Thousands of documents said to detail the CIA’s hacking tools were published by Wikileaks on Tuesday.
They included allegations that the CIA had developed ways to listen in on smartphone and smart TV microphones.
“Our digital security has been compromised because the CIA has been stockpiling vulnerabilities rather than working with companies to patch them,” said Nathan White, from the civil liberties group Access Now.
Should we be worried?
“It’s not a surprise that people who have a mission to find bad guys and protect nations are using every means at their disposal to gather intelligence on a focused target,” said Don Smith from cybersecurity firm SecureWorks.
“If the CIA doesn’t have capabilities for eavesdropping, it’s not doing its job.”
“Most of the leaked documents are about targeted attacks. This is not about mass surveillance and vacuuming up a haystack of data to search for a needle,” he told the BBC.
“They need warrants, they can’t just tap in to any phone – it doesn’t work like that. One of the reasons people have faith in the security services is that they tend to obey the law, and when they don’t it comes out.”
Whistleblower Edward Snowden criticised the scope of the CIA’s methods.
Are ‘smart’ devices safe?
Homes are becoming increasingly “smart”, with everything from light switches to voice-activated kitchen appliances connected to the internet. If unsecured, these could reveal our activities in the home.
“The concept that intelligence agencies are doing broad personal surveillance using these devices is not realistic,” said Mr Smith.
“I would be amazed if that was the case because the resources to make sense of all the data just aren’t there.
“My concern is much more what online criminals might be able to achieve with these devices. There are plenty of examples of things such as baby monitors being open to the wider internet.”
The documents published by Wikileaks detail ways in which some Samsung televisions could be used to spy on their owners. Mr Woodward said it was unlikely the exploit was widely used.
“They’re talking about a few models of Samsung TV. If you read the documents, they have been vulnerable for a while. It would be surprising if the CIA was not looking into that,” he said.
“Has the CIA remotely hacked them? No. They have to get into your home and plug a USB drive in to them. It’s a high risk. If you have to get in to somebody’s house you can give yourself away.”
Mr Woodward said anybody worried that their appliances were spying on them could “unplug them at the wall”.
That advice may not help those with a modern voice-controlled fridge-freezer, the likes of which have started to go on sale.
However, SecureWorks’ Mike McLellan, who previously worked at the UK government’s National Cyber Security Centre, said the average household should have “bigger concerns”.
Can the CIA read my WhatsApp or Signal messages?
The CIA documents describe methods to compromise smartphone operating systems such as Android and iOS, which could let agents read messages sent via encrypted services such as WhatsApp and Signal.
Mr Woodward said the documents did not suggest the CIA had “cracked” the encryption of either platform. Instead, messages could be read by compromising the “end point” – the sender or receiver’s smartphone – where the messages are already decrypted.
He said the documents indicated that governments “accept that encryption is going to become commonplace on networks” and that they must focus efforts on “getting in to the end points to read messages”.
“They know banning encryption is not going to work,” he said.
Should the CIA have helped fix security flaws?
Mr Snowden has described the CIA as “reckless beyond words”, for keeping knowledge of security holes in devices such as smartphones to itself.
“The CIA reports show the [United States government] developing vulnerabilities in US products, then intentionally keeping the holes open,” he wrote on Twitter.
Mr Woodward said he was not surprised that the CIA had not disclosed security holes it had found to manufacturers such as Apple and Google.
“If your mission is to spy, are you going to tell people something only you know about?” he asked.
Mr McLellan said it was “a fact of life that intelligence agencies will look for security vulnerabilities”, but added that private companies were also searching for flaws and “selling them to the highest bidder”.
That concerns Mr White, who suggests keeping flaws secret puts ordinary citizens at risk.
“It’s simply a fantasy to believe that only the ‘good guys’ will be able to use these tools,” he said in a blogpost.
“It is critical for governments, law enforcement, technologists, and civil society to have an honest conversation about the impact of government hacking in the digital age.”
However, Mr Woodward said it was likely that many of the security flaws in the leaked documents had already been fixed.
“The idea that the CIA is hoarding [security flaws] is not true. These things are relatively rare… and fixes for them move so quickly that a year or two is almost another era in technical terms,” he said.
“I would be surprised if they were ‘stockpiling’ such exploits. I think you’ll find they use them while they still can.”
Will artificial intelligence threaten our privacy?
Routine recording of the population would be a huge, and potentially unfeasible, undertaking for an intelligence agency. However, developments in artificial intelligence could make processing data faster and easier.
Companies – including Amazon and Google – already sell voice-controlled speakers and smartphones that can understand commands and transcribe speech. Such technology could one day be used to help monitor citizens.
“There is the ability to collect telephony en masse now,” said Mr Smith. “AI may speed it up and make more sense of the data, but I don’t think it’s something the average person should be worried about. It could be a future risk, among many future risks.”
Mr Woodward added: “Think of the volumes of data you’d be dealing with. They don’t have the ability to record every phone conversation in the world, let alone every conversation within ear-shot of a phone.
“If you’re not a person of interest, they just don’t have the capacity.”