Some interesting questions about LulzSec, WikiLeaks and Stratfor

[Image: Julian Assange wearing an Anonymous Guy Fawkes mask.]

On my podcast this week I talk to Gabriella Coleman, a McGill University anthropologist who is an expert on Anonymous. We talk about the origins of the movement, about its LulzSec offshoot, and the recent arrests. It’s a fascinating topic and I hope you’ll take a listen. There’s one thing about the investigation that I find especially fascinating: that the Stratfor breach and the transfer of its emails to Wikileaks happened as the FBI watched.

The timeline of events as I understand it from news reports and court documents is this:

Hector Xavier Monsegur, a.k.a. Sabu, was arrested on June 7, 2011, and pleaded guilty to computer crimes on August 15, 2011.

Jeremy Hammond, a.k.a. Anarchaos, told Monsegur (and by extension the FBI) about his plans to target Stratfor as early as December 6. By December 14, Hammond had successfully rooted Stratfor. Around December 19, at the direction of the FBI, Monsegur offered Hammond a server on which to store the pilfered Stratfor emails, which he accepted.

On December 24, the group made the hack public by defacing the Stratfor website. “By January 11,” according to Ars Technica, “the group working with Hammond had started to unpack the contents of the Stratfor servers onto the server provided by Monsegur—providing a treasure trove of evidence for the FBI.”

They did not, however, release the emails publicly as they’d previously done when they’d breached law enforcement servers. Instead, the emails would not begin to be released until February 27 when Wikileaks announced it had acquired them and would be their exclusive distributor. How the emails got from Hammond to Wikileaks remains a mystery.

The FBI began physical surveillance of Hammond on February 29, 2012 and he was arrested on March 6.

First interesting question: Did the FBI warn Stratfor about the impending attack? Or were they allowed to be a sacrificial lamb? There are sketchy and conflicting reports on this.

The New York Times cites anonymous FBI sources saying that “they learned of the Stratfor breach on Dec. 6, after hackers had already infiltrated the company’s network and were knee-deep in Stratfor’s confidential files. … The F.B.I. said that it immediately notified Stratfor, but said that at that point it was too late.” This seems to be at odds with the complaint filed against Hammond, which states that on December 6 he was merely attacking the Stratfor server and had not yet gotten full access.

Then we have this from Security News Daily:

An FBI official briefed on the matter told SecurityNewsDaily Thursday (March 8) that Stratfor was indeed tipped off about the impending attack.

“We told them it was going to happen, but they kept us at arm’s length and said they could handle it themselves,” the official, who declined to be named, told SecurityNewsDaily. “Then when it did happen, they came running back to us.”

So did the FBI warn Stratfor before or after the hack? As far as I can tell, no one else has reported on this.

The other interesting question is what the FBI knew about the connection to Wikileaks and when it knew it. At some point between December 6 and February 27, the small group that hacked Stratfor had to discuss giving the emails to Wikileaks, and one would imagine that Monsegur would have been included in that conversation. How did the idea emerge? Who first suggested it? Did they approach Wikileaks or did Wikileaks approach them?

The chat transcripts released in court documents contain no mention of Wikileaks, and there’s no reason they should. Prosecutors would only have included evidence to support the charges at hand. But, how much did the FBI know of the hand-off to Wikileaks, and could it have prevented it?

Some are suggesting that the entire LulzSec/Antisec investigation is actually a carefully orchestrated operation meant to nab Julian Assange. I have a hard time believing federal investigators were playing that long of a game. Yet it’s very likely the FBI has evidence of the transfer of emails to Wikileaks. What, if anything, will it do with that information?

Posted on Mar 14, 2012 #lulzsec #wikileaks

Why Bill Keller is insufferable

I can’t complain about the one in Madrid, where, after holding forth in a packed auditorium, the American, British, German, French and Spanish editors who broke news based on WikiLeaks commemorated the collaboration with an after-hours prowl through the Prado Museum and a 27-course meal cooked by master chef Ferran Adrià.

That is the third sentence in his column today, which is ostensibly about how Wikileaks was a fluke, and therefore insignificant in the grand scheme of things.

