In 2010, a suspected cocaine smuggler named John Krokos bought encrypted BlackBerry devices from an undercover Drug Enforcement Administration agent. That sort of federal subterfuge is par for the course. But in this case, the DEA held onto the encryption keys—meaning that when the government moved on Krokos and his alleged collaborators a few years later, they could read the emails and messages that passed to and from the phone.
That revelation is detailed in a new report from Human Rights Watch, along with a 2015 email that shows that the DEA had expressed interest in using smartphone malware from Italian company Hacking Team to spy on multiple suspects’ locations. Together, they illustrate a potentially chilling practice on the part of the US government to preemptively plant spy devices on suspects. They also shed light on actions by federal law enforcement that aren’t necessarily illegal, but do test the boundaries of surveillance, and potentially subject non-targets to federal snooping.
“If the government is distributing, effectively, bugging devices, without sufficient court oversight and authorization, I think that could really have a chilling effect on free expression, if people feel like they have to assume the risk that any phone they’re handed could have been bugged in a way that would violate their rights,” says Human Rights Watch researcher Sarah St. Vincent.
BlackBerry has denied any involvement in the proceedings, and the DEA declined to comment because some litigation related to the Krokos investigation remains ongoing. Krokos himself eventually pleaded guilty, and received a 138-month prison sentence.
The key question in the Krokos case centers around whether the government had a wiretap warrant prior to distributing the devices in the first place; an affidavit from the prosecutors suggest they got it afterward. If so, that would effectively let them set up a surveillance system before they had approval to use it.
“The consequence of them not disclosing that they’ve kept the decryption key gets a little more complicated,” says Stephanie Lacambra, a staff attorney at the Electronic Frontier Foundation, a digital rights group, who cautions that law enforcement would have required judicial oversight before actually accessing the communications.
‘If the government is distributing, effectively, bugging devices, without sufficient court oversight and authorization, I think that could really have a chilling effect on free expression.’
Sarah St. Vincent, Human Rights Watch
Even if the DEA’s actions were by the book, though, St. Vincent argues that the practice could have unintended consequences. “The reality is that people can and do buy used phones. Mobile phones are mobile; people borrow them, people lose them, people steal them, people buy them on Ebay or the used phone shop. There’s some possibility, if this tactic were commonly used, that you could be seeing phones that were compromised in some way getting into the hands of someone other than the intended targets,” she says. “If you think of the ways the tactic could be abused, it is quite scary.”
The lack of clarity around how widespread a tactic this is also raises concerns for Human Rights Watch. The Krokos case seems unlikely to be an isolated incident, especially given that the DEA had a seven-figure contract with Hacking Team, as first reported by Motherboard in 2015. While the Krokos case did not involve the type of spyware Hacking Team provides, that would be another means to the same end, compromising a phone, then ensuring that it winds up in the hands of a suspect.
That contract was apparently canceled after 17 deployments, but in a 2015 internal email leaked by WikiLeaks and surfaced by Human Rights Watch, the Hacking Team operations manager claimed that the DEA was infecting “a large number of phones,” and had interest in installing the spy software in as many as 1,000 devices, though it’s unclear whether a purchase of that magnitude ever took place.
Ultimately, it’s the secrecy and uncertainty that concerns St. Vincent the most. “I think part of the problem here is that this tactic is not clearly forbidden in US law, but also it’s not clearly authorized,” she says. “When we think about protections for private freedom of expression, we really have to make sure we’ve got the full picture of what the government can do and thinks it can do. If it thinks it can get around some pretty important security measures by distributing vulnerable phones, then that’s a thing that I think all of us who are concerned about civil liberties need to know.”
In the meantime, if you have any reason to think you might be a target of surveillance, buy your phone from a source you trust, keep up to date with the latest software, and follow basic smartphone security hygiene. Until more is known about how the government passes down spy phones, better safe than bugged.