Is planning to embed "phone home" spyware in its web pages ?

| | Comments (1)

The lack of any published high level security architecture for the project
has been an ongoing failure, which reduces the level of trust and confidence which people can have in it.

Not all of the technical details of how they are trying to achieve the best mix of anonymity, security , scalability and usability techniques need to be made public, however a formal statement of what exactly they are trying to do, would help people outside the project to point out potential problems, or improvements, or to see that these have already been recognised and are work in progress.

In the absence of anything but the most hand waving salespeak from, observers of the project have to critically examine the writings of their central politburo, and read between the lines,

The recently published Wikileaks:Investigator's guide page has some vaguely reassuring legal warnings about journalist / source legal protection in Sweden and Belgium and the USA.

Wikileaks:Investigator's guide

From Wikileaks

This document is for judges, investigating magistrates, judicial officers and investigators. It explains issues and evidence that you may see in an investigation relating to Wikileaks.

This is not, therefore, a discussion document, soliciting ideas or feedback on proposed future project features, it appears to be a fait accompli.

However, the Investigator's Guide also contains some technical inaccuracies or, perhaps, deliberate misinformation, and a description of a very worrying "phone home" spyware "feature".

By which methods does Wikileaks receive documents?

  • Via Tor network anonymized, encrypted uploads.
  • Passed to staff members by affiliated journalists, activists or volunteers in person.
  • Encrypted (SSL) uploads to the site, including via netcafe's or other such "untraceable" random machines.

SSL encryption directly to the website does nothing to protect the anonymity of the IP address, time, date and the potentially characteristic amount of data being transferred.

  • In the regular post.
  • Via encrypted or regular email for low sensitivity documents.

How is any email "encrypted" end to end in transit, the normal meaning of the term "encrypted email" then ?

Any emails we receive on any matter automatically have their headers stripped of all fields except "From:", "To:", "Subject:" and "Reply-To:" and are encrypted with AES256 (approved for US DoD TOP SECRET communications) storage.

That is all very excellent, but is not sufficient to protect the confidentiality of an email from a whistleblower or from a leaked document analyst with specialised access or knowledge, from being snooped on, except, perhaps, in the extreme case of a police raid or burglary of the computers in Stockholm, Sweden.

The option of allowing the public to use PGP encryption has been suggested, and, for a time it was available.

The project effectively stopped using PGP public key encryption last year, when their PGP key expired on November 2nd 2007.

They seem to be claiming that they will publish new PGP keys "soon", but that this cannot be done until a volunteer writes a guide for "the Average Joe" and "the masses", according to the PGP Key Talk page

PGP Keys will be provided soon again. For now Wikileaks is missing a sound and user-friendly guide for usage of PGP that will make sure users contacting use with this method make no mistakes that could compromise them. Individual PGP keys for editors still exist and are available on request.

The situation as of now is purely an issue of lack of time to address the writing of proper guidelines for Average Joe, which we perceive as being fundamental to publishing a PGP key for the masses. A volunteer is currently addressing this issue,...

This is a bit of a puzzle, as they have not bothered to write any detailed beginner's guides "for the Average Joe" and "the masses", for the other sophisticated technologies they make use of, all of which can also be misused to give a false sense of security e.g. SSL / TLS session encryption or Tor Onion Routing.

However, the most worrying part of this Investigator's Guide is this astonishing claim:

I see a large transfer of data from a computer to Wikileaks. Have I found a source?

Probably not:

1. Anytime someone accesses the Wikileaks site, their browser is instructed, without reader awareness, to perform random reads and random large transfers of information to the site.

This is obviously not a misprint, since a bit further down the page it says:

But the size of data transfer to Wikileaks and the size of the document are about the same?

As set out above, random transmissions are made to Wikileaks by any reader of Wikileaks, so the existence of a transmission means nothing. In addition Wikileaks staff reformat nearly all documents, changing their size upto 10 times, specifically to avoid this type of correlation. The originals are destroyed.

