The massive hack of Hacking Team, a surveillance company notorious for selling spyware to repressive regimes, brought a wave of unrestrained schadenfreude to many social media feeds last week. A mysterious hacker spilled more than 400 gigabytes of the company’s emails, internal documents, source code and more across the Internet, allowing journalists to lay bare the inner workings of one of the most controversial players in the booming government surveillance industry.

Privacy advocates have long been fascinated and appalled by Hacking Team, and for good reason. Its flagship spyware suite, Remote Control System, or RCS, is a flashily advertised “hacking suite for governmental interception” that allows police to quietly take control of electronic devices — reading emails and texts, recording keystrokes, snooping on Skype calls, even eavesdropping on the device’s microphone and webcam. Security researchers at the University of Toronto previously discovered the software targeting activists and journalists from the United Arab Emirates, Morocco and Ethiopia, using a hidden network of servers based in 21 countries.

The company’s leaked emails and documents display a disturbing nonchalance about all of this, confirming highly questionable clients including Sudan, Ethiopia, Saudi Arabia, Uzbekistan, Bahrain, Kazakhstan and Tunisia, among many others. The U.S. government is also a customer: The Drug Enforcement Administration, Federal Bureau of Investigation and U.S. Army have all bought Hacking Team’s spyware, which is sold as a service with software updates and full customer support. The company also has plans for a U.S. branch, and is currently using a front company called Cicom USA to drum up business with other North American agencies including the U.S. Department of Homeland Security, the Bureau of Alcohol, Tobacco and Firearms, the New York City Police Department and the Royal Canadian Mounted Police.

Of course, it’s ironic that none of this would have likely come to light if not for an act of hacking. But if there’s a singular lesson of the post-Snowden era, it’s that extreme acts of transparency are sometimes the only remedy for extreme corporate and government secrecy. Armed with the knowledge that these intrusive tools are being sold to governments around the world, we must now begin a long-overdue debate about how, where and when — not to mention if — governments should be allowed to hack their own citizens.

In the U.S., that debate could not come any sooner. Despite the fact that a lack of security led to the hack of the Office of Personnel Management, compromising a staggering 21 million government employee records, U.S. law enforcement agencies such as the FBI are continuing a campaign of fear against widespread encryption. They’re demanding that companies such as Apple and Google insert backdoors into their products so they can unscramble messages from criminals and terrorists, claiming that their inability to do so is causing investigations to “go dark.”

But one important takeaway from the Hacking Team leak is that government agencies are doing just fine without backdoors.

A key feature of Hacking Team’s software, and targeted surveillance in general, is the ability to overcome encryption by compromising individual “endpoints,” such as a computer or smartphone. But the documents show this capability is sometimes redundant. The FBI, for example, is so fully invested in homegrown hacking tools that it only bought Hacking Team spyware as a “backup” solution, according to leaked emails.