US: Government Has Planted Spy Phones With Suspects
Human Rights Watch has identified two forms of this technique that the Drug Enforcement Administration (DEA) has used or, evidence suggests, has contemplated using. One involved the undercover sale of BlackBerry devices whose individual encryption keys the DEA possessed, enabling the agency to decode messages sent and received by suspects. The second, as described in a previously unreported internal email belonging to the surveillance software company Hacking Team, may have entailed installing monitoring software on a significant number of phones before attempting to put them into suspects’ hands.
“Putting a smartphone whose security has been compromised into circulation could create privacy and security risks for anyone who ultimately uses that device and jeopardize free expression,” said Sarah St.Vincent, researcher on US surveillance and domestic law enforcement at Human Rights Watch. “Who’s going to speak freely on the phone if they have to worry about whether it’s bugged?”
Both techniques for distributing compromised phones raise human rights concerns for a broader range of smartphone users, including peaceful activists whose groups may be at risk of government monitoring and non-suspects who may obtain the compromised phones. They also prompt questions about what rights protections the government is applying if the tactic remains in use.
The DEA’s use of the first technique is revealed in court documents filed in 2012 and 2014 during the prosecution in southern California of an alleged drug ring. The traffickers included John Krokos, a Canadian citizen whom the authorities believed was involved in smuggling cocaine between the US, Mexico, and Canada. In early 2010, Krokos and some of his associates began buying encrypted BlackBerry devices from a source in California without realizing she was an undercover DEA agent, as first reported by the Arizona Daily Sun and Vancouver Sun but examined here in detail for the first time. The US also used an undercover law enforcement agent to sell Krokos’ ring some encrypted BlackBerry devices in Mexico in late 2009, although that agent’s institutional affiliation is unclear.
After members of Krokos’ ring were arrested, the government revealed that it had held encryption “keys” allowing it to decode messages agents intercepted from the devices. An affidavit indicates that the intercepted communications included the content of emails.
A court filing suggests that from at least mid-2010, agents obtained wiretap warrants for the real-time monitoring of the compromised devices. However, the available documents do not mention whether a court authorized the dissemination of the devices at the outset. The DEA also attempted to prevent the suspects from buying non-compromised encrypted BlackBerry devices from other sellers, including by arranging for shipments of such devices to be intercepted in Mexico.
The available documents do not suggest that BlackBerry knew about these activities. In response to a request for comment, BlackBerry told Human Rights Watch that it had no involvement in the Krokos investigation. It said customers purchasing BlackBerry devices – in this case, apparently the US government – receive the keys to the encryption used on those individual devices.
The company further stated that it does not possess copies of the encryption keys for the devices it produces and therefore would not have been able to provide them to the government, even in response to a court order. Control over a device’s encryption key is solely in the hands of the customer, the company said.
The DEA declined to comment on these issues due to ongoing proceedings arising from the Krokos investigation.
Ensuring that it holds encryption “keys” to decode communications may not be the only way US law enforcement may make a phone vulnerable before selling or giving it to a suspect. This possibility is illustrated by a previously unreported May 20, 2015 email between personnel at Hacking Team, an Italian firm that has sold surveillance technology to governments. The message, which has no known connection to the Krokos investigation, suggests that the government may seek to infect phones with surveillance software before agents distribute these devices to suspects (or cause others to do the same). A later Justice Department letter to Congress reported by Motherboard acknowledged this technique, but the Hacking Team email raises new questions about the method’s scale and details.
BlackBerry responded to Human Rights Watch’s request for comment regarding the May 2015 Hacking Team email by stating that it had had no involvement with Hacking Team and that its analysis had not revealed any compromise of the security of its platform by the surveillance company.
The US government’s policies for secretly distributing devices it has compromised by obtaining encryption keys or installing surveillance tools largely remain unknown. Documents the Federal Bureau of Investigation (FBI) disclosed in 2011 mention seeking a warrant explicitly for a “two-step” process of installing a spying mechanism on a US computer and then carrying out surveillance, but it is unclear whether the DEA has adopted similar standard procedures for the measures it has used or considered.
