After successfully creating a health care app for doctors to view medical records, Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police officer friend: Go into the surveillance business because law enforcement desperately needs technological help.
In 2014, he founded a company that creates surveillance technology, including powerful spyware for police and intelligence agencies, at a time when easy-to-use encrypted chat apps such as WhatsApp and Signal were making it possible for criminal suspects to protect phone calls and data from government scrutiny.
The concept behind the company’s product was simple: With the help of Italy’s telecom companies, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their phone. The app would also allow Fasano’s company, eSurv, to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages.
Fasano christened the spyware “Exodus.”
“I started to go to all the Italian prosecutors’ offices to sell it,” explained Fasano, a 46-year-old with short, dark-brown hair and graying stubble. “The software was good. And within three years, it was used across Italy. In Rome, Naples, Milan.”
Even the country’s foreign intelligence agency, L’Agenzia Informazioni e Sicurezza Esterna, came calling for Exodus’s services, Fasano said.
But Fasano’s success was short-lived, done in by a technical glitch that alerted investigators that something could be amiss. They followed a digital trail between Italy and the U.S. before unearthing a stunning discovery.
Authorities found that eSurv employees allegedly used the company’s spyware to illegally hack the phones of hundreds of innocent Italians, playing back secretly recorded phone calls aloud in the office, according to legal documents. The company also struck a deal with a company with alleged links to the Mafia, authorities said.
The discovery prompted a criminal inquiry involving four Italian prosecutors’ offices. Fasano and another eSurv executive, Salvatore Ansani, were charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing.
Already, the unfolding story of eSurv has renewed questions about the growing use of spyware. It has also brought attention to the largely unregulated companies that develop the spyware technology, which is capable of hacking into a device that nearly everyone carries in a pocket or purse, often storing their most sensitive information.
The demand for such technology has been driven in part by the rise in popularity of encrypted mobile phone apps and the reality that it is getting harder for law enforcement to glean evidence without the assistance of Silicon Valley giants such as Apple Inc., which is currently at loggerheads with the FBI over access to an iPhone used by an accused terrorist.
In recent years, spyware developers such as Israel’s NSO Group and Italy’s Hacking Team have been criticized for selling their products to repressive governments, which have used the technology to, among other things, track activists and journalists. (Both companies have said they sell their equipment to law enforcement and intelligence agencies to fight crime and terrorism.)
What makes the allegations against eSurv so astounding is that, if true, the company became involved in the spying itself—and did so right in the heart of Europe.
Giovanni Melillo, the chief prosecutor in Naples who is overseeing the case, has worked on some of the country’s highest-profile investigations, from the feared Camorra organized crime group to international money laundering and drug trafficking schemes. But he said the allegations against eSurv are unusual, even for a veteran prosecutor like him.
“I think that no prosecutors in Western countries have ever worked on a case like this,” Melillo said in a recent interview at his Naples office.
This story is based on interviews with Italian authorities and a review of 170 pages of documents outlining the evidence collected, much of it never before reported.