DEA Deploying Powerful Spyware Without Required Privacy Impact Assessments
from the disturbing-pattern-of-noncompliance dept
It’s not just the FBI that can’t seem to turn in its privacy-related paperwork on time. The FBI has pushed forward with its biometric database rollout — despite the database being inaccurate, heavily-populated with non-criminals, and without the statutorily-required Privacy Impact Assessment that’s supposed to accompany it. As of 2014, it hadn’t produced this PIA, one it had promised in 2012. And one that applied to a system that had been in the works since 2008.
Unsurprisingly, another federal law enforcement agency hasn’t felt too compelled to produce PIAs for privacy-impacting programs. As Joseph Cox reports for Motherboard, the DEA’s privacy paperwork is lagging far behind its intrusive efforts.
[T]he Drug Enforcement Administration did not carry out a Privacy Impact Assessment—a process which is typically designed to understand and minimize the privacy risks with a particular system or technology—when it bought and ultimately used malware from Italian surveillance company Hacking Team.
Hacking Team sells powerful malware and exploits, which very definitely screw with people’s privacy expectations — both the privacy they correctly (or incorrectly) believe they’re entitled to as well as their expectations of the government, which is supposed to keep citizens’ privacy expectations at the front of its mind. At least, everyone would like to believe the government is equally concerned about citizens’ privacy. That’s what these assessments are supposed to show: that the government has done what it can to minimize unwarranted intrusions.
But these are simply not to be found, to the surprise of no one.
Privacy experts say the news is consistent with the DEA’s repeated failure to complete such assessments around the agency’s surveillance operations.
One such privacy hound — EPIC — points out the DEA still hasn’t handed in a Privacy Impact Assessment on its Hemisphere program. This program put the DEA on the NSA’s level: embedded telco employees providing real-time access to millions of phone records. No warrants needed. No privacy assessment needed either, apparently, despite the program being in operation for more than 25 years at the point the DEA inadvertently disclosed it.
Jeramie D. Scott from the Electronic Privacy Information Center (EPIC) pointed to an April letter the organization sent to Congress urging a committee to scrutinize the DEA’s compliance with PIAs. In that letter, EPIC highlights that the DEA did not conduct a PIA for its use of the controversial Hemisphere program, in which agents can access AT&T call records without a warrant. EPIC also found through a Freedom of Information Act lawsuit that the DEA had not completed a PIA for the agency’s license plate reader database.
But the DEA has an excuse for not completing a PIA on purchased software exploits.
According to the DEA spokesperson, the agency did not carry out a PIA for RCS [Hacking Team’s Remote Control Software] because the agency does not produce them for commercial software products.
Ha! Define “commercial.” Just because the DEA can buy exploits and malware from a private company like Hacking Team hardly makes this spyware a “commercial software product.” While any number of nations with piss-poor civil rights records can avail themselves of Hacking Team’s offerings, your average consumer isn’t able to pick up a copy of RCS. Generally speaking, commercial software can be purchased by nearly anyone and a great many people are familiar with the software’s functions and capabilities. Remote-control spyware, purchased and deployed in secret, isn’t “commercial software.”
Nevertheless, the missing DEA PIAs will continue to go missing. There’s seemingly no one in the DOJ interested in holding these agencies accountable, and there are very few people above the DOJ interested in holding it accountable either. So, the lack of oversight trickles downhill and agencies become more powerful — and more of a threat to privacy — but give nothing back to the community (so to speak).
Filed Under: dea, privacy, privacy impact assessment, spyware
Comments on “DEA Deploying Powerful Spyware Without Required Privacy Impact Assessments”
Yet another example
of why Comey is a complete screw up and should have been fired long ago. He disobeyed the law for 5 years and 100% failed to live up to the oath to protect and defend the Constitution.
Anyone still unhappy that he is gone?
The government is very concerned about citizens’ privacy. Specifically, it is concerned citizens have so much of it left after years of increasing surveillance, and is determined to rectify this as soon as possible.
Odd to hear EPIC complain about surveillance
Given that they’ve outsourced their mailings to the spammers at Mailchimp, who are now embedding spyware/bugs in every message and conducting surveillance on everyone subscribed to EPIC’s mailing lists.
Really really off topic, or suggestion for future article
https://www.sciencealert.com/nasa-doesn-t-know-what-made-this-deep-hole-on-mars
What they don’t want to tell you: Pellucidar is really on Barsoom….
Time saving measure
They’re just saving time and money really. Why do a privacy assessment when they’d just completely ignore the results, no matter what those results were? Whether it was ‘Privacy will be respected and protected’ to ‘Privacy will be utterly destroyed even as a concept‘, they were going to make use of it anyway, so why not skip the step?
/poe
Well, personally, I believe that the DEA has taken far more than it’s ever given or going to give back to this country so.. fuck those guys.
At least, everyone would like to believe the government is equally concerned about citizens’ privacy.
A dystopia isn’t official when a government begins to view its citizens as the enemy (or chattel), but rather when it stops bothering trying to lie to them about it.
Well, that agency is involved in some kind of shooting war in American cities (and international waters) because they somehow managed to get a mandate on trying to keep certain substances out of the hands of people.
You should take away the mandate and dissolve them.