This re-sizing and reformatting of documents does not seem to apply to zip compressed archives of several such documents.

But the data transfer took place shortly before the document appeared on Wikileaks?

As set out above, random transmissions are made to Wikileaks by any reader of Wikileaks, so the existence of a transmission means nothing. In addition, publication can either be delayed by Wikileaks upto a year specifically to avoid this type of correlation or the source may have set a specific embargo date for publication.

Firstly, we have not yet seen this behaviour on any of the web pages we have visited so far, perhaps we have just been lucky, so far. It might also mean that this "feature" has been developed, but not yet inflicted on the public website, but that the author of this Investigator's Guide assumes that it will be live soon.

However, if they have implemented, or are planning to install, some sort of Javascript or Flash or Java or other attempt to generate random reads and random writes to the site from a visitor's computer, they should never be doing this in secret, without warning the visitor, and getting their informed consent to do so. That is both ethically wrong, and, under some data protection or computer misuse laws, actually illegal.

N.B. this not the same as what is described as "Cover Traffic" in the Connection Anonymity page, and also in the Investigator's Guide. That is volunteer generated traffic, which may only be partially effective, since the IP addresses of Tor Exit Nodes or other proxy servers are not secret and easily filtered out during Communications Traffic Data Analysis, or blocked by corporate or national level firewalls.

In order to actually achieve what they are claiming to be trying to do, i.e. to provide background noise and random traffic to obscure real website user downloads of web pages and uploads of comments or whistleblower leaked files, there would have to be the equivalent of a typical broadband internet Speed Test application, which downloads a random file, from the server (perhaps one generated on the fly), and then uploads some or all of this (or again, generates it on the fly).

The words "random reads and random large transfers of information to the site" and "random transmissions" do not necessarily mean that all of the data being "phoned home" to the webserver is actually random. How can we be sure that it does not also contain IP address, MAC address, operating system details, web browser details and browser cookie information etc ?

This might perhaps be a useful extra anonymity tool, but it should be entirely under the website visitor's control, otherwise it is indistinguishable from malicious spyware

If, for example, someone were to visit the website, whilst using Tor or a relatively anonymous internet connection (e.g. via a WiFi hotspot, or internet cyber cafe etc.), but kept the browser window open (perhaps whilst their laptop computer went into standby mode) and later made a different, more identifiable internet connection (e.g. from their home), the "random reads and random large transfers of information to the site" would then betray their real identifiable IP address to the logfiles of the ISPs in, say the European Union or China, who are, by law, having to retain such logfiles for the police, intelligence agencies and for libel or copyright lawyers etc.

It is also not clear from this Investigator's Guide if the "random reads and random large transfers of information to the site" from the web site visitor's web browser are only via plaintext http:// , or whether they also provide some "cover traffic" for SSL encrypted https:// sessions.

If the data transfers do not initiate proper SSL sessions, then they will stand out as fake traffic, to any Communications Traffic Analysis program, How this is meant to work with SSL connections ia Cover Name domain name aliases which do not match the possibly censored domain name Digital Certificate, without any user intervention, is also a mystery.

If persist with this plan, and actually implement such spyware, even for an allegedly benign purpose, they will suffer the fate of Microsoft, Mozilla, Adobe etc. all of whom have had to withdraw or modify various technical statistical gathering or marketing analysis collection "phone home" applications after the public backlash.


According to the Wikileaks talk page for this Investigator's Guide:

Phone home spyware is called spyware because it transmits data on the user to some other place. As this feature is not transmitting data on the user, his browser version or any other details there is a slight difference. Let alone the fact that spyware typically calls home by itself from a program, not while you are visiting the actual website it calls home to. This feature is only active when surfing the Wiki.
The data is of random length, random content and transferred via HTTPS. This ensures it is not readable by anyone and just creates a lot of cover traffic/noise going back and forth on the line that no one can interpret. As explained no logs are kept, this is the same for these random connections.
This feature has been carefully thought about and implemented, as all features of this Wiki and it is far from invasive or anyhow problematic for a user. Wikileaks

It seems that only SSL traffic is randomly generated, which is useless for providing any cover traffic for unencrypted http:// browsing or uploads to the site. It is very easy for communications data traffic analysis software to filter out and analyse port 80 http:// traffic distinctly from port 443 https:// traffic.

