QuickTake: A Skeptical Look at CIA Spying Revelations
March 22, 2017
Last week WikiLeaks revealed what was claimed to be a trove of documents about CIA spying techniques that allow agents to access a variety of popular consumer devices ranging from smartphones to televisions. While the revelations made international news and spurred widespread concern—as well as a slew of inevitable headlines along the lines of “What You Can Do To Protect Yourself”—much of the coverage was predictably alarmist. For the average American who’s concerned that the CIA is spying on them, there are a few things to keep in mind about the recent revelations.
The CIA doesn’t do domestic U.S. spying or investigations; that’s handled by the NSA or FBI, depending on the issue. The ability of the NSA to conduct mass surveillance is limited by the USA FREEDOM Act, which requires, for example, that the organization make requests to telecoms to access databases of telecom-collected metadata. In other words, the telecoms, not the NSA, hold the information.
Furthermore, most of the information released so far is not actually about mass surveillance or spying on large groups of American citizens (or anyone else). Instead it’s about technology developed to exploit individual devices, which requires the end device itself to be compromised. There is an important difference between spying on everybody and hacking into the personal electronic devices of specific people who happen to have devices whose flaws can be exploited.
As I noted last year in my CFI blog “A Skeptic Reads the Newspaper,” critics can express legitimate outrage at raw data being collected en masse on all Americans without a warrant—but that doesn’t necessarily mean that anyone is actually being spied upon, or their phone calls, emails, text messages, and other communications read. There is a difference between communication metadata (for example, lists of times and durations of phone calls to a specific number, or frequency of emails to or from a given email account) and actually reading or accessing the content of that phone call or email.
The disparity was brought into clear focus in the wake of the November 2015 attacks in Paris that killed 129 people—and the attack on the Charlie Hebdo satirical newspaper office in January of that year—when French authorities were forced to explain why the attacks weren’t prevented even though several of the attackers were known to authorities for their terrorist links, and the French benefit from cooperation with American, British, and other intelligence agencies. The answer was simple: they can’t track or watch everyone, even if they wanted to.
Intelligence officials have stated that it takes fifteen to twenty agents to monitor one suspect twenty-four hours a day. This is an incredibly costly and time-consuming process. At the time of the attacks, the French authorities had 11,000 people flagged as a possible threat to national security; of those, 5,000 were elevated to an additional level of concern and considered candidates for additional surveillance.
America’s spy agencies don’t have enough staff to monitor the residents of Cleveland, much less the entire country or the whole world. It would easily tie up every national security employee indefinitely. This doesn’t mean that raw data may not be gathered, but whether anyone ever actually looks at it (or has reason to analyze it) is a whole other matter. The problem that intelligence agencies face is not having too little data, but precisely the opposite: having too much.
If a few thousand people on established watchlists who have criminal records and/or known connections to terrorist organizations can’t be tracked, why would anyone think that government spy agencies are spending their time reading the personal emails of, or spying on, ordinary citizens? The vast majority of Americans (and their communications) are of no interest whatsoever to national security and therefore are unlikely in the extreme to be picked out of the literally billions of communications exchanged globally every day to be examined by a human.
This of course does not mean that ordinary people—accountants, Denny’s managers, car mechanics, etc.—cannot be spied upon and watched, just that it’s very unlikely that they would be. With terrorist attacks to prevent, Russian hackers to deal with, and countless other legitimate threats and targets, why would the NSA listen in on a teenager’s cell phone conversation or intercept a text between a married couple about what groceries to buy on the way home from work? It’s likely that at least 99.99997 percent of communications between average Americans are irrelevant to anything that national security agencies care about, and because of that it would be pointless, counterproductive, and an enormous waste of resources to monitor what most of us do, say, or write.
The average person’s privacy can be invaded in countless ways, by anyone from Peeping Tom neighbors to anonymous computer hackers; American spy agencies hardly have that market cornered. And, of course, many millions of people voluntarily post private information about themselves on Facebook, Instagram, and other social media. From the names and birthdays of their family members, to pets, to when (and where) they go on vacation, to personal medical issues, and so on, there’s an enormous amount of personal data that people happily put online.
It’s also important to note that experts have offered very simple advice to help improve your cybersecurity: update your software. Many of the vulnerabilities discussed in the WikiLeaks data have been known (and patched)—in some cases for years. As The New York Times notes, “In their haste to post articles about the release, almost all the leading news organizations took the WikiLeaks tweets at face value. Their initial accounts mentioned Signal, WhatsApp and other encrypted apps by name, and described them as ‘bypassed’ or otherwise compromised by the C.I.A.’s cyberspying tools. Yet on closer inspection, this turned out to be misleading. Neither Signal nor WhatsApp, for example, appears by name in any of the alleged C.I.A. files in the cache... More important, the hacking methods described in the documents do not, in fact, include the ability to bypass such encrypted apps—at least not in the sense of ‘bypass’ that had seemed so alarming. Indeed, if anything, the C.I.A. documents in the cache confirm the strength of encryption technologies.”
There is no magic bullet to prevent hacking, and any computer can potentially be vulnerable. But for as much as the public fears—or seems to fear—its loss of privacy, simple steps such as changing passwords and updating software remain effective.
QuickTakes offer brief (1,000 words or less), timely commentary on topical news items.