These were not the first instances in which Facebook and the federal government have been accused of gathering information from people’s private devices, conversations or even homes.
And they won’t be the last.
What both cases show, experts said, is a grim slice of reality: When it comes to digital data — photos, conversations, health information or finances — nothing can be perfectly private.
And for those entities charged with keeping and protecting people’s data, including governments and big tech companies, what’s best for consumer privacy may not always be in line with their own priorities.
“When it comes to making these decisions about privacy and vulnerabilities, without any clear law or anything, it all becomes a matter of opinion,” said Jeremiah Grossman, the chief of security strategy for cybersecurity firm SentinelOne. “The CIA could have a really reasoned argument for why it’s in the country’s best interest to hoard (tech vulnerabilities). Whereas I would prefer to have the information so we can fix our software and make everyone safer.”
Internet users are increasingly aware of this, and increasingly wary of institutions charged with protecting their data, according to studies from the Pew Research Center.
Just 12 percent of Americans and 9 percent of social media users report a “very high level of confidence” that the government and tech companies can keep their personal information safe and secure, according to a Pew study from 2016.
Overwhelmed with stories of hacks, attacks and the prying eyes of private companies and public agencies, fatigued consumers may feel even attempting to protect themselves in a digital age is futile, security experts said.
That, they added, is exactly the wrong approach.
“The truth is there’s no silver bullet,” said John Breyault, vice president of public policy at the National Consumers League. “There’s no foolproof way to protect your privacy and data security from the government, for example. But there are plenty of basic, important steps people can take to reduce their risk.”
WikiLeaks, an activist organization that exposes government secrets, revealed what appeared to be a legitimate trove of internal CIA documents Tuesday that suggested hackers within the agency had been able to co-opt Android and Apple smartphones, Samsung SmartTVs, and Internet-enabled cars, among other computer systems, to spy on targets.
Using a variety of tools, CIA hackers found ways past antivirus systems and defensive software by hacking into the deepest parts of a phone or computer operating system. That also let them get around messaging apps that encrypt communication, scrambling messages so third parties cannot intercept a conversation.
By Wednesday, companies cited in the data leak had responded, saying they were working to patch the apparent vulnerabilities of their products.
Samsung, whose Internet-connected TVs were put into a false off-mode and used as listening devices by CIA operatives, according to the leak, said Wednesday that it was “urgently” trying to fix the security flaws.
According to the leaked documents, the CIA discovered and kept secret 14 methods of exploiting Apple devices. Those methods are known as zero-day attacks, meaning they pounce on security defects that are unknown even to the company itself and, therefore, have no known fix.
Apple said in a statement that most of those issues were already fixed in its latest software update; those that weren’t were being quickly addressed, it said.
The spy agency also collected 24 “weaponized” zero-day exploits against Android devices, the documents said. Google, the creator of Android operating systems, did not respond to a request for comment.
Of course, some of these same companies have been embroiled in controversies over how they use and collect consumer data.
Google, which was sued for its practice of scanning Gmail users’ emails for advertising purposes, agreed to modify its own use of data following a lawsuit in 2010.
“Data has become such a part of wearables, smart homes, social media, smart cars, surveillance, that it’s not about privacy as much as it is about disclosure,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “These are data-driven products, tools, services, and the ethics of how you design and use these tools, and how people understand what you’re doing with their personal information — that’s the central point.”
Facebook was not named outright in the CIA documents, though WhatsApp, an encrypted messaging service owned by the social media giant, was.
But just six days prior to the WikiLeaks data dump, Facebook had been dealing with its own privacy concerns.
In settling a 2013 class-action lawsuit accusing it of violating the federal Wiretap Act and California’s Invasion of Privacy Act by mining Facebook users’ private messages without their knowledge or consent, the company agreed last week not to read its users’ private messages.
Facebook, which pointed out in the settlement that it had dropped that particular message-mining practice several years ago, vowed to make it clearer to users how all their data and information is scanned, used and sold to advertisers. The settlement still has to be reviewed by U.S. District Court Judge Phyllis Hamilton in Oakland on April 12 before it can take effect.
Though Facebook is not the CIA, and mining user messages using an algorithm is not the same as a human hacker breaking into someone’s cell phone or the TV they have at home, privacy advocates said both actions stem from a lack of transparency and strict privacy regulations in the U.S.
“What this settlement suggests, and not just to Facebook, but to other companies in the tech world, is if you tell people you’re offering people a private tech service, your word needs to be matched by what you’re doing,” Breyault said.
President Trump has pledged a forthcoming cybersecurity executive order that would push for studies of current vulnerabilities and the United States’ cyberattack capacity. But leaked drafts do not indicate a clear plan for addressing privacy concerns or creating a national mandate that protects consumer data.
“One of the key challenges of the Trump administration, which has been very pro-security, is learning how to integrate privacy concerns into surveillance concerns,” Polonetsky said. “Being responsible for deciding exactly what is too far or what is not for the CIA to use and deciding when we need strong encryption to protect our infrastructure even though that leads to security tensions is so important. These are conversations we need to have.”
©2017 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.