Skip to content

What Vault 7 Means for You & How to Protect Yourself With Encryption

Posted in Act Out!, Austin, Creative Commons, Journalism, and Video

Kit O’Connell wrote this segment of Act Out!

With special thanks to Oh Shit! What Now? Austin.

So, you may have heard: the CIA could be listening to your phone conversations, recording your Skype calls, and even spying on you through your TV.

The CIA seal as seen on the floor of CIA headquarters. (Wikimedia Commons, PD)

The latest bombshell from WikiLeaks, code named “Vault 7,” revealed the Central Intelligence Agency’s secret tool box of technological exploits. This leak is terrifying, to be sure, but it also gives tech companies valuable new information about how to protect their users.

And for everyday activists on the Front Lines, there are some vital, and simple steps we can take to protect our allies and our plans from surveillance.

Now, we still don’t know who’s responsible for the Vault 7 leak, although WikiLeaks released a statement saying that the anonymous source, “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

Much like Snowden hoped to do.

WikiLeaks infographic: “WikiLeaks. The truth will always win. Vault 7: What, where, when, who, why?” (WikiLeaks)

WikiLeaks describes Vault 7 as the CIA’s arsenal of “malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation” including exploits which target “a wide range of U.S. and European company products, [including] Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”

Even more disturbing than the very existence of these secret spy tools is the fact that the CIA actually lost control of its cyberweapons. “The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

They created a monster – and now Franken-spyer is on the loose. On the flip side, after releasing selected details to the public and the media, WikiLeaks promised to supply the details of the CIA’s exploits to device manufacturers, meaning Apple, Google, and the rest can hopefully begin to patch these holes.

A creepy ice cream van parked down the block. (Flickr / Paul & Hien Brown, CC NC)

That being said, there’s no doubt that the surveillance state has upped their spy game. What used to take a team of people to bug your room and then lurk in a creepy van down the street now takes one guy in his office watching you watch your TV. Smartphones, and the proliferation of the so-called “internet of things” — or as computer security researchers call it, the “internet of shit” because it’s notoriously insecure — have certainly made it easier to spy on all of us. Essentially, we’ve willingly let the cops and the feds into our living rooms. Amazon even turned over Alexa recordings to police in an Arkansas murder case in early March.

Meme: “People in the sixties: The government will wiretap your home. People now: Hey wire tap, can cats eat pancakes?”

So in light of all this: what can we do? Is there any hope that we can keep our plans private and our comrades safe, at least from local police and less determined state and federal agents?

In short, yes. You may have heard that this leak revealed that the encryption in popular messaging services like WhatsApp or Signal was broken, but these early reports were wrong and popular encryption methods are still as secure as ever.

As Open Whisper Systems, makers of one of the most popular encrypted messaging apps, Signal, tweeted on the day WikiLeaks released Vault 7:

In other words – encrypt, encrypt, encrypt! And take these steps to help keep spying eyes at bay:

The first thing you should consider is what security experts call “threat modeling,” which basically means determining how risky your plans are and, therefore, how big of a target you have painted on your back. The Electronic Frontier Foundation has a detailed guide to surveillance self-defense at ssd.eff.org, including a great introduction to threat modeling. I’ll start with the EFF’s five threat modeling questions. When you’re planning an action, or seeking to protect your movement, ask yourself:

  1. What do you want to protect?
  2. Who do you want to protect it from?
  3. How likely is it that you will need to protect it?
  4. How bad are the consequences if you fail? And
  5. How much trouble are you willing to go through in order to try to prevent those consequences?
Stop Tar Sands banner drop in Oklahoma, March 19, 2013. Threat modeling means a banner drop like this … (Flickr / Tar Sands Blockade, CC license)

Now, the EFF’s guide goes into more detail than I can include here, so you should really study it yourself, but essentially, what threat modeling means is that the more likely someone is to try to shut down your protest, your action, or your movement, the more precautions you should take to stay safe. So, for example, a three person team carrying out a single banner drop on an overpass would need to take fewer precautions than dozens or hundreds of people planning a major shutdown of a highway, or a multi-day occupation of a public space.

