BROOKE GLADSTONE: This is On the Media. I'm Brooke Gladstone.
BOB GARFIELD: And I’m Bob Garfield. Last week, WikiLeaks released a gigantic cache of documents about how the CIA does its job. And yes, it was everyone's big story.
[CLIPS]:
MALE CORRESPONDENT: Explosive new documents revealed by WikiLeaks.
MALE CORRESPONDENT: Can the CIA spy on us using the technology we touch every day?
FEMALE CORRESPONDENT: They say the agency is spying on people via their computers, their smart phones and even their TVs.
BOB GARFIELD: Trouble is, says computer security expert Nicholas Weaver, the media portrayed the material in the data dump as new, incendiary and very spooky when, in fact, it was essentially a how-to guide for CIA operations that mostly are already known and don't affect American citizens. But Weaver says the exaggerated fear-mongering coverage was precisely what WikiLeaks sought to engineer, by doing its own analysis of the documents and serving that up to reporters.
NICHOLAS WEAVER: Here's an example. The WikiLeaks analysis pointed to the CIA phone hacking as how the CIA breaks signal. Signal is a encrypted messenger that can keep your messages safe from everybody. How many “CIA Breaks Signal” stories did you see?
[CLIPS]:
MALE CORRESPONDENT: The CIA had managed to crack the encryption using very popular applications like WhatsApp or Signal.
FEMALE CORRESPONDENT: The CIA hacked into their smart phones, even into encrypted apps like Signal and WhatsApp.
MALE CORRESPONDENT: Now, WikiLeaks says the CIA and, and British intelligence are capable of bypassing the security in those kinds of apps.
NICHOLAS WEAVER: This is deliberately deceptive, that if I can take over your phone I can read the messages you sent. There was nothing in the documents about CIA actually breaking Signal. It's just the well-known fact that if somebody compromises your cell phone, you see the encryption. It's like saying, I broke Signal because I'm watching you type in your message.
BOB GARFIELD: Another example, the CIA can hack your car. Here's what WikiLeaks wrote.
NICHOLAS WEAVER, READING: “As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified but it would permit the CIA to engage in nearly undetectable assassinations.”
BOB GARFIELD: And here’s the coverage.
[CLIP]:
FEMALE CORRESPONDENT: Another document revealed the program the CIA was working on to hack into cars, either to listen in or even crash them for assassinations.
[END CLIP]
NICHOLAS WEAVER: And the actual document is basically, oh, people are doing car hacking, this is interesting.
BOB GARFIELD: Perhaps the scariest misleading narrative ceded by WikiLeaks, that the CIA can spy on you through your TV.
MAN: Your own home under government surveillance? How the CIA may be using everyday devices like your TV to spy on you.
NICHOLAS WEAVER: In order to do this, the CIA has to walk up to your television, plug something in the back and manipulate the remote. If the CIA can do that, they can just stick a bug under the table.
BOB GARFIELD: There is no evidence that any of these tools were deployed against Americans or that we are particularly at risk, from the CIA, anyway, of being surveilled through the internet of things.
NICHOLAS WEAVER: Correct, there's no evidence of any abuse. Even for foreigners, this is reassuring because there's nothing in here that indicates mass surveillance; 99.999 plus percent of the world doesn't actually need to worry about the CIA, and the fraction that do, we want them to worry about the CIA.
BOB GARFIELD: [LAUGHS] And that's another point. It’s like we’re shocked - shocked that there’s espionage going on at the CIA. Well, yeah, they’re a spy organization. [LAUGHS] So the breathlessness of the reporting, in of itself, seems odd.
NICHOLAS WEAVER: And I think WikiLeaks helped that by creating this sense of pressure. They provided 500 megabytes of stuff that consisted mostly of internal developer notes and stuff like that. When they released everything at once, they effectively overwhelm the press and created a land rush mentality that forced reporters, in a hurry, to go with WikiLeaks’ analysis, to quote from WikiLeaks’ own release, “Has WikiLeaks already mined all the best stories?” No. “WikiLeaks has intentionally not written up hundreds of impactful stories to encourage others to find them and so create expertise in the area for subsequent parts in the series.” There, there, look. “Won’t other journalists find all the best stories before me?” “Unlikely. There are considerably more stories than there are journalists or academics who are in a position to write them.” They deliberately created this rush mentality that results in bad reporting.
BOB GARFIELD: There was also a quid pro quo. WikiLeaks said those who acted quickly, which is to say jumped at the analysis provided by WikiLeaks, would be rewarded later with early releases of subsequent data dumps, so, you know, kind of like, I’ll bribe you not to do your job right?
NICHOLAS WEAVER: That seems like such a cynical accurate view.
