Wikileaks will hand Central Intelligence Agency hacking tools to technology companies in order for them to defend their customers against spying.
Julian Assange, founder of the website, said he had decided to provide the classified information to giants such as Microsoft, Samsung and Apple whose products were implicated in the alleged CIA leaks.
The announcement comes after Wikileaks on Tuesday released a raft of documents that it claims detail tools the CIA used to hack into people's computers, televisions and smartphones, among other internet-connected devices.
Wikileaks didn’t disclose details of how the tools worked, but it released basic information that it says proves the cyber weapons arsenal exists.
In the wake of the release, Assange said tech companies had asked Wikileaks to pass them details of the hacks that affect their products in order for them to fix them.
“After considering what we think is the best way to proceed and hearing calls from some of the manufacturers we have decided to work with them, to give them exclusive access to some of the technical details we have,” said Assange.
With the information Assange said the companies can “effectively disarm” the alleged CIA hacking tools.
It is not clear how long it will take for all of the vulnerabilities to be fixed, or whether they can all be fixed. Some could be blocked in a couple of days, said Assange, while other, more critical ones could take weeks.
Assange warned that other hacks, such as the one used to turn on a “fake off” spying mode on Samsung smart TVs, may have to be manually blocked. This could prove difficult as it would require people to know their device had been infected in order for it to be fixed.
The CIA has not commented on the authenticity of the leaks.
WikiLeaks has offered to help the likes of Google and Apple identify the software holes used by purported CIA hacking tools – and that puts the tech industry in something of a bind.
While companies have both a responsibility and financial incentive to fix problems in their software, accepting help from WikiLeaks raises legal and ethical questions. And it’s not even clear at this point exactly what kind of assistance WikiLeaks can offer.
WikiLeaks founder Julian Assange said Thursday that the anti-secrecy site will help technology companies find and fix software vulnerabilities in everyday gadgets such as phones and TVs. In an online news conference, Assange said some companies had asked for more details about the purported CIA cyberespionage toolkit that he revealed in a massive disclosure on Tuesday.
“We have decided to work with them, to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out,” Assange said. The digital blueprints for what he described as “cyberweapons” would be published to the world “once this material is effectively disarmed by us.”
Any conditions WikiLeaks might set for its cooperation weren’t immediately known. Nor was it clear if WikiLeaks holds additional details on specific vulnerabilities, or merely the tools designed to exploit them.
Apple declined comment on the WikiLeaks offer, and Google didn’t respond to requests for comment. Microsoft said it hopes that anyone with knowledge of software vulnerabilities would report them through the company’s usual channels.
Tech companies could run into legal difficulties in accepting the offer, especially if they have government contracts or employees with security clearances.
“The unauthorized release of classified documents does not mean it’s unclassified,” said Stewart Baker, a former official at the Department of Homeland Security and former legal counsel for the National Security Agency. “Doing business with WikiLeaks and reviewing classified documents poses a real risk for at least their government contracting arms and their cleared employees.”
Other lawyers, however, are convinced that much of the information in the documents is so widely known that they are now part of the public domain. That means tech companies would be unlikely to face any legal liability for digging deeper with WikiLeaks.
Alternatively, suppose tech companies don’t accept WikiLeaks’ offer to help fix any security flaws – and are subsequently hacked. At that point, they could face charges of negligence, particularly in Europe where privacy laws are much stricter than in the U.S., said Michael Zweiback, a former assistant U.S. attorney and cybercrime adviser now in private practice.
GETTING TOO CLOSE TO WIKILEAKS
Public perception might be a bigger problem. “They don’t want to be seen as endorsing or supporting an organization with a tainted reputation and an unclear agenda,” said Robert Cattanach, a former U.S. Department of Justice attorney.
During the 2016 election, WikiLeaks published thousands of emails, some embarrassing, from breached Democratic Party computers and the account of a top aide to Hillary Clinton. U.S. intelligence agencies concluded those emails were stolen by hackers connected to the Russian government in an attempt to help Donald Trump win the presidency.
The CIA did not respond directly to Assange’s offer, but it appeared to take a dim view of it.
“Julian Assange is not exactly a bastion of truth and integrity,” CIA spokeswoman Heather Fritz Horniak said.
