When WikiLeaks released a trove of documents stolen from the CIA on Tuesday, it generated sensational headlines. CNN called the release “explosive.” People quickly drew comparisons to Ed Snowden’s leak of documents taken from the NSA.
But there’s an important difference: Snowden’s documents demonstrated that the NSA was actively spying on Americans in possible violation of US law. In contrast, the new documents simply demonstrate that the CIA develops technologies to help it spy on adversaries more effectively — which is exactly what the agency is supposed to be doing.
“There is absolutely nothing illegal in the contents of any of this stuff,” writes security expert Bruce Schneier.
The CIA is legally prohibited from spying on Americans on American soil, and so far none of the WikiLeaks documents have suggested that the CIA has been flouting this requirement.
And contrary to some media reports, the documents suggest that popular cryptography apps like Signal and Telegram really do provide meaningful privacy protections. They’re not perfect — if the CIA really wants to read your encrypted messages, it can probably find a way to hack your smartphone. But that’s a lot more work than the kind of bulk collection programs revealed in the Snowden leaks.
The leaked documents are hacking instruction manuals
A good way to understand what the CIA documents do show — and what they don’t — is with a nondigital analogy. Presumably, somewhere in the CIA is a department that trains spies on how to pick various kinds of physical locks. This department probably has detailed instruction manuals cataloguing the various kinds of locks and safes and which tools and techniques are most effective at breaking into them.
If someone were to leak a copy of this documentation, nobody would consider this to be evidence of wrongdoing on the CIA’s part. The CIA is supposed to be sneaking into the offices of foreign adversaries, stealing documents, planting listening devices, and so forth. If anything, it would be a bigger scandal if the public discovered that the CIA didn’t have lock-picking experts on staff.
The documents leaked this week are the digital equivalent of lock-picking manuals. It’s a trove of documentation explaining how the CIA’s digital spies can break into a wide variety of popular computer systems, from smartphones to smart TVs. But the documents tell us very little about whose digital locks the CIA is picking, or why.
Notably, most of the techniques revealed in the documents are quite banal. For example, we’ve known for years that older versions of Android software are vulnerable to hacking. The CIA has helpfully catalogued many of those vulnerabilities for use in future CIA operations — though Google says it has fixed “many” of the vulnerabilities disclosed in the documents.
Or consider documents describing how to turn a Samsung TV into a covert listening device. That sounds pretty scary, but the key thing to note is that the technique described in the document depends on having physical access to the TV. To spy on you through your TV, a CIA agent would have to first break into your house and then install malware on your TV using the USB port.
Of course, if the CIA has gone to the trouble of breaking into your house, they don’t actually need to hack your TV in order to spy on you. They could just install an old-fashioned listening device somewhere on the premises.
And, practically speaking, the vast majority of people simply aren’t important enough for the CIA to go to the trouble of breaking into their houses. So while it’s theoretically possible that the CIA is spying on you through the TV, it’s very unlikely.
Encryption apps really do protect your privacy
This point is particularly important when it comes to popular encryption apps. The New York Times reported that the CIA has “managed to compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram.”
This is technically accurate, but it’s also misleading, in that it seems to suggest that the CIA has rendered those apps ineffective. But that’s not true at all.
Instead, what the documents show is that if the CIA really wanted to spy on you, it could probably find a way to hack into your smartphone. And once your smartphone is compromised, no encryption app can protect your privacy — because the CIA would be able to view every letter you typed and every message that appears on your screen.
So while it’s possible for the CIA to hack into most people’s smartphones, doing so takes a lot of work, in much the same way that breaking into people’s homes, one at a time, is a lot of work. Encryption software prevents NSA-style bulk data collection, forcing spy agencies to target people individually. And given that the CIA has limited staff, it’s never going to have time to target more than a tiny fraction of the population.
So if anything, these documents should reassure people that it’s worth using encrypted messaging apps. They don’t make it impossible for intelligence agencies to spy on you, but they make it a lot more difficult.