Under international human rights law, all surveillance methods that interfere with privacy should be authorized by clear, publicly available laws; be subject to approval by a court or other independent body for specific purposes such as protecting public safety or national security; and be proportionate to those aims. Undermining the security of devices to conduct surveillance could have long-term repercussions for privacy, including for people other than the original intended surveillance targets, making it all the more important for the Justice Department to disclose its policies regarding these tactics.
“These are intrusive investigative methods with potentially far-reaching rights consequences in the US and globally,” St.Vincent said. “The Justice Department should disclose its policies for spreading vulnerable devices around, whether in the US or elsewhere – and Congress and the courts should be vigilant in preventing potential abuses.”
Comments by experts and former officials interviewed about the subject and further details regarding the documents located by Human Rights Watch are provided below.
Encryption, Surveillance Authorization, and Human Rights
Encryption is a technique for encoding the content of communications in a manner that makes them unreadable by anyone who lacks the “key” to decode them. Journalists, human rights activists, and millions of others worldwide regularly use encrypted communications – sometimes without realizing it, since some applications and devices employ encryption by default.
Where surveillance is concerned, international human rights law requires any government that interferences with privacy or correspondence to comply with domestic and international law. The measure must also be limited to what is necessary and proportionate to achieving a legitimate aim. Surveillance should be authorized by a court or other body that is independent of the law enforcement, intelligence, or other agency implementing the surveillance. In the United States, the surveillance of the content of telephone or electronic communications is generally subject to a requirement that authorities obtain a judicial warrant in advance based on strict criteria.
Experts’, Former Officials’ Assessments
In an interview with Human Rights Watch, former DEA attorney Robert Spelke, who retired from the Justice Department in 2011, recalled that DEA agents had deliberately disseminated satellite phones to drug trafficking organizations in Colombia through confidential informants approximately 10 years ago during operations with which he was personally familiar.
In Spelke’s recollection, the DEA was able to track the location of these phones – although he did not suggest that the phones’ technical security had been compromised. Human Rights Watch was unable to corroborate the use of this method in Colombia, although the May 2015 Hacking Team email said the DEA has expressed a particular interest in “the ability to know the geographic location of [a] device, and its user.”
“If a DEA agent has a connection into a drug organization and [the agency] can get the phones into them,” then it would do so, Spelke said. In Colombia, he recalled, “We were getting sat[ellite] phones to captains of go-fast [drug-running] boats, and we gave phones to some other people who were in the jungle.” He indicated that the DEA would have obtained warrants or court orders in any relevant countries.
Former DEA Special Agent Bobby Kimbrough, who retired from the agency in 2016, told Human Rights Watch he was not aware of any distribution of compromised devices. However, he suggested that investigative technology exists that should largely remain unrevealed to protect agents’ safety. He said that for the DEA to be able to “do what the taxpayers pay the agents to do – and that is secure, stop, and apprehend those that engage in the illegal drug trade – sometimes the technology is not commonly known or commonly used.”
However, US courts will typically prohibit the prosecution from using evidence obtained through techniques that broke the law, meaning that the use of a legally questionable investigative method can undermine the government’s case. Kimbrough said DEA agents – whom he emphasized do “a very dangerous job” – take pains to do everything legally so as not to risk such consequences. “It would be a sad day to put over a year or two years into an operation … and have done something to break the rules and have it be for naught,” he said. He emphasized that an agent would always obtain advance confirmation from a US government attorney that a technology was legal to use, to avoid the risk of negative legal repercussions.
Notwithstanding this caution, the distribution of surveillance-ready devices raises difficult questions under current US law and multiple human rights concerns.
Jumana Musa, director of the Fourth Amendment Center at the National Association of Criminal Defense Lawyers, declined to comment on the Krokos case – some aspects of which remain ongoing – but expressed broader doubts about the legality of agents’ dissemination of compromised phones unless a judge has already issued a wiretap warrant.
