Cybersecurity

CIA Leak Shows How We're Losing Both Privacy and Security with Tech Data

Agency hoards infiltration tools and puts our information at risk of exposure.

|

surveillance
Richard B. Levine/Newscom

Consider this: The actual details about certain CIA cybersurveillance tools and hacking programs making it out into the public sphere aren't as important as we think. That the fact these details leaked in the first place is what matters. That our intelligence agencies cannot expect to keep their practices secret from the public at large (and other nations) should influence policy decisions on how much information they collect and how they prioritize infiltrating devices over revealing security risks.

After WikiLeaks dumped thousands of documents about CIA surveillance and cyberespionage techniques Tuesday, Ed Krayewski looked through and summarized some of the more notable discoveries. There have been some responses that maybe overstate what the CIA is doing based on at least what's in these documents. The use of surveillance through smart televisions, for example, requires a person to physically interact with the television in order to install malware. There is no evidence that CIA snoops can simply access the camera in any Samsung smart television.

So maybe the information from this leak is itself not particularly shocking. The CIA is doing largely what people expect them to do. That doesn't mean there's nothing important we should be learning from this info dump. Julian Sanchez, a Cato senior fellow who writes and speaks on surveillance issues and is a founding editor of Just Security, spoke to Reason (via Twitter direct messages) about the greater implications of the dump.

The CIA documents demonstrated an emphasis on data and device infiltration over security and the desire to keep "zero day" exploits (security weaknesses the device or software creator doesn't initially know exists) to themselves to aid in surveillance. Except, as this latest leak demonstrates, the CIA may not actually be good at keeping these exploits secure. And that creates more cybersecurity vulnerabilities for everybody because the CIA isn't informing companies about holes in their devices and programs.

"Many of us have been saying for a while that the default really ought to be quite prompt disclosure, because on net the security gain from closing vulnerabilities—defense against attacks against Americans—is likely to be greater than the value of the intelligence gleaned from maintaining the access," Sanchez says. "And I think that holds even if we're just talking about the risk of a hacker or foreign intel service independently discovering the same leak."

It's not unlike the fight over encryption "backdoors," deliberately designed mechanisms to access the data of a device or program by bypassing its security systems. Government officials want to use backdoors to access data for investigations of crime or terrorism. But there's no such thing as an encryption bypass that only the "right" people can use. Just like zero day exploits, anybody with the right knowledge—regardless of whether they have good or ill intent—would be able to exploit an encryption backdoor.

If even the secretive CIA cannot keep the details of its exploits out of the hands of Wikileaks, then we've surrendered both privacy and security for the benefit of the intelligence community's desire to collect information. Sanchez notes that "when you add what appears to be a very real problem of the actual tools we develop—weaponized vulnerabilities—making it into the wild, the risk of opting for retention over disclosure is even greater."

The leak should also be a reminder that when the federal government snoops, collects, and stores data about everybody, there's also the risk of that information "making it into the wild." We already saw this under President Barack Obama's administration when the private personnel data on millions of federal employees was compromised. The more information the government has, the greater potential for harms from other compromises.

But it's unclear right now whether any of these concepts or concerns will play any role in this post-leak analysis. Right now the emphasis is on who is responsible for the leaks ("Was it Russia? Was it? It was Russia, wasn't it? Tell us if it was Russia.") and the embarrassment the CIA must feel over the leak.

NEXT: University of Lincoln's Conservative Student Group Censored for Complaining About Censorship

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. ABOOT TYME SHACKLEFRAUD!

    1. Sorry, I wanted to beat everyone else.

      1. I “second” that

        I’ll just let myself out

  2. That our intelligence agencies cannot expect to keep their practices secret from the public at large (and other nations) should influence policy decisions on how much information they collect and how they prioritize infiltrating devices over revealing security risks.

    Should, but won’t. Ed Snowden is still being a heroic hero over in Russia and nothing he did mattered either.

    1. Again the solution to this is to write an amendment that states all government documents are public record when its government internal work and information on a citizen (foreign nation data can stay secret if needed).

      People would start to give a shit when their credit card purchases, drug prescriptions, medical records, photos, texts, phone calls, location data, income, skype videos, nudies, and everything was posted on a governments website for public record.

      Problem fucking solved.

  3. I dunno, still seems like kind of a big deal that they can do all this stuff right here with nothing but a secret warrant. At least we hope they’re getting warrants. Because how would we ever actually know? They’re SECRET.

    But point taken. If they can’t secure their own secrets, how are they supposed to secure everybody else’s? Not that they give a damn about that.

  4. My Uncle Nolan recently got Infiniti G Sedan by working part-time from a macbook… go to
    the website…………. https://tinyurl.com/5days-job

  5. Oh, Shackford, you’re my favori–

    spoke to Reason (via Twitter direct messages)

    You’re dead to me.

  6. embarrassment the CIA must feel over the leak.

