Future Tense
The Citizen's Guide to the Future

March 16 2017 6:11 PM

Future Tense Event: Is Technology Enriching Language? ¯\_(ツ)_/¯

The oral tradition begat the printing press and the bounded book, which begat our touchscreen civilization, which begat much hand-wringing about the fate of language. It's easy to bemoan the informality and spontaneity of ubiquitous, democratized communication in all its forms—especially if you're willing to dismiss the democratization. But the ability to communicate across cultures and distance has never been greater, and technology increasingly provides translation across media, languages, and cultures in real time.

Join Future Tense in New York on Wednesday, March 29, for a happy hour conversation on how new and emerging technologies are changing the way we speak, write, and communicate. Will language be richer or poorer for it? For more information and to RSVP, visit the New America website.


Melissa Broder
Poet and author, Last Sext

John McWhorter
Linguist and associate professor of English and comparative literature, Columbia University

Ben Zimmer
Language columnist, the Wall Street Journal

Katy Waldman
Words correspondent, Slate

March 16 2017 11:38 AM

The Russian Officials Charged in the Yahoo Hack Will Never Be Arrested. Maybe That’s OK.

In 2014, when the Justice Department charged five members of the Chinese People’s Liberation Army with illegal cyberespionage, the New York Times called the move “almost certainly symbolic since there is virtually no chance that the Chinese would turn over the five People’s Liberation Army members named in the indictment.” Indeed, nearly three years later, those charges have led to no arrests and, seemingly, has done little more than irritate the Chinese government.

The Justice Department’s decision this week to charge two members of the Russian Federal Security Service with similar cyber espionage crimes—tied, in this case, to the 2014 breach of millions of Yahoo user accounts—appears, at first glance, to be similarly symbolic. The traditional legal toolset for enforcing laws—indictments, trials, juries, imprisonment—are not especially useful when it comes to going after people who are living in other countries and are protected by (indeed, in these cases, employed by) their home governments. The United States can file as many furious indictments as it likes against the members of foreign intelligence services who have infiltrated U.S. computer systems, but the FBI Wanted posters are unlikely to deter those services from doing their jobs.

Still, this week’s charges against the Russians may be slightly more meaningful and less symbolic than those against the Chinese for two reasons.

First, the newly released charges actually resulted in an arrest—not of either of the two charged FSB officers but of independent hacker Karim Baratov, who allegedly helped the FSB infiltrate Yahoo’s networks and who, inconveniently for him, lived in Canada. The two FSB officers named in the indictment, Dmitry Dokuchaev and Igor Sushchin, and the other independent hacker charged with helping them, Alexsey Belan, all live in Russia and have not been arrested. They probably never will be. But even being able to try one person for complicity in a foreign government’s cyberespionage efforts would be a triumph both because it might actually help deter others from following the same path and, perhaps more likely, the trial could offer even greater insight into the inner workings of Russia's cyber operation.

Second, the the indictment filed against Dokuchaev, Sushchin, Belan, and Baratov gives the rather remarkable impression that arrest and prosecution was not necessarily even the Justice Department’s endgame. Instead, the details of the Yahoo breach laid out in the document seem designed to embarrass the four accused men, perhaps even get them in trouble with their own employer—and to spread distrust of the FSB within Russia and neighboring countries.

The indictment details how the accused allegedly tried to use their compromise of Yahoo’s networks to enrich themselves, not just to provide useful intelligence to the Russian government. For instance, according to the indictment, Belan hijacked Yahoo searches for erectile dysfunction drugs so that people who searched for them would be redirected to the website of an online pharmaceutical company that would, in turn, pay Belan for sending traffic its way. The indictment also accuses Belan of searching compromised Yahoo email accounts for retail gift cards and credit card information. And no surprise he was trying to supplement his income since the FSB’s freelancing fee, per the indictment, is roughly $100 per targeted compromised account.

While much of the indictment covers the compromise of accounts run by U.S. companies, including Google as well as Yahoo, the actual espionage activities it details are largely unrelated to U.S. targets. For instance, their targets apparently included officers of a Russian financial firm, an assistant to the deputy chairman of the Russian Federation, the chairman of a Russian Federation Council committee, a physical training expert employed by the Ministry of Sports of a Russian republic, the CEO of a metals industry holding company in a country bordering Russia, a prominent banker and university trustee in a country bordering Russia, an International Monetary Fund official, employees at a major Russian cybersecurity firm, and an officer of the Russian Ministry of Internal Affairs working in its “Bureau of Special Technical Projects” (which, coincidentally, investigates “cyber, high technology, and child pornography crimes”).

