Hacking Team in Chile: Does the software comply with the minimum quality standards established by the Chilean legal system?

by Digital Rights LAC on August 24, 2015

vigilancia

Chile’s Investigative Police Force (PDI) confirmed the purchase of a modern spy software by the Italian company, explaining that it is a tool to face highly organized criminal activity. Is it proportional to the use of a computer program of this nature?

By Valentina Hernández, ONG Derechos Digitales

On July 6th, Chile’s Investigative Police Force (PDI) confirmed the purchase of a Hacking Team’s software called “Phantom”. The clarification of this matter happened after a group of hackers broke into the system of the Italian company and leaked 400 GB of information, among those, several emails talking about the purchase were found. The PDI justified the purchase as a part of a plan to increase their operational abilities in the investigation of organized crime, international terrorism and large-scale drug trafficking.

Phantom is a variation of the Remote Control System, the Hacking team’s key product, and it is what is known as a trojan: a malicious software presented to the user as a genuine and harmless software but when executed gives the attacker remote access to the infected device for both computers or smartphones.

This software is capable of collecting emails, turn on the camera or the microphone of these devices, and access files, even those that have been already deleted, among many others functions. The big intrusive ability of this software immediately raises one question: does it fulfill the minimum legal standards established by the Chilean legal system?

The Criminal Procedure Code, just like certain special laws (the Antiterrorism law, the Drug law, or the National Intelligence Agency law) contemplates and allows, in the investigation of certain crimes, the exercise of investigative management that infringes the fundamental rights and freedoms from subjects under investigation, as long as they fulfill a series of prerequisites. Among those, a prior judicial authorization allowing the execution of this action is needed.

Is Phantom legal?

The ninth article from the Criminal Procedure Code, titled “Prior judicial authorization” requires the Public Prosecutor’s Office to ask authorization to the Magistrate Judge to execute an investigation management that takes away, disrupts or restricts fundamental rights. Given the extremely intrusive nature of this tool, this management is unavoidable.

But among the leaked emails (indexed by WikiLeaks), there is one that attracts attention. It is a conversation between the Hacking Team and Jorge Lorca, salesman of Mipoltec, company working as intermediary between the Italians and the police. In these emails, Lorca explains that this tool will be used as a “support to get the client’s IP data and to access to information that they could not obtain with a court order”.

This information contradicts specifically what the PDI has said in a public statement, and if it’s true, it is a capital offense to the Chileans’ constitutional rights and an utter contempt to due process.

Unfortunately, this would not be the first time the PDI acts outside the law to get information in the exercise of its functions, violating the right of privacy (as you can see in this case of 2012 and this one of 2014)​

Is Phantom proportional?

It is difficult to give a legal answer without knowing any details of the reasons why this tool has been used. In a preliminary way –and only from the huge wide range of possibilities of surveillance, tracking and information record that “Phantom” gives– we think that the number of cases where the use of a technology of this kind would be proportional is extremely unusual and limited, exceeding the constitutional limits in most cases.

Now, if used, it should be only in crimes of highest social dangerousness, and with a previous legal warrant that delimits the range of this intrusive activity to get the essential data for the criminal investigation.

The problem is that the high capacity of this tool encourages the opposite; this is why control and transparency mechanisms are essential to avoid massive surveillance and political or ideological persecution, charges already existing against Hacking Team. Thus, it is time for the Police Investigative Force to give a more complete explanation about this software and its use in Chile.

Image: (CC BY-NC-SA) Caneles / Flickr