Skip to main content

Apparent string of errors unties WikiLeaks' bundle of secret cables

By Atika Shubert, CNN
A book about WikiLeaks founder Julian Assange compromised the website's security, it says.
A book about WikiLeaks founder Julian Assange compromised the website's security, it says.
  • NEW: The State Department says it was notified of the problem
  • Thousands of secret U.S. cables are now online
  • WikiLeaks blames the writer of a book on WikiLeaks founder Julian Assange
  • "Nonsense," say the writer and his publisher

(CNN) -- More than 250,000 secret U.S. diplomatic cables are now available in full and unfiltered online, exposing scores of U.S. diplomatic sources and informants that were meant to be protected often for their own safety, according to the website WikiLeaks.

But this is not an official WikiLeaks release. Rather, what appears to be a string of errors has lead to both the raw file and the password that unlocks that file to be released into the public domain, without WikiLeaks control.

In a statement posted on Twitter, WikiLeaks said, "Guardian investigations editor, David Leigh, recklessly, and without gaining our approval, knowingly disclosed the decryption passwords in a book published by the Guardian."

In February, Leigh released the book "WikiLeaks: Inside Julian Assange's War on Secrecy." In it, he describes in detail how WikiLeaks editor Julian Assange gave him the password to unlock the massive archive of diplomatic cables.

The London-based Guardian newspaper responded to the WikiLeaks tweet with its own statement: "It's nonsense to suggest the Guardian's WikiLeaks book has compromised security in any way. Our book about WikiLeaks was published last February. It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours.

"It was a meaningless piece of information to anyone except the person(s) who created the database. No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files. That they didn't do so clearly shows the problem was not caused by the Guardian's book."

So how did it happen?

In November, WikiLeaks announced that it would begin releasing the diplomatic cables together with select media partners, including the Guardian, Germany's Der Spiegel, France's Le Monde and Spain's El Pais, among others. WikiLeaks now says it has more than 90 participating media and human rights partners.

WikiLeaks shared both the raw file containing the cables and the password with its partners in order for them to jointly comb through the files and research their contents.

Most media, including WikiLeaks, redacted the material before publishing their findings. WikiLeaks itself promised to publish all of the diplomatic cables on its website but only after vetting the documents and conducting its own "harm minimization" policy of removing any information that might endanger diplomatic sources and informants.

However, in that process, the raw file was unwittingly posted online by WikiLeaks supporters and available for anyone to download, according to former WikiLeaks insider Daniel Domscheit-Berg. WikiLeaks often asks its supporters to help back up its website by downloading and sometimes mirroring the material it has already released.

"The people releasing the file were not aware of the password issue, and vice versa. At least that is how it appears to me," Domscheit-Berg told CNN. "That's the precise sort of miscommunication that must not happen when dealing with such serious information, and one of the problems that made me and others leave the project."

The file was encrypted, so anyone downloading it would not have been able to open it without the password. Several month later however, according to WikiLeaks, the Guardian released that password.

Now, anyone with access to the downloaded file and the password can see all of the unfiltered information from these cables, including protected sources.

It's not clear exactly when WikiLeaks discovered the security breach. But in the last week, WikiLeaks has dramatically sped up the publication of the diplomatic cables. Before last week, the website had released less than 10% of the entire cache. As of Wednesday evening, more than 140,000 had been released, more than half of the entire cache.

In a statement explaining the sudden rush to publish, WikiLeaks said it was part of its "commitment to maximizing impact, and making information available to all" -- inviting the public to "crowdsource" the files and post their findings on Twitter as a form of public journalism.

WikiLeaks said Wednesday it took "emergency action" two weeks ago in the hopes of preventing the password from being spread. That included accelerating its publication schedule "to get as much of the material as possible into the hands of journalists and human rights lawyers who need it."

WikiLeaks also says it contacted the U.S. State Department to warn the department of the breach. According to the statement, WikiLeaks personnel spoke for 75 minutes with a State Department legal advisor by phone, in the hope that the U.S. government would be able to warn any sources that may be put in danger by the now-public cables.

State Department spokesperson Victoria Nuland said Thursday that "WikiLeaks did advise us of the impending release of information and of its intention to continue to release classified documents."

"We have made clear our views and concerns about illegally disclosed classified information and the continuing risk to individuals and national security that such releases cause," Nuland said. "WikiLeaks has, however, ignored our requests not to release or disseminate any U.S. documents it may possess and has continued its well-established pattern of irresponsible, reckless, and frankly dangerous actions. We are not cooperating with them."

WikiLeaks denies it is responsible for the security breach. In an earlier Twitter posting, WikiLeaks said: "There has been no 'leak at WikiLeaks'. The issue relates to a mainstream media partner and a malicious individual."

That was a thinly veiled referenced to the Guardian newspaper and Domscheit-Berg, the former WikiLeaks insider who now runs Openleaks, another whistle-blowing site, and who is currently embroiled in a war of words with Assange.

Domscheit-Berg told CNN that he discovered the security breach "by chance" and alerted his media partner, the German newspaper Die Freitag.

WikiLeaks blames Domscheit-Berg for directing attention to the breach and the Guardian for leaking the password.

Domscheit-Berg counters that ultimate responsibility lies with WikiLeaks. "The password should never have been shared with anyone at all," he said. "This was a fixed agreement within WikiLeaks. It was not meant to be given to anyone at all. Ironically, not even I knew the password or had any access to the data. Why it had been passed on, only Julian (Assange) knows."

Assange was not available for comment.