The indictment doesn’t name any specific victims or compromised email accounts but it does offer some largely redacted examples of targeted accounts (******as@gmail.com, for instance, as well as ********ov@yahoo.com and ************va@gmail.com). I can only imagine these were included in an effort to send into a panic every person in Russia (and its neighboring countries) with a last name ending in –va, –ov, or –as.

Indeed, much of the indictment seems to have been written to incite discord and distrust of the FSB by Russian companies and government officials. On the flip side, it could serve as a warning to the FSB that its freelancers are using their assignments not just to gather the requested information but also to pick up a few stolen gift cards and redirect some unwitting online shoppers just trying to find a reputable place to buy their male enhancement drugs. Hopefully, it will also make Russians a little more wary of emails purporting to be from the Russian Federal Tax Service (a phishing technique employed by Sushchin and Dokuchaev to try to compromise accounts of Russian financial officers).

Whether any of that will matter to the Russian government is anybody’s guess, but it’s an interesting way to try to make what would otherwise be a fairly toothless indictment a bit sharper. Rather than a tool of legal process, this indictment reads more as a reminder that the U.S. government can also reveal embarrassing information about the inner workings of the Russian government, even if it can’t get its hands on the men who stole your Amazon gift card.

March 16 2017 11:29 AM

Netizen Report: Azerbaijani Bloggers Targeted With Legal Threats, Spearphishing

The Netizen Report offers an international snapshot of challenges, victories, and emerging trends in internet rights around the world. It originally appears each week on Global Voices Advocacy. Ellery Roberts Biddle, Arzu Geybullayeva, Leila Nachawati Rego, and Sarah Myers West contributed to this report.

Azerbaijani video blogger Mehman Huseynov was sentenced to two years in prison on charges of slander over videos he shared on his Facebook page. His page, where he covers a range of topics including working conditions and the wealth of government officials, has more than 300,000 followers.

Arresting, silencing, and intimidating journalists, bloggers, and activists is par for the course in Azerbaijan these days, but Huseynov is the first blogger or journalist to be officially sentenced for slander by a court in Azerbaijan. Prior cases of journalists or bloggers being sentenced typically involved charges like narcotics possession (often bogus), hooliganism, abuse of power, and tax evasion.

Targeted surveillance of human rights advocates also appears to be increasingly common. New reports and technical research confirm that multiple advocates in the country have fallen victim to spearphishing surveillance technologies, which create fake accounts or take over real accounts in order to impersonate other human rights defenders in the country.

According to Amnesty International and other researchers, several activists have reported finding someone had impersonated their emails and Facebook accounts in order to identify and compromise others they communicate with. Dissidents in the country have experienced similar attacks in the past, and Azerbaijan is among the countries that sought to acquire targeted surveillance software from the company Hacking Team—but many fear this is a sign the political circumstances for human rights defenders in the country are likely to get worse.

Censorship is rising in France—is anyone watching?
The number of websites blocked and delisted (that is, removed from search engine results) more than doubled in France in 2016 compared with past years. Under a law passed shortly after the 2015 attacks in Paris, 834 websites were blocked and 1,929 were delisted in the last year, an increase likely tied to the counter-terrorism regulation that enables authorities to order the blocking of sites without the approval of a judge. There is no list of which websites have been blocked or delisted, making it difficult to assess how authorities are implementing the rules, and whether or not any sites have been blocked without legitimate cause. The nongovernmental organization coalition European Digital Rights and the website Islamic News, which was blocked shortly after the law was enacted, have both criticized the policy.

China censors scientists who criticize censorship regime
Yet again, Chinese scientists have spoken out against the country’s web filtering system, the Great Firewall, arguing that the system damages research. Luo Fuhe, vice chair of the national advisory body the Chinese People’s Political Consultative Conference, recently submitted a proposal urging the government to improve loading speeds for overseas websites. As in the past, shortly after local media began to pick up coverage of the proposal, reports started to be taken down by national censors.

