The anti-secrecy platform WikiLeaks has said it would work with tech firms to fix security flaws before publishing them. Customers’ trust in firms like Google and Apple has already been eroded by the Snowden leaks.
Google, Apple, Microsoft, Samsung and other major tech companies have been faced with new dilemmas by the latest WikiLeaks release. The “Vault 7” dump of CIA files has exposed a number of security breaches in their software, which US intelligence has exploited and kept secret so that it can continue to hack into smartphones, computers, and even TV sets to use them as surveillance devices.
Apple was one of the first companies to respond to the revelations, releasing a statement on Tuesday, the same day that WikiLeaks released the files. The tech giant promised to “rapidly address any identified vulnerabilities” in the iPhone.
It also said that its “initial analysis” indicated that many of the holes mentioned in the files, which were created between 2014 and 2016, had already been plugged in the latest updates to its operating system.
Samsung offered a similar statement, emphasizing that “protecting consumers’ privacy and the security of our devices is a top priority,” and promised that the claims would be investigated. Microsoft, meanwhile, would only say: “We’re aware of the report and are looking into it.”
On Thursday, WikiLeaks founder Julian Assange announced that not only did his organization have “a lot more information” about the CIA’s hacking operation, but that it had listened to manufacturers’ complaints and would from now on first share that information with tech companies.
“We have decided to work with them to give them some exclusive access to the additional technical details we have so fixes can be developed and then pushed out,” Assange told a press conference broadcast via Facebook. “Once this material is effectively disarmed by us, we will publish additional details about what has been occurring.”
Trusting your phone
The CIA refuses to comment on the authenticity of leaks, but so far few doubt that the documents are real, and that they represent further damage to customers’ trust in major tech giants. Documents released in 2013 by the former National Security Agency (NSA) contractor Edward Snowden showed that the NSA paid Google, Facebook, Yahoo, and Microsoft to cover legal costs related to its “Prism” surveillance program.
In 2014 a top lawyer representing the NSA told a hearing of the US government’s institutional privacy watchdog that technology companies were not only fully aware of the agency’s mass collection of data, but had provided assistance. In fact, as Snowden himself pointed out on Twitter on Tuesday, the new leaks included evidence that the US government was also paying firms to keep software unsafe.
This raises doubts about whether major tech firms even have full control over their users’ data. But Frank Herrmann, privacy spokesman of the German Pirate Party, criticized WikiLeaks for leaking flaws that hadn’t been fixed. “Some manufacturers seem to have been surprised, and they were annoyed a little I think,” he said.
“Having trust is a difficult matter, but we believe that the manufacturer is the first who should be informed about a security gap in their software – so that they can fix it,” Herrmann told DW. “But in the end there should always be some kind of publication. The aim of the publication always has to be that broken, flawed software, which includes dangers, isn’t used, or is fixed.”
The big question, for Herrmann, was whether such tech companies could still be trusted in the future – not least because they are US companies bound by US law to help authorities in some cases. “The big companies, like Apple, are defending themselves, saying, ‘We’d never do that,’ but in ten years it might be different; they might say, ‘We had to.'”
Privacy vs. connectivity
Frederike Kaltheuner, policy advisor for Privacy International, suggested that the real problem lay in the fact that the technology is fundamentally insecure. “These revelations point to a more systematic problem: consumers are buying ever more smart, connected devices that are insecure,” she told DW. “The Samsung smart TV is a good example, because Samsung has faced security issues before these revelations, and I think these vulnerable devices give governments easier access to our private lives.”
“Companies do have a responsibility and must be liable for putting poorly secured connective devices with more sensors into our private lives,” she said. “If you’re selling devices that don’t put the individual in control, that have sensors that you never know if they’re on or off, you’re essentially betraying your users.”