Skip to content

Leaks to the mainstream

From the Summer 2011 issue of The News Media & The Law, page 12. The success WikiLeaks has had in…

From the Summer 2011 issue of The News Media & The Law, page 12.

The success WikiLeaks has had in acquiring leaked documents has resulted in traditional media entities launching their own document drop box websites.

The Wall Street Journal and Qatar-based television network Al Jazeera launched online drop boxes earlier this year, and former New York Times Executive Editor Bill Keller told Yahoo in January that the paper may launch a similar service.

Although the Journal and Al Jazeera promise anonymity to those leakers who request it, the terms of use for the sites make it clear that people who upload documents are doing so at their own risk.

SafeHouse

“Keep your identity anonymous or confidential, if needed,” boasts the website for the Journal’s drop box, SafeHouse, which was launched in May.

SafeHouse provides users with three options for submitting content: a standard option, an anonymous option and an option to request confidentiality.

The standard option is for those who have no qualms about providing contact information. Under the anonymous option, the user is not required to provide contact information, but is not guaranteed confidentiality. Instead, the amount of identifying information is “minimized,” according to the site’s terms of use.

The Journal will only agree to protect a user’s confidentiality if the paper and the user reach a confidentiality agreement prior to the uploading of any documents.

Except when a confidentiality agreement has been negotiated, “we reserve the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice, in order to comply with any applicable laws and/or requests under legal process, to operate our systems properly, to protect the property or rights of Dow Jones or any affiliated companies, and to safeguard the interests of others,” the terms of use say. Dow Jones is the owner of The Wall Street Journal.

Even still, SafeHouse’s terms say a confidentiality agreement is not absolute.

“If we enter into a confidential relationship, Dow Jones will take all available measures to protect your identity while remaining in compliance with all applicable laws,” the terms say.

The terms also note that “[w]e are unable to ensure the complete confidentiality or anonymity of anything you send to us.”

In a statement released shortly after SafeHouse’s launch, the Journal said it is committed to protecting its sources and the terms of use are for “extraordinary” circumstances.

The Al Jazeera Transparency Unit

Four months prior to the launch of SafeHouse, the Al Jazeera satellite television network, which is owned by state-controlled Qatar Media Corp., launched its online drop box: Al Jazeera Transparency Unit.

The project has already resulted in the release of nearly 1,700 confidential documents related to the Israeli-Palestinian peace process, dubbed the Palestine Papers.

Providing contact information to the Transparency Unit is optional, but, unlike SafeHouse, the Transparency Unit does not provide an option to enter into a confidentiality agreement.

“While AJTU will make every attempt to ensure your identity is confidential when using the Services, your content submissions are deemed non-confidential and AJTU has no obligation to maintain the confidentiality of any information, in whatever form, contained in any submission,” the site’s terms of use say.

However, the site promises to protect user’s identities.

“We recognize that — despite the best technology — our readers and viewers are taking a risk by submitting materials, particularly those living in countries where such disclosures are not protected by law,” the Transparency Unit’s “How to Submit” page says. “Our journalists will ensure that the identities of our sources are protected, and that submissions are scrubbed of sensitive information — like the ‘metadata’ that contains authoring information — before those submissions are released to the public.”

Al Jazeera recently deactivated the Transparency Unit to address security concerns and to make it more user-friendly. The company has not said when it plans to make the drop box available again.

The risks in using online drop boxes

“I think whistleblowing is inherently risky and you take a risk when you decide to turn something over that could potentially impact other people,” said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation.

“And, while I applaud The Wall Street Journal and Al Jazeera for trying to make it easier for people to do that, I think people who do decide to whistleblow need to be very, very aware and very clear that neither The Wall Street Journal nor Al Jazeera completely guarantee their anonymity.”

Fakhoury noted that, based on the terms of use, it is unclear what types of information could result in a leaker’s loss of anonymity.

He used the recent News of the World scandal in the U.K. as an example.

Like The Wall Street Journal, News of the World was, before being shut down in July, part of the News Corporation media conglomerate.

“Maybe someone wanted to leak this cell phone hacking scandal in England to The Wall Street Journal; The Wall Street Journal is reserving the right to turn that information over to other people,” Fakhoury said. “If the person who found out about that reported it to SafeHouse, would The Wall Street Journal have turned that over to News Corp.? . . . The terms of service seem to indicate: maybe. And that’s part of the problem, it’s hard for a person to know what is likely to get turned over and what is not likely.”

Both companies have terms of use that say “we’ll try to keep [the information] confidential, but we don’t promise you that,” Fakhoury continued. “We don’t promise that we won’t turn it over to police. We don’t promise that we won’t turn it over to other parties . . . who may be affected by the information you may be turning over. That puts the whistleblower at a lot of risk that they could not be anonymous, not have their submissions remain confidential and find themselves in trouble.”

Fakhoury said it would be helpful if the terms of use included more definitive guidance on which types of information could be turned over to other parties.

“Not so much examples, like here are the six things you can do that will get your name turned over — I’m not saying they need to provide a definition with that level of specificity . . . but they could do a lot better than what they’ve done in defining what is and is not likely to get your information turned over,” Fakhoury said.

How good is “pretty good”?

SafeHouse and Al Jazeera Transparency Unit say their sites encrypt uploaded documents and offer a PGP encryption key for users to download for additional protection. PGP is an acronym for “pretty good privacy.”

“We do not log any personal information when you submit a file,” the Transparency Unit’s terms of use say.

PGP encryption is “generally very good,” Fakhoury said, but added that, while it’s useful in protecting the information when it’s on one’s own computer, it doesn’t help with protecting communication between the leaker and SafeHouse or the Transparency Unit.

Also, in order for a reporter at the Journal or Al Jazeera to remove the encryption, he would need an encryption key from the leaker, meaning the leaker would likely need to provide some identity or contact information to the reporter.

As of August, Qualys SSL Labs gave SafeHouse’s encryption an “A” rating, while Al Jazeera Transparency Unit received a “C” rating in July, prior to being taken down. Qualys SSL Labs is a website set up by information technology security company Qualys that enables users to perform security assessments of websites.