Pakistani leaders talk again of censoring “blasphemous” content online
In Pakistan’s National Assembly, multiple officials, including Interior Minister Chaudhry Nisar Ali Khan, have called for bans on social media platforms that allow blasphemy. This is not unprecedented by any means: YouTube has been temporarily blocked multiple times and was banned from late 2012 to early 2016, due in large part to content deemed offensive to religious sentiment. Increasingly, individuals and organized groups use accusations of blasphemy to silence others. Two major TV networks have been embroiled in legal blasphemy cases in the last two years.

Representatives also have linked these arguments with concerns about social media users criticizing government officials online. Local news outlet Dawn said that a statement from the interior minister essentially argued that “no country could allow religious sentiments to be hurt or top state functionaries to be subjected to ridicule under the pretext of freedom of expression.”

Facebook: Developers can no longer use data for surveillance purposes
Facebook announced new prohibitions against the use of its data by developers for the purposes of mass surveillance. Last fall, the ACLU found that Facebook, Instagram, and Twitter sold user data to Geofeedia, a company advertising social media surveillance tools to police in the United States to monitor protesters and activists of color. With Facebook’s latest response, all three platforms now have a clearly stated policy that bans the use of their data, which can be obtained through their platform APIs, for surveillance purposes.

South Africans to government: #HandsOffSocialMedia
South African social media users pushed back strongly against reported plans to regulate social media to counter false narratives and the spread of fake news. Rallying around the hashtag #HandsOffSocialMedia, South Africans have accused the government of seeking to control expression and discourse in the country.

The Philippines moves to accredit bloggers—with strings attached
The Philippine government announced plans to give media accreditation to bloggers and social media publishers. Accreditation will grant bloggers easier and faster access to media passes for government events, but would restrict the use of “offensive, inflammatory, or provocative” language. The proposal would also require that they publish press releases and statements from the Presidential Communications Operations Office. Several prominent independent media workers expressed concern about these requirements at a recent town hall meeting, including journalism professor Danilo Arao, who later wrote that the policy would reduce accredited bloggers to “mere mouthpieces” of the Presidential Communications office.

Why did Russia add a secure app to its “information dissemination organizer” list?
Russian media regulator added the messaging app Threema to its Registry of Information Dissemination Organizers, the first time it has included a foreign app to the list. The list was introduced after a federal law was passed requiring all websites to store Russian users’ metadata and make it available to authorities. Threema claims it offers users full anonymity, though it has not released its full code to the public for vetting that this is the case.

Syrian web developer has been in prison for five years
On March 15, 2012, web developer and human rights activist Bassel Khartabil was imprisoned by the Syrian government in Damascus. Since October 2015, his whereabouts have been unknown. Creative Commons and the FreeBassel campaign are proposing a set of actions that friends and followers can take to express their support for his release.

March 15 2017 1:30 PM

Future Tense Newsletter: What Algorithms Can Learn From a Single Photograph

Greetings, Future Tensers,

Maybe you should think twice before hitting “share” on that photo. As former Amazon chief scientist Andreas Weigend wrote this week, photo-analyzing software has advanced to the point where it can recognize faces, deduce place and time of day, speculate whether you’re in a fancy restaurant or gay bar, guess your emotional sentiments, or even copy your fingerprints. As these algorithms bring us closer to a post-privacy world, he argues, “we need to start thinking about how these images of us might be used to make decisions about us”—and how we might protect against algorithmic discrimination.

Engineers are also creating algorithms with the potential to predict something else significant about us—when we’ll die. But, says end-of-life care researcher Ravi Parikh, that may not be as unsettling as it seems. In their increasingly accurate prognoses, he explains, these mortality-prophesizing machines may actually give us more humanity.

Here are some other things we read between generating Texas oilmen aliases for our all climate change–related correspondences:

Whack hacking claims: Despite some fearmongering reports, the WikiLeaks documents detailing CIA hacking tools do not show that the spy agency has compromised secure messaging apps like Signal. Instead, it shows they found risky, expensive, hard-to-scale ways to hack the phones they run on, writes Yael Grauer. They didn’t “break Signal any more than looking at your phone over your shoulder breaks Signal,” one expert told Grauer.

Dumped, again: Trey Herr explains that though we don’t know who provided the CIA files to WikiLeaks last week, political rivals have taken notice of the damage that leaking their opponents’ espionage tools can do. Expect a lot more of these sorts of dumps in the future.

5 fast facts about Heavy.com: Will Oremus gives us the lowdown on Heavy.com, the site that’s been dominating your Google news search results, in the signature quintet style the site has come to be known for.


