Why have WikiLeakS.org abandoned the use of PGP Encryption ?


The Contact page still has a link to a http://wikileaks.org/wiki/Wikileaks_PGP_key page:

Wikileaks:PGP Keys

Do not use PGP to contact us. We have found that people use it in a dangerous manner. Further one of the Wikileaks key on several key servers is FAKE.


This warning now replaces a copy of the PGP Public Encryption Key which expired on 2nd November 2007 (PGP Key ID: 0x11015F80).

Instead of publishing a new PGP Key, the WikiLeakS.org staff have, without bothering to hold any sort of discussion on the relevant wiki discussion page, arbitrarily put up this stupid warning.

It is entirely possible for the public and for journalists and for whistleblowers to use unencrypted plaintext email, or the SSL / TLS encrypted web session submission forms for new "whistleblower document" uploads, or the Tor Hidden Service methods, or the Postal mail box methods of submission, or the Discussion pages for publishing comments and analyses, and to make technical security or anonymity errors "in a dangerous manner".

Why is PGP any different ?

Presumably because the WikiLeakS.org team have deliberately not bothered to explain its correct use - they just published a link to a PGP public key, with nothing else in the way of instructions or warning advice.

The point about the PGP keyservers is utterly irrelevant, given that WikiLeakS.org were, correctly, publishing their PGP key primarily on their own web servers.

Fake PGP keys on keyservers or elsewhere are not a problem - that is what the PGP key fingerprints are designed to help with.
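
As an added illustration (not code from WikiLeakS.org or from this blog) of how a fingerprint check rejects a fake keyserver key, the Python below computes OpenPGP version 4 fingerprints as defined in RFC 4880 section 12.2 and accepts a candidate only on a full 160-bit match with a fingerprint obtained from a trusted channel. The key packets, the user ID and all function names are constructed for the example; it also shows that an 8 hex digit Key ID of the kind quoted above is only the tail of the fingerprint and is refused as a pin.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_ids(fingerprint: str) -> tuple:
    """Long (64-bit) and short (32-bit) key IDs are only the tail of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]

def normalise(printed: str) -> str:
    """Canonicalise a fingerprint as printed on a web page; refuse anything shorter."""
    fp = "".join(printed.split()).upper()
    if fp.startswith("0X"):
        fp = fp[2:]
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("need the full 160-bit fingerprint, a key ID is not enough")
    return fp

def select_by_fingerprint(candidates: list, pinned: str):
    """Return the single candidate whose fingerprint equals the pinned one, else None."""
    want = normalise(pinned)
    matches = [c for c in candidates if v4_fingerprint(c["body"]) == want]
    return matches[0] if len(matches) == 1 else None

# Constructed sample data: toy integers standing in for RSA moduli, not real keys.
# Anyone can upload a key under any name, so both candidates carry the same user ID.
USER_ID = "Example Project <contact@example.org>"
GENUINE = {"uid": USER_ID, "body": rsa_key_body(1162425600, (1 << 1023) | 0xC0FFEE01, 65537)}
FAKE = {"uid": USER_ID, "body": rsa_key_body(1162425600, (1 << 1023) | 0xBADC0DE1, 65537)}
CANDIDATES = [FAKE, GENUINE]  # what a keyserver search by name might return

if __name__ == "__main__":
    pinned = v4_fingerprint(GENUINE["body"])  # stands in for the value published out of band
    for key in CANDIDATES:
        fp = v4_fingerprint(key["body"])
        print(key["uid"], fp, "short ID 0x" + key_ids(fp)[1])
    chosen = select_by_fingerprint(CANDIDATES, pinned)
    print("accepted:", v4_fingerprint(chosen["body"]))
```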

This outright refusal to use widely available, tried, tested, and secure PGP / GnuPG / OpenPGP etc. software has further damaged the reputation for trustworthiness of the WikiLeakS.org project.

Some people will conclude that some of the WikiLeakS.org people must be in cahoots with some intelligence or police agency or other, which is why they do not wish to promote the option of using strong end to end encryption like PGP for protecting whistleblowers.


7 Comments

Presumably because the WikiLeakS.org team have deliberately not bothered to explain its correct use

I had a discussion with some people involved in Wikileaks a few months ago about this issue. We argued about this issue back then already and the main conclusion was that explaining people how-to use PGP is not as easy as how-to use a submit form correctly. It's all about usability and making it proof for the enduser to not make any unwanted mistakes.

Another major issue is time to write such a false-proof document/howto, which seems to be constantly short in the project and therefore no one can address this issue properly.

Which then in turn makes it even more sad to see that you yourself rather waste your time bragging about how bad this is and how stupid everyone else is, instead of using the time to help out creating such a document. Your time could be spent much more useful, especially as you in contrast to me seem to understand the topic and would be in a position to help with it.

Just a few cents.

@ roman - the WikiLeakS.org project has had plenty of reasonable suggestions but they act just like a Government propaganda department with an insulting, patronising, "We Know Best" attitude.

There is no need for WikiLeakS.org to re-write all the guides about how to use PGP securely - a few links to the existing online documentation would suffice.

PGP is not a replacement for their other document submission methods, but it does have its place as another option.

There are a few issues specific to whistleblowing, which I could write up in a few minutes, but what is the point, when they refuse to use PGP at all ?

Well, from my experience they were very eager to have people involve into the project. Very open bunch of people appreciating any help. The Wiki is open after all, why not just create a page then and write it up in a way it is sound, helpful and comprehensive. I cannot imagine it would be turned down. But I am not sure how much just some links will help to direct an unknowing user, like me for example, someplace that will ensure I have sufficient understanding of the process of using PGP.

Also I still think suggestions are not the problem but rather the doing, as everyone seems to be constantly busy with things, shuffling around priorities to address what needs to be addressed. And writing prose for an add-on instead of something of operationally critical might just be hard to address.

If it's that easy, go ahead please, I would myself be interested to read more about it. What Operating Systems can you cover, for what base knowledge of readers? I would be happy to learn from it but I am not much of a technical person ...

@ roman - WikiLeakS.org is not a wiki in the usual sense, even though it does use the MediaWiki software.

You can make contributions to the Discussion pages, but unless you are one of the chosen core central team, you cannot create any new pages, or edit existing ones.

Many people, myself included, refuse to get involved directly in the WikiLeakS.org project, until they answer some of the fundamental Questions which arose as soon as they announced their plans. e.g. the lack of publication of even a high level security and anonymity architecture, the risks of their single point of failure server hosting in Stockholm, the ongoing questions about their funding, and their obvious political bias etc.


Now you had me curious. I went to the chat, asked some questions and tried some things on the Wiki.

- You can edit the Wiki, all it needs is a registered user. Registration is open, so no problem with that. Some pages are protected according to what I was told, which makes sense, like published analysis, those pages with the leaked document etc.

- There is no single point of failure hosting, Sweden is just an entrypoint I was told as Sweden has very strong protection laws for media outlets.

- Funding seems to be non-existent, at least the guy I talked to in the chat told me it is driven by people involved in the project. Sounded like another reason to get involved as there is no funding to buy manpower and it all relies on volunteers.

About the other things I don't know. I didn't feel they had a bias yet, and I think not publishing the architecture is kind of security issue. After all I assume it is quite good to create some blurry cloud around the project.

In any way, I felt questions are being answered as long as you ask them. Did not have the feeling anyone being overly secretive there but rather welcoming a potential helping hand.

@ roman - thanks for investigating this for yourself, rather than relying on just a single potentially biased source like me, however:

- You can edit the Wiki, all it needs is a registered user. Registration is open, so no problem with that.

That has not been true for most of the time which WikiLeakS.org has been online.

Compared with the whistleblower leak document submission methods, there is almost no anonymity protection or even advice, for people who want to comment on or analyse those documents, without revealing their computer's real IP addresses, and times and dates of new comments, which could be used by libel lawyers or law enforcement or intelligence agencies to identify them, regardless of whether the WikiLeakS.org servers themselves keep log files or not.

You may be just as much at risk from the authorities if you have expert knowledge to comment on or analyse a classified document, as the original whistleblower themselves. Any "leak" investigation will assume that any of the people commenting on or analysing such a leak, might in fact be the whistleblower who they are trying to hunt down.

Some pages are protected according to what I was told, which makes sense, like published analysis, those pages with the leaked document etc.

The PGP Key page and the important About page are both Protected, so only core insiders can edit those.

- There is no single point of failure hosting, Sweden is just an entrypoint

That entrypoint certainly is a Single Point of Failure - see several instances where the whole system has been unavailable for hours or days: Website Infrastructure downtime and denial of service blog category archive

I was told as Sweden has very strong protection laws for media outlets.

Not any more they do not, at least from a whistleblower anonymity viewpoint.

Sweden's National Defence Radio Establishment - Försvarets radioanstalt (FRA), their equivalent of the USA National Security Agency or the UK GCHQ has been illegally snooping on Swedish internet and other communications for years. The Swedish Parliament has this year passed a draconian wiretapping law, which gives the FRA direct access to all internet traffic passing through Sweden, even stuff that is simply being routed on elsewhere.

See The Register for some links: World+dog ignores Sweden's Draconian wiretap bill

PRQ Internet, the hosting company in Sweden, used to host The Pirate Bay bit torrent site, and has been physically raided by the Swedish Police in the past.

- Funding seems to be non-existent, at least the guy I talked to in the chat told me it is driven by people involved in the project. Sounded like another reason to get involved as there is no funding to buy manpower and it all relies on volunteers.

I am inclined to believe that.

About the other things I don't know. I didn't feel they had a bias yet,

Count the number of US Military documents which have been leaked, and heavily promoted to the media, and compare this with the number of Russian or Chinese ones, of any sort, which have been made public.

That certainly looks like a political bias.

and I think not publishing the architecture is kind of security issue. After all I assume it is quite good to create some blurry cloud around the project.

Publishing a high level security and anonymity architecture would not be detailed enough to compromise the security of the system at all, but it might give people who are thinking of helping out some confidence that the WikiLeakS.org team are not trying to re-invent the wheel and are not fatally compromising the individual components of the system.

Currently there is no such assurance.

All that is available at the moment is the totally inadequate and misleading statement on the About page, which claims:

"For the technically minded, Wikileaks integrates technologies including modified versions of MediaWiki, OpenSSL, FreeNet, Tor, PGP and software of our own design."

In any way, I felt questions are being answered as long as you ask them. Did not have the feeling anyone being overly secretive there but rather welcoming a potential helping hand.

The email replies I have had in the past have been patronising and, frankly, insulting.

Hi again,

thanks for the extensive comments.

I see things still a little bit different. There are plenty of ways to connect to the Wiki staying anonymous and the Wiki itself also is anonymized. All IP addresses seem to be changed on the way to the server, so the server doesn't see a single real source IP address.

Protecting the PGP page is pretty important I would say and I hope you agree there. I don't see why you could not contribute via some Draft: page or a Talk: page and this would be merged into the Wiki by someone with appropriate access rights. From what I could observe so far that's how it works with them. At least for summaries for example.

The same goes for guidelines on howto write analysis. There is the writers kit which I am sure could use some enhancements but why not just contribute. I can only repeat, I am fully convinced that help would be appreciated with open arms.

Regarding Sweden I have read about this but it does not change the fact that journalists and their work are protected by I think the third law of the constitution.

I am sorry to hear about your email experiences, mine have been completely different. Might depend on the attitude with which you write those mails, I don't know. In general I get along with most people though, so might just be that I am pretty easy.

Just some thoughts again.

About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

email: blog@WikiLeak[dot]org

Before you send an email to this address, remember that this blog is independent of the WikiLeakS.org project.

If you have confidential information that you want to share with us, please make use of our PGP public encryption key or an email account based overseas e.g. Hushmail

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblowers are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistleblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

BlogSafer - wiki with multilingual guides to anonymous blogging

Digital Security & Privacy for Human Rights Defenders manual, by Irish NGO Frontline Defenders.

Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide (.pdf - 31 pages), by the Citizenlab at the University of Toronto.

Handbook for Bloggers and Cyber-Dissidents - March 2008 version - (2.2 Mb - 80 pages .pdf) by Reporters Without Borders

Reporters Guide to Covering the Beijing Olympics by Human Rights Watch.

A Practical Security Handbook for Activists and Campaigns (v 2.6) (.doc - 62 pages), by experienced UK direct action political activists

Anonymous Blogging with Wordpress & Tor - useful step by step guide with software configuration screenshots by Ethan Zuckerman at Global Voices Advocacy. (updated March 10th 2009 with the latest Tor / Vidalia bundle details)

WikiLeakS Links

The WikiLeakS.org Frequently Asked Questions (FAQ) page.

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B. the words "security" or "anonymity" and "Twitter" are mutually exclusive:

WikiLeakS.org Twitter feed via SSL encrypted session: https://twitter.com/wikileaks

WikiLeakS.org unencrypted Twitter feed http://twitter.com/wikileaks

Internet Censorship

OpenNet Initiative - researches and measures the extent of actual state level censorship of the internet. Features a blocked web URL checker and censorship map.

Temporary Autonomous Zone

Temporary Autonomous Zones (TAZ) by Hakim Bey (Peter Lambourn Wilson)

Cyberpunk author William Gibson
