Hacking Team spyware sold to US DEA, and US Army

Investigations by Privacy International, in co-operation with VICE Motherboard, reveal that Hacking Team has sold its Remote Control System to the US Drug Enforcement Agency and US military via a front company based in the US.

The investigation catalogues what is known about Hacking Team’s intrusive spyware that can remotely switch on the microphone on mobile phones, activate webcams, as well as modify and/or extract data from the computer or phone itself. Whether the export was correctly assessed and approved remains unclear, and Privacy International will be writing to the relevant Italian authorities to seek answers on these key questions.

Remote Control System

Hacking Team is a Milan-based surveillance company that develops “offensive technologies” for targeted surveillance. Its flagship product - the “Remote Control System” (RCS) - is sold as a solution that “provide[s] effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.” Because RCS targets end-point devices, it can monitor anyone, anywhere in the world. Hacking Team claim that it can be used to monitor a hundred thousand targets.

Hacking Team = Cicom?

Records show that in 2011, a company called Cicom, with a registered address identical to that at which Hacking Team’s US office is registered (1997 Annapolis Exchange Parkway Suite 30x), sold a “Remote Control System”, originating in Italy, to the US Army for USD $350,000.

Only months later, in March 2012, the DEA released a call for tender for a “Remote Control Host Based Interception System”:

“The DEA is seeking information from potential sources with a fully functional and operational product proven to be capable of providing a Remote Control Host Based Interception System for device or target specific collection pursuant to authorized law enforcement use.”

In August 2012, the DEA's Office of Investigative Technology paid an initial USD$575,000 of an All Options Value of USD$2,410,000 to Cicom, and has continued to pay annual installments to the company. The most recent record shows a transaction, effective in August 2014 and to be completed in August 2015, for a “Remote Control Host Based Interception System and support services”. The transactions are due to end in 2017.

The transfers come in the wake of recent revelations of the DEA's mass surveillance programme, through which the agency has been collecting and storing the telephone records of ordinary Americans for more than two decades. It is now clear that, in addition to such bulk collection practices, the DEA also possesses the technical capacity to conduct intrusive surveillance on individuals across the globe, using Hacking Team's products.

International abuse

Evidence shows that Hacking Team has a consistent track record of delivering its software to end-users with records of human rights abuse and has been connected multiple times to the targeting of journalists and activists.

However, when presented with compelling evidence of the deployment of its products by human rights abusing governments, Hacking Team has consistently chosen to 'neither confirm nor deny' allegations, ignoring demands for transparency about its customer base, and disregarding victims' claims for redress against offenders.

A first step: export control regulations

Hacking Team has confirmed that their product has since 1st January 2015 been subject to export restrictions from the Italian government, which is the first step in ensuring that these types of technologies are not exported and used for human rights violations. This means that the Italian export authority now has to assess and approve any export of Hacking Team's products in order for a sale to go ahead.

How the Italian government now assesses any potential exports is unclear. Although EU export control regulations stipulate that in circumstances where an export is going to a military end-user the licensing authority should look at a set of criteria which contain human rights clauses, in practice this rule is implemented disparately across the European Union member states.

Furthermore, because Hacking Team needs to regularly update their RCS software, and because such updates can in themselves be classed as 'exports', it is arguable that any update would now require a new license if none has been received beforehand.

Privacy International will be writing to the relevant Italian authorities to seek clarification on both these points.