News organization have been abuzz this week following the release of a new WikiLeaks document dump detailing the hacking tools used by the CIA to spy on Americans. Of the countless worrisome discoveries made possible by the leaked documents, one of the most frightening was the assertion that the CIA is capable of “bypassing” encrypted messaging apps such as Signal and WhatsApp. This detail was widely reported throughout the week, but according to the New York Times, those reports are overblown.
The Times reports that following the dump, security researchers used automated tools to search the entire database and couldn’t find a single mention of any popular encrypted messaging apps. That means top messaging apps like WhatsApp, Signal, Wickr and Apple’s own iMessage platform are all safe from the CIA’s prying eyes.
Additionally, “the hacking methods described in the documents do not, in fact, include the ability to bypass such encrypted apps.” While a member of the intelligence community might be able to access your WhatsApp by taking control of your phone, the app itself isn’t vulnerable, at least not according to the documents.
As the Times surmises, reporters seem to fundamentally misunderstand what these documents actually reveal. End-to-end encryption means that no one can aside from the two participants can access the conversation, including the company that developed the app. The tools that the leaked documents describe focus on “techniques for hacking into individual phones,” which would subsequently give the CIA (or anyone else who hacked your phone) the ability to see anything they want to see.
While this is also troublesome, it’s a different story than if the CIA had developed a tool to “bypass” encryption altogether. Instead, it seems to reinforce the idea that encrypted communication is working. Otherwise, why would the CIA be hacking into individual devices rather than massive network of app users?
“If anything in the WikiLeaks revelations is a bombshell, it is just how strong these encrypted apps appear to be. Since it doesn’t have a means of easy mass surveillance of such apps, the C.I.A. seems to have had to turn its attention to the harder and often high-risk task of breaking into individual devices one by one.”
Had WikiLeaks not willfully deceived the public with tweets about “hacking malware” that could “infest” mobile devices and “bypass” encryption of apps like Signal and Confide, this clarification might not be necessary. But once again, there appears to be a story behind the story being pushed by WikiLeaks.