The lack of any published high-level security architecture for the WikiLeakS.org project
has been an ongoing failure, which reduces the level of trust and confidence which people can have in it.
Not all of the technical details of how they are trying to achieve the best mix of anonymity, security, scalability and usability techniques need to be made public. However, a formal statement of exactly what they are trying to do would help people outside the project to point out potential problems or improvements, or to see that these have already been recognised and are work in progress.
In the absence of anything but the most hand-waving salespeak from WikiLeakS.org, observers of the project have to critically examine the writings of their central politburo, and read between the lines.
The recently published Wikileaks:Investigator's guide page has some vaguely reassuring legal warnings about journalist / source legal protection in Sweden and Belgium and the USA.
Wikileaks:Investigator's guide
From Wikileaks
This document is for judges, investigating magistrates, judicial officers and investigators. It explains issues and evidence that you may see in an investigation relating to Wikileaks.
This is not, therefore, a discussion document soliciting ideas or feedback on proposed future project features; it appears to be a fait accompli.
However, the Investigator's Guide also contains some technical inaccuracies or, perhaps, deliberate misinformation, and a description of a very worrying "phone home" spyware "feature".
By which methods does Wikileaks receive documents?
- Via Tor network anonymized, encrypted uploads.
- Passed to staff members by affiliated journalists, activists or volunteers in person.
- Encrypted (SSL) uploads to the site, including via netcafes or other such "untraceable" random machines.
SSL encryption directly to the WikiLeakS.org website does nothing to hide the visitor's IP address, the time and date of the connection, or the potentially characteristic amount of data being transferred.
- In the regular post.
- Via encrypted or regular email for low sensitivity documents.
How, then, is any such email "encrypted" end to end in transit, which is the normal meaning of the term "encrypted email"?
Any emails we receive on any matter automatically have their headers stripped of all fields except "From:", "To:", "Subject:" and "Reply-To:" and are encrypted with AES256 (approved for US DoD TOP SECRET communications) storage.
That is all very well, but it is not sufficient to protect the confidentiality of an email from a whistleblower, or from a leaked document analyst with specialised access or knowledge, from being snooped on in transit. Encrypted storage only helps in the extreme case of a police raid on, or burglary of, the WikiLeakS.org computers in Stockholm, Sweden.
The option of allowing the public to use PGP encryption has been suggested, and, for a time it was available.
The WikiLeakS.org project effectively stopped using PGP public key encryption last year, when their PGP key expired on November 2nd 2007.
They seem to be claiming that they will publish new PGP keys "soon", but that this cannot be done until a volunteer writes a guide for "the Average Joe" and "the masses", according to the PGP Key Talk page.
PGP Keys will be provided soon again. For now Wikileaks is missing a sound and user-friendly guide for usage of PGP that will make sure users contacting us with this method make no mistakes that could compromise them. Individual PGP keys for editors still exist and are available on request.
The situation as of now is purely an issue of lack of time to address the writing of proper guidelines for Average Joe, which we perceive as being fundamental to publishing a PGP key for the masses. A volunteer is currently addressing this issue,...
This is a bit of a puzzle, as they have not bothered to write any detailed beginner's guides "for the Average Joe" and "the masses" for the other sophisticated technologies they make use of, all of which can also be misused to give a false sense of security, e.g. SSL / TLS session encryption or Tor Onion Routing.
However, the most worrying part of this Investigator's Guide is this astonishing claim:
I see a large transfer of data from a computer to Wikileaks. Have I found a source?
Probably not:
1. Anytime someone accesses the Wikileaks site, their browser is instructed, without reader awareness, to perform random reads and random large transfers of information to the site.
This is obviously not a misprint, since a bit further down the page it says:
But the size of data transfer to Wikileaks and the size of the document are about the same?
As set out above, random transmissions are made to Wikileaks by any reader of Wikileaks, so the existence of a transmission means nothing. In addition Wikileaks staff reformat nearly all documents, changing their size up to 10 times, specifically to avoid this type of correlation. The originals are destroyed.
This re-sizing and reformatting of documents does not seem to apply to zip compressed archives of several such documents.
But the data transfer took place shortly before the document appeared on Wikileaks?
As set out above, random transmissions are made to Wikileaks by any reader of Wikileaks, so the existence of a transmission means nothing. In addition, publication can either be delayed by Wikileaks up to a year specifically to avoid this type of correlation or the source may have set a specific embargo date for publication.
Firstly, we have not yet seen this behaviour on any of the WikiLeakS.org web pages we have visited so far; perhaps we have just been lucky. It might also mean that this "feature" has been developed but not yet inflicted on the public website, and that the author of this Investigator's Guide assumes that it will be live soon.
However, if they have implemented, or are planning to install, some sort of JavaScript, Flash, Java or other mechanism to generate random reads and random writes to the site from a visitor's computer, they should never do this in secret, without warning the visitor and getting their informed consent. That is both ethically wrong and, under some data protection or computer misuse laws, actually illegal.
N.B. this is not the same as what is described as "Cover Traffic" on the Connection Anonymity page, and also in the Investigator's Guide. That is WikiLeakS.org volunteer-generated traffic, which may only be partially effective, since the IP addresses of Tor Exit Nodes and other proxy servers are not secret: they are easily filtered out during Communications Traffic Data Analysis, or blocked by corporate or national level firewalls.
In order to actually achieve what they claim to be trying to do, i.e. to provide background noise and random traffic to obscure real WikiLeakS.org website users' downloads of web pages and uploads of comments or whistleblower leaked files, there would have to be the equivalent of a typical broadband internet Speed Test application, which downloads a random file from the server (perhaps one generated on the fly) and then uploads some or all of it (or, again, generates it on the fly).
The words "random reads and random large transfers of information to the site" and "random transmissions" do not necessarily mean that all of the data being "phoned home" to the WikiLeakS.org webserver is actually random. How can we be sure that it does not also contain the IP address, MAC address, operating system details, web browser details, browser cookie information etc.?
This might perhaps be a useful extra anonymity tool, but it should be entirely under the website visitor's control, otherwise it is indistinguishable from malicious spyware.
If, for example, someone were to visit the WikiLeakS.org website whilst using Tor or a relatively anonymous internet connection (e.g. via a WiFi hotspot or an internet cyber cafe), but kept the browser window open (perhaps whilst their laptop computer went into standby mode) and later made a different, more identifiable internet connection (e.g. from their home), the WikiLeakS.org "random reads and random large transfers of information to the site" would then betray their real, identifiable IP address to the logfiles of the ISPs in, say, the European Union or China, which are required by law to retain such logfiles for the police, intelligence agencies, and libel or copyright lawyers etc.
It is also not clear from this Investigator's Guide if the "random reads and random large transfers of information to the site" from the web site visitor's web browser are only via plaintext http:// , or whether they also provide some "cover traffic" for SSL encrypted https:// sessions.
If the data transfers do not initiate proper SSL sessions, then they will stand out as fake traffic to any Communications Traffic Analysis program. How this is meant to work with SSL connections via Cover Name domain name aliases, which do not match the Digital Certificate of the possibly censored http://secure.wikileaks.org domain name, without any user intervention, is also a mystery.
If WikiLeakS.org persists with this plan and actually implements such spyware, even for an allegedly benign purpose, they will suffer the fate of Microsoft, Mozilla, Adobe etc., all of whom have had to withdraw or modify various technical statistics gathering or marketing analysis "phone home" applications after the public backlash.
According to the Wikileaks talk page for this Investigator's Guide:
http://wikileaks.org/wiki/Wikileaks_talk:Investigator%27s_guide
It seems that only SSL traffic is randomly generated, which is useless for providing any cover traffic for unencrypted http:// browsing or uploads to the site. It is very easy for communications data traffic analysis software to filter out and analyse port 80 http:// traffic distinctly from port 443 https:// traffic.
It is unclear whether the randomly generated traffic is sent after a random delay following a visit to a wikileaks.org web page. If so, this could betray your real IP address if you switch from your home or business internet connection (easily traceable) to or from a less traceable one, e.g. via Tor or an open WiFi access point.
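As an added example (not code from the original post or from WikiLeaks), here is how the linkage described in the open-browser-window scenario and in the random-delay point above would show up in a web server's own access log, together with the client-side gate that would stop a cover transfer from ever firing from a later, different connection. It assumes a constructed combined-format log with a trailing session cookie field and a made-up /random-transfer path; none of these values are from wikileaks.org.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (combined format plus a trailing cookie field).
# IPs are documentation ranges; the /random-transfer path, cookie values and
# timestamps are made up and are not from wikileaks.org. 198.51.100.7 stands
# for a Tor exit / hotspot address, 203.0.113.44 for the visitor's home address.
LOG = """\
198.51.100.7 - - [02/Jan/2008:10:00:01 +0000] "GET /wiki/Some_Page HTTP/1.1" 200 5120 "sid=a1b2c3"
198.51.100.7 - - [02/Jan/2008:10:00:05 +0000] "POST /random-transfer HTTP/1.1" 200 0 "sid=a1b2c3"
203.0.113.44 - - [02/Jan/2008:18:41:12 +0000] "POST /random-transfer HTTP/1.1" 200 0 "sid=a1b2c3"
192.0.2.9 - - [02/Jan/2008:11:15:00 +0000] "POST /random-transfer HTTP/1.1" 200 0 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<cookie>[^"]*)"$'
)

def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def linked_sessions(text):
    """Session ids seen from more than one client IP, with the IPs and the minutes
    between first and last sighting: one browser session bridging two addresses."""
    seen = defaultdict(list)
    for rec in parse_log(text):
        if rec["cookie"].startswith("sid="):
            seen[rec["cookie"][4:]].append((rec["ts"], rec["ip"]))
    out = {}
    for sid, events in seen.items():
        ips = sorted({ip for _, ip in events})
        if len(ips) > 1:
            span = max(t for t, _ in events) - min(t for t, _ in events)
            out[sid] = {"ips": ips, "gap_minutes": int(span.total_seconds() // 60)}
    return out

def may_send_cover_transfer(page_loaded_at, now, page_visible, max_age_s=300):
    """Client-side gate for any cover transfer: only while the page is in the
    foreground and shortly after the original load, never hours later."""
    return page_visible and (now - page_loaded_at) <= max_age_s
```

Even a transfer without any cookie still puts the home IP in the ISP's connection logs, which is why the gate on timing and visibility matters more than stripping identifiers.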