… than a blockade of construction equipment, like this one. Tar Sands Blockade action in Texas, November 19, 2012. (Flickr / Elizabeth Brossa, CC NC SA license)

To be extra safe, plan sensitive actions in person, with only trusted allies. If you’re worried about someone using your phone to listen in on your meeting, turn it off before you get to the meeting space or leave it at home. Keep in mind that even if your phone is off, it can still be a medium for surveillance.

If you’ve got anything sensitive on your phone, which means pretty much everyone, it’s important that you lock your phone, and use a long passcode of at least 8 characters. iPhones are automatically encrypted when you password protect them, but (OS: Android security settings) Android users need to go into their phone’s security settings and turn on phone encryption. Don’t lose your password, though. You’ll need it to turn on your phone from now on. And, for all you iPhone users, it’s not a good idea to use the fingerprint lock feature, even though a federal judge recently ruled that police can’t compel you to unlock your phone using a fingerprint reader. This ruling is simply too new, and police have been getting away with forcing you to unlock your phone for too long, so you’re still better off with just a passcode.

Riot police with batons out at inauguration protests on January 20, 2017. (Flickr / Joe Catron, CC NC license)

Also you should seriously consider just leaving your phone at home before a protest or direct action where there’s a high risk of arrest. In one recent, chilling example, police kept most of the phones of the activists who were arrested at the J20 inauguration protests, and are using them to map out networks of activist groups for infiltration and state harassment. So, at the very least, turn off your phone before you are arrested or buy cheap “burner” phones to use just for the event that can be destroyed if arrest is imminent.

A street medic in a Guy Fawkes mask uses a smartphone to film a protest. August 29, 2011. (Flickr / Daniel Hoherd, CC NC license)

And even when you aren’t about to take the streets, one of the most important steps anyone can take to make you and your contacts safer from surveillance is to again encrypt your communications — which means quit planning shit using Facebook messenger. Signal, the Snowden-approved app I mentioned above, is available for free on both iPhone and Android and it’s one of the simplest and most secure options for text messaging, voice and even video chats.

Just download Signal from the App Store on your phone, and follow the on screen setup after you launch the app. It takes less than five minutes, even if you’re not a computer genius. Once you’re up and running, any text messages, phone and video calls made through Signal are encrypted, as long as the recipient is also using Signal. Of course, this means that not only do you have to to download Signal, but you need to encourage all your comrades, your friends, your lawyer, and your family to do the same.

An NYPD elevated surveillance booth near Zuccotti Park, home of Occupy Wall Street in New York City. December 15. 2011. (Flickr / Jagz Mario, CC SA license)

After all, if just a few activists encrypt our communication while planning a protest, they might as well be broadcasting “spy on us!” to the world. But if all of us, activists and supporters alike, use Signal and other forms of encryption for our everyday messaging, it becomes harder for the government and the corporations that control it to target the activists undermining their plans.

A woman uses her smartphone while seated on the subway. (Flickr / Dragan, CC license)

And even if you’re not planning a protest, these tools allow anyone who doesn’t want the fucking government spying on them to utilize secure tools to thwart the surveillance state – because it’s not about whether you have something to hide or not, it’s about our right to private communication – even if it’s just you and your mom talking about dinner plans.

So, start using Signal and other forms of encryption whenever you can. It’s an easy way all of us can protect ourselves and the activists on the front lines.

What Vault 7 Means for You & How to Protect Yourself With Encryption by Kit O’Connell is licensed under a Creative Commons Attribution 4.0 International License.
Based on a work at https://kitoconnell.com/2017/03/24/vault-7-means-protect-encryption/.

If you enjoyed this post, please support Kit on Patreon!

Subscribe to Gonzo Notes

Get Kit′s thoughts on current events, and links to all his latest writing, delivered 2-4 times per month to your inbox.

FreshMail.com