ARI SHAPIRO, HOST:
A day after WikiLeaks published what it claims is the CIA's secret guide to hacking, the Trump administration is vowing to go after people who leak classified information. Here's White House Spokesman Sean Spicer today.
(SOUNDBITE OF PRESS CONFERENCE)
SEAN SPICER: This alleged leak should concern every single American in terms of the impact it has on our national security.
SHAPIRO: Among other things, the documents purport to show how the CIA reads messages sent on popular encrypted messaging apps like WhatsApp and Signal. To get a perspective from Silicon Valley, I spoke earlier today with Nico Sell. She's the founder of Wickr, an app that allows people to send encrypted messages that self-destruct after a given time. And she told me what she saw in these documents did not especially surprise her.
NICO SELL: For a long time, I've been educating activists that you really need to think about all the different layers that you have going on on your phone and try your best to protect from them.
SHAPIRO: Explain what you mean by that because it seems that the CIA was not necessarily hacking the apps but rather hacking the devices themselves.
SELL: Right. So if you were to have a hardware-level bug on your phone, it has access to everything that the device is doing. And so therefore you could see anything.
SHAPIRO: Now, some tech companies like Apple and Kaspersky say they have already patched the holes that are described in these documents. Does that suggest that this is just an arms race between the tech companies and the government, each trying to outdo the other?
SELL: That's exactly what it is. And what I think's important to remember here is no security's a hundred percent. Everything can be hacked. And what we need to just do is get better at raising the bar, the cost and time it takes to use these vulnerabilities.
SHAPIRO: It seems as though one takeaway from this leak is it does not matter how secure your encryption is in a particular app. If your device, your phone or laptop or whatever it may be has been hacked, they can read what you're doing - period.
SELL: Exactly. And so there are some other tips that we give to activists assuming that your phone has been owned, which is, you can still talk in code. For instance...
SHAPIRO: Talk in code, meaning, like, the eagle has landed kind of thing.
SELL: Exactly.
SHAPIRO: (Laughter).
SELL: And this is things that the activists know to do already.
SHAPIRO: You're referring to activists. Law enforcement refers to criminals. The FBI director, James Comey, today said that encryption apps are basically the default for pedophiles, terrorists and other people who want to escape law enforcement. I think this speaks to a larger question that many Americans have, which is, what have you got to hide?
SELL: You know, I think it's really cute when Americans say that. I think people from other countries have a much closer memory of not trusting their government. One of the things that we suggest above and beyond encryption is that you have shorter time to live on the data that lives in your network. With Wickr, you can set a self-destruct timer because the less data that you have around, the less footprint that you have, then the less likely you are to be owned.
SHAPIRO: Even disappearing messages don't seem that safe or protected if somebody is watching what you type as you type it.
SELL: Well, so like I said, nothing is a hundred percent. But the shorter time a piece of data lives, the more secure it is.
SHAPIRO: Beyond the knowledge that the CIA was doing this, is there harm in the information being available publicly, being published on WikiLeaks?
SELL: So, you know, I mean I think it's definitely a concern that an agency that's job is keeping secrets is leaking information. And having these exploits out there for more people to have their eyes on is definitely a concern. I think what we've seen here, too, is that the agencies overall are hoarding vulnerability data and who are hoarding vulnerabilities and using them for their own benefit. And I think there needs to be some public discussion here about, what are the cyber norms? How long can vulnerabilities be held, and how often can the public be in danger?
SHAPIRO: Nico Sell is the founder of the Wickr app and the Wickr Foundation, a nonprofit dedicated to privacy and technology. Thanks for being on the program.
SELL: Thanks for having me, Ari - interesting as always. Transcript provided by NPR, Copyright NPR.