Could technology—from high-tech helmets to virtual training to real-time biometric data—make sports safer? And how will it change the state of play? Join Future Tense in Washington, D.C., on March 23 for drinks and conversation with those working to sideline injuries. RSVP to attend in person or watch online here.

Algorithms tell us what to read, where to go, and whom to date, but do we really understand them? Join ASU’s Ed Finn, author of the new book What Algorithms Want: Imagination in the Age of Computing, and the New Atlantis Christine Rosen in Washington on March 28 for a conversation about why we need to understand the systems that increasingly steer our lives.* RSVP to attend in person or watch online here.

Bon voyage, Boaty McBoatface,
Kirsten Berg
for Future Tense

*Correction, March 15, 2017: This post originally misstated the location of the Future Tense event about the book What Algorithms Want. It will be held in Washington, not New York.

March 15 2017 11:05 AM

What Algorithms Want: A Future Tense Book Event

It’s easy to think of algorithms as magical beings, delivering purely objective, admirably efficient, and sometimes startlingly insightful solutions to our everyday problems, but in his new book What Algorithms Want: Imagination in the Age of Computing, Ed Finn reveals them to be more like Captain Kirk than Spock. The algorithm shares roots with Alan Turing and ancient Babylonian mathematicians, but also the boundaries of language, cognition and magical thinking.

How are algorithms changing our lives, from the aesthetics of television shows to the structure of the economy? What, really, do algorithms want from us? Do they have an imagination of their own? An agenda?

CUPERTINO, CA - OCTOBER 27: Emoticons are displayed on the Touch Bar on a new Apple MacBook Pro laptop during a product launch event on October 27, 2016 in Cupertino, California. Apple Inc. unveiled the latest iterations of its MacBook Pro line of laptops and TV app. (Photo by Stephen Lam/Getty Images)

Photo by Stephen Lam/Getty Images

On Tuesday, March 28, Ed Finn—the director of Arizona State University’s Center for Science and the Imagination and the academic director of Future Tense—will discuss What Algorithms Want at a happy hour event at the New America office in Washington, D.C. He’ll be joined by Christine Rosen, a Future Tense fellow and senior editor of the New Atlantis, to examine why we need to understand algorithms and how computational intelligence can build (or prevent) an enhanced (human) future.

The reception and registration will open at 5:30 p.m., followed by the conversation at 6 p.m. For more information and to RSVP, visit the New America website.

March 9 2017 4:02 PM

Can Technology Make Sports Safer? A Future Tense Event.

We’re a nation of sports nuts. We rally around our favorite teams, deify athletes, and sustain a multibillion-dollar industry built to celebrate athleticism and human endurance. As a result, athletes face intense pressure to consistently outperform one another and their own prior outings, often at their own expense. Despite how effortless athletes make their performances look on the field, their bodies are constantly under duress, constantly on the verge of the next injury, often maximizing short-term glory at the expense of longer-term health and well-being. Now technologies like high-tech helmets, mobile virtual players, training robots, and biometric data services are being deployed with an eye toward sidelining most sports injuries.

Join Future Tense—a partnership of Slate, New America, and Arizona State University—on Thursday, March 23, in Washington, D.C., to consider the effectiveness of these efforts to make sports safer, and our relationship as fans to the bravado sports culture that can at times romanticize injuries and view them as an integral part of the game.

The reception will begin at 5:30 p.m., followed by the main program at 6 p.m. For more information and to RSVP, visit the New America website.


Ellen Arruda
Professor of mechanical engineering, biomedical engineering, and macromolecular science and engineering, University of Michigan

George Atallah
Assistant executive director for external affairs, NFL Players Association

Derek Belch
Co-founder and CEO, STRIVR Labs

Victoria Jackson
Sports historian, Arizona State University

Josh Levin
Executive editor, Slate

Roderick Moore Jr.
Vice president of sports performance, Catapult Sports

Nicholas Schmidle
Staff writer, The New Yorker

Kenneth Shropshire
Director, Wharton Sports Business Initiative, University of Pennsylvania

Buddy Teevens
Head coach, Dartmouth Football

March 8 2017 10:58 AM

Future Tense Newsletter: Space Exploration Isn’t Just About Scientific Discovery

Greetings, Future Tensers,

Nothing gets me in the spirit of International Woman’s Day quite like reading two accomplished female leaders on the future of space exploration. Lindy Elkins-Tanton, director of the School of Earth and Space Exploration at Arizona State University, and Ellen Stofan, the former chief scientist of NASA, continue our March Futurography unit on the “New Space Race” by exploring the role of competition and collaboration in space endeavors. Elkins-Tanton writes that the purpose of space exploration is more than just scientific discovery—it’s about inspiration. She warns that if India or China beats the U.S. to Mars, it would be akin to a military defeat. Stofan says that we won’t get to our next big space milestone without international collaboration, writing, “When you are exploring space, going it alone has never been, and will never be, an option.”