But most tech companies already have digital hotlines to receive tips about security weaknesses, even if they come from unsavory characters. So it wouldn’t break new ground for them to consult with a shadowy organization such as WikiLeaks.
A BETTER PATH
Ideally, the CIA would have shared such vulnerabilities directly with companies, as other government agencies have long done. In that case, companies would not only be dealing with a known entity in an aboveboard fashion, they might also obtain a more nuanced understanding of the problems than their engineers could glean from documents or lines of computer code.
And if companies could learn details about how the CIA found these vulnerabilities, they might also find additional holes using the same technique, said Johannes Ullrich, director of the Internet Storm Center at the SANS Institute.
And there are risks in obtaining actual hacking tools from WikiLeaks. Some might have unadvertised features that could, for instance, start extracting data as soon as they launch. Ullrich said the CIA also might have left some traps to attack people running its exploits. If these aren’t detailed in the documents, only the CIA would be able to help tech companies avoid setting them off.
If all goes well, WikiLeaks could emerge looking better than some parts of the U.S. government.
“I am not a fan of WikiLeaks, but I don’t think it is fair to throw rocks at everything they do,” said Cindy Cohn, executive director of the Electronic Frontier Foundation, a group specializing in online privacy and other digital rights. “What WikiLeaks is demonstrating is that the CIA does not have the best interests of these companies at heart.”
BETTER THAN NOTHING
There’s one more unknown, which is just how much help WikiLeaks can actually provide. Apple, Google and Microsoft say they’ve already rendered many of the alleged CIA cyberespionage tools obsolete with earlier updates that patched related software holes.
Still, the companies will probably want to check out what WikiLeaks has, assuming that the organization hasn’t set unreasonable conditions on its cooperation. Some privacy and security experts believe the CIA’s own refusal to contact the affected companies about the vulnerabilities gives them little choice.
“We all should have better security, and certainly at this point, not trying to fix them makes no sense,” Cohn said.
Liedtke reported from San Ramon, Calif. Raphael Satter in Paris, Paisley Dodds in London and Deb Riechmann in Washington contributed to this report.
This story has been corrected to reflect that purported CIA tools are not aimed at “defeating encryption” but at hijacking computers.
Why Is Obama Expanding Surveillance Powers Right Before He Leaves Office?
It could be to prevent Trump from extending them even more.
Kaveh Waddell: First off, what do these changes mean for the intelligence community? Has a lack of information-sharing among agencies been holding back investigations?
Susan Hennessey: The origin of these changes dates back, honestly, to just after 9/11. There was this identified issue of “stovepiping”: Intelligence wasn’t being shared frequently or fast enough. Some modifications have already been made throughout the years.
Under Executive Order 12333 as it previously existed, NSA analysts had to make an initial determination and apply a set of privacy rules before sharing raw signals-intelligence information with other parts of the intelligence community. After this change, it doesn’t necessarily have to be an NSA analyst that makes that determination—that information can be shared with other parts of the intelligence community.
So it doesn’t change the substantive rules, it doesn’t change the scope of collection, it doesn’t change the types of protection, it doesn’t change the possible uses; it essentially just broadens the group of people who can apply those protections to the raw intelligence.
Waddell: And by extension, it broadens the group of people who get to see raw intelligence, before those rules are applied?
Hennessey: Yes. This is something that has been at the forefront of privacy and civil-liberties advocates’ minds when they’ve expressed concern with this type of collection. But it’s not accurate to say the rule change means it’s a raw signals-intelligence free-for-all, that anybody can get signals intelligence.
Intelligence agencies other than the NSA will have to provide justification for why they need access to that data. It can only be for foreign intelligence, or other enumerated purposes. So it’s not that those agencies will just be able to see whatever they want—it’s that they will be able to request, with particular justifications, access to more raw signals intelligence than they had before. Then, they will need to apply those minimization procedures for themselves.
The civil-liberties concern often surrounds the use of incidentally collected information. Under the new rule, the FBI could not obtain access to or search raw intelligence information for ordinary criminals in an ordinary criminal investigation against a U.S. person. However, if the FBI incidentally seized evidence of a crime, they are allowed to use that information. So that tends to be where the tension is for people who are concerned with the potential impacts that this change could have on U.S. persons.
