We learned this morning that Wikileaks released parts of Vault7, its leak of classified information about the CIA's Center for Cyber Intelligence. These leaks confirm what we have discussed for about two years now: "return to the typewriter" and build a non-digital skill set.
This news is relevant to earlier reporting on the FBI's child pornography case, in which they decided not to disclose methods of de-anonymizing users of Tor.
The combination of Wikileaks and the FBI story underscores a central point about government spying: the information about programs must be timely. We can do little with documents of intelligence programs from 2007 or 2012. The technology advances exponentially in depth and breadth -- so that capabilities two years ago, at the secret government level, are nearly obsolete for purposes of planning countermeasures. Imagine reading a review of the first iPod. That is the equivalent of NSA documents from 2015.
The Wikileaks news release discusses capabilities as of the end of 2016. This is timely. But by the end of 2018, we would need additional information. How long has the FBI de-anonymized Tor users? We expected a few years ago, based on our own sources, that as early as 2014, government capabilities included de-anonymizing Tor traffic with manpower devoted to particular users who were targeted for felony crimes. Essentially, as it was explained, "Nodes run in a circle, and the point at which users enter the circle may be found. It takes enough man hours to reverse and find that point."
Another relevant feature is the tension between high technologies. For instance, cars with computer systems face a real threat of hacking of brakes, speed, or steering. Manufacturers respond by digitally enhancing computer security. When the next government breaks the latest updates, manufacturers go back to current systems and repair them once more. Meanwhile, in Eastern Europe, criminal gangs drive older vehicles without computer systems. The threat is eliminated outright by using low tech. Compare this to non-digital encryption, calling cards and payphones, and FedEx.
The Wikileaks press release mentions monitoring of cellphones before encryption may be applied in messaging services like Signal. Tangentially, we talked about Signal on another matter here. Even with the highest rated digital encryption available, users must secure the "end points," or points at which communication enters the encryption cycle: speaking into a machine, texting into a machine, or recording into a device. For encrypted email, for example, the data may be unreadable during transit, but the typing itself is readable.
Finally, a comment about the balance between civil liberty and community security: the child pornographer gets away, and the FBI holds its secret capability. There is no formal condemnation of the perpetrator, no punishment, and no further investigation to prosecute more. They move on to the next case. The Tor compromise remains hidden, and privacy advocates, at this point in 2017, have a marker to hold for perhaps a year or so. The developments in anonymity online continue in the private sector, and law enforcement and intelligence collaborate in secret. This is not a healthy balance. The FBI is supposed to be a democratic institution. In that spirit, it should prosecute this offender, disclose its methods, and let the private sector respond. The cycle then continues, hinged to an organic balance of privacy and security.