The Drug Enforcement Administration has been buying spyware produced by the controversial Italian surveillance tech company Hacking Team since 2012, Motherboard has learned.
The software, known as Remote Control System or "RCS," is capable of intercepting phone calls, texts, and social media messages, and can surreptitiously turn on a user's webcam and microphone as well as collect passwords.
The DEA originally placed an order for the software in August of 2012, according to both public records and sources with knowledge of the deal.
The contract, which has not been previously revealed, shows that the FBI is not the only US government agency engaged in hacking tactics, but that the DEA has also been purchasing off-the-shelf malware that could be used to spy on suspected criminals.
This revelation comes just a week after USA Today uncovered a secret program with which the DEA collected the phone records of millions of Americans for more than 20 years, a program that pre-dated and inspired the NSA's own bulk telephone collection program, suggesting that the drug agency is sort of a pioneer in the use of surveillance.
Surveillance tech experts say the DEA's relation with Hacking Team is further proof that methods and tools once only reserved for the military, intelligence agencies and even cybercriminals—such as drones and StingRays—are becoming commonplace in law enforcement as well.
"Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement."
"Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement," Christopher Soghoian, the principal technologist at the American Civil Liberties Union and an expert of surveillance technology, told Motherboard.
And given the how powerful this spyware can be, Soghoian added, "we need a public debate over this invasive surveillance technology."
THE PAPER TRAIL
The contract, according to public records, was signed on August 20, 2012 for a total value of $2.4 million between the DEA's Office of Investigative Technology and a government contractor named Cicom USA.
The records were uncovered by Motherboard and Privacy International, a London-based digital rights group, in independent investigations.
The contract, which records show is slated to be completed in August of 2015, is identified only as "Remote Controlled Host Based Interception System."
That system, according to sources, is none other than Hacking Team's Remote Control System, also known as Galileo, which the company markets as "the hacking suite for governmental interception."
"You cannot stop your targets from moving. How can you keep chasing them? What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that," a company brochure boasts.
Cicom USA, Motherboard has learned, was simply a reseller for Hacking Team, a spyware-maker that's been accused of selling its products to some governments with questionable human rights records. Some of those governments, such as Ethiopia, the United Arab Emirates, or Morocco, used Hacking Team's software to target dissidents and journalists.
In light of those incidents, which were uncovered by researchers at the Citizen Lab at the University of Toronto's Munk School of Global Affairs, the company was included in a blacklist of corporate "Enemies of the Internet" by Reporters Without Borders.
Despite speculation based on the fact that Hacking Team has an office in the US, there's never been any evidence that the company had sold its products on American soil, even though CEO David Vincenzetti boasted of having clients in more than 40 countries, including the US, in a 2011 interview with Italian newsmagazine L'Espresso.
The connection between Cicom USA and Hacking Team was confirmed to Motherboard by multiple sources with knowledge of the deal, who spoke on condition of anonymity because they were not authorized to discuss the content of the contract.
Eric Rabe, a spokesperson for Hacking Team, did not confirm nor deny the existence of the contract with the DEA.
"We don't identify our clients. I'm certainly not going to comment whether the DEA or anyone else has purchased Hacking Team software."
"We don't identify our clients. I'm certainly not going to comment whether the DEA or anyone else has purchased Hacking Team software," he told Motherboard in a phone interview. And for the same reason, he added, he declined to clarify what was the relationship between Hacking Team and Cicom USA.
Alex Velasco, Cicom USA's general manager, did not answer Motherboard's request for comment.
But the connection between the two companies is clear. Cicom USA is based in Annapolis, MD, at the same exact address where Hacking Team's US office is located, according to the company's website. The phone number for Cicom USA listed in the contract with the DEA, moreover, is exactly the same one that was displayed on Hacking Team's website until February of this year.
When asked whether this was just a coincidence, Rabe laughed.
"I don't know about why that would be a coincidence," he said, but declined to elaborate.
It's unclear what the DEA has been doing with Hacking Team's malware. But the relationship between the agency and Cicom USA—and thus, Hacking Team—appears to be ongoing. The most recent public record shows a payment from the DEA to Cicom USA made in September of 2014.
A spokesperson for the DEA did not respond to a series of specific questions on the contract and how the DEA is using this technology. Thomas L. Walden, the section chief of the DEA Office of Investigative Technology, also did not respond to a message requesting comment.
Hacking Team's RCS software can be surreptitiously installed on a target's computer or cellphone and monitor all activity, allowing police officers to spy on data that might otherwise be encrypted and out of their reach.
Software like this isn't sold only by Hacking Team. The Italian company is just one of an ever-growing group of surveillance tech companies that market their products exclusively to governments, police departments, and spy agencies, such as the French VUPEN, or the German FinFisher and its parent company Gamma International.
