Sunday 15 March 2020

After successfully creating a health care app for doctors to view medical records, Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police officer friend: Go into the surveillance business because law enforcement desperately needs technological help.

In 2014, he founded a company that creates surveillance technology, including powerful spyware for police and intelligence agencies, at a time when easy-to-use encrypted chat apps such as WhatsApp and Signal were making it possible for criminal suspects to protect phone calls and data from government scrutiny.

The concept behind the company’s product was simple: With the help of Italy’s telecom companies, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their phone. The app would also allow Fasano’s company, eSurv, to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages.

Fasano christened the spyware “Exodus.”

“I started to go to all the Italian prosecutors’ offices to sell it,” explained Fasano, a 46-year-old with short, dark-brown hair and graying stubble. “The software was good. And within three years, it was used across Italy. In Rome, Naples, Milan.”

Even the country’s foreign intelligence agency, L’Agenzia Informazioni e Sicurezza Esterna, came calling for Exodus’s services, Fasano said.

But Fasano’s success was short lived, done in by a technical glitch that alerted investigators that something could be amiss. They followed a digital trail between Italy and the U.S. before unearthing a stunning discovery.

Authorities found that eSurv employees allegedly used the company’s spyware to illegally hack the phones of hundreds of innocent Italians—playing back phone conversations of secretly recorded calls aloud in the office, according to legal documents. The company also struck a deal with a company with alleged links to the Mafia, authorities said.

The discovery prompted a criminal inquiry involving four Italian prosecutor’s offices. Fasano and another eSurv executive, Salvatore Ansani, were charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing.

Already, the unfolding story of eSurv has renewed questions about the growing use of spyware. It has also brought attention to the largely unregulated companies that develop the spyware technology, which is capable of hacking into a device that nearly everyone carries in a pocket or purse, often storing their most sensitive information.

The demand for such technology has been driven in part by the rise in popularity of encrypted mobile phone apps and the reality that it is getting harder for law enforcement to glean evidence without the assistance of Silicon Valley giants such as Apple Inc., which is currently at loggerheads with the FBI over access to an iPhone used by an accused terrorist.

In recent years, spyware developers such as Israel’s NSO Group and Italy’s Hacking Team have been criticized for selling their products to repressive governments, which have used the technology to, among other things, track activists and journalists. (Both companies have said they sell their equipment to law enforcement and intelligence agencies to fight crime and terrorism.)

What makes the allegations against eSurv so astounding is that, if true, the company became involved in the spying itself—and did so right in the heart of Europe.

Giovanni Melillo, the chief prosecutor in Naples who is overseeing the case, has worked on some of the country’s highest-profile investigations, from the feared Camorra organized crime group to international money laundering and drug trafficking schemes. But he said the allegations against eSurv are unusual, even for a veteran prosecutor like him.

“I think that no prosecutors in Western countries have ever worked on a case like this,” Melillo said in a recent interview at his Naples office. This story is based on interviews with Italian authorities and a review of 170 pages of documents outlining the evidence collected, much of it never before reported.

In the city of Benevento, about 40 miles northeast of Naples, technicians working for the prosecutor’s office in 2018 were using Exodus to hack the phones of suspects in an investigation. That October, one of the technicians noticed that the network connection to Exodus was frequently dropping out, according to Italian authorities.

The technician did some troubleshooting and found a glaring problem. The Exodus system was supposed to operate from a secure internal server accessible only to the Benevento prosecutor’s office. Instead, it was connecting to a server accessible to anyone on the internet, protected only by a username and password, the authorities said.

The implications were enormous: hackers could potentially gain access to the platform and view all of the data that Italian prosecutors were covertly harvesting from suspects’ phones in some of Italy’s most sensitive law enforcement investigations. (Authorities don’t know if the server was in fact ever hacked.)

The prosecutor’s office quickly took steps to shut down Exodus, and in October 2018, they ordered the seizure of eSurv’s equipment.

The investigation was eventually handed off to the prosecutor’s office in nearby Naples, which is responsible for handling major computer crimes in the region. The Naples prosecutor began a more in-depth probe—and found that eSurv had been storing a vast amount of sensitive data, unencrypted, on an Amazon Web Services server in Oregon.

