Beware of Greeks bearing gifts. There are some pretty good reasons not to trust Julian Assange
Having facilitated the latest leak of yet to be confirmed dump of US government documents highlighting how the Central Intelligence Agency was using exploits in major tech products to carry out intel gathering ops, Wikileaks founder Julian Assange announced last Thursday he was prepared to hand over technical details that would allow them to plug the gaps in their security.
If the information in the leaked Vault 7 material is true, as it most likely will prove to be based on the accuracy of past data dumps, it will prove that the CIA knew of flaws in Android, iOS, and many other devices. It would follow that they used this knowledge for espionage, since they’re . . . well . . . a spy agency.
There has been plenty of debate over whether government hackers have a responsibility to disclose to companies if they uncover an exploitable flaw. Should the government keep secret and use such information that in turn could be used against Americans? Interestingly, there is a process where these decisions over whether to disclose play out that essentially gives intelligence agencies a chance to make their case for keeping the bugs secret, allowing a third party to weigh their operational needs versus the public good.
While there is no denying that concerns about the overstepping of the bounds placed on the intelligence agencies are well founded, there is little reason to believe that Assange is being genuine in his offer.
1. Is he working for the Russians?
Assange is either a willing agent for Russian intelligence or has an extreme case of tunnel vision that only lets him see the sketchy behavior coming out of Western governments. Whatever you think about Edward Snowden’s leaks — and there is PLENTY to criticize about him — the discussion that emerged afterwards about where the lines should be drawn on US government-run surveillance to the global consciousness.
But what about Russia’s bad actions? Snowden conveniently found a safe haven there after fleeing the US, escaping the long reaches of the US government. Assange has had his own show on Kremlin mouthpiece and propaganda machine RT, making it hard to claim that he is a fair arbitrator in this case.
While everything should be viewed through a critical lens, whether it comes from a government or company, there are actors who play dirtier than others. If Wikileaks wants to speak truth to power, then they should call foul when Russia or others break the rules as well.
Either way, without Assange’s motives being clearer, it would be inadvisable to move forward with him.
2. The fact is the information in these reports show that this not really news
Despite the initial panic over the idea that gold standard communication apps like Signal or the more widely used Whatsapp could have been compromised, the general reaction at this point is a resounding shrug.
It turned out that the apps were perfectly secure. The method that the CIA (and probably others) had come up with was to hack the phones themselves, heading off the security on the apps. On the face of it, this means that the CIA is still unable to use mass surveillance to vacuum up your data so long as you use encryption. Therefore, if the intel group wants to spy on your device, they will have to hack your specific device. Taking the effort to do so is a decent limit on unchecked power.
Oh, and the matter that Samsung smart TVs spy on you? They were built to do that. Anything with a camera and microphone can record you. Words to live by. Anyone remember Hello Barbie?
3. Are his exploits still relevant?
The second question that needs to be asked here is if the exploits that he has here are still relevant. On the one hand a RAND Corporation report notes that the average zero-day exploit can remain out in the wild for 6.9 years, which certainly feels like a long time.
At the same time, assessing the real value of an exploit dump can be difficult as patches issued from companies often plug many of these holes on a weekly or perhaps more consistent basis. Therefore the really good ones can be sold in packages that reach the millions of dollars.
However what is far more likely is that the CIA already knows what Assange has his hands on and considers those exploits burned, moving on to new hacks that we do not yet know about.
4. How much more does he have?
Even as Assange offers to pass on to the tech giants the parts of the documents that he did not release or were redacted, we don’t know which parts he’s holding back for his friends.
Even if the information that he is passing is legit, there is a good chance that he is still keeping the best ones in his pocket. If we believe that he has a connection to the Russian government, then he might be passing those along to them.
What is certain is that he is connected with hacker groups that would probably be just as interested in receiving the exploits and to whom he is just as likely to hand off some of the juicier bits.
5. Political fallout: For Silicon Valley’s own reputation, it might not look so good to be accepting help
While there does not appear to be anything illegal about taking “help” from Assange that would fix flaws in security, the optics of appearing too friendly with the leader of Wikileaks simply do not look good.
Unlike most bug bounty programs that have thankfully become far more commonplace, most of the companies recognize that this is pretty much a publicity stunt to make the US intelligence community look bad and Wikileaks to be the hero.
Much like the Russian involvement during the US elections, Assange is trying to sow distrust in how the public views the government and the tech industry. By proffering himself as the one who can step in and save us from the government, he is trying to undermine the system.
As one of the biggest lobbyist groups, the tech sector has a much stronger interest in not appearing to undermine their relationship with the government. Especially as the topic of talent related H-1B visas are all of a sudden on the chopping block. It is one thing to go head to head with the Justice Department over encryption, and another to be embracing someone who has made himself a clear antagonist against the US.
It probably is worth mentioning that the mostly liberal Silicon Valley – with some pretty notable exceptions – are probably still a bit peeved at the man behind the DNC email leak that played a part in sinking Hillary Clinton’s campaign.
When push comes to shove, the tech cos will likely look for alternative paths to securing their technology, preferably which is far less controversial.