April 27, 2015
VIA ELECTRONIC TRANSMISSION
The Honorable Sally Quillian Yates Acting Deputy Attorney General U.S. Department of Justice 950 Pennsylvania Avenue, NW Washington, DC 20530 Dear Acting Deputy Attorney General Yates: Recent media reports have stated that the Drug Enforcement Agency (“DEA”) spent millions of taxpayer dollars to purchase a spyware program from an Italian hacking company in 2012.
1
According to the reports, the spyware, known as Remote Control System (“RCS”), can surreptitiously turn on a user’s webcam and microphone, collect passwords, and is capable of intercepting phone calls, texts, and social media messages. Obviously, the use of such capabilities can raise serious privacy concerns. The Judiciary Committee needs a more detailed understanding of the DEA’s use of spyware programs such as RCS, including details regarding the agency’s policies and procedures for using these programs, the legal authorities pursuant to which the DEA deploys them, and the audit procedures used to ensure they are used in compliance with both DEA policies and procedures, as well as the law. Accordingly, please provide written responses to these questions by May 11, 2015: 1.
Which spyware and related programs has the DEA used in the field since 2012?
1
Lorenzo Franceschi-Bicchierai,
The DEA Has Secretly Been Buying Hacking Tools From An Italian Company
, M
OTHERBOARD
, April 15, 2015, available at: http://motherboard.vice.com/read/the-dea-has-been-secretly-buying-hacking-tools-from-an-italian-company; Timothy J. Seppala,
The DEA’s Using Powerful Spyware For Surveillance Too
, E
NDGAGET
, April 16, 2015, available at: http://www.engadget.com/2015/04/16/dea-spyware/.
Acting Deputy Attorney General Yates April 27, 2015 Page 2 of 3
a.
What are each program’s capabilities? b.
How much has the DEA spent on each program? c.
How many times has the DEA used each of programs in the field, and in what capacity? 2.
What are the internal DEA policies and procedures related to requesting, approving, deploying, and terminating the use of spyware and related programs? 3.
For how long does the DEA retain any data obtained through spyware? a.
Who has access to the data while it is in DEA’s possession? b.
How, if at all, is the data destroyed? 4.
Pursuant to what legal authorities does the DEA deploy spyware and related programs? a.
Does the DEA obtain a search warrant or other judicial approval prior to using such programs? b.
Does the DEA use different legal authorities or processes based on the jurisdiction in which the targeted subject is located? 5.
What internal audit procedures does the DEA use to ensure that spyware and related programs are used in accordance with agency policies, procedures, and the law? a.
If they exist, have such internal audit procedures discovered any violations of DEA policies, procedures, or applicable law relating to the use of spyware or related programs? Has the DEA discovered any such violations through other means? b.
If so, please provide the details of each violation, as well as any remedial or punitive measures taken in response. Please number your answers according to their corresponding questions. In addition, please arrange for DEA officials to provide a briefing to Judiciary Committee staff about these