Surveillance is in the news again with WikiLeaks’ release of an archive detailing CIA hacking methods. What does this mean for you, the ordinary reader interested in having a private on-line life?
First, let’s back up a little. NSA whistleblower Edward Snowden’s 2013 revelations showed the ubiquity of mass on-line surveillance.
But they also showed that certain programs and services were giving security agencies difficulty. These programs implemented encryption in various contexts – for browsing, instant messaging, calling, or for drives and whole operating systems. In 2013 the NSA internally characterized these privacy tools as a “major threat” to their mission. It also described the effect of chaining them together as “catastrophic” – leading to a “near-total loss/lack of insight to target[’s] communications [and] presence”.
The development and popularization of these tools has continued, and this column was created to introduce the best of them to readers.
Nothing in this more recent CIA release shows that these encrypted tools have been compromised, despite an initial tweet from WikiLeaks that spoke of “bypassing” popular encrypted apps like Signal and WhatsApp. While it was initially picked up by many news organizations, a growing consensus has characterized this tweet as ‘misleading’ and ‘sensationalizing,’ to borrow words from Zeynep Tufekci, a New York Times contributor and ‘technosociologist’ professor at the University of North Carolina.
So I still recommend encrypted tools like the Tor browser, Signal messaging/voice/video app, ProtonMail webmail, and TAILS operating system. Future columns will cover these tools in detail. In Tufekci’s words, “if anything, the C.I.A. documents in the cache confirm the strength of encryption technologies.”
That said, what the WikiLeaks cache does show is a significant shift in surveillance culture. Having realized that they can no longer reliably intercept communications when they are encrypted, the CIA has shifted to specifically targeting devices with malware. This includes smartphones, computers, smart TVs, and even automobile control centers. These practices by the CIA are probably indicative of what security agencies all over the world are doing, according to ProtonMail founder Andy Yen, a secure e-mail provider.
The leaks show that in order to attack our devices, the CIA has stockpiled and developed a large arsenal of ‘cyber-weapons,’ in the words of WikiLeaks founder Julian Assange. This involves millions of lines of code for viruses, hacking systems, trojans, backdoors, exploits, and other malware. A number of these tools were gleaned from foreign surveillance agencies and criminal hackers. The CIA can theoretically use the ‘digital fingerprint’ carried by such tools to cast blame on others for their own hacking.
In compiling these archives, the CIA deliberately stockpiled and hid vulnerabilities in tech companies’ products, instead of sharing their knowledge so the vulnerabilities could be patched. This was in spite of promises the Obama administration made to share this information through the Vulnerabilities Equities Process. They also did this knowing that foreign powers and cyber-criminals could use them against consumers. In other words, the CIA chose to maximize its own spying capabilities at the expense of even American citizens’ security. (As discussed last column, Canadians and all non-U.S. citizens have had the weak privacy protections granted them in 2007 wiped out by Trump’s Fourth Executive Order.)
As Ben Wizner, director of the ACLU Speech, Privacy, and Technology Project put it, the government has “deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people. Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world.”
Now the usual purpose of all this malware – and the implicit thrust in current surveillance– is to hack into our digital devices and get them to eavesdrop on us before encryption can be applied.
How worried should we be?
On some level, the CIA leaks detail fairly terrifying stuff. Samsung Smart TVs can be put into a fake ‘Power Off’ mode where they are actually recording and transmitting audio. There is the possibility that hacking vehicle control systems could permit “nearly undetectable assassinations,” according to WikiLeaks. This has revived conspiracy theories surrounding the death of journalist Michael Hasting.
Still, it seems like these are targeted tools, that have to be deliberately and specifically deployed. We are not talking about automated mass surveillance like in Snowden’s NSA revelations. As Ed Johnson-Williams, a privacy advocate at Open Rights Group, puts it these “vulnerabilities are expensive to buy or discover. In order to keep their existence secret for as long as possible they are likely to have been used on a targeted basis.”
This means that security agencies are probably relatively selective in who they target for this kind of surveillance. Ordinary readers of this column are probably safe from targeted attacks, and probably able to communicate in relative privacy so long as they are using encrypted tools to combat mass surveillance. But we need to stand up for the whistleblowers, investigative reporters, and ‘disruptive’ activists who are being targeted. Indigenous, racialized, and environmental activists are particularly liable to be targeted by security agencies. Speak up on their behalf and support their causes. Practice good digital security yourself, so as to provide a kind of herd immunity for those who most need on-line security. Using encrypted tools like Signal to text your mom about innocuous things like laundry normalizes private communication, and helps activists doing good work blend in.
The other side of this story is the continued failure of the security establishment to keep its secrets. Bloomberg news quoted an anonymous National Security official who spoke of an ongoing “crisis in operational security over maintaining confidentiality… for security agencies.”
Much like Snowden, the source of the leaks seems to be a security insider who was troubled by these unlicensed surveillance capabilities. According to WikiLeaks, the files had “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” The source apparently “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons… [as well as] whether the C.I.A.’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.”
So despite the Obama administration’s extraordinary persecution of whistleblowers, information continues to leak out. Measures taken to prevent another Snowden-like leak seem to have failed. Whistleblowers continue to come forward, obeying their conscience in the face of severe consequences.
The security agencies who are invading our privacy have a security problem too.
WikiLeaks has also withheld the vast majority of the data dump so it can share the information with tech companies, so that they can fix their vulnerabilities. The hacking practices revealed by WikiLeaks “aren’t easily replaced once they are disclosed, and targets can develop defenses against them,” according to the same anonymous NSA official quoted earlier.
Meanwhile, commonsense security practices give a measure of protection from many of these cyber-weapons. Keep all your software up to date, and only open documents, links, and programs from sources you trust. Companies like Android and Apple claim that many of the leaked cyberweapons have already been invalidated by their most recent software, and that they will quickly fix the rest.
The struggle is real. Around the world, security agencies are spending millions and billions of our money, trying to develop new ways of spying on us.
The good news, though, is that — despite this powerful opposition, despite a dizzying array of state-sponsored security tools — whistleblowers, reporters, software engineers, and ordinary citizens continue to fight the surveillance state, with some real success.