ACLU Reveals FBI Hacking Contractors

James Bimen Associates of Virginia and Harris Corporation of Florida have contracts with the U.S. Federal Bureau of Investigation (FBI) to hack into computers and phones of surveillance targets, according to Chris Soghoian, principal technologist at the American Civil Liberties Union’s Speech, Privacy and Technology Project.

“Bimen and Harris employees actively hack into target computers for the FBI,” Soghoian told CorpWatch.

James Bimen Associates did not return phone calls asking for comment. Jaime O’Keefe, a spokesman for Harris, and Jennifer Shearer, an FBI spokeswoman, both declined to comment for this story.

However, the FBI has not denied these capabilities. The agency “hires people who have hacking skill, and they purchase tools that are capable of doing these things,” a former official in the FBI’s cyber division told the Wall Street Journal recently. “When you do, it’s because you don’t have any other choice.”

Soghoian verified the information from other sources, after uncovering the information from Freedom of Information Act requests filed by the Electronic Freedom Foundation (EFF) and other publicly available information.

“The government doesn’t have the resources to directly monitor every American or let alone every foreigner but they want to read the communications of every foreigner and they want to collect information on every American,” explains Soghoian. “What do you do when you don’t have the manpower to collect everyone’s communications?”

The answer, he says, is spy software. This is not unprecedented among government agencies. For example, the US Food and Drug Administration (FDA) bought commercial products from a company named SpectorSoft in Florida to track five staff whom they suspected of whistleblowing in 2009.

The software allowed them to capture “screen images from the government laptops of five scientists as they were being used at work or at home, tracked their keystrokes, intercepted their personal e-mails, copied the documents on their personal thumb drives and even followed their messages line by line as they were being drafted,” the New York Times reported last year.

Other companies like Gamma International from Germany and Hacking Team from Italy have also been aggressively marketing their products for purchase by local police officers. A number of national governments like Egypt and Mexico have also reportedly bought such systems that allow them to listen to regular phone and Skype conversations and read e-mail.

But what agencies like the FBI are now worried about is that individuals are “going dark” by using freely available encryption software to prevent their e-mail and phone conversations to be captured by law enforcement agencies.

In order to combat this, Soghoian says the FBI wanted custom designed products, so they turned to a little known internal team named the “Remote Operations Unit” inside the Operational Technology Division, which set up a project called “Going Dark”.

Eric Chuang, the head of the Remote Operations Unit in Quantico, Virginia, who has a doctorate in clinical psychology from Indiana University of Pennsylvania, and a law degree from Temple University in Philadelphia, was put in charge of this task.

Bimen Associates, which has its headquarters in McLean, Virginia, near the headquarters of the Central Intelligence Agency, provided custom designed software tools developed exclusively for the FBI to crack encrypted conversations, says Soghoian. Agency staff and contractors access computers of suspects remotely to install this software to allow them to watch everything that the target types or says.

In February 2008, Bimen Associates hired Amanda Hemmila, a former US Air Force computer technician, who was working on an online undergraduate degree in computer science with Grantham University in Missouri, to help test their new software.

Hemmila’s LinkedIn résumé says that she was responsible for “building, testing, deploying, maintaining and tracking software kits and hardware deployed from the Remote Operations Unit Deployment Operations Center” as well as training them in “processing and viewing software and providing End User phone support.” She also helped write policies, guidance and training material to keep the software secret.

After spending a little over a year at Bimen Associates, Hemmila returned to her studies and graduated in 2012. A few months after she left, Mark Muller, who had an undergraduate degree in information technology from George Mason university, went to work for Bimen Associates in Quantico.

Muller says he wrote up the standard operating procedures for the FBI to use proprietary company software “we use to gain access to criminal subject machines in the field.”

He also conducted “pre-deployment meetings with the FBI agents and management to coordinate details of a case and implement an operational plan to track a subject(s).” After the agents completed monitoring of a target, Muller says he archived information on “previous implant(s) installed on subject’s machine, if any, as a knowledge base for the field agents.”

Bimen Associates does not appear to be a big or well known intelligence contractor – the only public contract that the company has been awarded lists zero income – but it is well connected.

Jerry Menchhoff, president of Bimen Associates, has been with the company since it was founded in 1998, after working for Booz Allen Hamilton, a company famous for two other employees – James Clapper and Michael McConnell, both of whom have worked as US director of national intelligence, the top spy job in the country.

(Booz also made the news more recently when Edward Snowden, another former employee, blew the whistle on the surveillance activities of the US National Security Agency).

The other company that supplies tracking software to the FBI is Melbourne, Florida-based Harris Corporation, which has been awarded almost seven million dollars in contracts by the agency since 2001, mostly for radio communication equipment. In 1999 Harris designed the software for the agency’s National Crime Information Center database that keeps track of criminal histories, fugitives, missing persons, and stolen property.

Harris made it into the news a couple of years ago when the Wall Street Journal revealed that the company was selling a gadget called a “Stingray” to the FBI that allows the agency to track cellphone locations of users without their knowledge.

At the time Sherry Sabol, chief of the Science & Technology Office for the FBI’s Office of General Counsel, refused to provide any background on the subject because she said that information about Stingrays and related technology was “considered Law Enforcement Sensitive, since its public release could harm law enforcement efforts by compromising future use of the equipment.”

However, legal depositions by FBI agents, together with contract data dating back to 2002, confirmed the existence of the Stingray.

The big question is whether or not the FBI obtains warrants before using tracking software. In the case of the Stingray, the agency claimed that it was okay to use such devices without obtaining a warrant, on the grounds that it was like tracking down phone numbers, which the US Supreme Court has ruled is permissible.

But privacy advocates say that tracking the “metadata” of phone and computer communications and the information on it involves a far greater invasion of privacy, and should require a warrant from a judge. (This discussion is still ongoing in the courts, notably after a US court ruled it was okay for the government to track cell phone location data without a warrant).

Soghoian believes there needs to be a public debate on the use and potential misuse of these tools.

“There hasn’t been a (Congressional) debate about the FBI getting into the hacking business,” Soghoian told attendees at DEFCON, an annual hacker convention that took place earlier this month in Las Vegas. “People should understand that local cops are going to be hacking into surveillance targets. Particularly for dragnet searches where they want to do a keyword search or a social network analysis, you need everyone’s communications.”

Pratap Chatterjee is executive director of CorpWatch. This story originally appeared on CorpWatch.org.

Inter Press Service