What, exactly, did WikiLeaks reveal yesterday in its new trove of purported Central Intelligence Agency documents? As is standard practice for the online clearinghouse of former (and mostly American) secrets, the claim was bold and up-front: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo
, Confide and Cloackman
by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.”
Those apps (with the exception of Weibo) are made for keeping secrets. Surely, if the spooks at the CIA could get around those apps's safeguards, then the privacy of millions of activists, dissidents, journalists, and everyday people who prefer secure communications would be in jeopardy. Right? After all that threat was at the center of former NSA contractor Edward Snowden's revelations in 2013: a vast wealth of data about individuals, Hoovered en masse, indiscriminately. No one was safe.
Except what WikiLeaks released yesterday doesn’t indicate a broad abuse of power.
Both The New York Times and The Wall Street Journal repeated WikiLeaks claim mostly verbatim. That framing shaped their initial stories, as Columbia University computer science professor Steve Bellovin highlighted:
BothTargeted attacks. The CIA is not, as the NSA might, scooping up secure, encrypted communications in transit between people, and then later revealing those conversations. Instead, the CIA is doing what the CIA, as a spy agency focused on collecting intelligence from individuals, does: looking for a way into a specific person’s phone. Then, once it's in that phone, it is bypassing the encryption and recording data and audio transmitted to the device. The fact is most encryption apps, for most purposes, work. We tend to think of security as a binary function: the door is locked or it isn’t. Same with messages sent on an encrypted messaging service: they are either locked or not. But that's misleading. Your locked front door keeps casual intruders and pranksters out; which is enough for most of us, most of the time. But the truth is, it won’t stop a determined burglar with tools, and it won’t stop a cop with a warrant. Most of us aren't targeted and never will be (sorry self-important tech reporters). So communicating with encrypted messaging services means that our messages likely (highly likely) won’t ever be seen by anyone except the person who unlocks them at the other end of our communication chain. What the WikiLeaks trove shows shouldn't surprise anyone: the CIA has a way to get into some phones, some of the time, in the process of looking for information from a specific individual.
uncritically accepted the premise: that there's something wrong with these encryption apps. Nothing could be farther from the truth. Rather, the existence of these hacking tools is a testimonial to the strength of the encryption. It's hard or impossible to break, so the CIA is resorting to expensive, targeted attacks.
Read More: Popular Science