Vault 7: Balancing Privacy, Security, and Surveillance in the Digital Age

What are you looking at?

“I’m shocked — shocked — to find that gambling is going on in here!” ~ Casablanca, 1942.

Surveillance technology has become ubiquitous in our society. While most of us are not troubled by the use of surveillance video to detect criminals and deter crime, its excessive use should make us apprehensive. Of course, the main difference between security cameras and internet surveillance is that video surveillance systems are installed only in public places.

The massive Vault 7 data dump by WikiLeaks appears to contain extensive documentation of sensitive Central Intelligence Agency surveillance operations and hacking tools. The recent leak highlights a tension between the importance of checking surveillance overreach, and the need to maintain US defense and intelligence-gathering capabilities abroad.

But it’s not just the government that is tracking our every move. Retail surveillance is now a reality for most consumers. Understandably, the vast amounts of data stored by companies like Apple, Amazon, Facebook, Yahoo!, Samsung, and Google are appealing targets for intelligence services seeking to expand their capabilities and countermeasures.

Why worry about Big Brother when it’s your big Samsung TV that’s watching you? As Samsung warned in 2015, “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” 1984 finally arrived in 2015.

Spies spy and hackers hack (Angry Birds, anyone?). In this increasingly complex world of connected devices, consumers cannot take it for granted that their digital devices remain safe, secure, and private. It should come as no surprise that the Internet of Things (IoT) is vulnerable to exploitation. In fact, hacking phones, smart TVs, and computers is nothing new. What man can make, man can break (into). This incident hasn’t changed any of that. Protecting digital privacy remains an active process.

It should also come as no surprise that we live in a dangerous world. Disclosing spy tools that exploit software vulnerabilities hinders intelligence organizations because it gives manufacturers the opportunity to patch their code and close the backdoors that allowed covert access. Protecting users necessitates that process, as does the reality that intelligence groups can’t ensure that some malicious actor isn’t also using an active exploit. If the US government can get into a device, so can a black hat hacker.

Cyberspace is a double-edged sword. While technological innovation has led to unprecedented information sharing and communication, the proliferation of digital technology has also resulted in a dramatic erosion of personal privacy. Balancing privacy with legitimate surveillance and lawful data access is the defining issue of our time. Like it or not, we are all combatants in an information war, with our data under constant siege.

As a free and open society, we must learn to balance competing requirements for privacy, national security, law enforcement, and economic competitiveness. Anyone who believes we have a binary choice between privacy and letting the terrorists win is missing the point. National security and privacy are not mutually exclusive. Digital security is not a zero-sum game.

Who will guard the guards themselves? The US intelligence community must realize that while increased oversight and controls may restrict their operational capabilities to an extent, they are necessary to ensure that the digital privacy of US citizens is protected. After all, unchecked cyber weapons are never a good thing and can have unintended consequences. Remember Stuxnet?

The bigger story here is countering the insider threat and unauthorized disclosure of sensitive data (looking at you, Russia and Shadow Brokers!). Attribution of cyberattacks is, at the end of the day, often difficult. But what is the CIA doing to safeguard sensitive data? Are those safeguards effective? Will consumer electronics manufacturers embrace privacy and security standards for new products? What impact will the Vault 7 leak have on US dominance in cyberspace? Maybe the CIA (and NSA!) isn’t as good at keeping its secrets as the agency would like us to believe.
