KRWG

WikiLeaks Reveal Demonstrates Encryption Apps' Vulnerabilities

Mar 10, 2017
Copyright 2017 NPR. To see more, visit http://www.npr.org/.

DAVID GREENE, HOST:

More and more people are using encryption apps like Signal and WhatsApp to secure their text messages, or to try to do that at least. The latest batch of WikiLeaks prove that those programs essentially become irrelevant if a hacker takes control of your smartphone.

MOXIE MARLINSPIKE: If you're, you know, sending an encrypted text message to somebody and someone else is standing behind you looking over your shoulder, encryption doesn't help you there.

GREENE: That is Moxie Marlinspike, the founder of Signal, an encrypted messaging app. WikiLeaks did not expose any vulnerabilities in Signal's technology, but it did reveal that when the CIA hacks into a smartphone, it can easily exploit the phone itself. And that means a hacker can read your messages as you're typing them before they even get encrypted. Think of it like a computer virus that's infected your phone.

MARLINSPIKE: It's not the kind of thing where, you know, some CIA agent presses a button and suddenly has access to your phone. You would have had to be involved somehow, either by getting tricked into installing an app that's like the CIA's app or clicking on a link or something and getting something installed that way. It's not mass surveillance, you know? And that's really a big distinction that I think is worth trying.

GREENE: Now that there's been this revelation that, even as unlikely as it is, you say, that the CIA has malware, that they can be in a phone when someone is using Signal, are you developing more secure technology taking this into account?

MARLINSPIKE: You know, the vulnerabilities that the CIA have are in, like, the operating system. You know, they're in things like Android. The other thing to say is that, like, the information in this release was pretty technically unimpressive. If anything, it was obviously embarrassing to the CIA that this information got out, but it's also somewhat embarrassing that this is their level of sophistication. There's a tendency to sort of think, oh, my God, you know, the CIA has these insane capabilities, and I think the truth is somewhat different.

GREENE: Julian Assange, the founder of WikiLeaks, said that there's more coming. And he has just made this offer saying that he'll let tech companies have a look at the documents before he actually releases them to the public so you could fix things if there are any vulnerabilities. Are you going to take him up on that?

MARLINSPIKE: Well, I mean, like I said, these aren't vulnerabilities in anything that we've developed. So, you know, I presume he's talking about Google and Microsoft. I would imagine that most of the things have already been fixed.

GREENE: But is there an argument that what Julian Assange is offering is something that the government should be doing, that if they know about vulnerabilities in technology that they might tell you or, you know, Android about them, and that's not a role WikiLeaks should be playing?

MARLINSPIKE: Absolutely. I think - certainly I agree that it is irresponsible to hoard these vulnerabilities and to, A, think that, you know, no one else has discovered these vulnerabilities or to, B, think that they can manage them securely because, you know, obviously they can't. If what the CIA is interested in doing is protecting Americans, then I think it should be in the CIA's interest to disclose these vulnerabilities to American companies so that they can fix them and protect their users.

GREENE: I just find this so interesting because you created a technology that makes leakers in the government or elsewhere feel safer. But after this revelation, you know, the Trump administration is now saying we have to crack down on leaking. So your technology is at the heart of a question about leaking. So which is it for you? I mean, should the Trump administration crack down on leaking or is leaking something that you think should happen more and more?

MARLINSPIKE: Our objective is not necessarily to enable leakers. You know, all types of people use Signal. And really what we're trying to do is make private communication simple and to make mass surveillance impossible. So it's true that, you know, there are probably some people in government who use Signal for leaks.

But, you know, it's also true that the Trump transition team used Signal during the transition. It's also true that the Hillary Clinton campaign used Signal. Local police departments use Signal and Black Lives Matter uses Signal. Edward Snowden uses Signal. So, you know, there's a lot of people who are interested in private communication and making that as simple as possible, and that's what we're trying to enable.

GREENE: Moxie Marlinspike, thanks so much for joining us. We appreciate it.

MARLINSPIKE: Thank you.

GREENE: He is the creator of the messaging app Signal.

Transcript provided by NPR, Copyright NPR.