Analysis Back in 2013, Canadian John Darrel Krokos got 11.5 years in a US jail for leading a massive cocaine smuggling ring. Two years later, his colleague Zaid Wakil was given a 20-year sentence.
What was unique about their cases – and another 20 people also taken down in the investigation by the US Drug Enforcement Agency (DEA) – was how they had been caught: through cracked phones.
In an affidavit connected to Krokos' case, special agent Rachel Burkdoll revealed that she had sold encrypted BlackBerry phones to Krokos, which he then supplied to his colleagues as a way of communicating confidentially. He had no idea that Burkdoll was a government agent and the US government had retained all the phones' encryption keys – giving them access to all the content of email and text messages between the two.
It was only a matter of time before the authorities had enough evidence to arrest the entire team and send them to jail for decades.
Incidentally, the affidavit [PDF] contains a fascinating list of pseudonyms for those that were involved. Just one example: "John Darrell Krokos, aka Hulk, aka yoyo hulk, aka JJ, aka Walter, aka Lord of the Beaches, aka Pilot, aka Ape, aka Captain, aka Tutor, aka Amy, aka Heavydee."
It was a massive coup but also extremely difficult to pull off: getting a drug smuggler to trust your agent enough to buy phones from them was already a long shot. After Burkdoll was forced to reveal the technique in order to put Krokos in jail, it's fair to say that other drug smugglers became exponentially more cautious over where they get their phones.
And so, around the same time that the technique was revealed, the DEA started looking at other ways to get into suspects' phones.
Backing of Hacking
According to a special report published today by Human Rights Watch, America's drug squad agents approached the infamous Italian company Hacking Team to help them install malware on other phones.
In particular, the DEA wanted to buy Hacking Team's monitoring software for "perhaps 1,000" phones, specifically the BlackBerry 10 – which at the time was the phone of choice for drug smugglers in Latin America.
We know this because Hacking Team's own emails were hacked and subsequently plastered all over Wikileaks. The most revealing was helpfully titled "Re: Second meeting with DEA."
It was later revealed that the DEA had signed a $2.4m contract with Hacking Team, sparking Congressional queries that in turn led to the Department of Justice acknowledging that the government agents of the countries in question would "provide the targeted devices" and the DEA would install the software – something it admitted had happened 16 times with the software used to "collect real-time written communications…and location information."
Amazingly, it turned out that the DEA had cancelled its contract with Hacking Team just days before the DoJ's letter outlining its use of hacking software.
All of which leads to Human Rights Watch's larger question: as useful as these techniques may be, what are the legal constraints around them?
The DoJ has so far refused to provide its policies over the provision of cracked phones or the addition of malware to suspects' phones. The DEA may have cancelled its contract with Hacking Team when the details became public but it made no mention of the techniques behind the contract and it is all too probable that it currently has a different contract with another company to do the same thing.
So, um, your legal process?
It's not clear what legal instruments and interpretations the DEA and other government departments are using to authorize the real-time monitoring of suspects' phones, or what level of legal authority they are seeking beforehand.
Human Rights Watch notes that the same techniques may be being used to monitor people that aren't smuggling drugs "including peaceful activists whose groups may be at risk of government monitoring and non-suspects who may obtain the compromised phones."
In other words, if there aren't sufficient safeguards in place for what many would view as a justifiable use of such intrusive techniques when it comes to drug smugglers, how can we be sure that the same techniques aren't being used against others?
It's not a theoretical exercise either: law enforcement personnel often share details of how they carried out specific exercises, especially if successful, and that information is not always put to the best use subsequently.
We give you the example of how cops in Maryland used cellphone-tracking technology to hunt down a man who stole $50 of chicken wings. The technology was only supposed to be used in sensitive counter-terrorism cases but a lack of controls meant it was used to find a food thief.
And then there was the constant surveillance of everyone in Greater Boston using cameras and techniques developed for Iraq, with the police avoiding public scrutiny by accepting funds from a Texas billionaire.
Weird but true. So are there ordinary US citizens whose phone calls and emails are being monitored on a constant basis because some billionaire paid for it, or because some local sheriff has a beef with somebody in his district?
It's all too possible. Which is why Human Rights Watch wants to see the policies behind cracked phones and malware.
"Where surveillance is concerned, international human rights law requires any government that interferes with privacy or correspondence to comply with domestic and international law," it notes. "The measure must also be limited to what is necessary and proportionate to achieving a legitimate aim.
"Surveillance should be authorized by a court or other body that is independent of the law enforcement, intelligence, or other agency implementing the surveillance." ®