Leaked emails show Florida police interested in buying Hacking Team surveillance tech

Leaked Hacking Team emails show the Florida MBI law enforcement agency was interested in buying Hacking Team tech to increase its surveillance capabilities.

Hacking Team Remote Control System ad

"Developing the U.S. market. Well done," reads an email from Hacking Team CEO David Vincenzetti dated on May 22. That comment was in regards to the Hacking Team meeting with the Florida Metropolitan Bureau of Investigation (MBI) in Orlando after the police agency expressed an interest in purchasing surveillance malware. The MBI is a "a multi-agency task force that covers Orange and Osceola counties" and includes members from DEA, FBI, ICE, Secret Service and other agencies.

After WikiLeaks released over one million searchable Hacking Team emails, the Florida Center for Investigative Reporting (FCIR) discovered MBI's Electronic Surveillance Unit reached out to Hacking Team to request more information about purchasing surveillance malware. FCIR reporter Trevor Aaronson discovered that a Hacking Team employee flew to Orlando to meet with the police one month later to discuss how Florida LEA could increase its surveillance capabilities. Florida police already love (pdf) StingRays, aka cell site simulator equipment, having used them at least 1,835 times as of May 2014.

Besides a pack of three-letter agencies and the U.S. Army, which purchased Hacking Team's surveillance malware in the past, The Intercept previously reported that the Hacking Team has been "aggressively marketing the software to other U.S. law enforcement and intelligence agencies, demonstrating their products to district attorneys in New York, San Bernardino, California, and Maricopa, Arizona; and multi-agency task forces" like MBI "in Florida and California's Regional Enforcement Allied Computer Team."

As pointed out by FCIR, a Hacking Team email reporting on the MBI Orlando meeting explained that the "Director of the MBI" acknowledged "the need" for a solution such as Hacking Team's surveillance tech. Lieutenant Gibson apparently had no problems with the price tag on the spyware and HT services which a leaked invoice showed could be in excess of $400,000; Gibson was "positive" LEA could find the money in its budget. The Florida law enforcement agency was "interested in 10 conc. targets" for starters, with the infection vectors yet to be decided.

However, MBI was concerned about Hacking Team's surveillance tech capabilities that would gobble up and store communications "from everyone with whom the target of the investigation communicated." Hacking Team said this would go against U.S. Title III, a federal legal framework which "imposes ‘minimization' of the calls and messages." Florida MBI needed the irrelevant portions deleted. Hacking Team Operations Manager Daniele Milan said figuring out how to comply with Title III would be necessary "to enter state and local markets" in the U.S.

Florida Metropolitan Bureau of Investigation wanting Hacking Team survking team surveillance malware WikiLeaks

HT's Milan suggested "two options to comply with the requirements."

1) export the data to their existing monitoring center (VERINT), which we can do by the Connector feature, already implemented; 2) change our graphic console to implement the minimization capabilities: deleting parts of the voice tracks which are not relevant to the investigation, blanking out part of the emails and messages which are not relevant, etc.

Of course solution 1 is the easiest and fastest to implement, although my take is that we need to go for 2 to really be able to tackle the market without having to rely on third party products and capabilities, which in some cases may not be there. The advantage of pursuing solution 2 with Orlando MBI is that they have an attorney right there with them in the office, which may greatly help in getting this right once and for all.

Solution 2 is what we tried to achieve with San Bernardino, which we probably should try to resume as well.

Hacking Team two options to comply with Florida MBI WikiLeaks

FCIR reported that – at least before Hacking Team was hacked – Florida MBI members would attend the upcoming National Technical Investigators Association conference in North Carolina with plans to meet with Hacking Team representatives on July 21 to see a fast proof of concept "to check the capabilities with a phone of theirs." FCIR added that according to spreadsheet attached to Hacking Team's US Action Plan, "MBI's ‘temperature' — the perceived interest in purchasing surveillance products" — was listed "as green, with a smiley face emoticon."

Hacking Team predicted its evilest technology on earth would be demonized

A month ago, according to a Hacking Team email thread titled "Virna training," an "end user" wanted to video record all of Hacking Team's sessions, from "delivery to training" and a Hacking Team field engineer wanted to know if that was permitted.

"NO" was the consensus of Daniel Maglietta, Chief of HT Singapore Representative Office. Then CEO Vincenzetti at first replied "Definitely NOT!!!" as leaks happen even to the NSA.

Hacking Team saying no to recording as leaks happen even to NSA WikiLeaks

Close to being prophetic, Vincenzetti jokingly added a what-if scenario such as if the recordings about the "evilest technology on earth" ended up in the hands of WikiLeaks and then the field app engineer would be "demonized."

Hacking Team evilest technology on earth WikiLeaks

Apparently on a roll, Vincenzetti lumped anti-surveillance malware people into a category of "idiots" who are good at manipulation.

Hacking Team CEO saying idiots manipulate and demonize their tech WikiLeaks

And now info about Hacking Team's "evilest technology on earth" is on WikiLeaks and other sites, available for all to demonize.

New! Download the State of Cybercrime 2017 report