How to process WikiLeaks’ Vault 7 dump if you are Zimbabwean

“The worst thing that could happen is for users to lose faith in encryption-enabled tools and stop using them.”

WikiLeaks’ “Vault 7” leaks reveal the CIA’s dangerous global hacking arsenal. It’s forcing people everywhere to question their privacy rights. Photo credit: Blogtrepreneur / Flickr (CC BY 2.0)

by: Obert Madondo | Published Mar 20, 2017, by The Zimbabwean Progressive

WikiLeaks recently released what it claims to be the global hacking arsenal of the U.S. Central Intelligence Agency (CIA): a trove of 8,761 documents and files comprising “malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.”

Code-named “Vault 7”, the dump came from “an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.” According to WikiLeaks, in addition to developing its own hacking tools, the CIA also harnessed the power of the surveillance tools created by professional hackers, cybersecurity companies, security researchers, and other key players in the intelligence game, including the National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ).

No need to panic here if you’re Zimbabwean. To be clear, the “Vault 7” leak confirms the increasing powers of key spy agencies such as Robert Mugabe’s “secret police,” the dreaded Central Intelligence Organization (CIO). But the dump also confirms that encrypted messaging apps such as Signal and WhatsApp are still your first line of defence against government surveillance.

Encryption is a method of protecting data and communications from unintended eyes, including those of authoritarian regimes and criminals profiting from our private data. It ensures that the communication you send across the internet is turned into pure gobbledygook, almost impossible for unintended recipients to unscramble. Only you and the intended recipient, who must have a “decryption key” or password, can make sense of the communication.

Still, it’s important to appreciate the fact that the Vault 7 release is freaking out a lot of people to the point of losing faith in encrypted communication apps. That reaction is understandable. Reading WikiLeaks’ “Vault 7” intro information, and the media’s coverage of the dump, one gets the impression that spying agencies are now able to bypass the security offered by encrypted messaging apps.

Introducing “Vault 7”, WikiLeaks tweeted:

WikiLeaks also claims that the CIA’s new spying techniques permit the agency to “bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”

According to WikiLeaks:

The CIA’s Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user’s geolocation, audio and text communications as well as covertly activate the phone’s camera and microphone.

Reading major global publications such as the Independent (UK) and New York Times, one is left with the impression that the CIA has found ways to exploit vulnerabilities in the devices ordinary people now heavily rely on at home and work, as well as essential computer software, and iOS and Android operating systems. One is tempted to conclude that the CIA has developed new software capable of cracking into or taking full control of Android smartphones and Apple iPhones.

On March 7, 2017, Edward Snowden, the former NSA contractor who blew the whistle on the agency’s expansive armory of surveillance tools back in 2013, tweeted:

So, how should Zimbabweans process WikiLeaks’ “Vault 7” dump? Below are a few things to consider:

First, civil libertarians suggest caution before pushing the panic button. Cindy Cohn, the executive director of the Electronic Frontier Foundation (EFF), a San Francisco-based group specializing in online privacy and digital rights, recently blogged:

While we are still reviewing the material, we have not seen any indications that the encryption of popular privacy apps such as Signal and WhatsApp has been broken. We believe that encryption still offers significant protection against surveillance. The worst thing that could happen is for users to lose faith in encryption-enabled tools and stop using them.

Second, leading tech companies whose software was allegedly breached, such as Apple, Google and Microsoft, say they have since fixed many of the vulnerabilities the CIA may have exploited.

Third, breaching end-to-end encryption is damn expensive. Big Brother would need gargantuan amounts of computing power and time to decipher encrypted communications. That leaves spies with these limited options: a) Targeting only high-priority individuals; b) Resorting to old school surveillance techniques, such as bugging phones and following targets around; c) Installing malware on individual targeted devices to harvest communications before encryption takes effect.

The bottom line is: encryption works.

That said, for Zimbabweans, faith in encrypted messaging tools is not enough. Zimbabwean activists and rights defenders are increasingly harnessing the power of the internet, digital activism, social media platforms, and modern communication technologies to plan and coordinate collective action. In 2016, Internet-enabled mobile phones, social media platforms and communication apps such as WhatsApp were driving forces behind Pastor Evan Mawarire’s #ThisFlag protest and youth-led Tajamuka/Sesijukile’s #ShutDownZim protests. Undoubtedly, the internet, social media and modern communications technologies will improve political participation during Zimbabwe’s 2018 elections. They will strengthen Zimbabwean democracy after the fall of the Mugabe dictatorship.

But Zimbabweans are increasingly using the enriching power of the internet in the face of increasing government surveillance. The Mugabe regime has been deepening and expanding its surveillance capacity since at least 2000.

