The CIA Has Secretly Run a “Bulk Collection” Program

Cryptocurrency was everywhere this week, funding anti-Russian resistance groups and hacktivists in Ukraine and being seized by the US Department of Justice in a massive trove of laundered bitcoin worth $3.6 billion. If you’re just wading into crypto yourself and need a place to store your digital dough, we’ve got a guide for picking and setting up a cryptocurrency wallet.

Microsoft took a huge security step this week by announcing that it will disable its often-abused macros feature by default in Microsoft Excel and Word files downloaded from the internet. Health privacy researchers published findings about medical and genetic-testing companies that left details about their third-party ad tracking and lead generation methods out of their privacy policies. And pro-democracy activists, many of whom are in hiding after Myanmar’s 2021 coup, fear that their phone records—and by extension the identities of their loved ones and resistance networks—could be at risk of falling into the junta’s hands.

And if you’re getting freaked out about the possibility of being tracked using Apple AirTags, here’s our guide to scoping things out and protecting yourself.

And there’s more. We’ve rounded up all the news here that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Partially redacted documents released on Thursday night by the US intelligence community reveal a secret CIA surveillance dragnet that has collected some Americans’ data under a program that did not have congressional approval or oversight. Senate Intelligence Committee members Ron Wyden (D-Oregon) and Martin Heinrich (D-New Mexico) sent a letter to the director of national intelligence and CIA director on April 13, 2021, demanding that information about the program be declassified. “Among the many details the public deserves to know are the nature of the CIA’s relationship with its sources and the legal framework for the collection,” the senators wrote in their letter.

The program was authorized under the 1981 presidential executive order “United States Intelligence Activities.” Referring to the Foreign Intelligence Surveillance Act, the senators said in a statement on Thursday that “FISA gets all the attention because of the periodic congressional reauthorizations and the release of DOJ, ODNI, and FISA Court documents” and the data-collection programs Congress authorizes under the law. “But what these documents demonstrate is that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and handles information under executive order and outside the FISA law.”

The Senate Judiciary Committee advanced a familiar bill, the EARN IT Act, on Thursday. The legislation aims to increase tech company responsibility for child sexual abuse materials posted or distributed through their services. Technologists and privacy advocates have repeatedly and urgently warned that EARN IT would have significant cybersecurity and human rights implications by disincentivizing tech companies from implementing end-to-end encryption schemes. The legislation would force online services to “earn” some of the Section 230 protections that currently shield them from liability for material posted by their users. The bill was first introduced in 2020 and also advanced out of committee then, but it did not receive a floor vote before the end of the congressional session.

In a report this week, Google’s Project Zero bug hunting team said that companies are getting faster at patching after the group discloses a vulnerability to them. Project Zero is known for setting deadlines for developers to release fixes for their products, anywhere from seven to 90 days depending on the severity of the bug. Once the deadline expires, sometimes with an additional grace period of up to 14 days, the group publicly discloses the flaws. Project Zero said this week that it took companies an average of 52 days to fix vulnerabilities in 2021, down from an average of about 80 days in 2018. Additionally, it has become very rare for organizations to miss a Project Zero time limit. Only one bug exceeded its deadline in 2021, though the group noted that 14 percent of bugs do use the grace period. The group emphasized that the findings may not be generalizable across the industry, because Project Zero is well known and has a particular reputation for being strict and effective at getting bugs fixed. Companies may be more likely to take swift action when Project Zero shows up. Nonetheless, the trends are promising and show that there is more mainstream understanding of the vulnerability disclosure process.
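The disclosure timeline described above (a severity-dependent deadline, an optional 14-day grace period, then public disclosure) is easy to get wrong when tracked by hand, so here is a small model of it. This is an added example written for this page, not Project Zero's tooling or data: the bug ids, dates and deadline lengths are constructed, and the summary it computes (average days to fix, how many fixes used the grace period, how many missed the deadline outright) mirrors the kind of figures the report quotes rather than reproducing them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Grace period length as described in the article.
GRACE_DAYS = 14


@dataclass
class Report:
    bug_id: str            # constructed id, not a real tracker entry
    reported: date         # date the vendor was notified
    deadline_days: int     # 7..90 depending on severity
    fixed: Optional[date]  # None while the bug is still open

    @property
    def deadline(self) -> date:
        return self.reported + timedelta(days=self.deadline_days)

    @property
    def grace_end(self) -> date:
        return self.deadline + timedelta(days=GRACE_DAYS)

    def status(self, today: date) -> str:
        """Classify the report relative to its deadline and grace period."""
        if self.fixed is not None:
            if self.fixed <= self.deadline:
                return "fixed-on-time"
            if self.fixed <= self.grace_end:
                return "fixed-in-grace"
            return "fixed-late"
        if today <= self.deadline:
            return "open"
        if today <= self.grace_end:
            return "open-in-grace"
        # Both the deadline and the grace period have elapsed: the
        # policy says the details are now published, fix or no fix.
        return "disclosed-unfixed"


def summarize(reports: List[Report], today: date) -> Dict[str, float]:
    """Aggregate the figures a disclosure report would quote."""
    fixed = [r for r in reports if r.fixed is not None]
    avg_days = (
        sum((r.fixed - r.reported).days for r in fixed) / len(fixed)
        if fixed else 0.0
    )
    statuses = [r.status(today) for r in reports]
    return {
        "fixed": len(fixed),
        "avg_days_to_fix": avg_days,
        "grace_used": statuses.count("fixed-in-grace"),
        # Using the grace period is not a miss; fixing after it, or
        # being disclosed while still unfixed, is.
        "missed_deadline": statuses.count("fixed-late")
        + statuses.count("disclosed-unfixed"),
    }


# Constructed sample data: one typical 90-day report, one that used the
# grace period, one 7-day report for an actively exploited bug, one that
# blew through the grace period, and one still open as of SAMPLE_TODAY.
SAMPLE_TODAY = date(2022, 1, 15)
SAMPLE_REPORTS = [
    Report("PZ-0001", date(2021, 1, 4), 90, date(2021, 2, 15)),
    Report("PZ-0002", date(2021, 2, 1), 90, date(2021, 5, 10)),
    Report("PZ-0003", date(2021, 3, 15), 7, date(2021, 3, 18)),
    Report("PZ-0004", date(2021, 6, 1), 90, date(2021, 9, 20)),
    Report("PZ-0005", date(2021, 11, 1), 90, None),
]


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r.bug_id, r.deadline, r.grace_end, r.status(SAMPLE_TODAY))
    print(summarize(SAMPLE_REPORTS, SAMPLE_TODAY))
```

The one design point worth noting is that the grace period is modelled separately from the deadline: a fix that lands inside it counts as "used the grace period", not as a missed deadline, which is the distinction the report draws between the 14 percent and the single overdue bug.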
