A digital tool to monitor “all the devices,” whether they be smartphones or laptop computers. One that is “invisible to the user, evades antivirus and firewalls, and doesn’t affect the devices’ performance or battery life.” Leaked documents indicate the maker of this “hacking suite for governmental interception” has been in contact with law enforcement organizations across the Northwest in recent months: the police departments of Seattle, Tacoma, Portland, and Eugene, and the sheriff’s offices in King and Pierce counties.
The tool in question is named Galileo, and is made by Hacking Team, a company based in Milan, Italy. The company specializes in “Remote Control Systems” – essentially malicious and sophisticated computer viruses – that infiltrate smartphones and computers and allow law enforcement to secretly monitor and control the devices, including activation of their cameras and microphones. The RCS can be implanted through such means as email, a simple USB stick, or cooperative telecom companies.
According to a series of in-depth reports released last year by Citizen Lab – a research project housed at the University of Toronto – Hacking Team sells these tools to law enforcement and spy organizations across the U.S. and the world. The report also indicates the company’s products have been used to target dozens of journalists and activists.
Documents released by Wikileaks this month, consisting of over one million internal emails from the company’s servers, include the contact information for specific officers in regional law enforcement. Our review of the emails has found no indication that local departments have purchased Hacking Team’s services. However, the presence of these officers on the firm’s contact list – as well as the likely reasons they're on it – provides a glimpse at how domestic law enforcement is seeking to understand and potentially utilize the tools of computer hackers.
For example, a long-time detective with the Seattle Police Department was added to Hacking Team’s contact list last October, following a cyber-security conference by Intelligence Support Systems in Washington D.C. Asked whether this indicated the detective had been in contact with a company representative at the conference, SPD spokesman Sean Whitcomb issued a denial.
“Our detective attended a cyber-crimes investigations conference and as a registered attendee was placed on an email distribution list,” said Whitcomb.
Leaked emails seem to indicate a less impersonal process. In emails related to the event, a company representative explained they “did not get that many contacts at ISS. I was busy with the different meetings we had.” It appears only five contacts were added to the Hacking Team’s contact list following the conference.
Were Hacking Team pulling contacts from the registered attendee list, time and busyness would not be likely constraints, and the list of added emails may have been longer. One possible interpretation of this email is that the company only had time to make a few direct contacts at the conference, and a detective from SPD was among them.
Regardless of whether the detective met with a member of the company, Hacking Team’s “different meetings” at the conference would have educated the investigator about their services. A cached copy of the conference’s schedule includes three presentations by Hacking Team representatives: two on “intruding communications devices” and one on intercepting data in “in an encrypted, social and clouded world.”
Other presentations at the conference included:
- "Feel their Pulse with Every Interaction: Extracting More Target Intelligence from Captured IP”
- Instruction on “how to stay ahead of threats with Remote Stealth Surveillance”
- “Converging Big Data Analytics with Targeted Lawful Interception and Investigation”
- A myriad of presentations and seminars on infiltrating social media networks for information gathering
Officers from the police departments of Tacoma, Portland, and Eugene, as well as the sheriff’s offices of King and Pierce county, were added to the Hacking Team's list following a similar conference last year – the National Technical Advisors Association (NATIA) annual exhibition in San Diego. Information on that conference’s presentations and exhibitors is not publicly available. However, the Hacking Team’s website indicates they attended both last year and this year.
In the leaked emails, the only record of a regional law enforcement representative contacting Hacking Team comes from a detective with the Pierce County Sheriff’s Office. The officer asked to be removed from their mailing list.
Vice News and Muckrock – an online governmental transparency organization – have co-published a map of state and municipal addresses found in Wikileaks' email release. which allows users to search through the leaked records. However, the map can be taken to suggest representatives of the Bellevue and Everett police departments are on Hacking Team's contact list. In fact, both they and the firm were simply included on the same promotional email from another organization.
As Wired, Vice News, and others have reported, both the FBI and DEA have used Hacking Team’s services, as well as foreign governments and organizations. Leaked emails depict at least one regional law enforcement agency – a sheriff’s office near Fort Lauderdale, Florida – seeking out a demo of their product. Following that meeting, an email describes the department as having been “definitely impressed by [their services]” and that most of their questions “were about the legal aspects, but in the end they seemed confident that the product could be used for investigations.”
The surveillance abilities of local law enforcement agencies has been a heated topic in the region. In 2013, The Stranger and Geekwire reported on the installation of a wireless “mesh network” in downtown Seattle, which could be utilized by police to track individuals using their mobile devices. This created an outcry that led police to shut the devices down. The Seattle Police Department was also forced to ground the two Dragonflyer X6 surveillance drones they purchased, eventually shipping them to Los Angeles. An article by this reporter in Seattle Weekly documented the ability of police to track and record the movement of vehicles using license plate scanners.
Following the release of Hacking Team’s internal emails by Wikileaks, Hacking Team CEO David Vincenzetti defended the company, stating that “the lawful surveillance system that Hacking Team has provided to law enforcement for more than a decade is critical to the work of preventing and investigating crime and terrorism…Today’s Internet is a safe harbor for criminals such as those who attacked Hacking Team, but also for terrorists, sex traffickers, murderers, narcotics dealers and other wrong-doers. No other company has ever produced a lawful surveillance capability nearly as comprehensive, as easy to use, or as powerful as ours.”
The need for law enforcement to be digitally advanced is unarguable. However, when it comes to regulating how agencies gather data on individuals, it’s also tough to argue that there’s strong oversight and legal restrictions in place. The emails published by Wikileaks are simply a snapshot of Hacking Team's activity, and the extent to which local law enforcement has pursued their sort of surveillance abilities is unknown. We've filed requests with regional law enforcement agencies for records on this subject.