By Trevor Aaronson
Florida Center for Investigative Reporting
An Italian company that sells surveillance software to governments and law enforcement agencies worldwide is negotiating to provide a Florida police agency with spyware technology that infiltrates phones and computers, according to emails leaked this week.
The technology, developed by Hacking Team, can monitor conversations and emails, and even turn phones and laptops into surveillance devices by remotely activating cameras and microphones.
Hacking Team was compromised in a data breach on July 5, when unknown hackers posted a link to download more than 400 gigabytes of company data. A message on Hacking Team’s hijacked Twitter account read: “Since we have nothing to hide, we’re publishing all our e-mails, files, and source code.”
The emails and files, which have since been catalogued by WikiLeaks, show that Hacking Team was selling its products to nations with records of human rights abuses, including Ethiopia, Bahrain, Egypt, Kazakhstan, Russia, Saudi Arabia, Sudan and Azerbaijan.
This year, according to the leaked emails, Hacking Team was looking to enter the large market of local police agencies in the United States. One of the most promising areas for Hacking Team’s expansion was Florida.
On April 22, Agent Randall Pennington of the Metropolitan Bureau of Investigation — a multi-agency task force that covers Orange and Osceola counties — emailed Hacking Team: “We are a law enforcement task force located in Orlando, Florida. I would like to speak with someone regarding your products.”
Within a month, a Hacking Team employee, Daniele Milan, flew from Italy to Orlando to meet with four MBI agents, including the director, Larry Zweig. According to an email Milan sent his co-workers, MBI wanted to increase its surveillance capability. Budget wasn’t a concern, the MBI officials said, even though a leaked company invoice shows Hacking Team services can cost more than $400,000.
Instead, the Orlando law enforcement agents were most concerned about laws that prevent bulk surveillance activities and the collection of information from people who are not targets of investigation.
“The main concern was the federal legal framework they have to comply with (Title III of the Omnibus Crime Control and Safe Streets act of 1968) which imposes ‘minimization’ of the calls and messages (i.e., deleting portions which are not relevant to the speech),” Milan wrote to co-workers on May 21.
Hacking Team’s surveillance software, as originally designed, would have provided information about everyone with whom the target of the investigation communicated. To comply with a search warrant, MBI needed Hacking Team to prevent the transfer of information they are not allowed to receive under the law — to minimize the data.
“We tried to identify ways to go around this,” Milan explained in the email.
If Hacking Team was to enter the state and local law enforcement market in the United States, the company needed to develop a minimization system, Milan added.
Milan and the MBI employees agreed that they would meet again during an upcoming industry conference in North Carolina so that Hacking Team could demonstrate the modified software. That meeting, according to a company spreadsheet labeled “U.S. Action Plan,” is scheduled for July 21. The Hacking Team spreadsheet lists MBI’s “temperature” — the perceived interest in purchasing surveillance products — as green, with a smiley face emoticon.
MBI referred FCIR’s questions to Lt. Mike Gibson, who was among the four agents to meet with Hacking Team in May, according to the leaked emails. Gibson did not respond to requests for comment.
While this is the first documented contact between Florida law enforcement and Hacking Team, Florida agencies have not been shy about deploying aggressive surveillance technologies.
In February, the American Civil Liberties Union released a report that documented how cell site simulators, known as StingRay, have become increasingly popular among Florida police. The technology, which is manufactured by Harris Corporation of Melbourne, fools a cell phone into thinking it is communicating with a service tower. The cell phone then sends location and other data to law enforcement agencies, allowing police to track someone’s movements. This type of surveillance does not require a warrant or probable cause.
The Orange County Sheriff’s Office conducted 558 investigations from 2008 to 2014 in which StingRay technology may have been used, and the Miami-Dade Police Department used StingRay in 59 closed criminal cases during a one-year period ending in May 2014, according to the ACLU report.
In Tallahassee, the secret use of a StingRay device compromised the prosecution of Tadrae McKenzie, a 20-year-old who was charged with robbery with a deadly weapon. After a state judge ordered police to show the StingRay device to McKenzie’s defense lawyers, prosecutors offered a sweetheart deal — just six months probation after pleading guilty to a second-degree misdemeanor — to avoid having to turn over the surveillance device.
Now that Hacking Team’s email and source codes have spilled online, the company’s future business, including with Florida law enforcement, is uncertain. That outcome is something the company’s chief executive officer joked about in an email last month when he instructed an employee not to allow a demonstration to be recorded.
“Imagine this: a leak on WikiLeaks showing you explaining the evilest technology on earth!” David Vincenzetti wrote to several employees on June 7.
He ended the sentence with a smiley face emoticon, then added:
“You would be demonized.”