“It looked very suspicious,” M says of an anonymous e-mail she and several other journalists received late in 2014. It promised a scoop about a government scandal, but something just didn’t sit right with her. Soon after, strange things started happening on her computer. “I remember clearly not being able to connect via Skype to give an interview about torture,” she says. “There was somehow interference and I had to use someone else’s phone.”
After passing a file attached to the e-mail to security experts, M learned that she and her coworkers had been targeted with Remote Control System (RCS), a sophisticated piece of spying software developed by a small Italian company called Hacking Team. Later, she would find out that it was being used against her by her own government, which likely objected to her reporting. M spoke on condition of anonymity because she fears further reprisals.
M is just one of probably thousands of people who have been hacked with RCS by intelligence and law enforcement agencies that have bought the software. As governments and police departments increase their use of such tools in coming years, there’s reason to think that not only criminals and people who have antagonized an authoritarian government should worry.
After the recent attacks in Paris, figures such as CIA director John Brennan and New York City police commissioner Bill Bratton complained that encryption is neutralizing conventional search and surveillance techniques. That feeling, shared by some European authorities, may deliver a sales boost to RCS, which Hacking Team pitches as a solution to the encryption “problem” because hacking a person’s phone or computer can reveal protected data. And it will help Hacking Team’s competitors. Experts tracking the company say it is just the best-known of many that sell hacking tools that can let even local police use techniques once reserved for national intelligence agencies.
What we know about Hacking Team shows that this new approach is fraught with technological, moral, and legal issues getting scant attention even as access to these tools becomes standard. As they become more widely available to law enforcement agencies, abuses are likelier to occur. “Before hacking trickles down from the FBI to state and local law enforcement agencies, we urgently need to debate if and how such surveillance tools should be used,” says Christopher Soghoian, principal technologist at the American Civil Liberties Union.