custom ad
NewsMarch 10, 2017

NEW YORK -- WikiLeaks has offered to help the likes of Google and Apple identify the software holes used by purported CIA hacking tools -- and that puts the tech industry in a bind. While companies have a responsibility -- not to mention financial incentive -- to fix problems in their software, accepting help from WikiLeaks raises legal and ethical questions. And it's not even clear at this point exactly what kind of information WikiLeaks has to offer...

By ANICK JESDANUN ~ Associated Press

NEW YORK -- WikiLeaks has offered to help the likes of Google and Apple identify the software holes used by purported CIA hacking tools -- and that puts the tech industry in a bind.

While companies have a responsibility -- not to mention financial incentive -- to fix problems in their software, accepting help from WikiLeaks raises legal and ethical questions. And it's not even clear at this point exactly what kind of information WikiLeaks has to offer.

The promise

WikiLeaks founder Julian Assange said Thursday the anti-secrecy site will work with technology companies to help defend them against software vulnerabilities in everyday gadgets such as phones and TVs.

In an online news conference, Assange said some companies had asked for more details about the purported CIA cyberespionage toolkit he revealed in a massive disclosure Tuesday.

"We have decided to work with them, to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out," Assange said.

The digital blueprints for what he described as "cyberweapons" would be published to the world "once this material is effectively disarmed by us."

Terms for disclosure, if any, weren't immediately known, nor was it known how much detail WikiLeaks has on specific vulnerabilities, rather than just the tools capable of exploiting them.

Legal questions

Tech companies could run into legal difficulties in accepting the offer, especially if they have government contracts or employees with security clearances.

"The unauthorized release of classified documents does not mean it's unclassified," said Stewart Baker, a former official at the Department of Homeland Security and former legal counsel for the National Security Agency. "Doing business with WikiLeaks and reviewing classified documents poses a real risk for at least their government-contracting arms and their cleared employees," Baker said.

But it's tough to prosecute cases involving classified documents, said Robert Cattanach, a former U.S. Department of Justice attorney. At some point, he and other experts said, courts and the administration may consider such material as having passed into the public domain.

Receive Daily Headlines FREESign up today!

Trust matters

But tech companies might face a bigger problem with public perception.

"They don't want to be seen as endorsing or supporting an organization with a tainted reputation and an unclear agenda," Cattanach said.

For instance, WikiLeaks published thousands of emails, some embarrassing, from breached Democratic Party computers and the account of a top aide to Hillary Clinton during the 2016 election. Those emails were stolen by hackers connected to the Russian government, an act U.S. intelligence agencies concluded was a Russian attempt to help Donald Trump win the presidency.

"You are getting in bed with someone who is ... happy to harm the interests of the United States in whatever way they can," Baker said. "That does raise concerns of an ethical sort for companies that take their nation seriously."

Joseph Lorenzo Hall, chief technologist with the civil-liberties group Center for Democracy and Technology, said companies would have to navigate with care and assume any discussions ultimately will become public, given WikiLeaks' past and "Assange's philosophy of radical transparency."

A better path

Ideally, the CIA would have shared such vulnerabilities directly with companies, as other government agencies long have done. In such a case, companies not only would be dealing with a known entity in an above-board fashion, they also might obtain a more nuanced understanding of the problems than might be apparent in documents or lines of computer code.

And if companies could learn details about how the CIA found these vulnerabilities, they also might find additional vulnerabilities using the same technique, said Johannes Ullrich, director of the Internet Storm Center at the SANS Institute.

But there are risks as well. Should tech companies obtain the actual hacking tools, Ullrich said, they'd have to treat them with great caution.

Some might have unadvertised features that could, for instance, start extracting data as soon as they launch.

Raphael Satter in Paris, Paisley Dodds in London, Deb Riechmann in Washington and Michael Liedtke in San Francisco contributed to this report.

Story Tags
Advertisement

Connect with the Southeast Missourian Newsroom:

For corrections to this story or other insights for the editor, click here. To submit a letter to the editor, click here. To learn about the Southeast Missourian’s AI Policy, click here.

Advertisement
Receive Daily Headlines FREESign up today!