Waddell: The fact that more Americans could potentially be subject to warrantless searches, just by virtue of being caught up in the raw signals intelligence that’s shared—is that something that concerns you?
Hennessey: No. Look, I think it’s important to understand that these minimization procedures are taken very seriously, and all other agencies that are handling raw signals intelligence are essentially going to have to import these very complex oversight and compliance mechanisms that currently exist at the NSA.
Within the NSA, those are extremely strong and protective mechanisms. I think people should feel reassured that the rules cannot be violated—certainly not without it coming to the attention of oversight and compliance bodies. I am confident that all of the agencies in the U.S. intelligence community will discharge those very same obligations with the same level of diligence and rigor, adhering to both the spirit and the letter of the law.
That said, there are potentially broader reforms that might be undertaken. I don’t think that they necessarily need to be linked to the sharing of data. But it’s reasonable to at least engage in a conversation about whether or not it’s appropriate to have particular post-collection reforms, like for example imposing an obligation for law enforcement to obtain a warrant in particular circumstances.
That’s a long way of saying that nothing about this particular rule change exposes Americans to additional privacy risks. However, that doesn’t mean that there are not still reasonable and responsible reforms which might take place.
Waddell: I found it interesting that you said the change could, in one way, actually be viewed as a “huge source of comfort.” I think you were referring to the timing of the change. Why is that?
Hennessey: These changes have actually been in process for eight or nine years. One of the things that I think individuals who had insight into intelligence activities and were concerned about the election of Donald Trump—specifically, some of the statements he’s made about adherence to the rule of law—a lot of those people’s minds went very quickly to these procedures.
It’s important to understand the distinction between Executive Order 12333 and the Foreign Intelligence Surveillance Act: One very oversimplified way to think about it is that FISA is a statute that governs collection that takes place within the United States, but that is aimed at a foreign target; 12333 collection is aimed at a foreign target, and takes place outside the United States. That’s shorthand that glosses over some technical and legal nuance, but those are the broad buckets people should be thinking about.
FISA is a statute, so you’d need congressional action to change those rules, and you have a built-in check there. But 12333 is not constrained by statute; it’s constrained by executive order. In theory, a president could change an executive order—that’s within his constitutional power. It’s not as easy as just a pen stroke, but it’s theoretically possible.
Executive Order 12333 requires that this series of protective procedures exist and are adhered to. The procedures are kind of where the rubber meets the road on privacy. They’re the details, the nitty-gritty: What can you actually see? What can you share? What do you have to minimize? So they’re really, really important in terms of what the relationship between U.S. citizens and the intelligence community looks like.
When they were in rewrites, they were sort of vulnerable. There was the possibility that an incoming administration would say, “Hey! While you’re in the process of rewriting, let’s go ahead and adjust some of the domestic protections.” And I think a reasonable observer might assume that while the protections the Obama administration was interested in putting into place increased privacy protections—or at the very least did not reduce them—that the incoming administration has indicated that they are less inclined to be less protective of privacy and civil liberties. So I think it is a good sign that these procedures have been finalized, in part because it’s so hard to change procedures once they’re finalized.
Waddell: Is that why we just went through an eight- or nine-year process to get here?
Hennessey: Exactly. For questions both of genuine complexity and just government bureaucracy, the time horizon here is longer than a single term of the presidency.
So I don’t think that it’s necessarily true that the intelligence community or the Department of Justice was rushing to get these procedures passed; if anything, they’re a little bit late. But I think the bottom line is that it’s comforting to a large national-security community that these are procedures that are signed off by Director of National Intelligence James Clapper and Attorney General Loretta Lynch, and not by the DNI and attorney general that will ultimately be confirmed under the Trump Administration.
Waddell: Is there anything else we should be thinking about with these new changes?
Hennessey: People sometimes focus on the top-line stuff and end up missing the things that aren’t necessarily the symbolic expressions of privacy—the things that make us feel good—but are the functional elements of privacy and civil liberties. What rules do people apply day-to-day and how? There’s going to be a need moving forward to have disciplined conversations about the legal protections that really matter.
If there is a silver lining to some of the anxieties that the incoming administration has produced, I think it’s the potential to move the conversation into a much more productive place. But that opportunity will end up being lost if the responses are the same old same. That’s my last shred of optimism, and I’m hanging on to it.