The WikiLeakS.org website has yet again extended its "publication strike", which it has been on since before Christmas 2009, until, supposedly
January 15th 2010.
[UPDATE: 19th January 2010: - the Yet Again Extended Deadline of Monday 18th January has come and gone, but the WikiLeakS.org "anonymous" publication service is still suspended, with no announcement of any new target date]
They did seem to re-introduce a link for "secure submissions" on the 11th January, but why should anyone leak stuff to them, with no immediate prospect of publication ?
Their Disclaimer makes some bold claims:
Submit a document for us to publish and, in order to maximize its impact, distribute amongst our network of investigative journalists, human rights workers, lawyers and other partners.
We will publish and keep published the document you submitted, provided it meets the submission criteria. Your data is stored decentralized, encrypted and as a preserved historic record, accessible in full by the public.
The information you submit will be cleaned by us to not be technically traceable to your PDF printing program, your word installation, scanner, printer.
We also anonymize any information on you at a very early stage of the WikiLeaks network, and our services neither know who you are nor do they keep any information about your visit.
We will never cooperate with anyone trying to identify you as our source. In fact we are legally bound not to do so, and any investigation into you as our source is a crime in various countries and will be prosecuted.
Note, however,that this Disclaimer link does create a presumably unique session tracking URL, probably so that they can show, via yet another link, a meta re-fresh page which shows the upload progress of your file submission.
The Disclaimer says "our services neither know who you are nor do they keep any information about your visit. ", but it is still unclear if this really applies to these presumably unique session identifiers which may well be stored in logfiles or content management database associated with the "decentralized" file storage system.
Remember taht one way of identifying a potential whistleblower using an SSL / TLS encrypted web submission form, is to analyse the amount of data uploaded.
If , say, a large document or video clip appears on WikiLeaks.org, and the only person who has uploaded several megabytes of data to them is you, then you may have betrayed your identity to local investigators, regardless of the fact that they didi not read the contents of the encrypted session.
Perhaps people should be encouraged to upload several dummy "chaff" files ,clearly marked as such to be deleted, simply to help hide the true "leak" document".
This should never be a sneaky "automatic by default" action, but should be an option which is transparent to the whistleblower.
On a more positive note, at least the new Submission form, now gives some space for the whistleblower to add some notes into a separate field:
If you want to give us more context and details about your submission please, feel free. Any information you can provide will help with verification and maximing the impact of your submission
This could include "anonymous" contact details, email addresses, PGP Encryption / SIgning keys, disposable mobile phone numbers etc
However it should be made much clearer, that this potentially identifying personal information will not be published.
There must also be credible assurances as to how this whistleblower contact data will be protected within the WIkiLeakS.org organisation.