by Timothy Blinks
Government surveillance is in the news again with WikiLeaks’ release of an archive detailing CIA hacking methods. What does this mean for you, the ordinary reader who might be interested in having a private online life?
First, let’s back up a little. NSA whistleblower Edward Snowden’s revelations showed the ubiquity of mass online surveillance. But they also showed that certain programs and services were giving security agencies difficulty. These programs implemented encryption in various contexts — for browsing, instant messaging, calling or for computer drives and entire operating systems. In 2013, the NSA internally characterized these privacy tools as a “major threat” to their mission. It also described the effect of chaining them together as “catastrophic” — leading to a “near-total loss/lack of insight to target communications.”
The development and popularization of these anti-surveillance tools has continued, and this column will introduce the best of them to Leveller readers.
Nothing in the recently released archive shows that these encrypted tools have been compromised, despite an initial tweet from WikiLeaks that spoke of “bypassing” popular apps like Signal and WhatsApp. While the tweet was initially picked up by many news organizations, a growing consensus has characterized it as “misleading” and “sensationalizing,” in the words of Zeynep Tufekci, New York Times contributor and ‘technosociology’ academic at the University of North Carolina.
In Tufekci’s words, “if anything, the CIA documents in the cache confirm the strength of encryption technologies.”
But the WikiLeaks cache also shows a shift in surveillance culture. Having realized that they can no longer reliably intercept communications when they are encrypted, the CIA has shifted to specifically targeting devices with malware. This includes smartphones, computers, smart TVs, and even automobile control centers. According to ProtonMail founder Andy Yen, the CIA’s practices are probably indicative of what security agencies all over the world are doing.
The leaks show that in order to attack our devices, the CIA has stockpiled and developed a large arsenal of “cyber-weapons,” in the words of WikiLeaks founder Julian Assange. This involves millions of lines of code for viruses, hacking systems, trojans, backdoors, exploits, and other malware. A number of these tools were gleaned from foreign surveillance agencies and criminal hackers. The CIA can use the “digital fingerprint” carried by such tools to cast blame on others for their own hacking.
While compiling these archives, the CIA deliberately stockpiled and hid vulnerabilities in tech companies’ products, instead of sharing their knowledge so the vulnerabilities could be patched. This was in spite of promises the Obama administration made to share this information through the Vulnerabilities Equities Process. They also did this knowing that foreign powers and cyber-criminals could use these vulnerabilities against consumers, instead choosing to maximize their own spying capabilities at the expense of American citizens’ security.
The usual purpose of all this malware – and, implicitly, the general thrust in current surveillance – is to hack into our digital devices and get them to eavesdrop on us before encryption can be applied.
How worried should we be?
On some level, the CIA leaks detail fairly terrifying stuff. Samsung Smart TVs can be put into a fake “Power Off” mode where they are actually recording and transmitting audio. There is the possibility that hacking vehicle control systems could permit “nearly undetectable assassinations,” according to WikiLeaks. This has revived conspiracy theories surrounding the death of journalist Michael Hastings.
Still, it seems like these are targeted tools that have to be deliberately and specifically deployed against individuals. We are not talking about automated mass surveillance like in Snowden’s NSA revelations. As Ed Johnson-Williams, a privacy advocate at Open Rights Group, puts it, these “vulnerabilities are expensive to buy or discover. In order to keep their existence secret for as long as possible they are likely to have been used on a targeted basis.”
This means that security agencies are probably relatively selective in who they target for this kind of surveillance. Ordinary readers of this column are probably safe from attack. But we need to stand up for the whistleblowers, investigative reporters, and ‘disruptive’ activists who are being targeted.
This being said, I still recommend the use of tools like the Tor browser, Signal voice/messaging app, ProtonMail webmail, or TAILS operating system for those concerned about preserving their privacy online.
The other side of this story is the continued failure of the security establishment to keep its secrets. Bloomberg News quoted an anonymous NSA official who spoke of an ongoing “crisis in operational security over maintaining confidentiality.”
Much like Snowden, the source of the leaks seems to be a security insider who was troubled by the unlicensed surveillance capabilities they observed while performing their job. According to WikiLeaks, the files had “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” The source apparently “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyber-weapons… [as well as] whether the C.I.A.’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” Measures taken in the wake of Snowden to prevent more leaks do not seem to be working, as whistleblowers continue to come forward, obeying their conscience in the face of severe consequences.
WikiLeaks has also withheld the vast majority of the data dump so it can share the information with tech companies, allowing them to fix their vulnerabilities. The hacking practices revealed by WikiLeaks “aren’t easily replaced once they are disclosed, and targets can develop defenses against them,” according to the same anonymous NSA official.
Meanwhile, a few basic security practices can give a measure of protection from many of these cyber-weapons. Keep all your software up to date, and only open documents, links, and programs from sources you trust. Companies like Android and Apple claim that many of the leaked cyber-weapons have already been invalidated by their most recent software, and that they will quickly fix the rest.
Also, in order to protect yourself from mass surveillance, I still recommend encrypted tools like the Tor browser, Signal messaging/call/video app, ProtonMail webmail, or TAILS operating system – many of which we’ll explore in future columns.
This article first appeared in the Leveller Vol. 9, No. 6 (Spring 2017).