domestic spying for other reasons) or they are lying about things in court. Neither possibility makes them look good.

orbitalinsertion (profile) says:

What kills me is that as these things become apparent, I don’t see any calls to patching software, fixing hardware, or or fixing standards and protocols to mitigate this type of activity. And while we get patches for some things, they certainly don’t even cover the (much cheaper if the governments are interested) criminal markets for similar wares (and a lot of other innovative, if ghastly, stuff). And I don’t believe for a second that major vendors couldn’t get (or haven’t gotten) their hands on these things or enough info to mitigate.

Of course a lot of entry is via other tactics, social engineering, and complicity. But it’s like they don’t try at all.

James Burkhardt (profile) says:

Re: Re:

I am having a hard time parsing your statement….

What kills me is that as these things become apparent, I don’t see any calls to patching software, fixing hardware, or or fixing standards and protocols to mitigate this type of activity.

Like the calls for improved encryption and the calls to push buggy, vulnerable, outdated software (like java and flash) off the web by major tech companies? those calls?

nd while we get patches for some things, they certainly don’t even cover the (much cheaper if the governments are interested) criminal markets for similar wares (and a lot of other innovative, if ghastly, stuff).

I can’t seem to figure out what you are saying here. Much cheaper then what? similar to what?
Are you refering to Security patches? no-that doesn’t make any sense.
The software being discussed in the article? how is it cheaper then itself?

And I don’t believe for a second that major vendors couldn’t get (or haven’t gotten) their hands on these things or enough info to mitigate.

It would seem that the software is stuff that needs to be installed on the target system. If it obeys the computers rules, its hard to break in the OS without breaking legitimate software. Mitigation of spyware has been a war for a long time, and generally requires software designed to mitigate it. Microsoft had a great solution. Provide a free, baseline anti-malware solution to get fixes for spy- and malware out to the people as quickly as microsoft can fix them. Norton and MacAfee shut that down.

One place I admit I have always been confused about is why the light on a laptop webcam isn’t directly tied to the power system on the camera itself. No software turn on the light, but literally have the camera and led power intertwined, hardline. You can’t turn on one without the other. That would fix one problem.

Jack says:

John Oliver had the right idea

You can use big and scary words to describe the absurd capabilities of the alphabet agencies but people just do not give a fuck until they find out the government can see their dick (or their significant others’ dick) as John Oliver recently proved.

Techdirt, you need to frame this as “the DEA can see your dick” and maybe, just maybe, we can have a serious conversation about privacy and the state of the 4th amendment.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...