“If they’re going to be in a position of putting in somebody’s hands a device that would give them the ability to listen to people’s real-time communications, then the bare minimum is that they need to get a warrant” for real-time wiretapping, Musa said, observing that such warrants are only issued under exceptionally strict standards to prevent abuses. “You don’t set up a wiretap before you get the wiretap order.”
Even if authorized by a warrant, the dissemination of vulnerable devices could create a risk of significant harm. Riana Pfefferkorn, a cryptography fellow at Stanford Law School’s Center for Internet and Society, told Human Rights Watch it would be “frightening to use a wiretap order to authorize seeding compromised devices among people.” She suggested that anyone who might accept such a tactic when the targets are suspected drug traffickers should consider a hypothetical scenario in which agents secretly gave such non-secure devices to “journalists or activists.”
The existence of this technique might also “make people suspicious of using the products that are out there for protecting themselves,” Pfefferkorn added.
Hamid Khan, campaign coordinator Stop LAPD Spying, a grassroots coalition that has investigated law enforcement and privacy issues in Los Angeles (the area where the Krokos investigation took place), told Human Rights Watch that any warrantless distribution of compromised phones “completely throws due process out the window” and should be viewed in the broader context of an investigative environment that “flips innocent until proven guilty on its head.”
The United States has a lengthy history of excessive surveillance of minority communities, and Khan suggested that the larger issue of surveillance’s impact on “the most vulnerable populations” should be kept in mind as methods evolve.
The Krokos Investigation
Government filings say that in 2009, the DEA began investigating John Krokos, a Canadian citizen whom the authorities described as part of an international cocaine trafficking ring. Investigators regarded encrypted communications using BlackBerry devices as integral to Krokos’ operation. In late 2009, an undercover source began selling encrypted BlackBerry devices (EBDs) to Krokos and his associates, and US law enforcement soon began a multi-year period of intercepting communications that the traffickers believed were encrypted and would therefore be unintelligible if captured by authorities.
In response to a 2013 motion by one of Krokos’ co-defendants, Zaid Wakil, to suppress evidence in the case due to alleged constitutional violations, prosecutors filed a declaration stating that a DEA special agent had initially posed as a drug buyer to infiltrate the suspected trafficking ring “but subsequently posed as a person who could supply encrypted [B]lackberry devices … to the group.”
The declaration noted that the agent went on to meet with one of Krokos’ suspected associates “on multiple occasions in Southern California to supply EBDs” and that “[t]he exchanges typically occurred in parking lots in Southern California” – including the parking lot of a Home Depot in the West Hills area of Los Angeles. Undercover sales of the devices to Krokos’ ring had also taken place in Puerto Vallarta, Mexico the previous year.
The declaration suggests that at some point after the phones had been sold to the suspected traffickers, “agents applied for and obtained orders for the wiretap interception of the EBDs” and other devices with which the users communicated. The earliest orders for real-time wiretapping mentioned in the documents examined by Human Rights Watch date to mid-2010, although the government had previously obtained search warrants for historical communications sent and received by the devices.
“I believe that, since the EBDs had encryption technology on them, Krokos felt relatively safe in communicating over the devices,” a Homeland Security Investigations special agent wrote in the declaration.
The agent went on to state that “[i]n fact, law enforcement had the encryption software ‘keys’ to the devices and was able to intercept communications over them.”
An affidavit by the undercover DEA agent who sold the BlackBerry devices in California also describes repeated efforts by the agency to prevent the suspected traffickers from obtaining non-compromised devices from vendors, including by arranging for shipments of such devices to be intercepted in Mexico.
Krokos and several of his associates were ultimately convicted of federal offenses related to the drug trafficking conspiracy. Wakil’s prosecution remains ongoing.
