Here’s the DEA Contract for Hacking Team's Spyware
Image: Ryan Lackey/Flickr

FYI.

This story is over 5 years old.

Tech

Here’s the DEA Contract for Hacking Team's Spyware

The contract reveals all the details of the relationship between the Italian spy tech company and the American anti-drug agency.

Last year, a Motherboard investigation revealed that the Drug Enforcement Administration had secretly bought spyware made by the infamous Italian spy tech company Hacking Team. In order to spy on drug smugglers and merchants, the DEA bought software capable of intercepting phone calls, texts, and social media messages, and surreptitiously turning on a target's webcam and microphone as well as collecting passwords.

Advertisement

Now, almost a year later, the DEA finally released its contract with a US-based Hacking Team reseller. The agency sent a 92-page document to Motherboard following a Freedom of Information Act request filed last April.

The contract gives a glimpse into the government side of the spyware business, revealing why law enforcement agencies feel the need to purchase hacking tools, and the lengths they go to keep it all secret.

The DEA has redacted the portions of the document that describe what Hacking Team's products do. But we know from extensive academic research, the company's own marketing materials and claims, as well as leaked documents and emails, that Hacking Team sells a suite of hacking and spying tools to monitor all sorts of communications.

The contract confirms most of what we already knew about the DEA's relationship with Hacking Team, such as the total cost, $2.4 million, and the date the relationship started, on August 20, 2012. Curiously, it doesn't say where the DEA will use the spyware, a detail that's redacted. But thanks to the hack on the Italian surveillance contractor last summer, and the leaked emails, we know the DEA used it in Colombia.

The contract also contains a breakdown of all the services that the DEA bought from Hacking Team.

In July of last year, the DEA revealed that it had decided to cancel its contract with Hacking Team, after paying $927,000 out of the total estimated cost of $2.4 million dollars.

Advertisement

Despite spending almost a million dollars on Hacking Team's spyware, the DEA said it only used in a grand total of 17 "foreign-based drug traffickers and money launderers" with only "one successful instance of remote deployment," according to a DEA letter to US Senator Chuck Grassley, who asked the agency to explain on how it used Hacking Team's spyware.

Years before cancelling the contract and claiming that it barely used Hacking Team's technology, however, the DEA made a strong argument for why it really needed Hacking Team's software, known as Remote Control System or RCS.

"Seasoned traffickers know that using encrypted IP often makes them largely immune to most conventional law enforcement techniques."

In essence, the DEA realized it can't wiretap drug merchants like it used to. The anti-drug agency, just like the FBI, is worried about "going dark," a future where encryption makes it hard, or even impossible, to surveil criminals.

"Narcotics traffickers are increasingly using encrypted Internet protocol (IP) traffic to communicate on either traditional personal computers or on smartphones," reads the contract. "Seasoned traffickers know that using encrypted IP often makes them largely immune to most conventional law enforcement techniques."

"More importantly, in most cases, the encryption is performed on the end device(s) and is only decrypted on the receiving device," the contract continues, referring to end-to-end encryption, which makes messages readable only by the sender and the receiver.

Advertisement

In publicly available records of the deal before our investigation, the DEA didn't identify Hacking Team as its contractor, only Cicom USA, a small company that acted as Hacking Team's reseller in the US. This allowed the existence of the contract with the spy tech company to go unnoticed for three years, even though it was out there for everyone to see. But in the full contract, the DEA makes it clear that even though the contractor is formally Cicom USA, it's Hacking Team that's was going to provide the service.

It's unclear why the DEA kept the real identity of the company behind the contract secret. A DEA spokesperson declined to comment for this story.

Other interesting tidbits from the contract include:

Hacking Team helped the DEA install the surveillance software at its "overseas location," which isn't specified but we know it's in Colombia.

-Contract hints at where it will deployed by requiring Hacking Team to provide "Spanish speaking support."

-The contracts establishes monthly "regular meetings" where Hacking Team and the DEA would go over support issues.

-The DEA tested and conducted training for Hacking Team's spyware at its office in Lorton, Virginia, which has since been closed-out and sold.

-Hacking Team was required by the contract to provide testimony and defend its product if its equipment were ever to be challenged in court on the basis of "collection methodology, accuracy, reliability, integrity, or other function."

-The DEA demanded Hacking Team to be quick and reliable in case of need, and provide support "within 20 minutes" of a DEA agent asking for help "at least 95% of the time."

The full contract is here.