Posted on Feb 20, 2012 #bill keller #wikileaks

What Cablegate tells us about cyber-conservatism

Over a year ago Adam Thierer and Berin Szoka penned an essay seeking to define the contours of cyber-libertarianism, and they drew a contrast with the digital commons movement, part of what they called “cyber-collectivism.” They were criticized, however, for not drawing a similar contrast to “cyber-conservatism.” The reason they didn’t do this, Adam explained, was because they didn’t “think there really is a coherent ‘cyber-conservative’ movement out there the same way we see a rising ‘Digital Commons’ movement.” I think the reaction to Cablegate might be allowing us to see the outlines of cyber-conservatism a bit better.

The most vocal and strident reaction against Wikileaks has come from folks we can identify as neocons. Aside from demanding that the U.S. hunt down Julian Assange, Charles Krauthammer wrote, “Putting U.S. secrets on the Internet, a medium of universal dissemination new in human history, requires a reconceptualization of sabotage and espionage — and the laws to punish and prevent them.” Meanwhile Marc Thiessen, ignoring the distributed nature of WikiLeaks, called for the U.S. to “rally a coalition of the willing to defeat WikiLeaks by shutting down its servers and cutting off its finances.” And William Kristol, for his part, asked rhetorically, “Why can’t we disrupt and destroy WikiLeaks in both cyberspace and physical space, to the extent possible? Why can’t we warn others of repercussions from assisting this criminal enterprise hostile to the United States?”

I won’t say there’s a fully developed theory of internet policy in these statements, but you can definitely see a rejection of an unregulated internet, not to mention of internet exceptionalism. Information control in the name of security, they seem to argue, is more than justified. And despite his technical cluelessness, Marc Thiessen does grasp that pressuring internet intermediaries, like Amazon and PayPal, is an important way to control information. Joe Lieberman, often associated with neocon sensibilities, has led the charge to apply just such political pressure. As a result, some have pointed out how ironic it is that Sen. Lieberman is a founding member of the congressional Global Internet Freedom Caucus. (John McCain is also a founding member.) But maybe that shouldn’t be so surprising.

In his forthcoming book, The Net Delusion, Evgeny Morozov talks about the neocons’ embrace of the cause of internet freedom as a cheap and easy way of extending the “freedom agenda” of exporting democracy. In the book, Morozov coins the “cyber-con” moniker and points out that the first big event of the George W. Bush Institute (headed by former BBG Chairman and Undersecretary of State for Public Diplomacy James Glassman) was a conference on internet freedom in support of “cyber-dissidents” under authoritarian regimes. He also points out that many neocons have taken up the cause of the Falun Gong and have supported their campaign of cyber-resistance in China, sometimes with U.S. funding.

These contradictory views are problematic for a coherent cyber-conservative position, and to the extent that cyber-conservatism does develop into a unified vision, they’ll have to deal with this problem. I can imagine, though, that if you believe in American exceptionalism and national greatness, these two viewpoints can be reconciled.

Also this week, another edge of cyber-conservatism’s contours peeked through in an article Jim DeLong wrote for the American Enterprise Institute endorsing the Combating Online Infringement and Counterfeits Act (COICA). The bottom line of that piece is that there are limits to free speech, and protecting intellectual property is one of them, so allowing the DOJ to force intermediaries to act against suspected pirates is legitimate.

The internet is a means of communications, and communications is speech. Regulating the internet is regulating speech. I noted in my previous post on Cablegate that there are arguably legitimate reasons to limit speech, and I gave the example of child pornography (an example with which cyber-conservatives no doubt agree). Cyber-conservatives, it seems, would add to that list national security and the protection of intellectual property rights. Others, generally from the Left, would add privacy and human dignity to the list. According to Adam and Berin, together the ideas of information control from the cyber Left and Right form “cyber-collectivism,” which they define as “the general belief that cyber-choices should be guided by the State or an elite class according to some amorphous ‘general will’ or ‘public interest,’” and to which cyber-libertarianism stands in contrast.

An aside: I’m not crazy about the “collectivist” label. Wiktionary defines “collectivism” as “an economic system in which the means of production and distribution are owned and controlled by the people collectively.” A much better definition of “collectivism” for what Adam and Berin have in mind comes from the Concise OED: “the practice or principle of giving the group priority over each individual in it.” To my mind, however, the fact is that the word “collectivism” is too wrapped up with the former definition to be very useful. And if you’re including information control in the name of intellectual property protection in the definition, then I’m not sure collectivism is the word I’d use. What’s a better label? I’m not sure, but off the top of my head, how about simply “statist”?

