After successfully creating a healthcare app for doctors to view medical records, Diego Fasano, an Italian entrepreneur, got some well-timed advice from a police officer friend: Go into the surveillance business, because law enforcement desperately needs technological help.
In 2014, he founded a company that creates surveillance technology, including powerful spyware for police and intelligence agencies, at a time when easy-to-use encrypted chat apps, such as WhatsApp and Signal, were making it possible for criminal suspects to protect telephone calls and data from government scrutiny.
The concept behind the company’s product was simple: With the help of Italy’s telecoms, suspects would be duped into downloading a harmless-seeming app, ostensibly to fix network errors on their smartphones.
The app would also allow Fasano’s company, eSurv, to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages.
Fasano christened the spyware “Exodus.”
“I started to go to all the Italian prosecutors’ offices to sell it,” said Fasano, a 46-year-old with short, dark-brown hair and graying stubble. “The software was good. And within three years, it was used across Italy. In Rome, Naples, Milan.”
Even the country’s foreign intelligence agency, L’Agenzia Informazioni e Sicurezza Esterna, came calling for Exodus’ services, Fasano said.
However, Fasano’s success was short-lived, done in by a technical glitch that alerted investigators that something could be amiss.
They followed a digital trail between Italy and the US before unearthing a stunning discovery.
Authorities found that eSurv employees allegedly used the company’s spyware to illegally hack the smartphones of hundreds of innocent Italians — playing back phone conversations of secretly recorded calls aloud in the office, according to legal documents.
The company also struck a deal with a company with alleged links to the mafia, authorities said.
The discovery prompted a criminal inquiry involving four Italian prosecutors’ offices. Fasano and another eSurv executive, Salvatore Ansani, were charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing.
Already, the unfolding story of eSurv has renewed questions about the growing use of spyware. It has also brought attention to the largely unregulated companies that develop the spyware technology, which is capable of hacking into a device that nearly everyone carries in a pocket or purse, often storing their most sensitive information.
The demand for such technology has been driven in part by the rise in popularity of encrypted smartphone apps and the reality that it is getting harder for law enforcement to glean evidence without the assistance of Silicon Valley giants, such as Apple, which is at loggerheads with the FBI over access to an iPhone used by an accused terrorist.
In the past few years, spyware developers, such as Israel’s NSO Group and Italy’s Hacking Team, have been criticized for selling their products to repressive governments, which have used the technology to, among other things, track advocates and journalists.
Both companies have said they sell their equipment to law enforcement and intelligence agencies to fight crime and terrorism.
What makes the allegations against eSurv so astounding is that, if true, the company became involved in the spying itself — and did so right in the heart of Europe.
Giovanni Melillo, the chief prosecutor in Naples who is overseeing the case, has worked on some of the country’s highest-profile investigations, from the feared Camorra organized crime group to international money laundering and drug trafficking schemes, but he said the allegations against eSurv are unusual, even for a veteran prosecutor like him.
“I think that no prosecutors in Western countries have ever worked on a case like this,” Melillo said in an interview at his Naples office.
This story is based on interviews with Italian authorities and a review of 170 pages of documents outlining the evidence collected, much of it never before reported.
In the city of Benevento, about 67km northeast of Naples, technicians working for the prosecutors’ office in 2018 were using Exodus to hack the phones of suspects in an investigation.
That October, one of the technicians noticed that the network connection to Exodus was frequently dropping out, Italian authorities said.
The technician did some troubleshooting and found a glaring problem. The Exodus system was supposed to operate from a secure internal server accessible only to the Benevento prosecutors’ office. Instead, it was connecting to a server accessible to anyone on the Internet, protected only by a username and password, the authorities said.
The implications were enormous: Hackers could potentially gain access to the platform and view all of the data that Italian prosecutors were covertly harvesting from suspects’ phones in some of Italy’s most sensitive law enforcement investigations. Authorities do not know if the server was in fact ever hacked.
The office quickly took steps to shut down Exodus, and in October 2018, they ordered the seizure of eSurv’s equipment.
The investigation was eventually handed off to the prosecutors’ office in nearby Naples, which is responsible for handling major computer crimes in the region. The Naples prosecutor began a more in-depth probe — and found that eSurv had been storing a vast amount of sensitive data, unencrypted, on an Amazon Web Services server in Oregon.
The data included thousands of photographs, recordings of conversations, private messages and e-mails, videos and other files gathered from hacked smartphones and computers.
In total, there were about 80 terabytes of data on the server — the equivalent of about 40,000 hours of HD video.
“A large part of the data is secret data,” Melillo said. “It’s related to the investigation of mafia cases, terrorist cases, corruption cases.”
