A claim by Wikileaks that documents it released last week provide evidence of a “secret new industry” of mass surveillance was as breathless as previous pronouncements from Julian Assange’s organization. But the material does provide a stark reminder that our online activities are easily snooped upon, and suggests that governments or police around the world can easily go shopping for tools to capture whatever information they want from us.
The take-home for ordinary computer users is that the privacy and security safeguards they use—including passwords and even encryption tools—present only minor obstacles to what one researcher calls the “cyber security industrial complex.”
“There is no true privacy in any computing systems against determined government-level surveillance,” says Radu Sion, a computer scientist at Stony Brook University who directs its Network Security and Applied Cryptography Laboratory. He says that as computing systems become more complex, and reliant on components from many different suppliers, the number of vulnerabilities that can be exploited by attackers and surveillance tools will grow.
The 287 documents released by Wikileaks come from 160 companies in 25 countries. They detail various commercial products and services offered to governments and law enforcement officials interested in intercepting online communications or eavesdropping on computer use. Wikileaks founder Julian Assange described the documents as unmasking a “international mass surveillance industry.” In fact, many of the companies named have been discussed in public before, for example, Blue Coat, a U.S. company whose corporate network filters have been used by the Syrian regime to censor the Internet inside the nation’s borders and spy on dissidents. However, the Wikileaks release was still noteworthy because of its breadth and level of detail.
Marketing materials from a German company, DigiTask, are a typical offering from the new Wikileaks haul. They describe how the company’s software—installed on users’ computers by taking advantage of newly found software defects known as “zero day exploits”—could steal encryption keys to let law enforcement or governments eavesdrop. The same method was used against security software company RSA earlier this year in an apparent attempt to compromise U.S. defense contractors.