It is unclear if the randomly generated traffic is generated after a random delay after visiting a web page. If so, this could betray your real IP address if you switch between your home or business internet connection (easily traceable) to or from a less traceable one e.g. via Tor or an open WiFi access point.

About this blog

This blog here at (no "S") discusses the ethical and technical issues raised by the project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

email: blog@WikiLeak[dot]org

Before you send an email to this address, remember that this blog is independent of the project.

If you have confidential information that you want to share with us, please make use of our PGP public encryption key or an email account based overseas e.g. Hushmail

Now that the project is defunct, so far as new whistleblower are concerned, what are the alternatives ?

The wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistlblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link:

BlogSafer - wiki with multilingual guides to anonymous blogging

Digital Security & Privacy for Human Rights Defenders manual, by Irish NGO Frontline Defenders.

Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide (.pdf - 31 pages), by the Citizenlab at the University of Toronto.

Handbook for Bloggers and Cyber-Dissidents - March 2008 version - (2.2 Mb - 80 pages .pdf) by Reporters Without Borders

Reporters Guide to Covering the Beijing Olympics by Human Rights Watch.

A Practical Security Handbook for Activists and Campaigns (v 2.6) (.doc - 62 pages), by experienced UK direct action political activists

Anonymous Blogging with Wordpress & Tor - useful step by step guide with software configuration screenshots by Ethan Zuckerman at Global Voices Advocacy. (updated March 10th 2009 with the latest Tor / Vidalia bundle details)

WikiLeakS Links

The Frequently Asked Questions (FAQ) page.

WikiLeakS Twitter feeds

The website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B.the words "security" or "anonymity" and "Twitter" are mutually exclusive: Twitter feed via SSL encrypted session: unencrypted Twitter feed

Internet Censorship

OpenNet Initiative - researches and measures the extent of actual state level censorship of the internet. Features a blocked web URL checker and censorship map.

Temporary Autonomous Zone

Temporary Autonomous Zones (TAZ) by Hakim Bey (Peter Lambourn Wilson)

Cyberpunk author William Gibson

Campaign Button Links

Watching Them, Watching Us, UK Public CCTV Surveillance Regulation Campaign
UK Public CCTV Surveillance Regulation Campaign

NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card
NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card and National Identity Register centralised database.

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.
Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid_150.jpg - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Peaceful resistance to the curtailment of our rights to Free Assembly and Free Speech in the SOCPA Designated Area around Parliament Square and beyond

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

Petition to the European Commission and European Parliament against their vague Data Retention plans
Data Retention is No Solution Petition to the European Commission and European Parliament against their vague Data Retention plans.

Save Parliament: Legislative and Regulatory Reform Bill (and other issues)
Save Parliament - Legislative and Regulatory Reform Bill (and other issues)

Open Rights Group

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network
Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Tor - the onion routing network
Anonymous Blogging with Wordpress and Tor - useful Guide published by Global Voices Advocacy with step by step software configuration screenshots (updated March 10th 2009).

Amnesty International's campaign

BlogSafer - wiki with multilingual guides to anonymous blogging

NGO in a box - Security Edition privacy and security software tools

Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."

Reporters Without Borders - Reporters Sans Frontières - campaign for journalists 'and bloggers' freedom in repressive countries and war zones.

Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

wikileaks_logo_low.jpg - the controversial "uncensorable, anonymous whistleblowing" website based currently in Sweden.

Syndicate this site (XML):

Recent Comments

  • wikileak: According to the Wikileaks talk page for this Investigator's Guide: read more

November 2018

Sun Mon Tue Wed Thu Fri Sat
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30