Wikileaks, security research and policy

A number of media organisations have been asking us about Wikileaks. Fifteen years ago we kicked off the study of censorship resistant systems, which inspired the peer-to-peer movement; we help maintain Tor, which provides the anonymous communications infrastructure for Wikileaks; and we’ve a longstanding interest in information policy.

I have written before about governments’ love of building large databases of sensitive data to which hundreds of thousands of people need access to do their jobs – such as the NHS spine, which will give over 800,000 people access to our health records. The media are now making the link. Whether sensitive data are about health or about diplomacy, the only way forward is compartmentation. Medical records should be kept in the surgery or hospital where the care is given; and while an intelligence analyst dealing with Iraq might have access to cables on Iraq, Iran and Saudi Arabia, he should have no routine access to stuff on Korea or Brazil.

So much for the security engineering; now to policy. No-one questions the US government’s right to try one of its soldiers for leaking the cables, or the right of the press to publish them now that they’re leaked. But why is Wikileaks treated as the leaker, rather than as a publisher?

This leads me to two related questions. First, does a next-generation censorship-resistant system need a more resilient technical platform, or more respectable institutions? And second, if technological change causes respectable old-media organisations such as the Guardian and the New York Times to go bust and be replaced by blogs, what happens to freedom of the press, and indeed to freedom of speech?

11 thoughts on “Wikileaks, security research and policy

  1. Absolutely. If flaws in the design of the US comms system cause embarrassment (or worse) for the US, that is entirely their problem. They designed the system, they used the system.

    The NHS Spine comparison is perfect. We have not designed the system, but are expected to succumb to it all the same.

  2. Modern manifestation of the age-old struggle for power. Governments have had it easy thanks to asymmetric access to technology and know-how, now that the unwashed masses have both the balance of power is changing. Let’s hope it will contribute to a more transparent world where the politburos of this world do not commit their very often disgraceful deeds in dark but face the light of the day…

  3. On the engineering side, one of the challenges is that the cables mix intelligence with source attribution. It is not clear that 3m people world wide need to know the sources for every item of intelligence. Typically you only need the actual sources, as opposed to some generic label (eg private sector executive) for certian types of analysis.

    It is not like the intelligence community doesn’t understand the separation of data and metadata. It looks like the systems used by the US State Dept failed to implement this separation.

    If you strip out the sources – Minister Counsellor N said – you would have something similar to the reports the NYT, Economist and the like publish on a regular basis.

    The US Congressional Research Service does have an analysis of the legal position (via EFF and FAS) “Criminal Prohibitions on the Publication of
    Classified Defense Information” 6 Dec 2010., which cites New York Times vs US (the 1971 Pentagon Papers case) and considers prosecution of the Grey Lady problematic.

    http://www.fas.org/sgp/crs/secrecy/R41404.pdf

  4. Thanks, Zyg – and there is more legal background in Lilian Edwards’ blog. It seems that Amazon had no real choice but to take Wikileaks down (they do not inherit any right of press freedom from their customers) while the situation in respect of blocking Wikileaks is more complex. However, in the UK at least, Mandelson’s Digital Economy Bill could fix that.

  5. I’m surprised that it’s taken nearly 20 years for something like this to happen – though the technical aspects are completely beyond me. How difficult would it be to spoof IP addresses back to 127.0.0.1 and run it from a laptop for example? I’ve had emails from “banks” that don’t exist in the past – but if I had downloaded the message that is what would have appeared in the from section – the rest of the email header was padded out with 127.0.0.1 for other servers.

    However, politicos shouldn’t be duplicitous in their remarks – if they say something in public – it should also stack up in private. if they are not happy dealing with President X of country Y they should say so, negating the need for WL. After all if country Z says it doesn’t spy on others, but in reality it does – it is more than likely to get caught with it’s pants down, so to speak.

    Politicos seem unaware of technology – fortunately some tech advocates are aware of politics, which is a good thing as it keeps said politicos on their toes.

    What also gets me is that governments around the world have pushed the Internet and “digital” life(style) broadband, interactive and other such nonsense as ESSENTIAL to life in the 21st century, but it really isn’t. Fair enough, it’s useful to have, and Martha Lane Fox is still evangelising about it. Now it’s all gone horribly wrong, the same politicos are desperately trying to stem the flow of these leaked cables. I just find the whole situation ironic. Genies & bottles, cats & bags spring to mind…

  6. Ross,

    In the case of the leaks ask the question “what makes them believable?”

    apart from the quantity it’s the style and format.

    As was noted above does the intel have to be directly attributable to particular individuals or even job roles?

    Whilst I realise it is well neigh impossible to make the data anonymous taking a lot of these details out would make “authenticatinc” a leak before publication more difficult and would thus slow down the more respectable news outlets with reputations to protect.

    As for what is happening to the wikileakes “editor in chief” I will simply note that the Swedish authorities initialy investigated the claims and then publicly dropped them. And that since little or no further information has come publicly to light (officialy) to justify the change.

    As for the use of the European arrest warrant it was bad legislation to start off with and the fact it has been used for some of the flimsyist cases that often appear politicaly motivated should not be overly surprising.

  7. […]”does a next-generation censorship-resistant system need a more resilient technical platform, or more respectable institutions?”

    We could always do with more respectable institutions, but that’s unlikely to happen any time soon. Technical platforms seem to be mature enough. I would like to see the “next generation” focusing on usability.

    We need a version of Tor that our mothers can use.

    A strong, global user base would bolster a censorship-resistant system much more than that 5% of extra engineering perfection.

  8. I’m writing a thesis on Public Trust in WikiLeaks, the Media and the Government and need to know what your opinions are. The online survey is multiple choice and will take approximately 10 minutes to complete. Please follow the link: http://www.kwiksurveys.com/?s=ILLLML_9669e09d. Would be great if you would encourage others to do the survey also.

Leave a Reply

Your email address will not be published. Required fields are marked *