Friday, May 6, 2011

May 6 - Absurd rules make WSJ's new leak site a non-starter

Absurd rules make WSJ's new leak site a non-starter

Paul Marks, senior technology correspondent

The Rupert Murdoch-owned Wall Street Journal has become the latest news outfit to launch a website where people can leak documents, Wikileaks style. It's certainly an interesting move for a publishing firmThe News Of The World, to intercept the voicemails of celebrities and politicians. currently under legal and regulatory scrutiny for allowing journalists at its weekly tabloid.

But the WSJ's nascent SafeHouse leaksite appears to suffer from the same kind of problems as one recently launched by Arab newscaster Al Jazeera: its terms of use place onerous - if not absurd - demands on the would-be leaker. And experts checking out SafeHouse last night found a raft of security risks.

If the plight of alleged leaker Bradley Manning has thrown anything into sharp relief, it's the utter peril that leakers of sensitive information can find themselves in. So the organisations jumping on the leakserver bandwagon with sites of their own really ought to be shoring up the security of their offerings and the terms under which they can be used.

As we detailed in January, Al Jazeera launched its Transparency Unit website, with a button allowing people to leak "documents, emails, photos, audio and video". But the site's terms of use turn leaking into an exercise in copyright law: leakers must assure Al Jazeera that the owner of the leaked documents (etc) have assigned all rights to the leaker and that they in turn grant such rights to Al Jazeera. WTF? as they say on Twitter.

So when the SafeHouse story was abroad online last night, I read its terms of use, too. Like Al Jazeera, the WSJ says leakers should have "all the necessary legal rights to upload or submit such Content". Having done that, they must grant the WSJ "a non-exclusive, transferable, worldwide, fully paid-up, royalty-free, perpetual, irrevocable right and license to use, distribute, publicly perform, display, reproduce, and create derivative works from, the Content in any and all media".

What is it they don't get about the status of leaked documents? In addition, Al Jazeera and the WSJ both say they reserve the right to identify leakers to law enforcement if pressed to. 

No one is suggesting either outfit will compromise sources, but this thicket of caveats does little to engender confidence in their leakservers.

If you were to get past these onerous terms of use and actually leak something, experts are not impressed with the anonymity defences either. At the University of Washington, computer scientist Jacob Applebaum, a leading light in the Tor Project widely believed to be aiding infoflow in the ongoing Arab enlightement, criticised the way the site insecurely handles https, secure socket layer encryption and Tor.

Applebaum said on his twitter site, @ioerror:
Pro-tip: if you're going to create a document leaking website - have a clue!

If Wikileaks is feeling smug, however, it has no grounds to. Former Wikileaks spokesman Daniel Domscheit-Berg has detailed in his book Inside Wikileaks how risky the whole process really is. Anyone thinking of submitting info to WikiLeaks should read it.

Facebook iconDigg iconDelicious iconStumbleUpon iconTwitter iconTechnorati iconReddit iconAddThis icon

No comments:

Post a Comment

At midday on Friday 5 February, 2016 Julian Assange, John Jones QC, Melinda Taylor, Jennifer Robinson and Baltasar Garzon will be speaking at a press conference at the Frontline Club on the decision made by the UN Working Group on Arbitrary Detention on the Assange case.