The spy within: researchers, hackers spar over state-sponsored malware


What does it mean when nations start spreading computer viruses? It's already happening

Above: Claudio Guarnieri of IT security firm Rapid7

Italy's Hacking Team is like most any software company: worried about market demand, creating desirable features, and not being too buggy. But their product, called "DaVinci," is something no one ever wants to find on their computer.

"They sell software that helps people break into people's computers and spy on them," explains Morgan Marquis-Boire, a researcher with University of Toronto's Citizen Lab.

Hacking Team develops targeted malware for use by nation-states.

Malware comes in many forms. It's so common that people get plenty of it in emails every day, though most of it is caught by spam filters. Malware that tricks people into clicking on a bad link or attachment can steal credentials, add computers to botnets, and generally be an expensive nuisance. But targeted malware, often customized for the targeted person and disguised as something innocuous, can be much scarier. It's how Chinese hackers have been exfiltrating intellectual property from US targets, and also how repressive regimes have tracked and beaten their reformist dissidents.

"There's no transparency at all on how these operations are run," says Claudio Guarnieri, a researcher for Rapid7 who has worked on some of this reverse-engineering with Marquis-Boire. As public pressure has grown, both companies have had to step out of the shadows.


Guarnieri recently sat down with an unlikely crew at RSA's annual security conference in San Francisco to talk about state-deployed malware. The panel included Dale Beauchamp, a Branch Manager for DHS/TSA; Eric Rabe, Senior Counsel for Hacking Team; Jake Appelbaum of the Tor Project; and Kurt Opsahl, Senior Staff Attorney for the Electronic Frontier Foundation. (Disclosure: the author is represented by the EFF in legal matters unrelated to this article.)

Rabe saw the problem from another perspective. "Let me just suggest that somebody who figures out how the Hacking Team software works and publishes that on the internet is doing a great favor to terrorist organizations, criminals, and others, because investigation underway will be compromised," he said. This was a clear allusion to the work of independent security researchers like his co-panelist Guarnieri and the absent Marquis-Boire.

Marquis-Boire thinks his work is more important than the risk of compromising an investigation. "I think it's shined a light on the potentially shadowy nature of surveillance technology sold to regimes of questionable human rights practices," he said.

But even this idea is stymied, not only by governmental reticence, but more fundamental problems. Who is a terrorist or activist? What is a human right? Does it include women driving, access to inexpensive medical care, or the sharing of digital files?

"One person's activist is another person's terrorist," said Rabe. "Well of course, they're all going to be called terrorists [by these regimes]," interrupted Opsahl, seated beside him. "I don't think you want a company like [Hacking Team] making decisions about who's a terrorist," Rabe replied. "That's a role for government."

State-deployed malware in the USA

Locally, the direct US use of these tools is limited by law. Malware that takes over a computer is complicated by the Wiretap Act, and is probably rarely if ever legal for use by law enforcement. But within corporations and government agencies there is a much lower standard of privacy. An organization can put whatever kind of software it wants on its own machines. Beauchamp explained that this kind of software is used inside the TSA to catch malicious employees.

In an unguarded moment of tone-deafness, Beauchamp responded to a question of whether the massive government agency would investigate an American activist trying to organize people to opt out of scanner machines for pat-downs at TSA checkpoints. "Absolutely," he replied. "If it caused a major disruption in transportation… it would be investigated."

Jake Appelbaum speaks at RSA 2013

Later he walked this back, saying this wouldn't likely be a criminal or even civil investigation, but rather for the informational use of the agency. But he also conceded that any tool not requiring a warrant or judicial oversight would be acceptable to use in such an investigation. That doesn't include wiretaps or malware, but it does include a range of scary things, like requesting email older than six months on mail servers and surveillance — despite the fact that in the hypothetical example, the activist organizing an opt-out campaign was only using speech.

"Believe it or not, if [Hacking Team] doesn't sell the tool, [its clients] are going to do what they're doing. So let's not attack the tool, let's attack what they're doing," said Beauchamp late in the session. But it's unclear that many of Rabe's customers could do what they do without Hacking Team. And while Beauchamp was alluding to torture, the invasiveness of malware surveillance itself is troubling. Beauchamp repeatedly compared the malware tools sold by Hacking Team with the traditional wiretaps of his career in police work. But a tool that can capture your every keystroke, listen to you, watch you, and look back through years of mail, family photos, every Google search you run and every webpage you click on is doing much more than something that captures the echoey voices of an old telephone line, or even the packet stream of an active internet connection.

Traditional telephone wiretapping is identical to malware surveillance in exactly the way that land line phones are identical to modern laptops: that is to say, not very.

Malware’s future and the ghost of Brandeis

Malware is algorithmic; unlike even the most clichéd of the old g-men, it has no human sense of proportionality. It attacks a criminal and an innocent equally hard. "The use of this kind of software is definitely going to become more prevalent, and we need checks and balances," says Marquis-Boire. Right now, everyone in the debate acknowledges the limits of self-regulation, but given the global nature of the technology and of the surveillance it enables, there aren't many suggestions on how to fix it.

In 1928, Supreme Court Justice Brandeis, dissenting in a case that allowed law enforcement to listen in to telephone calls without warrants, saw in these devices a profoundly different level of intrusion into the lives of people than what had been possible before. He said, "the evil incident to invasion of the privacy of the telephone is far greater than that involved in tampering with the mails."

With an almost creepy prescience, he went on to say: "the makers of our Constitution... recognized the significance of man's spiritual nature, of his feelings and of his intellect... They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone — the most comprehensive of rights and the right most valued by civilized men."

It is easy to imagine the ghost of Brandeis admonishing us to step carefully on this new ground.