Government malware can be seriously powerful tech. Not only do some agencies take advantage of so-called zero-day exploits to remotely gain access to a target's device, but the breadth of data malware can obtain from a target device is so rich that it can infringe the privacy of people not suspected of a crime at all—emails, texts, and online messages typically involve more than one person.
Regardless, the Drug Enforcement Administration did not carry out a Privacy Impact Assessment—a process which is typically designed to understand and minimize the privacy risks with a particular system or technology—when it bought and ultimately used malware from Italian surveillance company Hacking Team. Privacy experts say the news is consistent with the DEA's repeated failure to complete such assessments around the agency's surveillance operations.
In a Freedom of Information request, Motherboard asked the DEA for all Privacy Impact Assessments (PIAs) the DEA has conducted in relation to Hacking Team's malware, known as Remote Control System (RCS). Motherboard also requested other related files, such as all Privacy Threshold Analysis (PTA) documents and Initial Privacy Assessments (IPAs).
However, the DEA did not have any.
"As a result of our query, we are unable to locate any records responsive to your request," the response reads. A DEA spokesperson confirmed that the agency did not complete a PIA.
Once deployed on a target's iOS, Android or desktop device, RCS is capable of capturing web browsing histories, keystrokes, Skype conversations, and much more. A 2015 Motherboard investigation found that the DEA had bought RCS, and a subsequent Freedom of Information request filed by Motherboard found that the DEA had also been invoiced for access to Hacking Team's selection of zero-day exploits.
Many parts of the Department of Justice conduct and publish PIAs, such as the Bureau of Alcohol, Tobacco, Firearms and Explosives, and the US Marshals Service. The DEA has some too, including for its system for logging pharmacies that order controlled substances, but it has also decided not to complete them for other technologies and programs.
Jeramie D. Scott from the Electronic Privacy Information Center (EPIC) pointed to an April letter the organization sent to Congress urging a committee to scrutinize the DEA's compliance with PIAs. In that letter, EPIC highlights that the DEA did not conduct a PIA for its use of the controversial Hemisphere program, in which agents can access AT&T call records without a warrant. EPIC also found through a Freedom of Information Act lawsuit that the DEA had not completed a PIA for the agency's license plate reader database.
According to the DEA spokesperson, the agency did not carry out a PIA for RCS because the agency does not produce them for commercial software products.
"The lack of privacy assessments for commercial products like the RCS spyware demonstrates that we need stronger oversight, accountability, and transparency requirements," Scott told Motherboard in an email.
"The DEA engages in surveillance programs that raise serious privacy and civil liberties issues and the lack of transparency surrounding these programs and the technology the agency uses is troubling and undermines public confidence. All surveillance technology and programs should be subject to a privacy and civil liberties assessment," Scott added.
Ultimately, the DEA cancelled its contract with Hacking Team, and, as it turns out, did not use the malware all that much. According to a letter the DEA sent to US Senator Chuck Grassley, the agency deployed RCS on 17 foreign-based drug traffickers and money launderers.