{"id":177033,"date":"2020-01-16T18:55:00","date_gmt":"2020-01-16T23:55:00","guid":{"rendered":"https:\/\/www.panix.com\/~msaroff\/40years\/2020\/01\/16\/whats-the-problem-with-an-encryption-back-door\/"},"modified":"2020-01-16T18:55:00","modified_gmt":"2020-01-16T23:55:00","slug":"whats-the-problem-with-an-encryption-back-door","status":"publish","type":"post","link":"https:\/\/www.panix.com\/~msaroff\/40years\/2020\/01\/16\/whats-the-problem-with-an-encryption-back-door\/","title":{"rendered":"What’s the Problem with an Encryption Back Door?"},"content":{"rendered":"
Just ask the Italian state security apparatus, whose preferred contractor for breaking into people’s phones turned out to be mobbed up<\/a>:<\/div>\n

After successfully creating a health care app for doctors to view medical records, Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police officer friend: Go into the surveillance business because law enforcement desperately needs technological help.<\/p>\n

In 2014, he founded a company that creates surveillance technology, including powerful spyware for police and intelligence agencies, at a time when easy-to-use encrypted chat apps such as WhatsApp<\/a> and Signal<\/a> were making it possible for criminal suspects to protect phone calls and data from government scrutiny.<\/p>\n

The concept behind the company\u2019s product was simple: With the help of Italy\u2019s telecom companies, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their phone. The app would also allow Fasano\u2019s company, eSurv, to give law enforcement access to a device\u2019s microphone, camera, stored files and encrypted messages. <\/p>\n

\u2026\u2026\u2026<\/p>\n

\u201cI started to go to all the Italian prosecutors\u2019 offices to sell it,\u201d explained Fasano, a 46-year-old with short, dark-brown hair and graying stubble. \u201cThe software was good. And within three years, it was used across Italy. In Rome, Naples, Milan.\u201d<\/p>\n

Even the country\u2019s foreign intelligence agency, L\u2019Agenzia Informazioni e Sicurezza Esterna<\/a>, came calling for Exodus\u2019s services, Fasano said. <\/p>\n

But Fasano\u2019s success was short lived, done in by a technical glitch that alerted investigators that something could be amiss. They followed a digital trail between Italy and the U.S. before unearthing a stunning discovery.<\/p>\n

Authorities found that eSurv employees allegedly used the company\u2019s spyware to illegally hack the phones of hundreds of innocent Italians\u2014playing back phone conversations of secretly recorded calls aloud in the office, according to legal documents. The company also struck a deal with a company with alleged links to the Mafia, authorities said.<\/p>\n

The discovery prompted a criminal inquiry involving four Italian prosecutor\u2019s offices. Fasano and another eSurv executive, Salvatore Ansani, were charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing. <\/p>\n

\u2026\u2026\u2026<\/p>\n

The demand for such technology has been driven in part by the rise in popularity of encrypted mobile phone apps and the reality that it is getting harder for law enforcement to glean evidence without the assistance of Silicon Valley giants such as Apple Inc., which is currently at loggerheads<\/a> with the FBI over access to an iPhone used by an accused terrorist.<\/p>\n

\u2026\u2026\u2026<\/p>\n

What makes the allegations against eSurv so astounding is that, if true, the company became involved in the spying itself\u2014and did so right in the heart of Europe.<\/p>\n

\u2026\u2026\u2026<\/p>\n

\u201cI think that no prosecutors in Western countries have ever worked on a case like this,\u201d Melillo said in a recent interview at his Naples office. This story is based on interviews with Italian authorities and a review of 170 pages of documents outlining the evidence collected, much of it never before reported.<\/p>\n

In the city of Benevento, about 40 miles northeast of Naples, technicians working for the prosecutor\u2019s office in 2018 were using Exodus to hack the phones of suspects in an investigation. That October, one of the technicians noticed that the network connection to Exodus was frequently dropping out, according to Italian authorities.<\/p>\n

