How To Stop Wikileaks?
A method to mitigate the damage of insider leaks
Wikileaks is a notorious/famed website that makes it a practice to disclose alleged documents from governments and corporations. They are presently in the news, of course, for the release of about 250,000 classified documents, most concerning the internal workings of the United States Department of State.
Today I want to discuss a method that could be used to deflect attacks like those of Wikileaks, if not defeat them.
No, it is not a better security system, a better firewall, a better method of watching for intrusions, or even a better method for guarding against insider attacks. I wish I had really good new ideas on how to enhance security of systems—we need more of them. But they will never stop Wikileaks (WL) from getting classified material. There will always be ways around the best security systems; there will always be “holes” in any system; and there will always be the insider threat.
A disclaimer. I have mixed feelings about today’s discussion. I am well aware that Wikileaks has won many awards for their journalism. Yet leaks of documents can damage the security of legitimate governments, who are trying to make their countries safe. However, leaks can also expose lies and mistakes that even legitimate governments make, and are almost always unwilling to admit.
I do believe that privacy and the protection of information of the government is of great importance. Thus, I decided to risk discussing this timely issue:
How do we stop leaks from causing damage?
I hope those on both sides of this issue can discuss the ideas here for their own merit.
I have consulted with a number of colleagues about this post, especially because of the nature of the problem. I want to thank Rich DeMillo for many interesting additions, and Patrick Traynor with whom I had a long conversation about these ideas weeks ago. As always I thank Subrahmanyam Kalyanasundaram and Ken Regan. Any errors, any mistakes, are as always mine.
How To Stop Leaks?
I have no idea. I think leaks are like gravity: it is impossible to turn them off. No matter how terrific your security is, there will continue to be leaks of all kinds. What I do think is that there is a mitigation strategy that can make leaks less damaging.
How to Mitigate Leaks?
Suppose that Alice runs an agency that handles very sensitive information. The thousands of people in her agency have access to millions of documents that would be potentially interesting to WL. Alice does nothing special until a leak occurs—although see a later section for a more “on-line” approach.
Suppose that WL gets documents from some source inside Alice’s agency. They publish them on their web site, and then Alice is faced with a major problem.
Today she can do nothing to stop the leak. She can try to find the insider who made the leak, and use the legal system to deal with them. But that does nothing to mitigate the damage that is already done. There is an American idiom that says:
close the barn door after the horse has bolted.
This means: “Trying to take action when it is too late.” Today this is where Alice is—the horse is gone—the documents have been leaked. Closing the source of the leak does not help get the horse back.
However, she can do something to stop the leak. Here is the mitigation strategy: She runs a special program over the documents and creates new ones . These new documents are similar to the ones leaked, but they are different in many ways. Alice then “leaks” her fake documents .
What is the point of this? Now the media and the public are confused. Is right or ? If is cleverly constructed, it should contain some “bad” information, but will differ from in important ways. For example, if has a passage that says:
Let’s pay X ten million dollars to do Y.
The documents could have a passage:
Let’s not pay X ten million dollars to do Y.
If Alice is smart she may even make some of the passages in worse than those in . Thus she could have a passage:
Let’s pay X fifty million dollars to do Y.
The critical point is and will look alike, but will differ in many places.
The existence of will increase everyone’s uncertainty. What are the correct facts, what is true, and what is not? This increase in uncertainty will muffle the effectiveness of the released documents . Consider the dilemma facing a media outlet: would they feel comfortable in stating something if there is great uncertainty? Not clear.
Alice can do more to increase the uncertainty. She could, and probably should, release multiple versions of . These versions would flood the media system. It could take a long time for them to unravel, if ever, which are “real” and which are not. She can even release information that is more damaging than the real documents. She can denounce all of them as fake, or claim some of them as fake.
Hiding Policies, Not Options
Ken Regan noted that the above simple example still leaves it certain that option Y was “on the table”—and that might be the shock of the leak regardless of whether and how much bribery was involved. A way to further mitigate this shock is to release publications that mention Y alongside other options Z, W, …, and then obfuscate with documents that rotate which one was mentioned. Moreover, one can already have published non-secret documents that chatter about all these options in an abstract manner—proceedings of public policy conferences, for example. This gets everything “out there” so that no single mention of Y raises the fear of the unfamiliar. Thus Alice’s task becomes the easier one of not having to hide Y itself, but only that Y was the option favored by her agency.
How To Do This?
My colleagues have made several interesting suggestions.
Rich has several clever ideas on how to create the alternative documents. One is the use of automatic language translators: take a document and translate it to another language and back. Since translators are not perfect, this will change the document. I used this method previously here. There are theory ideas based on methods to protect database information that could perhaps be used—especially for numerical data.
Rich and Patrick both thought that a more “on-line” system approach might be better. The advantage of this is that the alternative documents could be created even by the authors of the originals. Or they could be created automatically, but would be available for immediate release when needed. Patrick even suggested, in some situations, there could be a stream of constant “leaks” that would be more proactive in protecting Alice’s agency.
Is there a way to make this work? Can we implement an automatic system that would make the “fake” documents? These would have to seem to be real, or they would not be of any use.
I would like to end with why I was thinking about this question in the first place. I believe that a fundamental problem with many social networks, for example Facebook, is that people can post information that they may later regret sharing. The folk “theorem” is that once on the web there is no way to erase the information—it is there forever. I thought that there might be a way to use the addition of information to solve that problem. What do you think?