No, the CIA Hasn’t Compromised Signal and WhatsApp

By
Signal’s end-to-end encryption is still safe from the CIA’s prying eyes. Photo: Jaap Arriens/NurPhoto via Getty Images

WikiLeaks has released a new data dump today, which it is calling “Vault 7,” detailing some of the surveillance and hacking tools WikiLeaks claims the CIA currently uses. The release, which is made up of nearly 8,000 web pages and 1,000 documents, has a couple of bombshells that — if true — would show that the CIA wields some truly powerful tools, including the ability to use smart TVs as active surveillance devices, and using “Zero Day” exploits against popular smartphones like iPhone, Android, and Microsoft’s Windows devices.

Fortunately, one of the claims getting the most play online isn’t technically true. Here is this tweet from the New York Times (which the Times later deleted and apologized for):

And the full paragraph detailing the leak in the Times:

Among other disclosures that, if confirmed, would rock the technology world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect ‘audio and message traffic before encryption is applied.’

It’s that second sentence that’s vital here: It’s not that the encryption on Signal, WhatsApp (which uses the same encryption protocol as Signal), or Telegram has been broken, it’s that the CIA may have a way to break into Android devices that are using Signal and other encrypted messaging apps, and thus be able see what users are typing and reading before it becomes encrypted.

What WikiLeaks says the CIA is able to do right now on Android phones is look over your shoulder while you use your phone. It doesn’t matter how strong or secure your end-to-end encryption program is if someone can observe everything you type or read.

Not that that hasn’t caused the spread of, at best, misleading information on Twitter:

The bottom line is that if the CIA has managed to install malware on your Android smartphone (perhaps something like a keylogger or screen-capture program), it wouldn’t matter how strong the encryption is.

In the meantime, anyone saying the CIA has “cracked Signal,” or other encrypted chat apps, is either betraying a lack of understanding about what WikiLeaks claims the CIA is capable of doing, or engaging in base fearmongering. There’s plenty to be worried about in the WikiLeaks “Vault 7” file dump. Signal, WhatsApp, and Telegram being cracked isn’t one of them.

Update 1:14 p.m. ET: Signal creator Moxie Marlinspike offered his own thoughts about the information revealed in the WikiLeaks “Vault 7” files. “For us, it’s confirmation that the things we’re doing are working,” says Marlinspike. “End-to-end encryption has pushed intelligence agencies away from undetected and unfettered mass surveillance to where they have to use high-risk and targeted attacks.”

“They have to use these [attacks] very carefully,” continues Marlinspike. “Every time they use one, there’s a chance it’ll be detected, which costs millions of dollars to them.”

When asked if he took any personal satisfaction in knowing he’s created additional headaches for intelligence agencies, Marlinspike paused before simply replying, “No comment.”

No, the CIA Hasn’t ‘Cracked’ Encrypted Chat App Signal