“It looked very suspicious,” M says of an anonymous e-mail she and several other journalists received late in 2014. It promised a scoop about a government scandal, but something just didn’t sit right with her. Soon after, strange things started happening on her computer. “I remember clearly not being able to connect via Skype to give an interview about torture,” she says. “There was somehow interference and I had to use someone else’s phone.”
After passing a file attached to the e-mail to security experts, M learned that she and her coworkers had been targeted with Remote Control System (RCS), a sophisticated piece of spying software developed by a small Italian company called Hacking Team. Later, she would find out that it was being used against her by her own government, which likely objected to her reporting. M spoke on condition of anonymity because she fears further reprisals.
M is just one of probably thousands of people who have been hacked with RCS by intelligence and law enforcement agencies that have bought the software. As governments and police departments increase their use of such tools in coming years, there’s reason to think that not only criminals and people who have antagonized an authoritarian government should worry.
After the recent attacks in Paris, figures such as CIA director John Brennan and New York City police commissioner Bill Bratton complained that encryption is neutralizing conventional search and surveillance techniques. That feeling, shared by some European authorities, may deliver a sales boost to RCS, which Hacking Team pitches as a solution to the encryption “problem” because hacking a person’s phone or computer can reveal protected data. And it will help Hacking Team’s competitors. Experts tracking the company say it is just the best-known of many that sell hacking tools that can let even local police use techniques once reserved for national intelligence agencies.
What we know about Hacking Team shows that this new approach is fraught with technological, moral, and legal issues getting scant attention even as access to these tools becomes standard. As they become more widely available to law enforcement agencies, abuses are likelier to occur. “Before hacking trickles down from the FBI to state and local law enforcement agencies, we urgently need to debate if and how such surveillance tools should be used,” says Christopher Soghoian, principal technologist at the American Civil Liberties Union.
Hacking Team was founded in 2003 as a more traditional cybersecurity outfit by CEO David Vincenzetti, who emerged from the 1990s community of encryption experts and enthusiasts that also incubated Julian Assange of Wikileaks. Corporations hired Hacking Team to test their computer networks for weaknesses, with early clients including Deutsche Bank and Barclays.
A few years later, however, Vincenzetti switched the company to focus on offense rather than defense. Hacking Team started selling software that could infiltrate people’s computers and smuggle out their data without their noticing. Its main product became a package called RCS, the software used to target M.
RCS can infect both PCs and mobile devices. It can copy files from your hard drive, listen in on Skype calls and instant messages, read e-mails before they’ve been encrypted, capture passwords typed into a Web browser, and turn on the microphone and camera to watch or listen to you.
The program can infect a device by taking advantage of security flaws in operating systems and other software; Hacking Team either discovers these vulnerabilities itself or pays other companies for knowledge of them. RCS can get onto a computer through a malware-laden e-mail, as in M’s case, or by someone covertly getting physical access to a device. Some customers deploy RCS by installing a device called a Network Injection Appliance at an Internet service provider, which can steer a targeted person’s Web browser to a phony Web page that smuggles RCS onto his or her system. Customers pay Hacking Team for the software and a system of proxies that keep their communications with the software—and their investigations—under wraps. They also get comprehensive technical support. “The value that they’re adding is the training, consultancy, and ease of use that they can offer to any agent who is unfamiliar with computers,” said Edin Omanovic, a research officer at Privacy International, who has tracked the surveillance industry.
The Italian authorities were among the first clients for RCS, and mafia leaders among the first targets. But Hacking Team rapidly expanded beyond its domestic market, promising customers in slick video ads that they would, among other things, be empowered to “overcome encryption and capture relevant data.”
In 2006, Spain’s spying agency, the CNI, signed up, followed two years later by its counterparts in Singapore and Hungary. Before long, Saudi Arabia, Mexico, Egypt, Sudan, Russia, and Kazakhstan had purchased Hacking Team’s tools for their security agencies. The FBI and some other U.S. agencies also bought licenses for RCS. A wide range of local and even university police forces have also asked Hacking Team to demonstrate its tools. E-mails obtained via the Freedom of Information Act by MuckRock show an ordinary sheriff’s office in Florida worrying it couldn’t “survive” without RCS after seeing a demo, although a sale was never made.
Some of Hacking Team’s customers have used RCS in troubling ways. In 2012, the University of Toronto’s Citizen Lab, which investigates how computer security affects human rights, found that Hacking Team software had been used by the United Arab Emirates government to infect the PC of a political dissident and by the Ethiopian government to break into the computers of journalists working in the United States. “We found some fucked-up stuff,” says Claudio Guarnieri, a security researcher who worked with Citizen Lab on a number of its reports.
