WikiLeaks and “Vault 7”: a serious cause for concern

This post is also available in: frFrançais (French)

7 March 2017 – The revelations of WikiLeaks of 7 March 2017 are a serious cause for concern. The NGO published a new batch of documents, “Vault 7”, about CIA surveillance techniques. AEDH considers that it is a serious and concerning violation of the right to privacy and protection of personal data of American citizens, but also of European citizens. More than 8.000 documents from 2013 to 2016 describe the commonly used spying methods of the CIA.

Documents detail numerous programmes and security breaches, which enable the CIA to hack devices (smartphone running iOs –iPhones- or Android, Samsung smart TVs, connected terminals functioning with different versions of the operating system) in order to take control of devices or access data conserved inside.

Should we be surprised by the CIA’s spying methods?

Since Edward Snowden’s revelations, we know that this policy is asserted and assumed not only by the American government but also by European Union Member States as evidenced by the cooperation agreements. AEDH notes that technical progress, such as connected devices, are immediately used to improve the mass surveillance that Snowden revealed.

These revelations should raise questions on the data protection of connected devices offered by the developer and the limits to set for national intelligence services, American as well as European.

A necessary growing involvement of the companies producing connected devices

Connected devices gather a lot of sensitive data, without any safeguard to protect information of users. Now is the time for companies to be concerned by security breaches of their materials and to stop considering data protection as a burden. Companies have already launched the movement in favour of a greater involvement in data protection: for example, Mozilla, a non-profit foundation, calls to develop “responsible” connected devices and to patch the lack of security. It is necessary that companies work on finding solutions to improve safeguards, privacy and data protection.

Violation of privacy: a cause for European citizens ‘concern

The violation of data protection by an American authority, either an agency or at a government level, is also a concern for European citizens. Indeed, there are numerous agreements between the United States and the European Union, as the European Parliament and the Commission had estimated that the US legal arsenal in relation to privacy was comparable to the European one. It is on this basis that American authorities retain personal data of European citizens and can access it under certain conditions. For example, there is the US-UE PNR agreement, which allows the transfer of passenger name record (of flight from or to the United States) to American security services. The documents published by WikiLeaks demonstrate how little some American agencies considerate data protection: this makes it all the more necessary to debate these agreements.

Complaisance of European security services

The published documents mention the “Weeping Angel” program, a technique putting the target TV in a “fake-off” mode in taking control of the TV in order to spy people near the TV. This tool would have been jointly developed by the CIA and MI5, the British intelligence agency.

It is not the first time that European security services are implicated in a close collaboration with American intelligence services. The organisation WikiLeaks had already highlighted the responsibility of the German Intelligence Service in the spying of European target organised by the CIA.

AEDH protests against the involvement of European security services in the development of techniques of mass surveillances and against the violation of the right to privacy and to the protection of personal data. The EU Member States have to check that the European legislation concerning the fundamental rights is respected, including by their security agencies. They also have to question the protection of personal data offered by co-signatories to agreements in order to draw the necessary conclusions.