Prosecutors filed criminal charges against eSurv for unlawfully collecting and storing private communications, transferring them overseas and failing to keep secure “sensitive personal data of a judicial nature.”
However, according to authorities, a far worse discovery was yet to come.
When Fasano began thinking about creating a police surveillance tool, he recruited a small team to explore the possibilities. They developed a spyware tool that would allow police to hack Android smartphones by luring suspects into downloading what looked like an ordinary app from the Google Play Store.
The police, with cooperation from mobile phone networks, would shut down a targeted person’s data service, Fasano said.
They would then send them instructions to use Wi-Fi to download an app to restore service.
ESurv designed the app to look as though it was associated with telecommunications providers, with names such as “Operator Italia.”
The app did not contain spy software, allowing it to bypass Google’s automated virus scans, but once a person downloaded it, the app served as a gateway through which eSurv could place spyware onto a person’s phone.
The spyware would then covertly take total control: recording audio, taking photos and giving police access to encrypted messages and files, Fasano said.
In March last year, researchers with a group called Security Without Borders said they had discovered more than 20 apps that were associated with the Exodus spyware circulating on the Google Play Store.
ESurv developed different versions of Exodus that could target iPhones, as well as laptops and desktop computers using Microsoft Corp’s Windows and Apple’s OS X operating systems, Fasano said.
Google said it had removed all versions of the Exodus app from its Play Store.
Microsoft said it was not aware of any samples of Exodus targeting the Windows platform.
ESurv created its spyware in Catanzaro, a city of narrow cobbled streets in southern Italy known for its silk and velvet production and its ties to the ’Ndrangheta, the most powerful mafia group in Europe.
The company employed about 20 people, most of whom were involved in another part of the business — selling video surveillance technology. The work of developing and expanding Exodus was left to a small group of employees who worked in a separate room. They called themselves the Black Team.
The Black Team was led by Ansani, the 43-year-old technical director who was charged with Fasano, according to testimony from former employees given during the police investigation.
They used the spyware to target law-abiding Italian citizens, bugging their phones and recording their private conversations, prosecutors said.
The reasons for the spying remain unknown.
Ansani, who denied the charges to police, declined to comment, saying in an e-mail: “Investigations are currently being carried out by the public prosecutor. Therefore, as you know, I cannot issue any statement.”
In one instance, the Black Team hacked the phone of a 49-year-old woman from Crotone, a port city on the coast of Calabria, according to the prosecutors’ filings.
The team collected the woman’s personal text messages to family and friends, and covertly recorded more than 3,800 audio clips using her mobile phone’s built-in microphone, chronicling the woman’s life and interactions as she went about her daily business, the filings say.
In all, the Black Team spied on more than 230 people who were not authorized surveillance targets, according to police documents.
Some of the surveillance victims were listed in eSurv’s internal files as “The Volunteers,” suggesting they were unwitting guinea pigs.
Ansani would sometimes sit at his computer and wear headphones, listening to conversations covertly collected from people’s phones, the employees said.
On other occasions, Ansani would loudly play the recordings through his computer speakers and show other employees images that Exodus had collected, the employees told police.
Under its strict agreement with authorities, eSurv did not have permission to view or listen to this information, the employees said.
After reviewing evidence about the Black Team in May last year, a judge concluded that Exodus appeared to have been “designed and intended from the outset to operate with functions that are very distant from the canons of legality.”
The judge approved a warrant to place Ansani and Fasano under house arrest; the investigation is continuing and additional charges could be filed, Italian authorities said.
Ansani told police that he did not carry out unlawful surveillance and could not access data from hacked phones or computers.
Police later discovered that he had possessed “superuser” credentials at eSurv that gave him the ability to review recordings, private messages, photographs and other data Exodus vacuumed up from people’s devices, according to legal documents and Italian authorities.
Fasano, who is fighting the charges against him, said in an interview that he had no knowledge of unlawful surveillance and that he had delegated responsibility for Exodus to Ansani.
Inside the prosecutors’ office in Naples, a 14-floor building a short distance from the city’s business district, a task force of investigators was combing through the vast amount of data seized from eSurv.
The investigators are still trying to work out whether eSurv’s employees were unlawfully monitoring people for a malicious purpose, such as blackmail, whether it was just some sort of cruel game, or whether there is another explanation.
The case has shocked prosecutors in Italy, Melillo said, and forced them to change their protocols. In Naples, the prosecutors’ office would no longer work with private surveillance companies unless they first pass tests showing that their systems are secure and conform to stringent standards.
Melillo said he is concerned that other companies might be conducting their own illegal surveillance.
ESurv’s hacking technology was “just the top of a big iceberg. We don’t know yet the part of iceberg that is under the water,” he said.
About 56km south of Naples, in Salerno, a spin-off investigation is focusing on whether a contractor that eSurv was working with, STM, might have been using Exodus to carry out its own unlawful spying operations.