The tricky thing about cyber-libertarianism is that, at least as I would define it, it is not categorically opposed to information control, and it’s important that we coherently articulate the contours of our own ideology. To me, libertarians simply have a narrower view of what information control is desirable, with harm to individuals as the relevant standard. They also prefer individual choices and self-regulation to state control. And to the extent that state control is unavoidable, they want to ensure robust due process and protection of individual liberties. I hope to flesh out these ideas some more in future posts.

Posted on Dec 13, 2010 #cablegate #wikileaks

Some thoughts on Cablegate

It’s been surprising to me that none of my TLF colleagues has yet ventured a post about this latest WikiLeaks controversy. But perhaps it shouldn’t be so surprising because the Cablegate case presents some very hard questions to which there are no easy answers. I’m not sure that I know myself exactly how I feel about every issue related to leaks. But to try to get some conversation going, and to try to pin down my own feelings, I thought I’d take a stab at writing down some thoughts.

Is it legitimate for states to keep secrets from their citizens? It’s a good question, but not one I’m interested in addressing here. The fact is that they do keep secrets.

Should the disclosure of classified information be a criminal offense? Given state secrets, this is a bit of a moot question because a state’s ability to keep a secret depends on its ability to punish disclosure by anyone entrusted with secrets. If nothing else, someone so entrusted has likely made a promise not to disclose. (There should, of course, be whistleblower protections in place that make exceptions to the rule.)

Therefore, the interesting question is this: Should there be liability for third parties who publish disclosed information?

Something that I think is easily overlooked in the present controversy, thanks in part to the fixation on Julian Assange, is that Wikileaks is simply a publisher. It did not steal the documents it is now releasing.

Making publishers liable for the distribution of information is nothing new. For example, it is illegal to publish child pornography, even if the publisher was not involved in its creation. One justification for such a rule is the further harm visited upon victims by the continued publication of images of their abuse. So we can conceive of a scenario in which the publication of classified information by a third party could cause real harm to persons.

What would constitute sufficient harm to merit third-party liability for the publication of classified information? Well, one would certainly imagine that the threat of physical harm to operatives, informants or other persons would qualify. Short of that, it’s difficult to imagine the type of information that would not be protected by the freedoms of speech and the press upheld in cases like Near v. Minnesota and New York Times Co. v. U.S. Certainly political embarrassment or the uncovering of corruption should not apply. To quote President Obama:

The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on an effort to protect the personal interests of Government officials at the expense of those they are supposed to serve.

Now, to the extent that there is some sort of third party liability for the publication of classified information, we must ensure that it is accompanied by due process. Several online intermediaries that provide WikiLeaks the tools it uses to publish, including Amazon, have booted Wikileaks off their platforms. Amazon acted after a call from Sen. Lieberman’s office. The threats implicit in political pressure have no place in a free society.

Despite the foregoing discussion of the legalities of leaks and third-party publication, the practical effect is that it is nearly impossible to completely eliminate any particular bit of information from the Internet. Peer-to-peer distribution, mass-mirroring, and even the possible forking of the DNS root stand in the way of censorship. That is a reality that transcends any normative questions about the WikiLeaks case.

If it can’t censor after the fact, what can government do? First, it can reevaluate how much information it is classifying as secret. The more classified information there is, the more there is available to leak; the more loosely one applies the “secret” stamp, the less meaning it has. Again, that is a positive statement, not a normative one. Second, government can shore up its security protocols. If we are to believe the reports in the papers, nearly 3 million persons with clearance had access to the leaked cables. Tightening security will no doubt have an effect on information-sharing, but that’s an inevitable trade-off that my first recommendation will make easier to assess.

Finally, to the extent that the U.S. government’s policy is to attempt to censor embarrassing disclosures about its operations, it would be contradicting its own foreign policy of internet freedom. And if in fact information can only be marginally suppressed, then I hope the U.S. recognizes that relative to other nations, especially authoritarian ones, it might have more to gain than lose from internet freedom.

Posted on Dec 6, 2010 #cablegate #wikileaks

The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on an effort to protect the personal interests of Government officials at the expense of those they are supposed to serve.

Barack Obama, Jan. 21, 2009

Posted on Dec 4, 2010 #quote #obama #wikileaks #transparency