DEA Deploying Powerful Spyware Without Required Privacy Impact Assessments


It’s not just the FBI that can’t seem to turn in its privacy-related paperwork on time. The FBI has pushed forward with its biometric database rollout — despite the database being inaccurate, heavily-populated with non-criminals, and without the statutorily-required Privacy Impact Assessment that’s supposed to accompany it. As of 2014, it hadn’t produced this PIA, one it had promised in 2012. And one that applied to a system that had been in the works since 2008.

Unsurprisingly, another federal law enforcement agency hasn’t felt too compelled to produce PIAs for privacy-impacting programs. As Joseph Cox reports for Motherboard, the DEA’s privacy paperwork is lagging far behind its intrusive efforts.

The Drug Enforcement Administration did not carry out a Privacy Impact Assessment—a process which is typically designed to understand and minimize the privacy risks with a particular system or technology—when it bought and ultimately used malware from Italian surveillance company Hacking Team.

Hacking Team sells powerful malware and exploits, which very definitely screw with people’s privacy expectations — both the privacy they correctly (or incorrectly) believe they’re entitled to as well as their expectations of the government, which is supposed to keep citizens’ privacy expectations at the front of its mind. At least, everyone would like to believe the government is equally concerned about citizens’ privacy. That’s what these assessments are supposed to show: that the government has done what it can to minimize unwarranted intrusions.

But these are simply not to be found, to the surprise of no one.

Privacy experts say the news is consistent with the DEA’s repeated failure to complete such assessments around the agency’s surveillance operations.

One such privacy hound — EPIC — points out the DEA still hasn’t handed in a Privacy Impact Assessment on its Hemisphere program. This program put the DEA on the NSA’s level: embedded telco employees providing real-time access to millions of phone records. No warrants needed. No privacy assessment needed either, apparently, despite the program being in operation for more than 25 years at the point the DEA inadvertently disclosed it.

Jeramie D. Scott from the Electronic Privacy Information Center (EPIC) pointed to an April letter the organization sent to Congress urging a committee to scrutinize the DEA’s compliance with PIAs. In that letter, EPIC highlights that the DEA did not conduct a PIA for its use of the controversial Hemisphere program, in which agents can access AT&T call records without a warrant. EPIC also found through a Freedom of Information Act lawsuit that the DEA had not completed a PIA for the agency’s license plate reader database.

For the full story please visit :