BOB GARFIELD: [LAUGHING] What’s a bit odd about this story, Nick, is that typically when there’s massive document dumps, often by a government agency under some sort of PR pressure, the intention is to obscure the contents, to create a haystack from which it is very difficult to locate a needle. In this case, if I understand you correctly, WikiLeaks dumped this material, said, yes, it's a haystack, but allow us to helpfully call your attention to the needles buried within.
NICHOLAS WEAVER: Correct.
BOB GARFIELD: And the needles that they pointed to didn't really amount to much.
NICHOLAS WEAVER: Because in order to evaluate the needles, you needed expertise. So you had good reporting by reporters who knew who to call. So, for example, Ellen Nakashima of the Washington Post did it right. She had a broad contact list of people and she kept re-contacting people like me throughout the day as the story evolved to go, is this part of the story real, is this realistic, is this not? And, as a consequence, her reporting was fantastic.
The New York Times did fix their coverage. So they initially tweeted out with a “CIA Breaks Signal” lead and they actually deleted their tweet and changed their article in response to comments from the technical experts. So some people did get it right.
BOB GARFIELD: But others did exactly what you say WikiLeaks intended for them to do, which is to rush to some pretty explosive conclusions, based on the signpost set up by WikiLeaks. Why? What’s in it for WikiLeaks to do this?
NICHOLAS WEAVER: WikiLeaks has a recent history of being very anti-US, so they've previously published CIA tasking orders purported to target the French election in 2012. It's the CIA's job to know what's happening in a election of the French government, and they tried to make up this big scandal. Beyond the disruption to the US, I don't know what their motives are, and you’d have to ask the guy running WikiLeaks, who's hiding from sexual assault charges.
BOB GARFIELD: WikiLeaks said in a press release that the document dump was about initiating public debate.
NICHOLAS WEAVER: This is not about public debate. If you wanted to talk about public debate, focus on the Snowden leaks. Those revealed programs that significantly disrupted people across the world. This reveals stuff that's basically the kind of thing I would assign to advanced undergrads in computer security: Build mal code that does this, build a device that copies floppies. This is reasonable Intrusion 101.
BOB GARFIELD: But is there anything that was dumped that in the hands of, you know, good undergraduate programmers could be used for mischief?
NICHOLAS WEAVER: Fortunately, no. Unlike most other releases, they actually did a reasonable job retracting things and they did not include tools at all. Now, the tools that they seem to have that they redacted are really simple things. They aren’t cyber weapons. But they didn't even release those.
BOB GARFIELD: The corrections of the story don't help very much ‘cause once the notion of the CIA snooping on you through your thermostat or whatever gets into the ether I don’t think it’s ever leaving. How will we know how much damage has been done here?
NICHOLAS WEAVER: It's impossible to know, but that is the damage done. They lost effectively no technical capabilities, but they got totally hammered in the court of world opinion. And so, this was an attack, in many ways, on the CIA. And it worked!
BOB GARFIELD: And the moral of this story and your advice for reporters dealing with WikiLeaks in the future?
NICHOLAS WEAVER: Step back and wait an hour. There's many of us in the security field who now know WikiLeaks’ game plan, and we will be analyzing this stuff in real time on Twitter, and reporters are welcome to join in.
The real disappointing thing is that this happened before with the Podesta emails, that there was very little, when you actually talked to political scientists, that was revelatory in all those emails, but there were so many stories.
BOB GARFIELD: Well, there was a great recipe, if I recall correctly.
NICHOLAS WEAVER: Yes, but everybody knows you have to be patient stirring risotto.
BOB GARFIELD: [LAUGHING] Nick, thank you very much.
NICHOLAS WEAVER: You’re welcome.
BOB GARFIELD: Nicholas Weaver is a senior staff researcher focusing on computer security at the International Computer Science Institute at Berkeley.
[TOM WAITS SINGING/“WAY DOWN IN THE HOLE”]:
When you walk through the garden
You gotta watch your back…
[SINGING UP & UNDER]
BOB GARFIELD: That’s it for this week’s show. On the Media is produced by Meara Sharma, Alana Casanova-Burgess, Jesse Brenneman and Micah Loewinger. We had more help from Sara Qari, Leah Feder and Kate Bakhtiyarova. And our show was edited – by Brooke. Our technical director is Jennifer Munson. Our engineers this week were Terence Bernardo and Sam Bair.
BROOKE GLADSTONE: Katya Rogers is our executive producer. Jim Schacter is WNYC’s vice-president for news. On the Media is a production of WNYC Studios. I’m Brooke Gladstone.
BOB GARFIELD: And I’m Bob Garfield.
