Proactive IT Security
 

Complete access to all information

2010-08-20 [Privacy issues, Trends & predictions]

Introduction

Most people would agree with both the following statements:

We believe that transparency in government activities leads to reduced corruption, better government and stronger democracies. All governments can benefit from increased scrutiny by the world community, as well as their own people. We believe this scrutiny requires information. Historically that information has been costly - in terms of human life and human rights. But with technological advances - the internet, and cryptography - the risks of conveying important information can be lowered.

and

Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

The first statement is an excerpt from one of the world's most controversial organizations in recent months. It is from WikiLeaks' About us. The second statement is from the United Nations Universal Declaration of Human Rights (Article 19), an organization, which is not viewed as particularly controversial with respect to the information it provides the public.

In this security article we shall examine several aspects of organizations like WikiLeaks. We will strive not to be opinionated, but rather try to look at this phenomenon from a detached perspective.

WikiLeaks' media exposure

WikiLeaks' web site came online in 2006. Since then it has published lots of information, some of which has received substantial interest (and disapproval). Among the most notable are:

  • Sarah Palin's email account on Yahoo (September 2008)
  • Email correspondence between climate scientists (November 2009)
  • More than half a million pager messages from the 11 September attacks on USA  (November 2009)
  • Collateral Murder - Military footage from attacks in Baghdad by a U.S. helicopter that killed 12 persons, including news staff from Reuters (April 2010)
  • Afghan War Diary 2004-2010 - 75 000 documents (June 2010)

The Afghan War Diary documents leakage is the most controversial. WikiLeak has an additional 15 000 documents that are not made public as of this writing. However, WikiLeaks announces on its web site:

After further review, these reports will be released, with occasional redactions, and eventually in full, as the security situation in Afghanistan permits.

The Afghan War Diary leak has led to much controversy. Not surprisingly it was criticized by representatives from the U.S. military. More intriguing is the fact that independent organizations and commentators also expressed concern, in particular that the information might endanger persons named in the documents.

WikiLeaks published 29 July an additional file in the Afghan War Diary section of the web site - a file called Insurance file, which is a huge encrypted file. There have been speculations that the password/-phrase to encrypt this will be released to the public if WikiLeaks or its spokespersons for some reason are attacked.

The major Swedish newspaper Aftonbladet published 14 August information (the link is to a Swedish web page) that WikiLeaks' founder Julian Assange was to become a columnist in this newspaper. The chief editor writes about this in his blog (Norman's translation):

The most important [reason why Assange chooses Aftonbladet] is the fact that we are located in Sweden. Our laws governing freedom of print offer the world's best protection of sources. It is even a violation of Swedish law to investigate sources.

The strong standing that the freedom of information has in Sweden, is also probably the reason why WikiLeaks places several of its servers in that country, as numerous sources reported earlier this month.

Generalizations

Whenever discussing phenomenons like WikiLeaks it is important to attempt scrutinize the general principles rather than one particular organization and its actions. We shall attempt to accomplish this by asking some questions.

Who stands behind? Political agendas?

According to WikiLeaks' web site, it is a project of "The Sunshine Press". The people behind is

a global group of people with long standing dedication to the idea of improved transparency in institutions, especially government. We think better transparency is at the heart of less corruption and better democracies. By definition spy agencies want to hoard information. We want to get it out to the public.

The public spokesperson is the Australian Julian Assange, which we mentioned above.

We have no reason to distrust this information.

However, it is not that complicated for an organization with sufficient funding (from wealthy interest groups or nations) to set up organizations and web sites of the same type and use this to spread information that advocates a special political point of view. After all this is done (arguably amateurishly) each day on lots of web sites.

This setup would of course have to be quite subtle in order to function as intended, but with sufficient resources it is not far-fetched at all. What looked as a noble service encouraging freedom of information, might then turn out to actually be a vehicle for seeding misinformation or at least biased information.

The general problem with information from sources that one does not know who are behind, is that the accountability is difficult to check.

Potential for no censorship

Information that may be impossible to publish in one country (due to legal, moral and political considerations) can be published without problems in another country or countries. And it will be fully accessible from Internet users all over the globe. That is in principle the nature of the Internet (*).

Examples have shown, however, that authorities in one country may assert pressure on another country's authorities attempting to ascertain that unwanted web content is removed. Occasionally this succeeds.

Advocates for the complete freedom of information therefore set up servers in several countries with different types of jurisdictions, in order to circumvent such pressure. WikiLeaks' setup is a typical example of this.

The Internet has a huge potential for avoiding censoring even though it may require more effort than "the Internet founders" initially intended.

The necessity of securing information

Perhaps the most important lesson to learn from the WikiLeaks cases, is that securing information is essential!

The information published by WikiLeaks indicates that both internal and external personnel have been involved in obtaining the information and leaking it to WikiLeaks. Historically, information getting into the wrong hands as a result of internally involved personnel, are more common than through penetration from outside the organization.

Sensitive information stored digitally should of course be encrypted. This will at least ensure that those who might be able to access the files, cannot read the content,

It is further essential to have rules and regulation regarding who has access to information of a sensitive character. This also applies to printed information.

What's next?

It will be interesting to see how the WikiLeaks story turns out. As of now, the outcome and implication for organizations and entities that are exposed throguh WikiLeaks' Afghan War Diary, are not clear.

Further, we are intrigued whether other setups piggybacking on the success of WikiLeaks, will appear. And if these will be used as political instruments (even) more that what is the case with WikiLeaks.

(*) This is of course not fully accurate. Some countries have in place powerful filtering mechanisms that restrict substantial parts of the information available on the Internet. Other countries have entered into voluntary agreements with its Internet Service Providers to disallow certain types of Internet content, typically child pornography. The general principles applies, though.