The data included thousands of photos, recordings of conversations, private messages and emails, videos, and other files gathered from hacked phones and computers. In total, there were about 80 terabytes of data on the server—the equivalent of roughly 40,000 hours of HD video.

“A large part of the data is secret data,” said Melillo. “It’s related to the investigation of Mafia cases, terrorist cases, corruption cases.”

Prosecutors filed criminal charges against eSurv for unlawfully collecting and storing private communications, transferring them overseas, and failing to keep secure “sensitive personal data of a judicial nature.”

But, according to authorities, a far worse discovery was yet to come.

When Fasano began thinking about creating a police surveillance tool, he recruited a small team to explore the possibilities. They eventually developed a spyware tool that would allow police to hack Android phones by luring suspects into downloading what looked like an ordinary app from the Google Play store.

The police, with cooperation from mobile phone networks, would shut down a targeted person’s data service, Fasano said. They would then send them instructions to use Wi-Fi to download an app to restore service. ESurv designed the app to look as though it was associated with telecommunications providers, with names such as “Operator Italia.”

The app didn’t contain spy software, allowing it to bypass Google’s automated virus scans. But once a person downloaded it, the app served as a gateway through which eSurv could place spyware onto a person’s phone. The spyware would then covertly take total control: recording audio, taking photos and giving police access to encrypted messages and files, Fasano said.

In March 2019, researchers with a group called Security Without Borders said they had discovered more than 20 apps that were associated with the Exodus spyware circulating on the Google Play Store.

ESurv developed different versions of Exodus that could target iPhones, as well as laptops and desktop computers using Microsoft Corp.’s Windows and Apple Inc.’s OS X operating systems, Fasano said. Google said it had removed all versions of the Exodus app from its Play Store. Microsoft said it wasn’t aware of any samples of Exodus targeting the Windows platform. Apple didn’t respond to a message seeking comment.

ESurv created its spyware in Catanzaro, a city of narrow cobbled streets in southern Italy known for its silk and velvet production and its ties to the ‘Ndrangheta, the most powerful Mafia group in Europe. The company employed about 20 people, most of whom were involved in another part of the business—selling video surveillance technology. The work of developing and expanding Exodus was left to a small group of employees who worked in a separate room. They called themselves the Black Team.

The Black Team was led by Ansani, the 43-year-old technical director who was charged with Fasano, according to testimony from former employees given during the police investigation. They used the spyware to target law-abiding Italian citizens, bugging their phones and recording their private conversations, according to prosecutors. The reasons for the spying remain unknown.

Ansani, who denied the charges to police, declined to comment, saying in an email, “Investigations are currently being carried out by the Public Prosecutor. Therefore, as you know, I cannot issue any statement.”

In one instance, the Black Team hacked the phone of a 49-year-old woman from Crotone, a port city on the coast of Calabria, according to the prosecutor’s filings. The team collected the woman’s personal text messages to family and friends, and covertly recorded more than 3,800 audio clips using her mobile phone’s built-in microphone, chronicling the woman’s life and interactions as she went about her daily business, the filings say.

In all, the Black Team spied on more than 230 people who weren’t authorized surveillance targets, according to police documents. Some of the surveillance victims were listed in eSurv’s internal files as “The Volunteers,” suggesting they were unwitting guinea pigs.

Ansani would sometimes sit at his computer and wear headphones, listening to conversations covertly collected from people’s phones, the employees said. On other occasions, Ansani would loudly play the recordings through his computer speakers and show other employees images that Exodus had collected, the employees told police. Under its strict agreement with authorities, eSurv didn’t have permission to view or listen to this information, the employees said.

After reviewing evidence about the Black Team in May, a judge concluded that Exodus appeared to have been “designed and intended from the outset to operate with functions that are very distant from the canons of legality.” The judge approved a warrant to place Ansani and Fasano under house arrest; the investigation is continuing and additional charges could be filed, according to Italian authorities.

Ansani told police that he didn’t carry out unlawful surveillance and couldn’t access data from hacked phones or computers. Police later discovered that he had possessed “superuser” credentials at eSurv that gave him the ability to review recordings, private messages, photographs and other data Exodus vacuumed up from people’s devices, according to legal documents and Italian authorities.