    Why would they be embarrassed? At most I could see them having some poor schmoe fall on his sword then they’ll wipe their hands and walk away. Scott free, so to speak.

  7. the private personnel data on millions of federal employees was compromised.

    But did any of them lose their lives over it? If not, why not?

  8. Shut up, Scott. We all know that Reason hates Julian Assange and Wikileaks because he hurt Hillary. You aren’t fooling anyone.

  9. I for one have stopped using my phone, TV and computer, because Assange.
    This is huge.

  10. Right now the emphasis is on who is responsible for the leaks (“Was it Russia? Was it? It was Russia, wasn’t it? Tell us if it was Russia.”)

    It’s good to be Russian.

  11. “The use of surveillance through smart televisions, for example, requires a person to physically interact with the television in order to install malware. There is no evidence that CIA snoops can simply access the camera in any Samsung smart television.”

    Of course if they wanted to there’s nothing stopping them from installing the malware as soon as the TVs are unloaded on the dock, or even at the factory where they’re made.

    1. Who says they don’t have the private keys to all the certificate authorities that you rely on to keep transactions secure? I no longer trust any technology, and I work in technology.

      Fuck it, we’re screwed.

  12. The reality is you have no privacy or security online beyond dumb luck. These tools exist and they are not going away. And no matter how secure you make something, someone will always be able to crack it. Go ahead and shut down the CIA if you like. But doing that won’t stop other nations or parties from using these tools.

    The only way to restore privacy and security is to go back to an analog system to some degree. If you are worried about privacy, you should be working to protect the existence of cash, the postal system and other analog ways of doing business and living that exist outside of the digital world and thus cannot be as easily compromised and controlled.

    Libertarians need to understand their pavlovian love of all technology is the road to ruin. Do you want your freedom and your privacy or do you want to live in a digital gilded cage? Those are the choices. And no amount of fantasizing about bitcoin and the next great encryption technology is going to change that.

    1. The postal system — good one. You think they can’t read your mail?

      1. You can use unbreakable codes via snail mail. Just have a mental disorder and say random shit. works for me

  13. The CIA is doing largely what people expect them to do.

    Waste munny and screw everything up?

    1. It is what they have been doing for over 60 years now. Why wouldn’ that be what people expect them to do?

  14. Right now the emphasis is on who is responsible for the leaks (“Was it Russia? Was it? It was Russia, wasn’t it? Tell us if it was Russia.”) and the embarrassment the CIA must feel over the leak.

    And here I thought the CIA learned to love leaks.

  15. You know Wikileaks is a CIA disinformation operation, right? They want you to think they can watch you anywhere, anytime, but the reality is these people are so dumb they need to read the instructions to operate a spoon.

    1. You make a great point Jerry. There is no way to know if wiklleaks isn’t a CIA run disinformation program. And even if it is not, there is no way to know if this leak isn’t just disinformation.

      And I am inclined to agree with you that they are more incompetent than anything else.

    2. they can though…its been public knowledge for 1-4 decades to varying degrees. The tech exists and they control it. Your an idiot if you think otherwise.

  16. There is no evidence that CIA snoops can simply access the camera in any Samsung smart television.

    If there’s a camera and an internet connection, consider it hacked.

    One more reason to just say no to the Internet of Things turning your house into surveillance zone.

    1. It’s the Internet of Shit, in my opinion. And I agree. Consider everything tainted. Everything.

    2. This is very true. Hackers have shown they can infect and control and send anything they want off your phone without your knowledge.

      Hell Even fox has a short segment on this.

  17. I am using it now & it’s awesome! I’ve signed up for my account and have been bringing in fat paychecks. For real, my first week I made ?350 and the 2nd week I doubled it & then it kinda snowballed to ?150 a day! just folllow the course.. they will help you out

    ================> http://MaxNet80.com

  18. like Elizabeth implied I’m amazed that a stay at home mom able to earn $7417 in 4 weeks on the internet . read here…………. (((( http://www.net.jobs34.com ))))

  19. Most of us want to have good income but dont know how to do that on Internet there are a lot of methods to earn huge sum, but whenever Buddies try that they get trapped in a scam/fraud so I thought to share with you a genuine and guaranteed method for free to earn huge sum of money at home anyone of you interested should visit the page. I am more than sure that you will get best result. Best Of Luck for new Initiative!

    ,,,,,,,,,,,,,,,,,,,,,,,,, http://www.moneytime10.com

  20. Wisdom from my grandmother:
    A secret is something known to only one person.

    Cold hard facts, from my security briefing:
    1. The possibility of a leak goes up as the square of the number of people who know a secret. (probably BS, but they say it)
    2. You cannot keep what we are doing from getting out. We can, however, make it take so much time and resources that by the time it is confirmed, it is too late to stop us.

    My grandmother had a better grasp of secrets.

Please to post comments

Comments are closed.