On a more terrestrial note, WikiLeaks has released thousands of new documents detailing the CIA’s hacking capabilities. The document dump shows the CIA’s ability to hack smartphones, computers, and smart TVs—not just your AOL email accounts. (I’m looking at you, Vice President Pence.)

Other things we read this week while testing our reading comprehension before trolling the comments section:

  • When A.I. can’t be trusted: Using Google’s Home smart speaker and Uber’s self-driving cars as examples, Will Oremus discusses the consequences of releasing consumer technologies with A.I. too soon.
  • Wikipedia’s battle over short articles: If you, like so many, turn to Wikipedia for quick answers, you should be wary of how volunteer editors interpret Wikipedia’s policies in favor of longer articles.
  • Cyber extortion: Josephine Wolff argues that no one should pay hackers holding data for ransom unless it’s a life or death situation.
  • The origins of the rubella vaccine: Meredith Wadman, author of The Vaccine Race: Science, Politics, and the Human Costs of Defeating Disease, shares the untold story of the aborted fetus that helped created the rubella vaccine.*
  • Prenatal testing: Read an excerpt from Bonnie Rochman’s new book, The Gene Machine, on how prenatal genetic testing will change the way we procreate and the ethical dilemmas it raises for us.

Sent from my iPhone,
Emily Fritcke
For Future Tense

*Correction, March 9, 2017: This post originally misspelled Meredith Wadman's last name.

March 8 2017 10:54 AM

WikiLeaks Says the CIA Can “Bypass” Secure Messaging Apps Like Signal. What Does That Mean?

When WikiLeaks released Vault7, a series of leaks on the CIA’s hacking tools, people who use secure messaging apps were alarmed. The press release accompanying the trove of documents stated that the CIA was able to “bypass” the encryption of secure messaging tools—including Signal—“by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”

This led some to believe that the CIA broke Signal, compromising their favorite secure messaging app. But a closer look reveals that the situation isn’t as dire as it seems. The CIA does not have a way around the cryptographic elements of the app. “They did not break Signal any more than looking at your phone over your shoulder breaks Signal,” said Nicholas Weaver, a computer security researcher at the International Computer Science Institute.

The CIA and other government agencies can circumvent messaging apps if they compromise your smartphone. But that’s not something they can do on a mass scale at the push of a button. Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, says that the kind of bulk surveillance we learned about through Edward Snowden’s revelations is now much more difficult to accomplish thanks to the proliferation of end-to-end encryption (including HTTPS, iMessage, and Signal).

Open Whisper Systems, developers of the Signal app and the Signal protocol used by WhatsApp (and others) wrote a series of three tweets saying as much:

The CIA/WikiLeaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption. The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working. Ubiquitous e2e [end to end] encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.

Weaver says the term “bypass,” which showed up in the WikiLeaks press release, isn’t inaccurate, even though it’s misleading. “It does bypass encryption, but it actually means the encryption is good, so this is the only way left,” he says.

No app or tool is foolproof. But Hall both points out that hacking target phones and installing tools surreptitiously is an expensive, risky, and time-consuming process. That said, governments have been known to target both activists and terrorists, and they are definitely capable of breaking into the underlying operating system and capturing information on the device. So it’s not a good idea to share secret information about your plans to overthrow dictatorships on Signal, or to blast out incriminating information when you’re on the run from the state. If a government agency breaks into your device and your phone operating system is compromised, no messaging app or tool can protect your information.

For phones that haven’t been compromised, Signal has a myriad of benefits over many messaging apps. (Learn how to set it up here.) It’s impervious to Stingrays, or cell-site simulators that trick phones into connecting to them and capture the content of their communications. “Signal does not use your actual phone. It’s mimicking a phone in software, and because it’s not using the radio on your phone that’s associated with your cellular network, it can’t be tricked,” says Hall. Since Signal uses your internet connection rather than your cell signal, it bypasses any kind of eavesdropping technique designed for cellular or mobile networks.

