WikiLeaks has published what it says is the largest leak of secret CIA documents in history. The thousands of documents, dubbed “Vault 7,” describe CIA programs and tools that are capable of hacking into both Apple and Android cellphones. By hacking into entire phones, the CIA is then reportedly able to bypass encrypted messenger programs, such as Signal, Telegram and WhatsApp, although, contrary to many news reports, the documents do not show the CIA has developed tools to hack these encrypted services themselves. The documents also outline a CIA and British intelligence program called “Weeping Angel,” through which the spy agency can hack into a Samsung smart television and turn it into a surveillance device that records audio conversations, even when it appears to be off.
Julian Assange:
Vault 7 is the largest intelligence leak in history. We’ve published so far less than 1 percent of that material. Now, so far, the publications that we have published reveal that the Central Intelligence Agency has decided to create, in the last 10 years, its own captive version of the National Security Agency, not specialized in bulk interception, but specialized in semiautomated hacking processes. That’s creation of viruses, Trojans, etc., to put in people’s computer systems, telephones, TVs, and have those then report back to CIA listening posts that collect that information, ingest it into the broader CIA process. And also information can be pushed, using these mechanisms, onto those telephones, computers, etc., etc., to, for example, plant information that could implicate someone falsely, or perhaps even truly, in a crime.
So, I think it’s—it’s significant that as the Central Intelligence Agency gained budgetary and political preeminence over the National Security Agency, which used to have a bigger budget—in the post-9/11 environment, the CIA’s budget has now increased to about 1.5 times that of the National Security Agency. So, in response to that increased political power, where increased budgetary spending comes from, it has created its own effective air force, using drones, and its own large hacker squad. So it is able to do things internally that it would previously have to go out for others to do. So, the Central Intelligence Agency, like all institutions, is maximizing its institutional power. And it is slowly succeeding, compared to other institutions.
Now, in response to the various disclosures about the National Security Agency—most importantly, the Edward Snowden disclosures of 2013—industry has responded to market demand in various places, and various engineers ideologically also invested in this, to introduce encryption, in WhatsApp, in Signal, greater type—more types of encrypted email and so on. Now, the Central Intelligence Agency’s hacking approach does not target the intermediaries like the National Security Agency does for these bulk intercepts. Instead, it targets the endpoints, and then it doesn’t need to worry about the encryption. For example, if you and I, Amy, are communicating using, say, Signal on a smartphone, on an Apple or Android, then the Signal encryption protocol is actually quite good and, as far as is known, cannot be decrypted by an intermediary bulk spying on communications traffic going across the Atlantic, like the National Security Agency does. But if either you or I have our phones hacked, and the CIA software specializes in doing this, it means that that encryption doesn’t matter, because the—because the information is gathered either before it’s encrypted or after it is decrypted.
We made this offer publicly, and we also wrote to a number of the large companies, such as Apple, Microsoft, Google, Mozilla, which produces the Mozilla browser, etc. Now, the European companies responded almost immediately. Some even approached us. A couple of U.S. companies, such as Mozilla, responded immediately. And we were also approached by a security engineer at Cisco.
Google, Apple and Microsoft took eight or nine days, depending on the company, to respond. Now, that means that they were putting the—all the users at risk for eight or nine days. What was happening in that eight or nine days? Well, we hear—we’re not sure it’s true for all of the companies, but we hear from one of the companies that what was happening is that they were engaging their lawyers, they had been worried about the politics, etc., etc. My guess is that, on the legal front, a type of collaboration involving classified material could be argued to be conspiracy to commit espionage. Now, of course, that’s not actually practically possible in the U.S. court system or politically possible. And then these companies have individuals within them who have security clearances, because they work on classified projects for the government. And particularly the security divisions of Apple, Google, Microsoft, etc., have people with security clearances in them and who might lose their security clearances if they’re engaged in working on information that has been distributed not through a formal process. So, what you see in the—all those big three taking eight or nine days is some kind of collaboration, either directly with each other or through a third party, say, like the Department of Justice, to understand what role that they’re going to play.
And the role that they ended up playing is saying, “No, we don’t agree to fix anything,” which we had asked for, within 90 days. “No, we don’t agree to say that any fix came from you.” This was our requirement. “Instead, you can just throw something at our regular security reporting mechanism.” So, what’s going on there? Well, no record of collaboration, in a formal sense or in a political sense, that could be used to make political problems for those companies in terms of their contracts with the United States government or potentially introduce problems in relation to the Espionage Act or security clearances. That’s my supposition. We don’t know that’s true for sure. We know that some of that is true for at least one of these companies. But looking at the timing, it’s very unusual that Google, Microsoft and Apple all wrote back to us on the eighth or ninth day, whereas the other companies wrote back immediately or at various times.
Julian Assange, founder and editor-in-chief of WikiLeaks.
— source democracynow.org