The Drug Enforcement Administration has been buying spyware produced by the controversial Italian surveillance tech company Hacking Team since 2012, Motherboard has learned.
The software, known as Remote Control System or "RCS," is capable of intercepting phone calls, texts, and social media messages, and can surreptitiously turn on a user's webcam and microphone as well as collect passwords.
The DEA originally placed an order for the software in August of 2012, according to both public records and sources with knowledge of the deal.
The contract, which has not been previously revealed, shows that the FBI is not the only US government agency engaged in hacking tactics, but that the DEA has also been purchasing off-the-shelf malware that could be used to spy on suspected criminals.
This revelation comes just a week after USA Today uncovered a secret program with which the DEA collected the phone records of millions of Americans for more than 20 years, a program that pre-dated and inspired the NSA's own bulk telephone collection program, suggesting that the drug agency is sort of a pioneer in the use of surveillance.
Surveillance tech experts say the DEA's relation with Hacking Team is further proof that methods and tools once only reserved for the military, intelligence agencies and even cybercriminals—such as drones and StingRays—are becoming commonplace in law enforcement as well.
"Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement."
"Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement," Christopher Soghoian, the principal technologist at the American Civil Liberties Union and an expert of surveillance technology, told Motherboard.
And given the how powerful this spyware can be, Soghoian added, "we need a public debate over this invasive surveillance technology."?
THE PAPER TRAIL
The contract, according to public records, was signed on August 20, 2012 for a total value of $2.4 million between the DEA's Office of Investigative Technology and a government contractor named Cicom USA.
The records were uncovered by Motherboard and Pri?vacy International, a London-based digital rights group, in independent investigations.
The contract, which records show is slated to be completed in August of 2015, is identified only as "Remote Controlled Host Based Interception System."
That system, according to sources, is none other than Hacking Team's Remote Control System, also known as Galileo, which the company markets as "the hacking suite for governmental interception."
"You cannot stop your targets from moving. How can you keep chasing them? What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that," a company brochure boasts.
Cicom USA, Motherboard has learned, was simply a reseller for Hacking Team, a spyware-maker that's been accused of selling its products to some governments with questionable human rights records. Some of those governments, such as Ethiopia, the United Arab Emirates, or Morocco, used Hacking Team's software to target dissidents and journalists.
In light of those incidents, which were uncovered by researchers at the Citizen Lab at the University of Toronto's Munk School of Global Affairs, the company was included in a blacklist of corporate "Enemies of the Internet" by Reporters Without Borders.
Despite speculation based on the fact that Hacking Team has an office in the US, there's never been any evidence that the company had sold its products on American soil, even though CEO David Vincenzetti boasted of having clients in more than 40 countries, including the US, in a 2011 interview with Italian newsmagazine L'Espresso.
The connection between Cicom USA and Hacking Team was confirmed to Motherboard by multiple sources with knowledge of the deal, who spoke on condition of anonymity because they were not authorized to discuss the content of the contract.
Eric Rabe, a spokesperson for Hacking Team, did not confirm nor deny the existence of the contract with the DEA.
"We don't identify our clients. I'm certainly not going to comment whether the DEA or anyone else has purchased Hacking Team software."