from the Blackberry-once-again-at-the-center-of-government-subterfuge dept
Human Rights Watch — which delivered info on law enforcement’s “parallel construction” habit earlier this year — is back with a bombshell. Court documents obtained by the group show the DEA sold compromised devices to drug dealers during an investigation into a Mexico-to-Canada trafficking operation.
Human Rights Watch has identified two forms of this technique that the Drug Enforcement Administration (DEA) has used or, evidence suggests, has contemplated using. One involved the undercover sale of BlackBerry devices whose individual encryption keys the DEA possessed, enabling the agency to decode messages sent and received by suspects. The second, as described in a previously unreported internal email belonging to the surveillance software company Hacking Team, may have entailed installing monitoring software on a significant number of phones before attempting to put them into suspects’ hands.
The DEA broke ranks (at least publicly) with Italy’s exploit/malware vendor Hacking Team after it was (ironically) hacked and its internal communications fed to Wikileaks. That the DEA would purchase exploits and hacking tools wasn’t surprising. Neither was the fact that these tools had never been discussed in a courtroom setting. (See above re: parallel construction.) What was more disappointing than surprising was that a US government entity would choose to do business with a company caught selling hacking tools to UN-blacklisted countries.
The big news here is the compromised phones. The DEA held encryption keys for phones sold to drug dealers in order to intercept communications like texts and email. The affidavit [PDF] obtained by Human Rights Watch raises cart/horse questions about the legality of the interceptions. While wiretap warrants were obtained (and quite easily — these were routed through Southern California’s particularly DEA-friendly courtrooms), the narrative in the sworn statements doesn’t state clearly whether these warrants were obtained before the interceptions began. In fact, one statement made in the affidavit seems to indicate the interceptions from the compromised phones were used to buttress claims in warrant requests. From the affidavit:
[O]n April 10, 2011, [suspect John] Krokos in Mexico contacted SA Burkdoll and asked for another EBD [encrypted Blackberry device]. The next day, on April 11, 2011, SA Burkdoll, in an undercover capacity, provided [suspect Ismael] Tomatani with a new EBD for $1,000 in the parking lot of a Home Depot store in West Hills, California. Two days later, Tomatani began communicating with [suspect Eduardo] Olivares over the EBD. A variety of relatively plain drug communications were intercepted over Tomatani’s EBD as he communicated with Olivares on the new EBD.
I am aware that, on May 16, 2011, signed an order for the wiretap interception of both the EBD and cellular telephone being used by Olivares.
The wiretap order to intercept communications came nearly a month after the interception began. And that warrant targeted only the communications originating from Olivares’ devices. Nothing in the affidavit narrative says anything about obtaining wiretap warrants for the EBDs supplied to Tomatani and Krokos.
There’s also nothing in the paperwork suggesting the plan to sell suspects compromised devices was ever run past a judge. Considering the sole purpose of these devices was to facilitate the interception of communications, you’d think judicial approval would have been sought to ensure the collected evidence would survive a suppression motion. (There’s also discussion of the DEA repeatedly using “slap on” GPS tracking devices to track suspects’ movement without seeking warrants first. Of course, some of this happened before the Supreme Court (sort of) ruled law enforcement should seek warrants before placing tracking devices on vehicles, but the practice appears to have continued past the 2012 ruling.)
Another, longer affidavit [PDF] from SA Burkdoll (the agent that sold the drug dealers the compromised phones) suggests the agency had been seeking wiretap warrants for a number of devices and landlines since 2010, which would be prior to the sale described in the other affidavit.
Even if the wiretap warrants preceeded the interceptions, the delivery of compromised phones to criminal suspects is still a questionable tactic. For one, nothing suggests this plan had been run by anyone outside of the DEA to vet the tactic for legality or constitutionality.
Second, this isn’t the sort of thing you want investigative agencies to do regularly. There are all sort of side effects and the omnipresent mission creep problem to be considered.
The US government’s policies for secretly distributing devices it has compromised by obtaining encryption keys or installing surveillance tools largely remain unknown. Documents the Federal Bureau of Investigation (FBI) disclosed in 2011 mention seeking a warrant explicitly for a “two-step” process of installing a spying mechanism on a US computer and then carrying out surveillance, but it is unclear whether the DEA has adopted similar standard procedures for the measures it has used or considered.
Under international human rights law, all surveillance methods that interfere with privacy should be authorized by clear, publicly available laws; be subject to approval by a court or other independent body for specific purposes such as protecting public safety or national security; and be proportionate to those aims. Undermining the security of devices to conduct surveillance could have long-term repercussions for privacy, including for people other than the original intended surveillance targets, making it all the more important for the Justice Department to disclose its policies regarding these tactics.
This isn’t to say the government should never engage in these tactics. Sometimes it’s necessary. But subterfuge involving compromised devices and muddy wiretap warrant timelines isn’t the way to do it.The agency has shown it’s more than willing to launder its tainted evidence — both to hide its true origin from defendants and to hide its methods from the rest of the world. The agency’s past actions indicate respect for people’s rights (along with their personal property/lives) is pretty low on its list of priorities. So, if further revelations show a lack of candor — either in court or to its oversight — it won’t surprise anyone.