The FBI, Drug Enforcement Administration and U.S. Army have all bought controversial software that allows users to take remote control of suspects’ computers, recording their calls, emails, keystrokes and even activating their cameras, according to internal documents hacked from the software’s Italian manufacturer.
The revelations come from hundreds of gigabytes of company information, including emails and financial records, which were released online Sunday night and analyzed by The Intercept. Milan-based Hacking Team is one of a handful of companies that sell off-the-shelf spyware for hundreds of thousands of euros — a price point accessible to smaller countries and large police forces. Hacking Team has drawn fire from human rights and privacy activists who contend that the company’s aggressive malware, known as Remote Control System, or RCS, is being sold to countries that deploy it against activists, political opponents and journalists.
Even in the U.S., where the software would presumably be used only with a judge’s approval, the tactic is still controversial. Just last month, Sen. Chuck Grassley, R-Iowa, wrote to the director of the FBI asking for “more specific information about the FBI’s current use of spyware,” in order for the Senate Judiciary Committee to evaluate “serious privacy concerns.”
The leaked emails show that the FBI has been using Hacking Team’s software since 2011, apparently for the secretive Remote Operations Unit. It’s long been reported that the FBI has deployed malware in investigations, but details on the agency’s efforts are thin, with the tactic only surfacing rarely in court cases — such as one instance last year when the FBI spoofed an Associated Press article to get a target to click on a link. The FBI reportedly develops its own malware and also buys pre-packaged products, but the relationship with Hacking Team has not been previously confirmed.
Hacking Team’s spokesperson, Eric Rabe, said in a statement that “we do not disclose the names or locations of our clients” and “we cannot comment on the validity of documents purportedly from our company.”
The director of the Metropolitan Bureau of Investigation in Florida told The Intercept that it “does not have plans to purchase any product from Hacking Team.” The Manhattan District Attorney’s office said, “It would be an overstatement to say that our office is planning to purchase this type of software. This company is one of several in the industry whom we’ve requested meetings with in order to keep pace with rapid technological advancements in the private sector.”
The CIA declined to comment, and ICE said it “does not discuss law enforcement tools and techniques.” (The Intercept will update this story if other agencies named in the documents respond to requests for comment.)
The leaked emails show that U.S. agencies worried about the legality and perception of Hacking Team’s tools.
Hacking Team refers to its U.S. clients by code names. The FBI unit is “Phoebe” (initially “f-client,” but one employee complained “it sounds like an antivirus),” the DEA is “Katie,” and the CIA, which appears to havesampled, but not bought Remote Control System, is “Marianne.”
In 2011, a representative of the DEA’s Office of Investigative Technology told Hacking Team that its budget request for Remote Control System had been denied because it was considered “too controversial,” according to anemail. “We are working on the foreign angle,” the DEA said, according to Hacking Team’s U.S. account manager.
“I imagine Katie [DEA] is referring to the fact that they as the DEA could buy RCS for other countries (Colombia) where it’s less problematic to use it,” an employee replied in Italian.
The purchase did go through in 2012, and it appears to have been used mainly in conjunction with Colombian law enforcement. As one emailexplained, “Katie will be administrator of the system, while the locals will be collecting the data. They are saying if this works out, they will bring it to other countries around the world. Already they are speaking of El Salvador and Chile.”
Robotec, a company that manages Hacking Team’s sales to several Latin American countries, also mentions clients in Colombia using DEA funding.
Local police in the U.S. also had their worries. Florida law enforcement told Hacking Team this year that the software could create legal problemswithout the ability to have “‘minimization’ of the calls and messages — (ie. deleting portions which are not relevant to the search.)”
In 2013, San Bernardino’s district attorney wanted to go to a judge to obtain a warrant targeting a “known bad guy” even for a trial run of the software. “If the systems [sic] proves itself in this live trial, and the judge is convinced of both its value and proper protection of privacy, they would then move into the purchase phase,” one of Hacking Team’s U.S. business partners, from the security giant SS8, explained.
“One of the concerns of this segment is that the HT product is ‘too powerful,’” Fred D’Alessio, who sits on the board of SS8 and is identified on LinkedIn as a senior advisor to Hacking Team, wrote about local agencies. “They have also said, their biggest challenge is ‘getting the lawyers and the District Attorneys to agree on what they can do legally.”
Hacking Team’s FBI contacts worried that the spread of Hacking Team software around the country could cause word to get out (as has happened with technology like Stingrays, the devices that police use to track cell phone location.) “If San Bernardino gets exposed, they might also expose Phoebe,” Hacking Team’s U.S. point man, Alex Velasco, wrote in September 2013.
