Leak at WikiLeaks A Dispatch Disaster in Six Acts
Some 250,000 diplomatic dispatches from the US State Department have accidentally been made completely public. The files include the names of informants who now must fear for their lives. It is the result of a series of blunders by WikiLeaks and its supporters.
In the end, all the efforts at confidentiality came to naught. Everyone who knows a bit about computers can now have a look into the 250,000 US diplomatic dispatches that WikiLeaks made available to select news outlets late last year. All of them. What's more, they are the unedited, unredacted versions complete with the names of US diplomats' informants -- sensitive names from Iran, China, Afghanistan, the Arab world and elsewhere.
SPIEGEL reported on the secrecy slip-up last weekend, but declined to go into detail. Now, however, the story has blown up. And is one that comes as a result of a series of mistakes made by several different people. Together, they add up to a catastrophe. And the series of events reads like the script for a B movie.
Act One: The Whistleblower and the Journalist
The story began with a secret deal. When David Leigh of the Guardian finally found himself sitting across from WikiLeaks founder Julian Assange, as the British journalist recounts in his book "Inside Julian Assange's War on Secrecy", the two agreed that Assange would provide Leigh with a file including all of the diplomatic dispatches received by WikiLeaks.
Assange placed the file on a server and wrote down the password on a slip of paper -- but not the entire password. To make it work, one had to complete the list of characters with a certain word. Can you remember it? Assange asked. Of course, responded Leigh.
It was the first step in a disclosure that became a worldwide sensation. As a result of Leigh's meeting with Assange, not only the Guardian, but also the New York Times, SPIEGEL and other media outlets published carefully chosen -- and redacted -- dispatches. Editors were at pains to black out the names of informants who could be endangered by the publication of the documents.
Act Two: The German Spokesman Takes the Dispatch File when Leaving WikiLeaks
At the time, Daniel Domscheit-Berg, who later founded the site OpenLeaks, was the German spokesman for WikiLeaks. When he and others undertook repairs on the WikiLeaks server, he took a dataset off the server which contained all manner of files and information that had been provided to WikiLeaks. What he apparently didn't know at the time, however, was that the dataset included the complete collection of diplomatic dispatches hidden in a difficult-to-find sub-folder.
After making the data in this hidden sub-folder available to Leigh, Assange apparently simply left it there. After all, it seemed unlikely that anyone would ever find it.
But now, the dataset was in the hands of Domscheit-Berg. And the password was easy to find if one knew where to look. In his book Leigh didn't just describe his meeting with Assange, but he also printed the password Assange wrote down on the slip of paper complete with the portion he had to remember.
Act Three: Well-Meaning Helpers Accidentally Put the Cables into Circulation
Immediately after the first diplomatic dispatches were made public, WikiLeaks became the target of several denial-of-service attacks and several US companies, including Mastercard, PayPal and Amazon, withdrew their support. Quickly, several mirror servers were set up to prevent WikiLeaks from disappearing completely from the Internet. Well-meaning WikiLeaks supporters also put online a compressed version of all data that had been published by WikiLeaks until that time via the filesharing protocol BitTorrent.
BitTorrent is decentralized. Data which ends up on several other computers via the site can essentially no longer be recalled. As a result, WikiLeaks supporters had in their possession the entire dataset that Domscheit-Berg took off the WikiLeaks server, including the hidden data file. Presumably thousands of WikiLeaks sympathizers -- and, one supposes, numerous secret service agents -- now had copies of all previous WikiLeaks publications on their hard drives.
And, what they didn't know, a password-protected copy of all the diplomatic dispatches from the US State Department.
Act Four: Mudslinging between Assange and Domscheit-Berg
To make matters worse, Julian Assange and Daniel Domscheit-Berg then had a falling out. The German spokesman wrote a vengeful book after being thrown out of WikiLeaks in which he portrayed the WikiLeaks founder as an unreliable egomaniac who tended toward latent megalomania.