The Post and Telecommunications Act, enacted in 2000, allows government interception of communications. The government used the Interception of Communications Act (ICA), enacted in 2007, to co-opt telecom companies and internet service providers (ISPs) into its surveillance agenda. Under ICA, service providers are required to “provide a telecommunications service which has the capacity to be intercepted.” They must ensure that their “services are capable of rendering real time and full time monitoring facilities for the interception of communications.”

The government responded to the game-changing #ThisFlag and Tajamuka/Sesijukile protests by temporarily blocking access to WhatsApp, and by boosting its surveillance capabilities. Later, the government introduced the so-called Computer Crime and Cyber Crime Bill, which would authorize the interception of communications and seizure of communication devices such as cellphones and computers. Since the Bill’s introduction in August 2016, government, police and military officials have repeatedly warned Zimbabweans against “abusing” social media platforms and colluding with “diaspora cyber terrorists”.

The latest draft version of the Computer Crime and Cyber Crime Bill confirms the Mugabe regime’s determination to criminalize Zimbabweans’ online and offline activism, and even accessing computer systems:

A Bill for An Act to criminalize offences against computers and network related crime; to consolidate the criminal law on computer crime and network crime; to provide for investigation and collection of evidence for computer and network related crime; to provide for the admission of electronic evidence for such offences, and to provide for matters connected with or incidental to the foregoing.

The CIO is no longer the only spying entity Zimbabweans need to be concerned about. The Joint Operations Command (JOC), which consists of President Mugabe and the chiefs of the army, air force, intelligence services, police, and prisons, and the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), the country’s telecoms regulator, are also part of Mugabe’s surveillance apparatus.

The ICA established a Monitoring of Interception of Communications Center, the “sole facility through which authorised interceptions shall be effected.” In the name of national security, the centre has the power to intercept all telecommunications, including emails and phone calls. The Computer Crime and Cyber Crime Bill proposes the creation of a Computer Crime and Cybercrime Management Centre dedicated to the interception of Zimbabweans’ communications, and seizure of cellphones and computers.

The Mugabe regime is responding to Zimbabweans’ growing use of the Internet, social media and modern communication technologies by extending its authoritarian agenda into cyberspace. Increased government surveillance powers should not deter Zimbabweans from the goal of defeating Mugabe in 2018. The following are a few of the tools, online behaviours and resources Zimbabweans can adopt to protect themselves, and their colleagues, against Mugabe’s burgeoning digital authoritarianism:

  • Don’t panic.
  • Use encrypted privacy apps such as Signal and WhatsApp for all of your sensitive communications.
  • Make sure you’re using the latest version of the apps on your mobile phone, computer and other communications devices.
  • Knowledge is power. Expand your understanding of government surveillance in the global context. The internet is full of useful information on government surveillance and, importantly, safe communication technologies, strategies and practices Zimbabwean activists, rights defenders, journalists/bloggers, and ordinary Zimbabweans can adopt to defend themselves and their families, friends and communities against government surveillance. The Electronic Frontier Foundation’s Surveillance Self-Defense guide is an excellent starting point.
  • Make government surveillance an election issue for the landmark 2018 elections. The Internet, social media and modern communications technologies will play an important role in strengthening Zimbabwean democracy after the dictatorship’s fall. So far, no opposition party has offered any substantial guarantees that they will revisit Mugabe’s surveillance agencies and draconian information control laws. Now is the time to start telling the post-Mugabe government that Zimbabwe needs new Internet cyber security policies grounded in transparency, constitutionalism and human rights.

This article is part of The Zimbabwean Progressive’s “Zimbabwe Surveillance Self-Defense” initiative, whose main pre-occupation is in-depth, comparative and evidence-based independent journalism on Mugabe’s ever-evolving surveillance and digital authoritarianism. In the coming months, the initiative will unmask Zimbabwe’s key surveillance organizations, practices and information control laws. It will bring safe communication technologies, strategies and practices to the doorsteps of Zimbabwean activists, rights defenders, journalists/bloggers, and ordinary Zimbabweans who wish to defend themselves and their families, friends and communities against government surveillance.

Obert Madondo is an Ottawa-based blogger, activist, photographer, digital rights enthusiast, and former international development administrator. He’s the founder and editor of these blogs: The Canadian Progressive, Zimbabwean Progressive, and Charity Files. Follow him on Twitter: @Obiemad

This article is published under a Creative Commons Attribution-NonCommercial 4.0 International licence. No permission is required for non-commercial reuse and distribution. However, you’re strictly required to cite the original source in accordance with the terms of the license.