Fasano, eSurv’s founder, who is fighting the charges against him, said in an interview that he had no knowledge of unlawful surveillance and that he had delegated responsibility for Exodus to Ansani.

Inside the prosecutor’s office in Naples, a 14-floor building a short distance from the city’s business district, a task force of investigators is combing through the vast amount of data seized from eSurv.

The investigators are still trying to work out whether eSurv’s employees were unlawfully monitoring people for a malicious purpose such as blackmail, whether it was just some sort of cruel game, or whether there is another explanation.

The case has shocked prosecutors in Italy, according to Melillo, and forced them to change their protocols. In Naples, the prosecutor’s office will no longer work with private surveillance companies unless they first pass tests showing that their systems are secure and conform to stringent standards.

Melillo said he is concerned other companies may be conducting their own illegal surveillance. ESurv’s hacking technology, he said, was “just the top of a big iceberg. We don’t know yet the part of iceberg that is under the water.”

“It’s like a gun. Once you have sold it, you don’t know how it will be used.”

About 35 miles south of Naples, in Salerno, a spin-off investigation is focusing on whether a contractor that eSurv was working with, STM, may have been using Exodus to carry out its own unlawful spying operations. According to a person with knowledge of the Salerno investigation, STM obtained the Exodus spyware from eSurv and allegedly used it to assist Eugenio Facciolla, a prosecutor at the center of a corruption scandal.

The prosecutor’s office in Salerno has charged Facciolla with forging documents in an effort to obstruct or mislead a police investigation into an ‘Ndrangheta-led illegal logging operation, which involved chopping down thousands of trees in some of Italy’s national parks, according to the person and Italian media reports.

Facciolla worked for a different prosecutor’s office, in Castrovillari, that paid STM more than €700,000 (about $780,000) for help carrying out surveillance in criminal investigations, said the person. But the Salerno prosecutor is looking at the possibility that Facciolla went rogue—and enlisted STM to help with illegal, off-the-books surveillance operations, said the person.

Nicola Gratteri, one of Italy’s leading anti-mafia prosecutors, said he identified connections between STM and people working for the ‘Ndrangheta. “From telephone tapping, I discovered that some of my subjects had something to do with this company,” said Gratteri.

Gratteri said he passed on the information about STM to the prosecutor’s office in Salerno, which is investigating the matter but declined to comment for this story. The use of Exodus and other spyware, Gratteri suggested, had gotten out of control. In the hands of corrupt police or prosecutors, he said, it could be used to target people like him.

“I think I am an interesting subject for those not on the side of justice,” he said.

Italy’s High Council of the Judiciary, which manages the appointment of prosecutors, said in November that it was removing Facciolla from his office in Castrovillari, on the grounds that he had “abused his functions.” Facciolla is appealing that decision and said that the accusations against him were “false.”

“I have been fighting crime for decades,” he told Bloomberg News in a statement.

Fasano acknowledged providing Exodus to other companies, including STM, which signed a partner agreement with eSurv in January 2018 worth about €50,000 (about $61,000). However, Fasano said he didn’t know how STM used the technology.

“It’s like a gun,” said Vincenzo Ioppoli, Fasano’s lawyer. “Once you have sold it, you don’t know how it will be used.”

The investigation is expected to be completed later this year, according to the Naples prosecutors. Fasano and Ansani were kept under house arrest for three months and released. They are awaiting the next stage of their legal proceedings, which will likely conclude with a trial, according to Fasano.

Fasano said that his wife has left him due to troubles caused by his legal case and that he is struggling to make his mortgage payments because eSurv has shut down its operations. (His wife didn’t return a message seeking comment.) He said he’s had offers for new jobs but only from companies in the surveillance industry. He said he’s done with the spyware business and regrets getting into it in the first place.

“I don’t want to work in this kind of market anymore,” said Fasano, lamenting his fate ahead of a meeting about his case in October. “Privacy, for me, it is a very, very important thing. I made a big mistake.”

This article first appeared at Bloomberg News.