DEA Deploying Powerful Spyware Without Required Privacy Impact Assessments

from the disturbing-pattern-of-noncompliance dept

It's not just the FBI that can't seem to turn in its privacy-related paperwork on time. The FBI has pushed forward with its biometric database rollout -- despite the database being inaccurate, heavily-populated with non-criminals, and without the statutorily-required Privacy Impact Assessment that's supposed to accompany it. As of 2014, it hadn't produced this PIA, one it had promised in 2012. And one that applied to a system that had been in the works since 2008.

Unsurprisingly, another federal law enforcement agency hasn't felt too compelled to produce PIAs for privacy-impacting programs. As Joseph Cox reports for Motherboard, the DEA's privacy paperwork is lagging far behind its intrusive efforts.

[T]he Drug Enforcement Administration did not carry out a Privacy Impact Assessment—a process which is typically designed to understand and minimize the privacy risks with a particular system or technology—when it bought and ultimately used malware from Italian surveillance company Hacking Team.

Hacking Team sells powerful malware and exploits, which very definitely screw with people's privacy expectations -- both the privacy they correctly (or incorrectly) believe they're entitled to as well as their expectations of the government, which is supposed to keep citizens' privacy expectations at the front of its mind. At least, everyone would like to believe the government is equally concerned about citizens' privacy. That's what these assessments are supposed to show: that the government has done what it can to minimize unwarranted intrusions.

But these are simply not to be found, to the surprise of no one.

Privacy experts say the news is consistent with the DEA's repeated failure to complete such assessments around the agency's surveillance operations.

One such privacy hound -- EPIC -- points out the DEA still hasn't handed in a Privacy Impact Assessment on its Hemisphere program. This program put the DEA on the NSA's level: embedded telco employees providing real-time access to millions of phone records. No warrants needed. No privacy assessment needed either, apparently, despite the program being in operation for more than 25 years at the point the DEA inadvertently disclosed it.

Jeramie D. Scott from the Electronic Privacy Information Center (EPIC) pointed to an April letter the organization sent to Congress urging a committee to scrutinize the DEA's compliance with PIAs. In that letter, EPIC highlights that the DEA did not conduct a PIA for its use of the controversial Hemisphere program, in which agents can access AT&T call records without a warrant. EPIC also found through a Freedom of Information Act lawsuit that the DEA had not completed a PIA for the agency's license plate reader database.

But the DEA has an excuse for not completing a PIA on purchased software exploits.

According to the DEA spokesperson, the agency did not carry out a PIA for RCS [Hacking Team's Remote Control Software] because the agency does not produce them for commercial software products.

Ha! Define "commercial." Just because the DEA can buy exploits and malware from a private company like Hacking Team hardly makes this spyware a "commercial software product." While any number of nations with piss-poor civil rights records can avail themselves of Hacking Team's offerings, your average consumer isn't able to pick up a copy of RCS. Generally speaking, commercial software can be purchased by nearly anyone and a great many people are familiar with the software's functions and capabilities. Remote-control spyware, purchased and deployed in secret, isn't "commercial software."

Nevertheless, the missing DEA PIAs will continue to go missing. There's seemingly no one in the DOJ interested in holding these agencies accountable, and there are very few people above the DOJ interested in holding it accountable either. So, the lack of oversight trickles downhill and agencies become more powerful -- and more of a threat to privacy -- but give nothing back to the community (so to speak).


Reader Comments



  • Anonymous Coward, 5 Jun 2017 @ 1:48pm

    Yet another example

    of why Comey is a complete screw up and should have been fired long ago. He disobeyed the law for 5 years and 100% failed to live up to the oath to protect and defend the Constitution.

    Anyone still unhappy that he is gone?


  • Anonymous Coward, 5 Jun 2017 @ 2:07pm

    The government is very concerned about citizens' privacy. Specifically, it is concerned citizens have so much of it left after years of increasing surveillance, and is determined to rectify this as soon as possible.


  • Anonymous Coward, 5 Jun 2017 @ 2:11pm

    Odd to hear EPIC complain about surveillance

    Given that they've outsourced their mailings to the spammers at Mailchimp, who are now embedding spyware/bugs in every message and conducting surveillance on everyone subscribed to EPIC's mailing lists.


  • Anonymous Coward, 5 Jun 2017 @ 2:15pm

    Really really off topic, or suggestion for future article

    https://www.sciencealert.com/nasa-doesn-t-know-what-made-this-deep-hole-on-mars

    What they don't want to tell you: Pellucidar is really on Barsoom....


  • That One Guy, 5 Jun 2017 @ 2:42pm

    Time saving measure

    They're just saving time and money really. Why do a privacy assessment when they'd just completely ignore the results, no matter what those results were? Whether it was 'Privacy will be respected and protected' to 'Privacy will be utterly destroyed even as a concept', they were going to make use of it anyway, so why not skip the step?

    /poe


  • Rapnel, 5 Jun 2017 @ 2:54pm

    Well, personally, I believe that the DEA has taken far more than it's ever given or going to give back to this country so.. fuck those guys.


  • Anonymous Coward, 5 Jun 2017 @ 6:34pm

    At least, everyone would like to believe the government is equally concerned about citizens' privacy.

    A dystopia isn't official when a government begins to view its citizens as the enemy (or chattel), but rather when it stops bothering trying to lie to them about it.


  • Seegras, 6 Jun 2017 @ 12:50am

    Well, that agency is involved in some kind of shooting war in American cities (and international waters) because they somehow managed to get a mandate on trying to keep certain substances out of the hands of people.

    You should take away the mandate and dissolve them.


