Italian Spyware Company Execs Arrested After Company Employees Spied On Innocent Citizens

from the power-and-responsibility-once-again-decoupled dept

Any tool that gives people access to tons of personal data will be abused. Law enforcement databases are routinely misused by government employees. Ring -- law enforcement's favorite consumer home product -- collects tons of data about its customers and this data has been inappropriately accessed by Ring employees.

The perfect storm of illicit surveillance and snooping comes from companies that sell spy tools to law enforcement but retain control of the servers where the personal data and communications are stored. An Italian developer, Diego Fasano, followed up his successful medical records app with something far more troubling: law enforcement spyware deployed with the aid of service providers.

The concept behind the company’s product was simple: With the help of Italy’s telecom companies, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their phone. The app would also allow Fasano’s company, eSurv, to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages.

Fasano christened the spyware “Exodus.”

The software was popular. Prosecutors all over Italy bought Fasano's product. So did Italy's NSA, L'Agenzia Informazioni e Sicurezza Esterna. There's no telling how much the government slurped from targets' phones over the years, but one prosecutor discovered the truth about eSurv's operations on accident. The information harvested by investigators wasn't walled off from the internet, only accessible by the prosecutor's office. It was accessible to anyone with the right credentials, stored thousands of miles away.

The Naples prosecutor began a more in-depth probe—and found that eSurv had been storing a vast amount of sensitive data, unencrypted, on an Amazon Web Services server in Oregon.

The data included thousands of photos, recordings of conversations, private messages and emails, videos, and other files gathered from hacked phones and computers. In total, there were about 80 terabytes of data on the server—the equivalent of roughly 40,000 hours of HD video.

This meant eSurv employees -- at least the "Black Team" running eSurv's "Exodus" project -- could also access these recordings. There's no evidence (yet) that they did or that this very valuable stash of law enforcement intel was ever exfiltrated by hackers. But the fact remains law enforcement agencies did not have control of their harvested surveillance.

This would have been a tempting stash of personal info for eSurv employees to dip into. But they didn't. They didn't have to because they were already deploying their malware to intercept communications and exfiltrate data from Italian citizens who had been tricked into installing eSurv's malicious, telco-miming apps.

In one instance, the Black Team hacked the phone of a 49-year-old woman from Crotone, a port city on the coast of Calabria, according to the prosecutor’s filings. The team collected the woman’s personal text messages to family and friends, and covertly recorded more than 3,800 audio clips using her mobile phone’s built-in microphone, chronicling the woman’s life and interactions as she went about her daily business, the filings say.

In all, the Black Team spied on more than 230 people who weren’t authorized surveillance targets, according to police documents. Some of the surveillance victims were listed in eSurv’s internal files as “The Volunteers,” suggesting they were unwitting guinea pigs.

A court has already stated the company's product was "designed and intended.. to operate with functions that are very distant from the canons of legality." That should be an indictment of the law enforcement agencies who purchased it as well, but somehow it isn't. The proper paperwork may have been filed and approved by judges, but the spyware relies on cell service providers deceiving customers so malware can be implanted through fake apps.

If the company has abused it tools, it's safe to say some of eSurv's customers have as well. For now, it's only eSurv's principals being investigated. But it does highlight the danger this malware poses, even when it's supposedly only being used for good.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: diego fasano, employees, exodus, italy, spyware, surveillance
Companies: esurv