Towards an Infrastructure for Secure Leaking
The means for securely and anonymously submitting materials are already fairly well established — though of course they can be improved, and constant vigilance is needed for potential attacks. Real difficulties lie on the publication side, as the struggle to keep WikiLeaks online demonstrates.
There are two aspects to this problem:
- We need to create simple and reliable means for mirroring sites and to navigate to those sites in a trustworthy way, so that adversaries leaning on your ISP (so your material is removed from the server) and pulling your DNS (so that readers can no longer navigate to your domain name) can’t expunge your data. There are alternative systems for a peer-to-peer domain name infrastructure being developed; a similar longer term project being discussed is the creation of a protocol to mirror sites over BitTorrent, so that if the main site is under attack, it can pass requests on to peers without the reader/requester having to leave their browser — a step towards a truly uncensorable network.
- WikiLeaks, as the bellwether, has made clear that the funding and donation system is broken when it comes to supporting anything truly contentious or potentially problematic. Methods are needed for funding organizations that are releasing leaked material in their moment of greatest need, when they may be operating overseas and under close governmental scrutiny. Projects like Bitcoin (AnonNews is currently taking Bitcoin donations) suggest steps in this direction — though a far simpler solution may lie not in the creation of new transaction systems, but in existing nonprofits and activist groups managing leaks as one aspect of their operation, which doesn’t imperil their funding stream and access to their resources.
Finally, an additional infrastructural element we must work on is a system for undetectably copying documents and other materials. The Afghan War logs and the SIPRnet cables were likely flukes, with nothing on a similar scale to be made available to authorized users again without systems for logging access and requests, and provided in formats that are very difficult to download to a local machine or circulate online. Techniques and workflows for gathering data and making it portable will be vital.
The points of real security failure for an organization with leak-receiving capabilities are social, not technical. The sole alleged source to be compromised in the history of WikiLeaks appears to have been identified by discussing his activities with a colleague he thought trustworthy.
For secure leaking to be a viable and distributed strategy, three elements would be helpful:
- People who work with leaks in an organization must have training in operations security and risk management — the tradecraft of learning how to travel, communicate, behave and collaborate in secure ways. OPSEC and its related disciplines are already well understood in the military and intelligence communities; we need an activist/geek-friendly training program to produce leak recipients capable of protecting their organizations and themselves.
- One crucial step in that regard would be greater general familiarity with secure communication online. It has never been easier to browse safely (using Tor), encrypt e-mail (using programs like GPG), and chat both securely and deniably (using the Off-the-Record protocol). Spread these habits, so you and your colleagues can use them before they become urgently necessary.
- The act of leaking puts one at potentially enormous risk for the sake of moral courage. It’s easy to be dismissive of social security failures — just don’t talk about what you’ve done, to anyone, ever — but the need for companionship and solidarity, especially given the danger a leaker faces, is profound. To keep secrets of that magnitude, without the benefit of friend, therapist, or confessional, is wearing. A way to enable community and alliance without the danger of discovery would be well worthwhile.
The last issue is a legal one — not simply the legal status of leak-distributing groups, the freedom of speech issues they face, and so on, but clarifying the gray area of legal protection for those who mirror the information. If mirroring is to play its necessary role in the distributed publication of leaks in the future, those who would create mirror sites need to know the risks they run, in terms of their hosting services (can my hosting contract or personal website be terminated?), their relationship to their employers, and the possibility of pressure from the government. What can they expect, and what means of redress are available to them?
Problems of consequence
Finally, there are problems of the longer-term consequences the wide availability of secure leaking; I don’t have answers to these questions, and I invite comments.
- Authentication. The culture of journalistic leaks includes existing relationships of trust, and their patient cultivation, between the journalist and the leaker. It’s how journalists keep from disseminating disinformation and propaganda. In the absence of trust between leakers and the fourth estate, where one can’t know the other, how do we avoid irresponsible and scurrilous and outright fabricated information? Worst case scenario number one: the first 21st-century Protocols of the Elders of Zion, a hate-justifying counterfeit whose pretense of legitimacy partially springs from presenting itself as secret knowledge revealed. Do we need anonymous reputational systems to build trusted relationships with repeat leakers? Double agents have already demonstrated the technique of building trust through true, secret, but nonvital information that builds the relationship for lies down the road.
- Analysis. WikiLeaks works very hard to maintain their analytic layer for the leaks they receive, and journalism has historically had people who will read through all those tedious pages of Pentagon memos to put the significant story together. Can we trust the magic pixie dust of crowdsourcing to handle this? Are we building in stovepiping (as in Cheney wanting to read all the raw intelligence, pre-analysis, and feeding his own paranoia and desire for unilateral power) for the entire population? Will good information actually drive out bad? Worst case scenario number two: a population whipped into a frenzy and marching to war because of the kind of wildly overstated threats presented by self-serving informers and spies with their own agendas — the sort of stuff actual intelligence analysts know to discard, filter, or read with a grain of contextual salt. It’s the Iraq War all over again, but we did it to ourselves. Imagine Glenn Beck and his epigones getting their hands on such material.
- The end of libel. Worst case scenario three, from the city-state of Florence (among other Renaissance metropoli): the tamburo, or anonymous letter-box, which existed for citizens to drop secret denunciations of one another, leading to a constant series of political struggles in which the accused could never face their accusers. Like political character attacks and the work of oppo research, but vastly more widespread, a culture of rampant self-policing, informers, and the possibility of betrayal."