DEA spending million of dollars on buying hacking tools from an Italian company

The Drug Enforcement Agency has been spending millions on spyware tools produced by the controversial Italian surveillance tech company, Hacking Team since 2012, according to an exclusive report by Motherboard.

The software, known as Remote Control System or “RCS,” is capable of hijacking phone calls, texts, and social media messages, and can secretly switch on a user’s webcam and microphone as well as collect passwords.

Government records show the agency paying $2.4 million for a RCS that could be embedded in a suspect’s phone. Once the phone is infected, the spyware can record texts, emails, passwords, and even tap nearby conversations through the onboard microphone. The use of spyware by law enforcement is contentious, and officials typically need a warrant before setting up the programs. However, some agencies in the past have ignored that requirement.

The source of the spyware is even more contentious. The records show the DEA purchasing the spyware from Cicom USA, but Motherboard’s sources say Cicom is simply a reseller for products made by Hacking Team that began marketing to US agencies in 2011. The group has a bad reputation in security circles for implanting targeted malware into YouTube and Microsoft Live services, and has also sold to governments in Morocco, Ethiopia, and the United Arab Emirates.

According to both public records and sources, the DEA originally placed an order for the software in August 2012. The contract, which records show is slated to be completed in August of 2015, is identified only as “Remote Controlled Host Based Interception System.”

The contract, which was revealed previously shows that the FBI is not the only US government agency involved in hacking tactics. It showed that the DEA has been illegally purchasing the malware to be used to spy on suspected criminals.

According to the Surveillance tech experts, the DEA’s ties with Hacking Team is enough proof that methods and tools which were once meant to be used only for the military, intelligence agencies and even cybercriminals—such as drones and StingRays—are now becoming mundane in law enforcement as well.

Despite rumors that Hacking Team has an office in the US, there has never been any proof that the company had sold its products in America. Further, in an interview with Italian newsmagazine L’Espresso, the CEO David Vincenzetti bragged of having clients in more than 40 countries, including the U.S.

However, the connection between Cicom USA and Hacking Team was confirmed to Motherboard by multiple sources with knowledge of the deal, who spoke on condition of anonymity because they were not authorized to discuss the details of the contract.

Eric Rabe, a spokesperson for Hacking Team, did not accept or deny the existence of the contract with the DEA.

Hacking Team’s RCS software can be secretly implanted on the suspect’s computer or cellphone and monitor all activity, allowing police officers to spy on data that might otherwise be encrypted and out of their reach.

Cicom USA, according to the DEA, was the only company capable of providing the service required, based on the market research conducted internally by the agency. The DEA did not respond to questions regarding this research.

The big question for the surveillance experts is whether the DEA actually has legal authority to use spyware such as Hacking Team’s—and how, exactly, it is used. A DEA spokesperson said that the agency “always abides by the laws of the jurisdictions within which it operates.”

And added that “however, in this case, this is off-the-shelf technology, legally available for purchase by all and used throughout the world by many organizations.”

But the experts are not convinced. However, some legal experts point out that there is nothing illegal about the use of spyware. Although there is no specific law that specifically covers hacking, Jonathan Mayer, a computer scientist and lawyer at Stanford University, said that law enforcement agencies are “broadly authorized” to conduct searches in the US, including using hacking techniques.

However, for critics, such as Soghoian or Privacy International, there still should be more clarity and a public discussion.

“If law enforcement agencies can hack into your computer, turn on your webcam, turn on your microphone and steal documents from your computer,” Soghoian said, “that’s the kind of thing that should get the attention of Congress, particularly before this trickles down to local law enforcement agencies.”

Resource : Motherboard.Vice.