Predictably, Assange was furious and made several statements that were intended to besmirch Domscheit-Berg. But when he repaired the WikiLeaks server, Domscheit-Berg apparently didn't just take all of the collected WikiLeaks documents, but he also took the secure submission system designed to allow whistleblowers to anonymously submit data. As a result, WikiLeaks was temporarily out of action.
Domscheit-Berg also repeatedly accused Assange of not being sufficiently vigilant about protecting his sources. And he launched a competing platform called OpenLeaks which he is now developing with other former WikiLeaks employees and other supporters.
Act Five : Exposed Disclosures
The conflict between Domscheit-Berg and Assange has become increasingly aggressive. Germany's Chaos Computer Club recently made the surprising decision to revoke Domscheit-Berg's membership because he allegedly misused their name to hype his OpenLeaks project. While that was their official reason, unofficially the tension stems from the data that Domscheit-Berg took with him from Wikileaks.
In an effort to prove that Assange couldn't be trusted, people associated with the OpenLeaks project recently began talking about the hidden diplomatic cables -- and the dataset which has been coursing through the Internet for months, though no one knew about it.
Then someone betrayed the location of the password -- Leigh's book -- to a journalist for German weekly Der Freitag, which is also an OpenLeaks partner. The weekly published a cautiously formulated version of the story, that without naming the exact location of the password, still revealed it was "out in the open and identifiable to those familiar with the material." Speculation on Twitter and elsewhere ran wild, and hobby investigators began to edge closer to which password it could be.
Meanwhile the mudslinging continued unabated between Assange and Domscheit-Berg.
Act Six: Cablegate-Gate
An account of the story of Leigh, the hidden data and the password then cropped up on a platform normally used by open-source developers to exchange programming codes. A link to the entry spread quickly through Twitter. Suddenly, anyone could access the entire "Cablegate" file with a bit of effort.
On Wednesday afternoon the Wikileaks Twitter account announced "important news," and a few hours later character sequences and links were distributed to download an encoded, 550-megabyte file via a BitTorrent client. The password was to be delivered later.
The distribution apparently didn't work at first, and complaints appeared on Twitter. But later the problem was fixed, and the data began to circulate.
It remains unclear whether this was the Cablegate data set. Meanwhile Wikileaks' Twitter account has called on users to vote on whether they agree with the publication of the unredacted cables. They can register their vote with the hashtag "WLVoteYes" or "WLVoteNo" on Twitter.
A Wikileaks statement on Twitter blames the Guardian and Leigh for the fact that the cables are now freely available online. "We have already spoken to the (US) State Department and commenced pre-litigation action," it said, adding that their targets were the Guardian and a person in Germany who gave out the paper's password. Leigh breached a confidentiality agreement between Wikileaks and the Guardian, it added. The US Embassy in London and the US State Department had been notified of the possible publication already on August 25 so that officials could warn informants.
In a statement the Guardian rejected the accusations from Wikileaks, explaining that the paper had been told the password was temporary and would be deleted within hours. "No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files," the statement said. "That they didn't do so clearly shows the problem was not caused by the Guardian's book."
Finale: In the Open
It is possible that intelligence agencies in a number of countries have already gained access to the data. "Any autocratic security service worth its salt" would have already done so, former US Assistant Secretary of State for Public Affairs P.J. Crowley told news agency AP on Wednesday. Intelligence agencies that haven't already gotten their hands on the data "will have it in short order," he added.
By Wednesday evening Crowley's prediction was confirmed. The "Cablegate" cables are now completely public. For many people in totalitarian states this could prove life-threatening. For Wikileaks, OpenLeaks, Julian Assange, Daniel Domscheit-Berg and many others, it is nothing short of a catastrophe.
A chain of careless mistakes, coincidences, indiscretions and confusion now means that no potential whistleblower would feel comfortable turning to a leaking platform right now. They appear to be out of control.
© SPIEGEL ONLINE 2011
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH