DEA Deploying Powerful Spyware Without Required Privacy Impact Assessments

from the disturbing-pattern-of-noncompliance dept

It's not just the FBI that can't seem to turn in its privacy-related paperwork on time. The FBI has pushed forward with its biometric database rollout -- despite the database being inaccurate, heavily-populated with non-criminals, and without the statutorily-required Privacy Impact Assessment that's supposed to accompany it. As of 2014, it hadn't produced this PIA, one it had promised in 2012. And one that applied to a system that had been in the works since 2008.

Unsurprisingly, another federal law enforcement agency hasn't felt too compelled to produce PIAs for privacy-impacting programs. As Joseph Cox reports for Motherboard, the DEA's privacy paperwork is lagging far behind its intrusive efforts.

[T]he Drug Enforcement Administration did not carry out a Privacy Impact Assessment—a process which is typically designed to understand and minimize the privacy risks with a particular system or technology—when it bought and ultimately used malware from Italian surveillance company Hacking Team.

Hacking Team sells powerful malware and exploits, which very definitely screw with people's privacy expectations -- both the privacy they correctly (or incorrectly) believe they're entitled to as well as their expectations of the government, which is supposed to keep citizens' privacy expectations at the front of its mind. At least, everyone would like to believe the government is equally concerned about citizens' privacy. That's what these assessments are supposed to show: that the government has done what it can to minimize unwarranted intrusions.

But these are simply not to be found, to the surprise of no one.

Privacy experts say the news is consistent with the DEA's repeated failure to complete such assessments around the agency's surveillance operations.

One such privacy hound -- EPIC -- points out the DEA still hasn't handed in a Privacy Impact Assessment on its Hemisphere program. This program put the DEA on the NSA's level: embedded telco employees providing real-time access to millions of phone records. No warrants needed. No privacy assessment needed either, apparently, despite the program being in operation for more than 25 years at the point the DEA inadvertently disclosed it.

Jeramie D. Scott from the Electronic Privacy Information Center (EPIC) pointed to an April letter the organization sent to Congress urging a committee to scrutinize the DEA's compliance with PIAs. In that letter, EPIC highlights that the DEA did not conduct a PIA for its use of the controversial Hemisphere program, in which agents can access AT&T call records without a warrant. EPIC also found through a Freedom of Information Act lawsuit that the DEA had not completed a PIA for the agency's license plate reader database.

But the DEA has an excuse for not completing a PIA on purchased software exploits.

According to the DEA spokesperson, the agency did not carry out a PIA for RCS [Hacking Team's Remote Control Software] because the agency does not produce them for commercial software products.

Ha! Define "commercial." Just because the DEA can buy exploits and malware from a private company like Hacking Team hardly makes this spyware a "commercial software product." While any number of nations with piss-poor civil rights records can avail themselves of Hacking Team's offerings, your average consumer isn't able to pick up a copy of RCS. Generally speaking, commercial software can be purchased by nearly anyone and a great many people are familiar with the software's functions and capabilities. Remote-control spyware, purchased and deployed in secret, isn't "commercial software."

Nevertheless, the missing DEA PIAs will continue to go missing. There's seemingly no one in the DOJ interested in holding these agencies accountable, and there are very few people above the DOJ interested in holding it accountable either. So, the lack of oversight trickles downhill and agencies become more powerful -- and more of a threat to privacy -- but give nothing back to the community (so to speak).

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dea, privacy, privacy impact assessment, spyware