Grassley questions whether FBI broke the law with contract

The government’s relationship with the controversial Italian surveillance firm Hacking Team may have violated the law, Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa) said in a letter sent Wednesday to the FBI.

Hackers recently broke into Hacking Team’s networks, dumping troves of internal documents, contracts and emails with clients. The leaked documents revealed long-standing ties with the U.S. government, along with deals between the company and oppressive governments across the Middle East, Africa and Eastern Europe.

“It is troubling that the leaked documents also revealed Hacking Team’s business relationships with a number of repressive regimes around the world, including Sudan,” Grassley said in his letter.

Grassley singled out Sudan because of a 2007 law that forbids the U.S. government from doing business with companies conducting restricted business with Sudan, such as selling military equipment.

Hacking Team’s surveillance tools, designed to crack and scoop up encrypted communications, may fall under the bill’s definition of “military equipment,” according to a recent United Nations investigation into the company.

Researchers have published extensive evidence that the Sudanese government used Hacking Team’s technology to gather intelligence on political dissidents and activists.

“While it is vital that U.S. law enforcement and our military have the technological tools needed to investigate terrorists and criminals in order to keep the public safe, it is also important that we acquire those tools from responsible, ethical sources who are acting in accordance with the law,” Grassley said.

The exact terms of Hacking Team’s relationship with Sudan are unclear.

Leaked documents revealed a 2012 contract worth more than $1 million. They also show that the firm severed ties with the regime in 2014, under pressure from the U.N., which had placed an arms embargo on Sudan.

“Our technology has always been sold lawfully, and, when circumstances have changed, we have ended relationships with clients such as Sudan, Ethiopia and Russia,” said Hacking Team Chief Operating Officer David Vincenzetti.

The FBI and Drug Enforcement Agency (DEA) have been buying surveillance tools from Hacking Team since at least 2011, according to internal documents, indicating at least some degree of overlap with the period in which the firm was doing business with Sudan.

The FBI has not confirmed its relationship with Hacking Team.

But on Tuesday, the DEA, responding to an April letter from Grassley, did admit to purchasing snooping tools from Hacking Team starting in 2012.

“Having encountered evidence collection challenges in a number of foreign investigations, and without the resources to internally develop its own technical solution, DEA sought to lawfully acquire a commercially-available tool that would allow for remote, overseas deployment of communication monitoring software on foreign-based devices used by foreign-based traffickers and money launderers,” the agency said in a letter sent Tuesday to Grassley.

In total, the DEA said it spent $927,000 on Hacking Team’s Remote Control System (RCS) software. The agency ultimately canceled its contract in recent months, the letter said.

In three years, the drug office used the software in one foreign country on 17 devices. The agency said the tactic only worked once, due to “technical difficulties with the software.”

After the DEA’s admission, Grassley said, “the question arises as to whether the contracts the company had with U.S. agencies” violate the 2007 law, known as the Sudan Accountability and Divestment Act.

To answer that question, Grassley wants the same information from the FBI and Defense Department, which reportedly also had a contract with Hacking Team.

The Judiciary Committee head is seeking a response by the end of the month.