Many details about Hacking Team and its clients come from documents released after the company was itself hacked this July. An internal spreadsheet, dated May 2015, suggests that 6,550 individual devices—phones or computers—may have been infected with RCS since 2008. In all, the company sold to around 70 different customers, including governments, which provided over 40 million euros (more than $44 million) in revenue.
Having its dirty laundry aired online didn’t seem to pose too much of a problem for Hacking Team’s business, though, and no customers publicly distanced themselves from the company. “Clients have stuck with us, because I think they recognize the value of what we do, and the superiority of the product,” says company spokesman Eric Rabe. (The CEO, Vincenzetti, declined to be interviewed.)
“Even having its dirty laundry aired online didn’t seem to pose too much of a problem for Hacking Team’s business. No customers publicly distanced themselves from the company.”
There is a great deal of competition, however, from small hacking shops and large government contractors alike. Gamma International, a company with offices in Germany and the U.K., offers a tool similar to RCS called FinFisher. It has been bought by government agencies and police forces in Australia, Belgium, and Italy. FinFisher was also used by the Bahraini government to target activists, and by the government of Uganda, which Privacy International says used it to blackmail political opponents. Gamma was hacked in 2014 and, like Hacking Team, this year had internal files leaked online but didn’t appear to suffer much. CitizenLab reports that it has gained customers.
Omanovic says that he knows of around 16 companies that sell products similar to Hacking Team’s. Two weeks prior to our interview he had found another firm based in Israel, and two months before that a new one in South Africa. Guarnieri, who worked with Citizen Lab, thinks there are many more. “I think the most important ones, in terms of size of business and customer base, are still to be revealed,” he says. “They haven’t really got much attention, maybe just because they’ve been better at not getting busted.”
In the U.S., use of tools like RCS to access a person’s data are governed by the Fourth Amendment and the rules of criminal procedure, which means the FBI needs a warrant before it can hack your computer. But the U.S. Department of Justice is in the process of tweaking the rules for securing warrants for “remote access” searches in a way that the American Civil Liberties Union and Google have both complained could significantly widen their use.
When police get access to new surveillance technologies, they are often quickly deployed before any sort of oversight is in place to regulate their use. In the United States, the abuse of Stingrays—devices that sweep up information from cell phones in given area—has become common. For example, the sheriff of San Bernadino County, near Los Angeles, deployed them over 300 times without a warrant in the space of less than two years. That problem is only being addressed now, years after it emerged, with the FBI now requiring a warrant to use Stingrays, and efforts underway to force local law enforcement to do the same. It’s easy to imagine a similar pattern of abuse with hacking tools, which are far more powerful and invasive than other surveillance technologies that police currently use.
Soghoian, the ACLU technologist, believes that a public and political discussion about the power of hacking tools and their growing use by authorities is desperately needed. “I think that many Americans would be shocked to learn that the government can take over their webcam (without the indicator light turning on), or remotely activate the microphone in their laptop or phone,” he says.
It is unlikely that Congress or its equivalents in other Western nations are about to take up the debate Soghoian wants. After recent attacks by the Islamic State and its sympathizers, interest in empowering intelligence and law enforcement is only increasing. And an attempt to limit the sale of tools like RCS to governments with poor human rights records has already faltered. Late in 2013, an arms control pact signed by the U.S. and 40 other countries, the Wassenaar Arrangement, was updated to restrict the export of surveillance technology to certain governments. But the proposed rules in the U.S. were laid to rest after security researchers protested they were too broad and would restrict vital work needed to keep the Internet secure.
The close relationship between vendors of hacking tools and national intelligence and crime agencies might also confer some immunity to regulation. Internal e-mails from Hacking Team show that it met with military officials after the Italian government halted exports of RCS over human rights concerns. The ban was soon lifted.
Guarnieri worries that we are sleepwalking toward a world in which the sale and use of such tools is taken for granted. “If in 10 years we have 50 Hacking Teams in Italy … sabotaging secure operating systems, finding ways to make security software meaningless, that creates a stack of problems that we’re never going to address because it’s been legitimized,” he says.
We appear to have arrived at a crossroads for surveillance without society being much aware, let alone getting to choose the path taken. That has downsides even for people lucky enough to live in places with good civil rights protections. People like M, targeted by her own government for spreading truths it found inconvenient, can only hope that companies like Hacking Team might show some restraint about who they sell to.
Rabe, the company’s spokesman, suggests that’s the case: “Society has always expected law enforcement to conduct surveillance of suspects in order to keep us all safe from fraud, theft, bodily harm, terrorism, and other crimes,” he said in a statement. “Hacking Team provides tools exclusively to government—to be used with appropriate safeguards—that can bypass the encryption routinely employed by criminals and terrorists to attack us. “
But security researchers aren’t buying it. “I believe that one could start a responsible company that sells intrusion solutions,” says Bill Marczak, a senior research fellow from Citizen Lab. “Would such a company have any customers? I don’t know.”