According to a person with knowledge of the Salerno investigation, STM obtained the Exodus spyware from eSurv and allegedly used it to assist Eugenio Facciolla, a prosecutor at the center of a corruption scandal.
The prosecutors’ office in Salerno has charged Facciolla with forging documents in an effort to obstruct or mislead a police investigation into an ’Ndrangheta-led illegal logging operation, which involved chopping down thousands of trees in some of Italy’s national parks, according to the person and Italian media reports.
Facciolla worked for a different prosecutors’ office, in Castrovillari, that paid STM more than 700,000 euros (US$775,982) for help carrying out surveillance in criminal investigations, the person said.
However, the Salerno prosecutor was looking at the possibility that Facciolla went rogue — and enlisted STM to help with illegal, off-the-books surveillance operations, the person said.
Nicola Gratteri, one of Italy’s leading anti-mafia prosecutors, said he identified connections between STM and people working for the ’Ndrangheta.
“From telephone tapping, I discovered that some of my subjects had something to do with this company,” Gratteri said.
Gratteri said he passed on the information about STM to the prosecutors’ office in Salerno, which is investigating the matter, but declined to comment for this story.
The use of Exodus and other spyware had gotten out of control, Gratteri suggested.
In the hands of corrupt police or prosecutors, it could be used to target people like him, he said.
“I think I am an interesting subject for those not on the side of justice,” he said.
The Italian High Council of the Judiciary, which manages the appointment of prosecutors, in November last year said that it was removing Facciolla from his office in Castrovillari, on the grounds that he had “abused his functions.”
Facciolla is appealing that decision and said that the accusations against him were “false.”
“I have been fighting crime for decades,” he told Bloomberg News in a statement.
Fasano acknowledged providing Exodus to other companies, including STM, which signed a partner agreement with eSurv in January 2018 worth about 50,000 euros.
However, Fasano said that he did not know how STM used the technology.
“It’s like a gun,” said Vincenzo Ioppoli, Fasano’s lawyer. “Once you have sold it, you don’t know how it will be used.”
The investigation is expected to be completed later this year, Naples prosecutors said.
Fasano and Ansani were kept under house arrest for three months and released.
They are awaiting the next stage of their legal proceedings, which would likely conclude with a trial, Fasano said.
Fasano said that his wife has left him due to troubles caused by his legal case and that he is struggling to make his mortgage payments because eSurv has shut down its operations.
He said he has had offers for new jobs, but only from companies in the surveillance industry.
He said he is done with the spyware business and regrets getting into it in the first place.
“I don’t want to work in this kind of market anymore,” Fasano said, lamenting his fate ahead of a meeting about his case in October. “Privacy, for me, it is a very, very important thing. I made a big mistake.”
Since COVID-19 broke out in Taiwan, there has been a fair amount of news regarding discrimination and “witch hunts” against medical personnel, people under self-quarantine and other targets, such as the students of a school where an infection was discovered. Quarantine breakers are almost certainly on the loose and it is only natural for people to be vigilant. One in Chiayi was found by accident at a traffic stop because his helmet was not fastened. However, those who follow the rules by quarantining themselves should be encouraged to keep up the good work in a difficult situation, instead of being
Chinese Nationalist Party (KMT) Legislator-at-large Wu Sz-huai (吳斯懷) has said that there is a huge difference between Chinese military aircraft circling Taiwan along the edges of its airspace and invading Taiwan’s airspace. He also said that whether it is US or Chinese aircraft flying along or encircling Taiwan’s airspace, there is no legal basis to say that such actions imply a clear provocation of Taiwan, and asked the Ministry of National Defense not to mislead the public. People who hear this might think that it is not a very Taiwanese thing to say. US military activity in the vicinity of Taiwan
As the nation welcomes home Taiwanese who had been stranded in China’s Hubei Province — arguably one of the most dangerous places on Earth since the novel coronavirus outbreak began in its capital, Wuhan, late last year — problems surrounding the “quasi-charter flights” that brought them back have been largely overlooked. The media used the term to describe the two flights dispatched by Taiwan’s state-run China Airlines because they do not count as charter flights. Taiwanese wanting to board those flights had to travel — most likely by train — more than 1,000km from Hubei to Shanghai Pudong International Airport
As the COVID-19 pandemic spins out of control, many parts of the world are experiencing shortages of medical masks and other protective equipment. I am studying in Washington state, which at the time of writing is the US state that has suffered the largest number of deaths from the novel coronavirus. The week before last, UW Medicine — an organization that includes the University of Washington School of Medicine and associated medical centers and clinics — sent its volunteers an e-mail asking the public to make masks and donate them to hospitals. Attached to the message was a mask donation