When it comes to protecting our privacy, we can take a cue from teenagers. As WikiLeaks’ recent disclosures revealed, the CIA and other agencies have designed and purchased hacking tools that can use your personal devices, including laptops and TVs, to secretly spy on you in your own home. Savvy tech users, as many teens are, know their laptop cameras are vulnerable to hacks. So they tape over them.
We shouldn’t have to rely on duct tape to protect our privacy. The ease with which the CIA and other intelligence agencies can turn our personal devices into spyware — in some cases even while they are in the “off” position — should shock us. Equally egregious is the CIA’s decision to hoard information about these vulnerabilities rather than alert the vendors so they could repair them. This threatened our personal security. It also endangered our national security.
Increasingly, sensors connected to the Internet are being embedded in all sorts of machines we use every day — not just laptops, but also refrigerators, thermostats and cars. These “Internet of Things” (IoT) devices should be secure by default. To play in this market, companies should be required to set out-of-the-box defaults to protect consumers against remote access and other likely hacks. They should also need to make all security and privacy features intuitive and self-explanatory.
Even when your machine’s camera looks like it’s asleep, it can record you. If criminals or the CIA have compromised it, the green light will not turn on. This can happen even though standards bodies and browser vendors have taken important steps, like requiring websites to indicate to users when a camera or microphone turns on and to explicitly ask permission to do so. Those standards also don’t cover all the IoT devices in your home. And there is no equivalent to a duct-tape fix for laptop, TV and smartphone microphones. Consumers shouldn’t have to take the matter into their own hands, with tape, sticky notes and other DIY tools, to stop spies at the gate. We need software and hardware solutions to protect our personal security. “Off” should really mean off.
As for the matter of national security, the CIA’s decision to hack in and exploit security weaknesses in our personal devices, and then hide the fact, was extraordinarily dumb. Parents often accuse teenagers of seeking short-term thrills and overlooking the long-term consequences of their actions. Whatever “national security” buzz the CIA got, they potentially exposed important infrastructure to malicious hackers, terrorists and bad-actor nations that do not wish us well.
One of the most important protections available to us is an established norm that when one of the “good guys” successfully breaks into a system, the makers and owners of the hardware or software are alerted — so they can fix the breach. This sharing of information is key to protecting ourselves. By hiding their hacks, including a breaking-and-entering app they developed with MI5 called Weeping Angel, the CIA broke that norm. These unfixed software vulnerabilities left us all exposed, and the CIA compromised every government agent and agency by potentially leaving their smartphones or laptops or TVs vulnerable to a foreign spy or a terrorist hacker.
Our national conversation too often equates security with secrecy. Yet it turns out that, while secrecy can sometimes promote security, it can also sometimes endanger it. As we saw last year, even the not-so-smart sensors embedded in everyday appliances and devices can be used to drill holes through our security systems. In the fall, a piece of malware called Marai targeted online consumer devices to enable a series of large-scale network attacks. One, claimed by the groups Anonymous and New World Hackers, disabled huge swaths of the Internet itself by using a botnet — consisting of a large number of Internet-connected devices such as printers, IP cameras and baby monitors — to shut down Dyn, one of the main Domain Name System operators (essentially, an address book for the Internet). Sites from Airbnb to Zillow were compromised.
These developments show that national cyber-security is complicated and merits an ongoing conversation — informed by technologists and policy stakeholders — about how to ensure it and balance it with other values, such as privacy, fairness and even personal security. Increasingly, agencies and companies are rushing to bake certain values into their technologies and technology use, often at the expense of other values and without any public airing. Consider the high-profile battle between Apple and the FBI over hacking into a San Bernardino terrorist’s iPhone. Apple built encryption software into its devices to protect its customers’ privacy. The FBI tried to force the company to create new software to hack its own phones. It also simultaneously employed a third party to do so. After the third party succeeded, the agency then refused to share how they did it with Apple, leaving iPhones vulnerable to future attacks. The bureau, for the sake of an outmoded definition of “national security”, decided to keep everyone less safe.
The attacks on our security and our way of life could get much worse. As the number of Internet-connected appliances and devices increases, and as they are increasingly hooked up to enable the machines to learn from one another, the stakes are raised as to which values to protect and how to prevent our machine networks from being used maliciously. These decisions should be democratically debated and adjudicated, not made for us by a handful of Silicon Valley executives or Langley agents. And we should insist that our devices and appliances be designed in ways that protect us by default and enable us to genuinely turn them off.
In the long run, our democratic institutions and civil society offer the best defense against runaway machines and misbehaving spy agencies. In the meantime, follow the smart teenagers’ example. Buy a roll of tape.