This is exactly the kind of software that the DEA was looking for, according to an official call for tender or "request for Information" published by the agency in March, 2012.
"The DEA is seeking information from potential sources with a fully functional and operational product proven to be capable of providing a Remote Control Host Based Interception System for device or target specific collection pursuant to authorized law enforcement use," the document reads.
Roughly a month later, on May 4, 2012. The DEA had what it was looking for. In another document, the agency announced that it was going to "solicit and negotiate" a contract with Cicom USA for the duration of at least four years.
Cicom USA, according to the DEA, emerged as the only company capable of providing the service required, based on market research conducted internally by the agency. The DEA did not respond to questions regarding this research.
It's possible the DEA picked Cicom USA because the US Army had done the same a year prior. According to public records, the Army made a purchase order for a Remote Control System on March 2011. The order shows that the Army was supposed to pay $350,000 for the software, and further confirms Cicom USA's connection with Hacking Team, given that Italy is listed as the country of origin of the product. (The Army did not respond to Motherboard's questions regarding the contract.)
IS IT LEGAL FOR LAW ENFORCEMENT TO HACK TARGETS?
For surveillance experts, the big question is whether the DEA actually has legal authority to use spyware such as Hacking Team's—and how, exactly, it is used. A DEA spokesperson said that the agency "always abides by the laws of the jurisdictions within which it operates."
And added that "however, in this case, this is off-the-shelf technology, legally available for purchase by all and used throughout the world by many organizations."
But experts are not convinced.
"The legal framework governing the use of such tools in the US is extremely unclear, meaning that the use of Hacking Team's spyware is potentially unlawful," Edin Omanovic, a researcher at Privacy International, told Motherboard.
"The use of Hacking Team's spyware is potentially unlawful."
The FBI is the only other US law enforcement agency that has been reported to use malware. The bureau has been using it since at least 2001 when FBI's spyware Magic Lantern was revealed. But the precise legal authority, as well as the process that FBI agents use to get authorization, is still unclear, and very few cases where the bureau used malware have actually come to light.
In 2011, internal emails obtained by the Electronic Frontier Foundation revealed that in some past instances, FBI agents considered using malware known as "Computer and Internet Protocol Address Verifier" (CIPAV) without getting a warrant, or in other cases, hid key details on what the technology actually entailed in order to increase the chances the judge would approve it.
In any case, the bureau, after consulting with the Office of General Counsel and the National Security Law Branch finally appeared to settle on a "two-step request" legal process: get a search warrant to authorize the deployment of the software on a target's computer, and then a subsequent order (known as pen register or trap and trace) to authorize the actual surveillance.
In 2013, a Texas judge stopped the FBI from using malware, rejecting the bureau's warrant application because it was too vague and didn't specify how the agents would actually install the software.
Soghoian, the ACLU surveillance tech expert, said that given the nature of this technology, and the fact that "Congress and the courts have been kept in the dark" about it, Americans should have more information on when and how the feds are using spyware.
"If law enforcement agencies can hack into your computer, turn on your webcam, turn on your microphone and steal documents from your computer, that's the kind of thing that should get the attention of Congress."
"Courts are not being told how agencies will get malware onto the computers of targets," Soghoian said. "Similarly, law enforcement agencies have not discussed the use of this technique in any public Congressional hearings."
"The American people deserve some answers and I think Congress needs to investigate this," Soghoian told Motherboard.
Omanovic, from Privacy International, added that the US needs update the legal framework regarding hacking and the use of spyware by law enforcement agencies and establish "effective oversight mechanisms."
Privacy International also released a dossier on Hacking Team on Wednesday, asking Italian authorities to look into the company and its practices in light of European export controls of surveillance technology. (Rabe said that the company "is in compliance with all export laws.")
Some legal experts, however, argue that there's nothing illegal about the use of spyware. Although there is no specific law that specifically covers hacking, Jonathan Mayer, a computer scientist and lawyer at Stanford University, said that law enforcement agencies are "broadly authorized" to conduct searches in the US, including using hacking techniques.
"They don't need some special legislative grant of extra authority before they can hack," Mayer told Motherboard, adding that a search warrant supported by probable cause and particularly describing what the agents seek is all they need.
But for critics, such as Soghoian or Privacy International, there still should be more transparency and a public debate.
"If law enforcement agencies can hack into your computer, turn on your webcam, turn on your microphone and steal documents from your computer," Soghoian said, "that's the kind of thing that should get the attention of Congress, particularly before this trickles down to local law enforcement agencies."
This story has been updated to include a comment from Hacking Team's Eric Rabe on his company's compliance with export controls. And to clarify that FBI agents considered using malware without a warrant, according to documents obtained by the EFF.