SAN FRANCISCO – There’s an old Soviet proverb that computer security experts like to quote: “If you think it, don’t say it. If you say it, don’t write it. If you write it, don’t be surprised.”
That message may be one private citizens need to take to heart if the WikiLeaks revelations about the CIA’s ability to break into cell phones, smart TVs and even encrypted messaging systems is proven to be true.
Initial reports could mean that there’s very little ordinary people can do to ensure their communications remain private — there’s no phone you can buy or consumer-friendly app you can download that would protect you.
However, the statement comes with two big caveats. The first is that legally, these cyber-snooping weapons can’t be deployed against U.S. citizens within the United States without the permission of legal authorities. We have no information at this point that they were.
The CIA can legally use tools such as those described in the documents outside of the United States because constitutional limitations don’t apply there, said Scott Vernick, a partner with the law firm of Fox Rothschild in Philadelphia who focuses on data security and privacy.
For Americans, the question is whether these tools were used within the United States, which isn't known.
The second big note of caution: These expensive and difficult-to-create weapons are unlikely to have ordinary citizens as their quarry.
Typically, cyberweapons are only used once or possibly a very few times, because once used out in the wild where they can be seen by others, their advantage of surprise and secrecy is gone.
For that reason, “it’s probable that they’re reserved for use with high value targets,” said Bruce McConnell, a global vice president at the EastWest Institute, a non-partisan think tank, where he heads the cooperation in cyberspace initiative.
WikiLeaks claims that the documents it released Tuesday have been circulated among former U.S. government computer experts and contractors “in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
The CIA issued a statement declining comment on the "purported" documents. USA TODAY has not yet been able to confirm the authenticity of the documents nor seen anything in them thus far to indicate the tools were used in the U.S., or at all.
If they're true, the list of devices the CIA may be able to hack is far-reaching:
Samsung smart TVs
A program dubbed "Weeping Angel” after an episode of the popular British TV science fiction series "Dr. Who," can set a Samsung smart TV into a fake "off" mode to fool the consumer into thinking the TV isn't recording room sounds when it still is. The conversations are then sent out via the user's server. The program was developed in conjunction with MI5, the British FBI equivalent of a domestic counterintelligence and security agency, according to the WikiLeaks documents. Samsung did not respond to a request for comment.
Apple iPhones and Android smartphones
CIA-created malware can penetrate and then control the operating systems for both Android and iPhone phones, allege the documents. This software would allow the agency to see the user's location, copy and transmit audio and text from the phone and covertly turn on the phone's camera and microphone and then send the resulting images or sound files to the agency.
Apple did not respond to a quest for comment. Google, which develops the Android operating systems, said it's looking into the report.
Encrypted messaging systems such as WhatsApp, Telegram and Signal
The WikiLeaks documents don't actually show that the encryption on these secure messaging programs has been hacked. Instead, they describe programs that could be placed on the user's smartphone which then collected audio from calls and texts before they were encrypted. WhatsApp, owned by Facebook, is looking into the report.
Vehicle control systems
It's unclear if this software was actually deployed, but the documents detail a meeting from 2014 in which the agency discussed developing malware that could be used to infect vehicle systems, with the presumed goal of being able to gain information about where the vehicle went and potentially taking control of it if it had self-driving capabilities.
FBI, not CIA
One thing that is known is if these cyber tools were used domestically, and that's a big if, it would have been through the FBI and not the CIA. The domestic authority of the CIA is extraordinarily limited, said Robert Cattanach, a partner at the law firm Dorsey & Whitney.
“The only thing they can do is debrief people that have been overseas. They have no authority and in fact are forbidden from conducting operations in the United States,” said Cattanach, who was previously a trial attorney for the United States Department of Justice and also special counsel to the Secretary of the Navy.
Theoretically, the FBI and the CIA could work together, but give in Cattanach’s experience “the FBI doesn’t very often if ever go to the CIA for anything, and vice versa.” So he doesn't htink it's likely.
If the CIA were to share its cybertools with the FBI, what type of disclosure the agency would have to make isn’t clear, said Neema Singh-Guliani, a legislative counsel with the ACLU.
While there are very clear rules about wiretapping, which requires a judge’s approval, whether hacking into a communication device is something the FBI considers wiretapping isn’t known, she said.
“We just don’t have a clear statement of policy from the FBI saying ‘Here’s what we do and here’s why we have the power to do it,’” she said.
A change to Rule 41 of the Federal Rules of Criminal Procedure in November could have allowed the FBI more leeway “but we just don’t know because they don’t tell us,” Singh-Guliani said.
Congress allows rule permitting mass hacking by government to take effect