from the literally-under-our-inattentive-noses,-says-Congress dept
For years, governments around the world have deployed powerful malware to hack the phones of their targets. Most of these deployments went unnoticed, as many governments were less interested in performing oversight than pursuing ends (read: wars on terror, drugs) they felt justified the means.
But as people began coming forward with evidence of suspected government-based hacking attempts, the narrative began to shift. While some governments targeted terrorists and drug lords, other governments preferred to target journalists, activists, and opposition leaders. Reports of government abuse went from “occasional” to “zeitgeist,” ushered into effect by a leak of data allegedly containing targets of Israeli-based NSO Group’s customers. According to this list, government purchasers of NSO’s zero-click Pegasus product were routinely targeting people these governments and rulers didn’t like, rather than criminals and terrorists.
The exposure of NSO Group’s willingness to sell to autocrats and human rights abusers turned the international tide. Its host country — which helped NSO broker sales contracts with abusive governments — opened an investigation into NSO and took a bunch of longtime customers off its approved sales list. The US Commerce Department made its own move, issuing sanctions against NSO and its Israeli-based competitor, Candiru.
But it’s not just NSO and Candiru doing the international dirty by selling powerful spyware to abusive governments. Yet another Israel-based exploit purveyor is being targeted, albeit somewhat indirectly, by the US federal government. Congressional oversight wants to know what the DEA is doing with the powerful malware it has purchased from another NSO Group competitor.
Representative Adam Schiff, the California Democrat who is chairman of the House Intelligence Committee, sent a letter last week to the head of the Drug Enforcement Administration asking for detailed information about the agency’s use of Graphite, a spyware tool produced by the Israeli company Paragon.
“Such use could have potential implications for U.S. national security, as well as run contrary to efforts to deter the broad proliferation of powerful surveillance capabilities to autocratic regimes and others who may misuse them,” Mr. Schiff wrote in the letter.
The DEA’s use of Graphite attracted attention earlier this month when the New York Times reported on findings derived from thousands of courtroom documents, including some involving the government of Greece, which is currently waist-deep in an Israeli malware-enabled domestic spying scandal.
The DEA has already offered up some partial responses to Rep. Schiff’s questions, as well as the Times’ reporting. But what it has offered up is nothing more than non-denials that attempt to shift the focus to the DEA’s ends, in hopes that these curious minds will decide to stop digging into the means.
In a statement to The Times, the Drug Enforcement Administration said that “the men and women of the D.E.A. are using every lawful investigative tool available to pursue the foreign-based cartels and individuals operating around the world responsible for the drug-poisoning deaths of 107,622 Americans last year.”
This statement is 98% air and less than 2% of anything else. All this says is the DEA is doing DEA stuff, supposedly in the noble service of preventing overdose deaths. That the DEA has only made the drug problem worse during its decades of existence goes unmentioned by the ineffectual agency that still demands billions a year to have almost zero effect on the flow of drugs into this country. The statement refuses to address direct questions about phone malware use, which is the only thing the DEA was actually asked to respond to.
Further non-denials followed when the DEA was pressed for more substantive answers.
An official with the Drug Enforcement Administration said Graphite had been used only outside the United States, for the agency’s operations against drug traffickers. The agency did not respond to questions about whether Graphite had been used against any Americans living abroad or to questions about how the agency handled information about American citizens — messages, phone contacts or other information — that the agency obtained when using Graphite against its targets.
Maybe the first assertion is true. But the DEA has yet to offer up any evidence to support its claims that it does not use malware acquired from foreign countries to target US residents or citizens. And this statement completely ignores the valid “incidental collection” concern raised by the Times.
If Congressional leaders like Schiff can continue to apply pressure, rather than let this fade way into the news cycle twilight, the DEA may have to actually start answering the questions its been asked. Whether or not the American public will be allowed to access these answers if and when they arrive remains to be seen. But the questions are valid. We don’t want the US to be just another abusive government willing to misuse powerful malware just because agencies feel like no one’s paying attention or, even if they are, they’re too cowardly to push back against the DEA’s willingness to let the ends justify the means.
Filed Under: dea, graphite, spyware, surveillance