"Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement," Christopher Soghoian, the principal technologist at the American Civil Liberties Union and an expert of surveillance technology, told Motherboard.And given the how powerful this spyware can be, Soghoian added, "we need a public debate over this invasive surveillance technology."
"Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement."
THE PAPER TRAIL
"We don't identify our clients. I'm certainly not going to comment whether the DEA or anyone else has purchased Hacking Team software," he told Motherboard in a phone interview. And for the same reason, he added, he declined to clarify what was the relationship between Hacking Team and Cicom USA.Alex Velasco, Cicom USA's general manager, did not answer Motherboard's request for comment.But the connection between the two companies is clear. Cicom USA is based in Annapolis, MD, at the same exact address where Hacking Team's US office is located, according to the company's website. The phone number for Cicom USA listed in the contract with the DEA, moreover, is exactly the same one that was displayed on Hacking Team's website until February of this year.
"We don't identify our clients. I'm certainly not going to comment whether the DEA or anyone else has purchased Hacking Team software."
IS IT LEGAL FOR LAW ENFORCEMENT TO HACK TARGETS?
The FBI is the only other US law enforcement agency that has been reported to use malware. The bureau has been using it since at least 2001 when FBI's spyware Magic Lantern was revealed. But the precise legal authority, as well as the process that FBI agents use to get authorization, is still unclear, and very few cases where the bureau used malware have actually come to light.In 2011, internal emails obtained by the Electronic Frontier Foundation revealed that in some past instances, FBI agents considered using malware known as "Computer and Internet Protocol Address Verifier" (CIPAV) without getting a warrant, or in other cases, hid key details on what the technology actually entailed in order to increase the chances the judge would approve it.In any case, the bureau, after consulting with the Office of General Counsel and the National Security Law Branch finally appeared to settle on a "two-step request" legal process: get a search warrant to authorize the deployment of the software on a target's computer, and then a subsequent order (known as pen register or trap and trace) to authorize the actual surveillance.
"The use of Hacking Team's spyware is potentially unlawful."
"Courts are not being told how agencies will get malware onto the computers of targets," Soghoian said. "Similarly, law enforcement agencies have not discussed the use of this technique in any public Congressional hearings.""The American people deserve some answers and I think Congress needs to investigate this," Soghoian told Motherboard.Omanovic, from Privacy International, added that the US needs update the legal framework regarding hacking and the use of spyware by law enforcement agencies and establish "effective oversight mechanisms."Privacy International also released a dossier on Hacking Team on Wednesday, asking Italian authorities to look into the company and its practices in light of European export controls of surveillance technology. (Rabe said that the company "is in compliance with all export laws.")Some legal experts, however, argue that there's nothing illegal about the use of spyware. Although there is no specific law that specifically covers hacking, Jonathan Mayer, a computer scientist and lawyer at Stanford University, said that law enforcement agencies are "broadly authorized" to conduct searches in the US, including using hacking techniques."They don't need some special legislative grant of extra authority before they can hack," Mayer told Motherboard, adding that a search warrant supported by probable cause and particularly describing what the agents seek is all they need.But for critics, such as Soghoian or Privacy International, there still should be more transparency and a public debate."If law enforcement agencies can hack into your computer, turn on your webcam, turn on your microphone and steal documents from your computer," Soghoian said, "that's the kind of thing that should get the attention of Congress, particularly before this trickles down to local law enforcement agencies."This story has been updated to include a comment from Hacking Team's Eric Rabe on his company's compliance with export controls. And to clarify that FBI agents considered using malware without a warrant, according to documents obtained by the EFF.
"If law enforcement agencies can hack into your computer, turn on your webcam, turn on your microphone and steal documents from your computer, that's the kind of thing that should get the attention of Congress."