Wikileaks, First Amendment, Espionage, Information Security

I’ve been having some lively discussions surrounding Wikileaks’ release of United States diplomatic cables on November 28, 2010. I seem to be confusing some people with my arguments and statements. I intend to clear this up.

For the record:

• I support Wikileaks’ publication of the diplomatic cables. However that information came into their hands, their right to release the content falls squarely under the First Amendment¹ (either Freedom of the Press or Freedom of Speech, take your pick) in my opinion.
• I support the Government’s right, as designated by Congress under various acts, to prosecute any illegal activity that led to Wikileaks’ possession of the cables.

Those two positions are distinct, and not necessarily contradictory, which seems to be the main point of contention in my conversations. Yes, it’s possible that persons within Wikileaks have committed acts which may qualify as illegal under our various espionage and security laws. But those persons and Wikileaks still remain separate.

The devil is in the details, of course, and I have a sneaking suspicion that the details will be worked out in the courts for next several years. I’m a firm believer in our system of government so I have faith that things will work out for the best.

I should add a further stipulation, though:

• I do not support the government if it uses its position as big dog to suppress the release of information that, while embarrassing, may serve to better educate those of us in the Republic that pay attention and want to make informed decisions.

The information is out. It is now ours, John and Jane Q. Public’s, to deal with and ingest. If the government doesn’t like that, it should have done a better job of hanging on to it. Advocating for Wikileaks to be designated a Terrorist Organization is not upholding the fundamentals our country was founded upon.

This will Happen Again

This incident may have marked a turning point for the government. This may be the final wakeup call that information security isn’t what it used to be. The revelation of these internal memos of the State Department are going to embarrass us internationally and there will be plenty of spadework by Secretary Clinton and whoever her successor ends up being². The wakeup call, however, isn’t that the information needs to be secured even more tightly, until it screams and bleeds, but for it to be managed in a manner that allows for the balance of maximum security along with maximum utility³ acknowledging all the while that in the information era, this type of leak is impossible to prevent.

I am not a government employee. I’ve never been in the military. I do not work in a high-security environment. I make these statements to display the breadth of my ignorance on how the government likely treats its classified and secret information on a day to day basis. I do know that secure communications are the foundation of any activity, be it governmental work, military action, or just chatting about your mother in law. However, the Wikileaks posting isn’t about communications so much as archival storage, access controls and trust.

I don’t see how it’s possible to prevent the type of action that led to the release of the Afghan and Iraq war diaries as well as these diplomatic cables. The size of the releases strongly argues that whoever was responsible⁴ had access to a large database where these documents could be acquired. This wasn’t some random whistleblower who sent a stolen company memo to the newspaper; this was a person with access and means. If the person had been higher in the chain of responsibility and the government has similar controls and databases for its top secret and other communications, who knows what we’d be seeing right now.

This is Hard to Prevent

As I alluded to above, about the balance between security and utility, the easiest way to make sure that no unauthorized person gets access to these types of documents is to ensure that no one has access. That’s not practical of course. We send our diplomats far foreign to liaise with their counterparts and to report back to the government. Without the reports coming back and being read by the decision makers, there’s not much point in sending them in the first place. We aren’t in the grand age of sail anymore where diplomats often had plenipotentiary powers because of the time gap in communications. Today’s diplomats are hooked into the central government 24/7 and communiqués need to flow for useful decisions to be made.

All of the communications could be encrypted, of course, but then the problem of access control rears its head. Who, precisely, gets to send and receive the messages? How are they stored and accessed? Encryption alone wouldn’t have prevented the release of the cables because the alleged leaker probably had the access required. Encryption and database management will help prevent outside agencies from taking the communications, but it seems we’re doing all right on that front already.

An important point to remember is that while “encryption” is a nice buzzword, it’s not useful in a lot of applications. Last year there was a big flap in the media about the Taliban in Afghanistan being able to access the unencrypted video feed from Predator drones flying missions. This was a big yawn because that sort of real-time tactical information is of strictly limited utility to the adversary and the effort required to secure it is well in excess of the possible harm that could come of someone listening in. Encryption has costs, too. Some of them are excessive.

It’s Within Your Power to Secure Your Email Communications

If this stuff makes you a bit paranoid about people reading your emails and letters, good! It’s always good practice to envision what people would think if they received a copy of the email you are writing. The rule of thumb when I was in college was: “What would you think if this were printed on the front page of the newspaper.” This rule has changed a bit for me after I received my Professional Engineer’s license to: “What would you think if this were read into evidence in a court of law.” Those rules are excellent ones to follow but we can’t use them to rule our lives or else we’ll never have electronic communications that are candid and frank. You know, the ones that actually get to the point and get things done. Fortunately or unfortunately, electronic communications are becoming an important (perhaps key) part of our interpersonal and interbusiness relationships now, email being the prime means.

Of course, email is one of the most unsecured communication methods that exist. There are numerous ways to tap into your email stream, the easiest of which is to steal your computer. Even if you maintain everything in the cloud, numerous servers process and copy (and archive) the emails that go through them. All of this is retrievable through legal and illegal means.

I advocate that we all should encrypt our day to day emails⁵, especially between parties where disclosure of that information would lead to embarrassment, lawsuits, or worse. I’ve written about this in the past and even have a tutorial on how I went about it. If you want to exchange secure emails with me, it’s not difficult. Just click through the link and learn. I regularly apply an electronic signature to my emails⁷, which doesn’t do anything for security per se, but you can be sure that the email is from me, or from someone in possession of my passphrase. It’s only one more step, on your end, for you to receive encrypted emails from me, and to send them in return. Then we can discuss Aunt Gladys without worrying about Nephew Jim reading the emails while we’re stupefied on thanksgiving turkey.

None of this prevents the legal system from requiring you to give up your passphrase and disclose those encrypted emails—subpoenas are a pain that way—but it will prevent unauthorized disclosure of information that you wish to remain private and/or secret.⁶

The End

How do I wrap up this essay? I’ve opined in several directions. Perhaps dangerously so. I think we’ll just throw this out there and see what happens. Enjoy. My email is at the top of the blog page but it would be better to respond on this posting.

¹: In the United States alone, of course.
²: Yes, I think there will be fallout for at least 6 years
³: Easiest way to secure these cables would be to never send them, or even write them, but then they would not be very useful. The balance of security/utility is something that individual organizations/people have to work out.
⁴: Allegedly a U.S. Soldier named Bradley Manning
⁵: This is also good practice for avoiding suspicion if you ever need to start protecting your communications from someone. If you are being watched and suddenly all the emails you’re exchanging with your friend Bob are encrypted, there might be some suspicion that “something is going on”. If you encrypt all your communications as a matter of course, this information tidbit is removed.
⁶: Hard drive encryption programs such as Truecrypt say that you can securely hide a portion of your hard drive in such a manner that you would be able to give up a passphrase to “an adversary” (in this case, I envision a subpoena) yet still maintain a separate encrypted area that contains your real information, with a different passphrase, undetected. There are arguments about whether or not that would work. If you’re really really paranoid or want to apparently comply with the court order yet still maintain secret information, I recommend checking it out.
⁷: Which may have caused you to click through to this link because you received some odd text in a message from me.