Another benefit is that Signal keeps extremely limited data on its users. When Open Whisper Systems received a subpoena from the Eastern District of Virginia requiring it to provide information about two Signal users for a federal grand jury investigation, the only information the company had was the date and time one of the two users registered with Signal, and the last date of that person’s connectivity to the service.

So, should Signal users do anything different in light of the leaks? If you use Signal on an iPhone, Nexus, or Pixel, Weaver recommends looking at your threat model. If you don’t think you’re at risk of the CIA or another government risking a $1.5 million zero-day exploit to access your phone, you can rest easy. But he recommends other Android users toss their phones in the trash. “Most Android phones don’t meet the security requirements of a teenager,” he says. But that’s not exactly a secret. These phones have long been criticized for slow updates and out-of-date software that makes users vulnerable to a whole host of publicized security flaws.

It’s always a good idea for users to update their phones and apps to the newest versions, if possible. In fact, Apple told Tech Crunch that many of the iOS exploits in the WikiLeaks dump have already been patched—and it’s working on the rest of them.

But vendors can only create patches for flaws they know about, and another thing that makes both Android and iOS users vulnerable to security flaws is when the CIA holds onto these vulnerabilities rather than disclosing them. In a blog post, the Electronic Frontier Foundation points out that stockpiling these vulnerabilities rather than ensuring that they are patched makes everyone less safe.

March 7 2017 2:34 PM

No One Should Give In to Cyber Extortion Unless It’s a Life or Death Situation

In time, we may look back on Russia’s interference with the 2016 presidential election as the good old days of cybercrime and information warfare. Sure, poorly protected computers enabled some fairly dramatic attempts at large-scale manipulation and humiliation—but on the bright side, there was nothing subtle or secret about it. Large-scale dumps of embarrassing political documents on Wikileaks are far preferable to the activity that Bloomberg attributed to Russian hackers this week: demanding payments from liberal U.S. organizations to prevent their stolen data from being released.

According to Bloomberg reporter Michael Riley, at least a dozen progressive groups have been told to make payments ranging from $30,000 to $150,000 or face the public release of compromising stolen emails and files. It’s not yet clear whether the Russian government is actually driving these extortion efforts, and the sums of money demanded in anonymous Bitcoin payments seem far too small to be of much interest to a major national government. But, Riley writes, the perpetrators of these extortion attempts “used some of the techniques that security experts consider hallmarks of Cozy Bear,” the Russian government hacking group.

Whether or not a foreign government is making these particular ransom demands, they’re an important reminder that governments certainly could leverage their ability to compromise computer networks as a tool for demanding money or other concessions from U.S political organizations. Wikileaks dumps are a fairly crude, blunt instrument for manipulation. Targeted blackmail has the potential to be a much defter and more dangerous one.

Online extortion is not new—ransomware has been plaguing victims for years, enabled by the development of anonymous, largely untraceable cryptocurrencies like Bitcoin—and it undoubtedly has a bright criminal future. Extortion eliminates the need for cyber thieves to find customers for their stolen data or risk wading into black market forums where law enforcement officials may be lurking. It allows criminals to wring value out of even the least interesting or commercially valuable information by selling it back to the one person to whom it has value: you.

Furthermore, we’re hurtling toward a future of more and more Internet-connected devices that will perform crucial everyday functions but store very little interesting data. In this world, extortion will give criminals a way to profit off compromising your light bulbs or refrigerator or toaster oven. There’s unlikely to be data of any value to you (or anyone else) stored on those devices, but you’d probably be willing to pay a small ransom to someone who figured out how to make them malfunction in sufficiently irritating ways.

But you shouldn’t. And the groups currently being targeted shouldn’t pay up, either, even if the release of profoundly humiliating—or even compromising—information is at stake. There may be a small number of special, life-threatening circumstances in which paying an online ransom demand is the right choice—at a hospital, for instance, or stuck inside a compromised moving vehicle. But otherwise, it is absolutely the worst thing victims can do both for themselves and for everyone else.

