Date: 2017-03-11

By Anick Jesdanun, Michael Liedtke

WikiLeaks has offered to help the likes of Google and Apple identify the software holes used by purported CIA hacking tools - and that puts the tech industry in something of a bind.

While companies have both a responsibility and financial incentive to fix problems in their software, accepting help from WikiLeaks raises legal and ethical questions. And it's not even clear exactly what kind of assistance WikiLeaks can offer.

The promise

WikiLeaks founder Julian Assange said yesterday that the anti-secrecy site will help technology companies find and fix software vulnerabilities in everyday gadgets such as phones and TVs. In an online news conference, Assange said some companies had asked for more details about the purported CIA cyber-espionage toolkit that he revealed in a massive disclosure on Wednesday.

"We have decided to work with them, to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out," he said.

The digital blueprints for what he described as "cyber-weapons" would be published to the world "once this material is effectively disarmed by us".

Any conditions WikiLeaks might set for its cooperation weren't immediately known. Nor was it clear if WikiLeaks holds additional details on specific vulnerabilities, or merely the tools designed to exploit them.

Legal questions

Tech companies could run into legal difficulties in accepting the offer, especially if they have government contracts or employees with security clearances.

"The unauthorised release of classified documents does not mean it's unclassified," said Stewart Baker, a former official at the Department of Homeland Security and former legal counsel for the National Security Agency. "Doing business with WikiLeaks and reviewing classified documents poses a real risk for at least their government contracting arms and their cleared employees." Other lawyers, however, are convinced that much of the information in the documents is so widely known that they are now part of the public domain. That means tech companies would be unlikely to face any legal liability for digging deeper with WikiLeaks.

Alternatively, suppose tech companies don't accept WikiLeaks' offer - and are subsequently hacked. At that point, they could face charges of negligence, particularly in Europe where privacy laws are much stricter than in the US, said Michael Zweiback, a former assistant US attorney and cyber-crime adviser now in private practice.

Getting too close to WikiLeaks

Public perception might be a bigger problem. "They don't want to be seen as endorsing or supporting an organisation with a tainted reputation and an unclear agenda," said Robert Cattanach, a former US Department of Justice attorney.

But most tech companies already have digital hotlines to receive tips about security weaknesses, even if they come from unsavoury characters. So it wouldn't break new ground for them to consult with an organisation such as WikiLeaks.

A better path

Ideally, the CIA would have shared such vulnerabilities directly with companies, as other government agencies have long done. In that case, companies would not only be dealing with a known entity in an above-board fashion, but they might also obtain a more nuanced understanding of the problems than their engineers could glean from documents or lines of computer code. And if companies could learn details about how the CIA found these vulnerabilities, they might also find additional holes using the same technique, said Johannes Ullrich, director of the Internet Storm Centre at the Sans Institute.

And there are risks in obtaining actual hacking tools from WikiLeaks. Some might have unadvertised features that could, for instance, start extracting data as soon as they launch. Ullrich said the CIA also might have left some traps to attack people running its exploits. If these aren't detailed in the documents, only the CIA would be able to help tech companies avoid setting them off.

Better than nothing

There's one more unknown, which is just how much help WikiLeaks can actually provide. Apple, Google and Microsoft say they've already rendered many of the alleged CIA cyber-espionage tools obsolete with earlier updates that patched related software holes.

Still, the companies will probably want to check out what WikiLeaks has, assuming that the organisation hasn't set unreasonable conditions on its cooperation. Some privacy and security experts believe the CIA's own refusal to contact the affected companies about the vulnerabilities gives them little choice.

"We all should have better security, and certainly at this point, not trying to fix them makes no sense," Cohn said.

- AP