There has been a lot of bad stories and comments about Vault 7, the trove of Central Intelligence Agency (CIA) documents WikiLeaks recently posted. Claims that the CIA has broken Signal, can use any Samsung smart television to spy on people, and a whole bunch of other unsubstantiated or outright false claims have been circulating. Basically, idiots who speak before they think have been claiming that Vault 7 is proof that privacy is dead. But that’s not the case. The tools described in the Vault 7 leak appear to be aimed at targeted surveillance:
Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.
As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”
The threats of mass surveillance and targeted government surveillance are very different. Let’s consider Signal. If the CIA had broken Signal it would be able to covertly collect Signal packets as they traveled from source to destination, decrypt the packets, and read the messages. This would enable mass surveillance like the National Security Agency (NSA) has been doing. But the CIA didn’t break Signal, it found a way to attack Android (most likely a specific version of Android). This type of attack doesn’t lend itself well to mass surveillance because it requires targeting specific devices. However, if the CIA wants to surveil a specific target then this attack works well.
Avoiding mass surveillance is much easier to deal with than defending yourself against an organization with effectively limitless funds and a massive military to back it up that specifically wants your head on a platter. But unlike mass surveillance, very few people have to actually deal with the latter. And so far the data released as part of Vault 7 indicates the surveillance tools the CIA has developed are aimed at targeted surveillance so you most likely won’t have to deal with them.
Privacy isn’t dead, at least so long as you’re not being specifically targeted by a three letter agency.
Its not the targeted surveillance by the government most people are worried about or even mass surveillance since mass surveillance can’t catch shit. It is the very real security vulnerabilities that were left in place well after discovery in order to implement these attacks that can and will and have been used by the criminal element.
I made the same point two days ago. The idea that the government exists to protect us goes out the window when government agencies put us in harm’s way by hoarding vulnerabilities instead of submitting them to developers so they can be fixed.