That may seem sort of counterintuitive—obviously there are some kinds of public humiliation that it could be worth $30,000 to avoid. To some organizations, it may even seem easier (and perhaps cheaper, too) to pay off online intruders than to invest in better protections for their computer systems. But an organization that agrees to pay the hush money has no guarantees that the information won’t still end up being released—or, even more likely, that their adversary won’t return a few months later to demand an additional payment. Unlike a kidnapping victim who can be safely returned, or even a hard drive encrypted by ransomware that can be decrypted upon payment, someone who has stolen your data will likely always retain a copy of that data. That means no amount of paid ransom will ever definitively resolve the situation to the victim’s satisfaction.

Paying ransoms and caving to extortion demands just encourages more of the same activity, directed at both previous victims and new ones. The only way to effectively discourage this kind of crime is to make it so fruitless, so unprofitable, so profoundly ineffective that the perpetrators find a new outlet for their energies. And the only way to do that is to stop relying on individual victims and organizations to make these choices themselves and implement policies that explicitly penalize the payment of online ransoms in most circumstances.

Comparable policies outlawing the payment of ransoms for kidnapping victims—and freezing the assets of their families to prevent such payments—have, unsurprisingly, been very controversial. A 2013 study of the 1991 Italian law that froze kidnapping victims’ families’ assets found that the policy ultimately reduced the number of kidnappings in Sardinia as well as the duration of such incidents. Others have argued pretty persuasively that, in the case of kidnapping, when victims’ lives are at stake, an outright ban may be too stringent a policy, leading to deaths that might otherwise have been avoided.

These arguments lose much of their force when transferred to the realm of online extortion where, for now at least, few lives hang in the balance and all hope of tracking the perpetrators by following the payment pretty much disappears given the nature of cryptocurrencies. Most of these payments, including the ones demanded of breached liberal groups, should be illegal—or, at the very least, heavily taxed.

That may seem like an unfair burden to put on the victims of these crimes when it's the perpetrators who are at fault and deserve to be punished. But as is so often the case when it comes to online crime, identifying the perpetrators is difficult—and even if they can be identified, there’s no guarantee they’ll fall within the jurisdiction of U.S. laws. So the onus has to fall on the rest of us, even if it means sometimes sacrificing our pride, our data, and our reputations when we might have much preferred to just spend a little money.

March 7 2017 1:34 PM

WikiLeaks Has Released a Trove of Documents Detailing the CIA’s Hacking Capabilities

On Tuesday, WikiLeaks released thousands of new documents it claimed were from the Central Intelligence Agency. The documents, which detail some of the CIA’s hacking capabilities, are part of a larger trove of data WikiLeaks says it will continue to release in a series. WikiLeaks is calling the series Vault 7 and has named Tuesday’s dump Year Zero:

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

“Year Zero,” WikiLeaks writes, “introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of ‘zero day’ weaponized exploits” against vulnerabilities in smartphones, computers, and Samsung smart TVs. The smartphone vulnerabilities reportedly allow the CIA to hack into phones running popular secure messaging apps like Signal and WhatsApp and intercept messages and data before the apps’ encryption is applied. (While some on Twitter have interpreted this to mean that Signal has been "broken,” that isn’t the case.) The dump also reportedly reveals ways in which the CIA has attempted to cover its digital tracks in its hacking efforts and the location of a major base for CIA hackers in Europe.

WikiLeaks says many of the hacking tools described in Vault 7 were made unclassified to skirt rules on posting classified information to the internet—most of the CIA’s malware requires the use of the internet for communication. “This means that cyber ‘arms’ manufactures and computer hackers can freely “pirate” these ‘weapons’ if they are obtained,” WikiLeaks claims. “The CIA has primarily had to rely on obfuscation to protect its malware secrets.”

WikiLeaks says it has elected not to release the actual code for the CIA’s malware and cyberweapons “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.”

The New York Times reported that a former intelligence officer it contacted has said the some of the information included in the dump “appears to be genuine.” David Kennedy, CEO of the information security firm TrustedSec, told Wired the dump’s information appeared genuine as well:

“From what I can tell, this seems to be legitimate,” says David Kennedy, CEO of TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signals intelligence unit. “It shows expansive capabilities of the CIA and divulges NSA tools as well. But a lot of it seems to be missing, as far as direct codebase used for these.” Wikileaks says it redacted much of that more specific information.
Those redactions, in part, make it difficult to ascertain just how comprehensive the leaked information is. In spite of Wikileaks’ claims, it is only a small fraction of the CIA’s total arsenal.