The technician did some troubleshooting and found a glaring problem. The Exodus system was supposed to operate from a secure internal server accessible only to the Benevento prosecutor\u2019s office. Instead, it was connecting to a server accessible to anyone on the internet, protected only by a username and password, the authorities said. <\/p>\n

The implications were enormous: hackers could potentially gain access to the platform and view all of the data that Italian prosecutors were covertly harvesting from suspects\u2019 phones in some of Italy\u2019s most sensitive law enforcement investigations. (Authorities don\u2019t know if the server was in fact ever hacked.)<\/p>\n

\u2026\u2026\u2026 <\/p>\n

The investigation was eventually handed off to the prosecutor\u2019s office in nearby Naples, which is responsible for handling major computer crimes in the region. The Naples prosecutor began a more in-depth probe\u2014and found that eSurv had been storing a vast amount of sensitive data, unencrypted, on an Amazon Web Services server in Oregon.<\/p>\n

The data included thousands of photos, recordings of conversations, private messages and emails, videos, and other files gathered from hacked phones and computers. In total, there were about 80 terabytes of data on the server\u2014the equivalent of roughly 40,000 hours of HD video.<\/p>\n

\u201cA large part of the data is secret data,\u201d said Melillo. \u201cIt\u2019s related to the investigation of Mafia cases, terrorist cases, corruption cases.\u201d<\/p>\n

\u2026\u2026\u2026<\/p>\n

When Fasano began thinking about creating a police surveillance tool, he recruited a small team to explore the possibilities. They eventually developed a spyware tool that would allow police to hack Android phones by luring suspects into downloading what looked like an ordinary app from the Google Play store.<\/p>\n

\u2026\u2026\u2026<\/p>\n

The app didn\u2019t contain spy software, allowing it to bypass Google\u2019s automated virus scans. But once a person downloaded it, the app served as a gateway through which eSurv could place spyware onto a person\u2019s phone. The spyware would then covertly take total control: recording audio, taking photos and giving police access to encrypted messages and files, Fasano said.<\/p>\n

\u2026\u2026\u2026<\/p>\n

In all, the Black Team spied on more than 230 people who weren\u2019t authorized surveillance targets, according to police documents. Some of the surveillance victims were listed in eSurv\u2019s internal files as \u201cThe Volunteers,\u201d suggesting they were unwitting guinea pigs.<\/p>\n

\u2026\u2026\u2026<\/p>\n

After reviewing evidence about the Black Team in May, a judge concluded that Exodus appeared to have been \u201cdesigned and intended from the outset to operate with functions that are very distant from the canons of legality.\u201d The judge approved a warrant to place Ansani and Fasano under house arrest; the investigation is continuing and additional charges could be filed, according to Italian authorities.<\/p>\n

\u2026\u2026\u2026<\/p>\n

\u201cIt\u2019s like a gun,\u201d said Vincenzo Ioppoli, Fasano\u2019s lawyer. \u201cOnce you have sold it, you don\u2019t know how it will be used.\u201d<\/span><\/p><\/blockquote>\n

This is why you can never trust law enforcement, or their contractors, not to abuse the power that you give them.<\/p>\n","protected":false},"excerpt":{"rendered":"

Just ask the Italian state security apparatus, whose preferred contractor for breaking into people’s phones turned out to be mobbed up: After successfully creating a health care app for doctors to view medical records, Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police officer friend: Go into the surveillance business because law …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[395,368,371,665,526],"class_list":["post-177033","post","type-post","status-publish","format-standard","hentry","tag-computer","tag-corruption","tag-europe","tag-hacking","tag-law-enforcement-misconduct"],"_links":{"self":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/177033"}],"collection":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/comments?post=177033"}],"version-history":[{"count":0,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/177033\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/media?parent=177033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/categories?post=177033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/tags?post=177033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}