Parallel Construction – Keeping Evidence Secret
Krokos’ co-defendant Wakil ultimately became the subject of a US government attempt to engage in “parallel construction” – a controversial method for concealing investigative sources and methods from defendants. In January, Human Rights Watch published an investigative report on parallel construction concluding that the practice violates rights.
The parallel construction method in Wakil’s case involved a request from DEA agents to Arizona police to find a reason to conduct a “traffic stop” of Wakil’s rental car. An Arizona officer subsequently stopped the car on the grounds that it lacked a license plate and had an illegal windshield attachment. However, authorities did not disclose in the Arizona state-level prosecution that a DEA agent had placed a secret “slap-on” GPS tracking device on Wakil’s rental car without getting a warrant; this warrantless tracking violated Arizona law at the time, and the US Supreme Court has since ruled that it is unconstitutional throughout the country.
The prosecutors in the state court also did not disclose the interceptions of communications from compromised devices, which were part of the chain of investigative steps that had led the DEA to suspect Wakil of being involved in drug trafficking. At the state level, Wakil was convicted of narcotics trafficking.
The interceptions and unlawful GPS tracking came to light during the prosecution of Wakil in federal court for offenses stemming from the same activities. An Arizona judge went on to vacate Wakil’s state-court conviction. However, while as a matter of policy US defendants often are not prosecuted in both state and federal court for the same acts, the law does not strictly prohibit such successive prosecutions and the federal proceedings against Wakil remained in progress at the time of publication.
Other California Investigations
Human Rights Watch has identified another federal drug investigation from approximately the same period as the Krokos sting, and the same California jurisdiction, in which indictments refer to the suspects’ extensive use of encrypted BlackBerry communications. The indictments in the resulting cases, United States v. Alvarez and United States v. Higgins, go on to describe the content of communications within the alleged rings, and a government filing suggests that “email intercepts” were used in the investigation. However, the available court records do not clarify whether federal agents had distributed compromised devices and/or were decrypting intercepted conversations.
While inconclusive, these documents raise questions about whether the technique employed in the Krokos case has been used more widely.
The Hacking Team Email
In July 2015, a large number of internal emails belonging to Hacking Team were leaked, and a searchable database is now available on WikiLeaks. An email Hacking Team’s operations manager sent on May 20, 2015 provides notes from what he describes as a meeting with “the DEA Team,” including procurement and technical officials, two days earlier.
The email’s author indicated that the DEA was infecting “a large number of phones” with Hacking Team’s software and then “work[ing] to circulate these phones within target organizations” of suspected drug traffickers, although he noted that the agents wanted to be able to use the malware’s capabilities “[o]nly when a person of interest in the [target] organization begins to use one of the phones.”
The email said the DEA wanted to buy the monitoring software for “perhaps 1,000” phones and that while agents “showed high interest in BlackBerry 10, as it is widely used in Latin America where they operate,” they were “looking at all the options possible to infect Android and iPhones as well.”
The Hacking Team emails available through WikiLeaks do not appear to confirm whether the DEA made this purchase. Hacking Team did not respond to a request for comment regarding the May 20, 2015 e-mail prior to publication, and the DEA declined to comment, citing pending judicial matters.
In July 2015, after the breach of Hacking Team’s emails publicly revealed a longstanding relationship between the company and the DEA, the Justice Department wrote a letter to the chair of the Senate Judiciary Committee stating that Hacking Team’s surveillance application could be installed either “remotely” or “through physical access” to a device.
The letter, which has previously been reported, describes the use of this technique outside the United States, explaining that agents of a country that hosted the DEA would “provide the targeted devices” and that the DEA would then install Hacking Team’s software before handing the devices back “to be given to … foreign-based drug traffickers and money launderers.” The letter said this activity occurred in 16 instances under foreign court orders, and that the software was “used to collect real-time written communications … and location information.”
In the same letter, the Justice Department said the DEA had “recently” cancelled its contract with Hacking Team, although it did not disavow the technique it had described.
Originally published by Human Rights Watch