Is Wikileaks Blackmailing Tech Companies For CIA Hacking Details?… Good Question…
Wikileaks had the chance to become a bit of a hero by standing by its pledge to release details of the various CIA hacking techniques that it acquired. But it seems to have decided that blackmailing the tech industry is far more important. Here are the details from Motherboard:
Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security “zero days” and other surveillance methods in the possession of the Central Intelligence Agency… Wikileaks’ demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard’s sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Now, if Wikileaks is asking for a 90-day deadline to force these companies to fix these issues in a timely manner, that would be in line with responsible disclosure efforts like Project Zero. Thus there would be nothing to see here. However, if there’s more to it, that will not inspire confidence.
Of course the cynic in me also sees this as some sort of litmus test. As in, they’re trying to see who’s potentially in bed with the CIA, or the Kremlin, or anyone else. After all, if you are a tech company and you have a bug out there that’s part of this dump, you’d think that you want to fix it ASAP. Unless you’re working with those who are spying on their citizens, or others, or both.
Other than the above reasons, I struggle to see a good faith reason for WikiLeaks to require agreement to any terms before they tell tech companies about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with. Perhaps it would be simpler for them to say “here’s the bugs we found in the documents that we got. Prove to us that they’re fixed or going to be fixed in 90 days or we go public with them” and leave it at that. The mystery over whatever else they want isn’t helpful IMHO.