Italian Spyware Company Execs Arrested After Company Employees Spied On Innocent Citizens

from the power-and-responsibility-once-again-decoupled dept

Any tool that gives people access to tons of personal data will be abused. Law enforcement databases are routinely misused by government employees. Ring -- law enforcement's favorite consumer home product -- collects tons of data about its customers and this data has been inappropriately accessed by Ring employees.

The perfect storm of illicit surveillance and snooping comes from companies that sell spy tools to law enforcement but retain control of the servers where the personal data and communications are stored. An Italian developer, Diego Fasano, followed up his successful medical records app with something far more troubling: law enforcement spyware deployed with the aid of service providers.

The concept behind the company’s product was simple: With the help of Italy’s telecom companies, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their phone. The app would also allow Fasano’s company, eSurv, to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages.

Fasano christened the spyware “Exodus.”

The software was popular. Prosecutors all over Italy bought Fasano's product. So did Italy's NSA, L'Agenzia Informazioni e Sicurezza Esterna. There's no telling how much the government slurped from targets' phones over the years, but one prosecutor discovered the truth about eSurv's operations by accident. The information harvested by investigators wasn't walled off from the internet and accessible only to the prosecutor's office. It was accessible to anyone with the right credentials, stored thousands of miles away.

The Naples prosecutor began a more in-depth probe—and found that eSurv had been storing a vast amount of sensitive data, unencrypted, on an Amazon Web Services server in Oregon.

The data included thousands of photos, recordings of conversations, private messages and emails, videos, and other files gathered from hacked phones and computers. In total, there were about 80 terabytes of data on the server—the equivalent of roughly 40,000 hours of HD video.

This meant eSurv employees -- at least the "Black Team" running eSurv's "Exodus" project -- could also access these recordings. There's no evidence (yet) that they did or that this very valuable stash of law enforcement intel was ever exfiltrated by hackers. But the fact remains law enforcement agencies did not have control of their harvested surveillance.

This would have been a tempting stash of personal info for eSurv employees to dip into. But they didn't. They didn't have to because they were already deploying their malware to intercept communications and exfiltrate data from Italian citizens who had been tricked into installing eSurv's malicious, telco-miming apps.

In one instance, the Black Team hacked the phone of a 49-year-old woman from Crotone, a port city on the coast of Calabria, according to the prosecutor’s filings. The team collected the woman’s personal text messages to family and friends, and covertly recorded more than 3,800 audio clips using her mobile phone’s built-in microphone, chronicling the woman’s life and interactions as she went about her daily business, the filings say.

In all, the Black Team spied on more than 230 people who weren’t authorized surveillance targets, according to police documents. Some of the surveillance victims were listed in eSurv’s internal files as “The Volunteers,” suggesting they were unwitting guinea pigs.

A court has already stated the company's product was "designed and intended.. to operate with functions that are very distant from the canons of legality." That should be an indictment of the law enforcement agencies who purchased it as well, but somehow it isn't. The proper paperwork may have been filed and approved by judges, but the spyware relies on cell service providers deceiving customers so malware can be implanted through fake apps.

If the company has abused its tools, it's safe to say some of eSurv's customers have as well. For now, it's only eSurv's principals being investigated. But it does highlight the danger this malware poses, even when it's supposedly only being used for good.


Filed Under: diego fasano, employees, exodus, italy, spyware, surveillance
Companies: esurv


Reader Comments



  1. Zof, 28 Jan 2020 @ 3:52pm

    Thankfully, our NSA doesn't do stuff like this.

    I mean, unless you count hacking Angela Merkel's iPhone. An ally....


  2. Éibhear, 29 Jan 2020 @ 2:14am

    Truth

    Any tool that gives people access to tons of personal data will be abused.

    If the term wasn't already in use, I'd declare this "Cushing's Law".


  3. ECA, 29 Jan 2020 @ 11:49am

    Unless..

    you think about the STAR ID system..For your ID and driver's license.
    DMV/DOT used to throw pictures away (strange, ain't it). But after 911, they started keeping them and NOW have computer systems to hold all this data..
    Now they can get 60-80% of the USA into a database.
    Who gets access?
    That's a good question, as it's from 9/11, means DHS and all its agencies get it..


  4. bobob, 29 Jan 2020 @ 1:00pm

    Re: Unless..

    In Texas, anyone can get most of your DMV info because the DMV sells it on CDs.


  5. ...ROG,SIFIED, 5 Feb 2020 @ 12:19pm

    they all do it

    re: least the "Black Team" running eSurv's "Exodus" project

    Proof or GTFO, right? We all know they are good natured white hats.

    Yet all those biblical/Torah names for software exploits should raise red flags for rational people, right?

    Proof, or GTFO!

    All big tech, military contractors and esp. Mossadi jihadis who are moled into Silicon Valley are running blackops teams, and it's good to shed light on the breadth of their depravity, targeted at individuals around the globe.

    Talpion/IDF/Mossad is settling Silicon Valley and it's now full of Silicon Wadi mossadis.

    Squad 8200 is Installing Backdoors in Silicon Valley as companies
    like Carbyne911, and Facebook, et al all employ Mossad on their boards, and outsource blackops to Israel.

    http://www.pacbi.org/etemplate.php?id=558

    Sure, no grand,conspiracy just moooooove along, folks, NTSH


  6. ...ROG,SIFIED, 5 Feb 2020 @ 12:31pm

    Re: Unless..

    Who gets what?

    Proof, or GTFO!

    [hits submit button, phone screen dims slightly for five seconds...]