The FBI’s use of Hacking Team’s software also informs the public debate about the growing use of encryption to protect Internet communications. FBI and other top U.S. law enforcement officials have been calling for a lawthat would provide for a “backdoor” into commercial encryption technologies — something privacy advocates and many cybersecurity researchers see as a undermining Internet security.
Hacking Team claims that its software offers a way around encryption, obviating the need for a backdoor. Vincenzetti regularly sends out articles about the encryption debate to his email list with a plug for Remote Control System. Last February, he wrote that law enforcement and security agencies could use “technologies to ACCESS THE DATA they need IN CLEARTEXT, BEFORE it gets encrypted by the device and sent to the network and AFTER it is received from the network and decrypted by the device itself. Actually THIS IS precisely WHAT WE DO.”
The push into the local district attorney market, for which the companyconsidered San Bernardino a pilot, appears to have been facilitated by SS8, a massive California-based security company that markets to law enforcement agencies in the United States and abroad. (Rabe denied that SS8 is working with Hacking Team, despite emails between the companies.) The local market could be lucrative: a budget for the district attorney in New York that Hacking Team proposed in April totaled $760,000 in upfront license fees, and another $382,000 in services and maintenance.
“As with so many other surveillance technologies that were originally created for the military and intelligence community, they eventually trickle down to local law enforcement who start using them without seeking the approval of legislators — and, in many cases, keeping the courts in the dark too,” said Christopher Soghoian, principal technologist of the American Civil Liberties Union.
The DEA, FBI and Army bought Hacking Team’s software through a company called Cicom, which for several years served as a middleman for Hacking Team’s U.S. business. The DEA and Army contracts to buy Remote Control System through Cicom were first revealed by the advocacy group Privacy International this spring. Reporters noted that Cicom shared the same corporate address in the United States as Hacking Team, but when asked about the connection by Ars Technica, Hacking Team’s U.S. spokesperson Eric Rabe said, “I cannot confirm any relationship between the company Cicom and Hacking Team.”
Alex Velasco, Cicom’s general manager, has in fact been a consultant under contract to represent Hacking Team to clients in North America since 2012, company emails show. The relationship ended in March, after Hacking Team accused Velasco of scheming to market competing products, according to an internal investigation commissioned by Hacking Team. Velasco declined to comment to The Intercept on the allegations, because he is in legal proceedings with Hacking Team.
Hacking Team was also in talks in 2014 with the FBI’s National Domestic Communications Assistance Center, a secretive unit formed in 2012 and focused on interception technologies. Velasco claims in an email that the group came to them after Citizen Lab, a research group at the University of Toronto focused on Internet technology and human rights, published a highly critical report on Hacking Team’s global sales. “If anything good came out of the Citizen lab articles is that it brought them to contact us to see if it was true,” he wrote. “Thank you Citizen Lab!!”
It’s not clear from Hacking Team emails what Army component bought an RCS system in 2011, but it was based at Fort Meade and apparently sat unused for years. According to a 2013 email from Velasco, “they purchased a system right before they got their budget cut…They were never given permission to pull an internet line to their office to install the system. (ridiculous but true!)”
Hacking Team was in the midst of negotiations for a new FBI contract from Cicom after Velasco’s firing, but the agency decided to go with another vendor due to budget timing issues, according to an email from Phillipe Vinci, Hacking Team’s vice president for business development. Besides, the product was “seen as a ‘nice to have’ by FBI,” but “they confessed they were using it for low level types of investigations. For critical operations, they were using another platform,” wrote Vinci. He said the FBI wanted more ability to go after users of Tor, the anonymizing web browser; those users accounted for 60 percent of its targets.
But Hacking Team appeared determined to continue its conquest of the U.S. market.
“There will be a process to have ‘HT Usa Inc.’ accredited,” wrote operations manager Daniele Milan. He pledged to stay in touch with the FBI, marketing new features, and identifying problems “to resolve for them (in exchange for $$$).”
While Hacking Team’s emails reveal the company to be stringent about selling only to governments, the company officials appear to worry less about how its technology is used once it gets to those customers. Responding to concerns raised by the district attorney of New York in 2013, Hacking Team’s chief operating officer Giancarlo Russo wrote that “all the consideration regarding the ‘legal framework’ cannot be addressed by us.”
Instead, he was more concerned about local customers’ ability to use the product effectively. “If you buy a Ferrari… they can teach you how to drive. They cannot grant you will be the winner of the race,” he wrote to his colleagues in English. “If Beretta sell you a gun, the most peculiar and sophisticated one, they can teach how to use it. They can not grant you are going to shoot your target properly on the field.”
Sheelagh McNeill contributed research to this report.