A digital rights group has called on the government to regulate the way its intelligence agencies hoard and use vulnerabilities that affect devices owned by millions of ordinary people.

The call comes after Wikileaks published details of US Central Intelligence Agency (CIA) hacking tools that exploit zero-day vulnerabilities in most desktop and mobile operating systems.

“While targeted surveillance is a legitimate aim, we need to know that government regulation of this area is sufficient,” said Open Rights Group campaigner Ed Johnson-Williams.

“From what we learnt during the passage of the Investigatory Powers Act, it appears that the ‘creation’ of techniques is not really regulated at all,” he wrote in a blog post.

The leaked CIA documents indicate that US intelligence agencies are working with the UK to stockpile vulnerabilities that can be used on Microsoft Windows, Mac and Linux computers, as well as iOS and Android smartphones and smart TVs.

In the light of the fact that many of the vulnerabilities disclosed came from UK intelligence agencies, Johnson-Williams said the UK government has serious questions to answer, such as:

How does the government ensure that GCHQ’s process for deciding whether to exploit or report a vulnerability is adequate?

Are they creating unnecessary risks for organisations and individuals?

How do oversight bodies check that GCHQ’s policies for assessing the risk of keeping an active vulnerability secret are sufficiently robust?

Did any hacking operations reduce the security and privacy of an individual/organisation with respect to other actors?

Is the authorisation process sufficient to avoid future problems?

How will the UK government and agencies work to clean up the mess created by their decision not to report these vulnerabilities to the suppliers?

Johnson-Williams said while the spy agencies will use these vulnerabilities for targeted surveillance, the same vulnerabilities can also be discovered and exploited by criminals and other countries’ intelligence agencies.

“GCHQ’s decision to keep their exploits secret could have devastating effects for society at large. It is likely that the CIA and GCHQ are not the only organisations with knowledge of these vulnerabilities with the capability to exploit them,” he wrote.

“The agencies have, possibly through their own mistakes, increased the risks vastly by failing to ensure that the vulnerabilities are either reported or kept to themselves.”

Whatever benefits there may have been to GCHQ and the US agencies in stockpiling these vulnerabilities to use for “good”, Johnson-Williams said the “race is now on” to repair them as fast as possible.

Open Rights Group is calling on the US National Security Agency (NSA) and GCHQ to assist in this effort by disclosing what they know about how these vulnerabilities might be exploited and how they can be repaired.

“The agencies must now work with the manufacturers of internet-connected devices such as phones, laptops, TVs and routers, but potentially also fridges, toasters and home automation systems to repair the vulnerabilities,” said Johnson-Williams.

Open Rights Group said manufacturers of internet-connected devices that make up the internet of things (IoT) have an ongoing responsibility to prioritise security, to actively test the security of the devices they sell and to push out security updates to fix known vulnerabilities.

“At the moment, we have a secretive and unaccountable system of device hacking, badly in need of accountability and oversight,” wrote Johnson-Williams.

“We should remember that our worry is only partly the agencies. It is the results of their actions, especially through enabling criminality, that we most need to worry about.”