WikiLeaks Was Launched With Documents Intercepted From Tor

WikiLeaks, the controversial whistleblowing site that exposes secrets of governments and corporations, bootstrapped itself with a cache of documents obtained through an internet eavesdropping operation by one of its activists, according to a new profile of the organization’s founder. The activist siphoned more than a million documents as they traveled across the internet through Tor, […]

WikiLeaks, the controversial whistleblowing site that exposes secrets of governments and corporations, bootstrapped itself with a cache of documents obtained through an internet eavesdropping operation by one of its activists, according to a new profile of the organization's founder.

The activist siphoned more than a million documents as they traveled across the internet through Tor, also known as "The Onion Router," a sophisticated privacy tool that lets users navigate and send documents through the internet anonymously.

The siphoned documents, supposedly stolen by Chinese hackers or spies who were using the Tor network to transmit the data, were the basis for WikiLeaks founder Julian Assange's assertion in 2006 that his organization had already "received over one million documents from 13 countries" before his site was launched, according to the article in The New Yorker.

Only a small portion of those intercepted documents were ever posted on WikiLeaks, but the new report is the first indication that some of the data and documents on WikiLeaks did not come from sources who intended for the documents to be seen or posted. It also explains an enduring mystery of WikiLeaks' launch: how the organization was able to amass a collection of secret documents before its website was open for business.

Tor is a sophisticated privacy tool endorsed by the Electronic Frontier Foundation and other civil liberties groups as a method for whistleblowers and human rights workers to communicate with journalists, among other uses. In its search for government and corporate secrets traveling through the Tor network, it's conceivable that WikiLeaks may have also vacuumed up sensitive information from human rights workers who did not want their data seen by outsiders.

The interception may have legal implications, depending on what country the activist was based in. In the United States, the surreptitious interception of electronic communication is generally a violation of federal law, but the statute includes a broad exception for service providers who monitor their own networks for legitimate maintenance or security reasons. "The statutory language is broad enough that it might cover this and provide a defense," says former U.S. federal prosecutor Mark Rasch.

The New Yorker article did not indicate whether WikiLeaks continues to intercept data from the Tor network. Assange did not immediately return a call for comment from Threat Level.

WikiLeaks uses a modified version of the Tor network for its own operations, moving document submissions through it to keep them private. WikiLeaks computers also reportedly feed "hundreds of thousands of fake submissions through these tunnels, obscuring the real documents," according to The New Yorker.

The intercepted data was gathered from Tor sometime before or around December 2006, when Assange and fellow activists needed a substantial number of documents in their repository in order to be taken seriously as a viable tool for whistleblowers and others.

The solution came from one of the activists associated with the organization who owned and operated a server that was being used in the Tor anonymizing network. Tor works by using servers donated by volunteers around the world to bounce traffic around, en route to its destination. Traffic is encrypted through most of that route, and routed over a random path each time a person uses it.

Under Tor's architecture, administrators at the entry point can identify the user's IP address, but can't read the content of the user's correspondence or know its final destination. Each node in the network thereafter only knows the node from which it received the traffic, and it peels off a layer of encryption to reveal the next node to which it must forward the connection.

By necessity, however, the last node through which traffic passes has to decrypt the communication before delivering it to its final destination. Someone operating that exit node can therefore read the traffic passing through this server.

According to The New Yorker, "millions of secret transmissions passed through" the node the WikiLeaks activist operated -- believed to be an exit node. The data included sensitive information of foreign governments.

The activist believed the data was being siphoned from computers around the world by hackers who appeared to be in China and who were using the Tor network to transmit the stolen data. The activist began recording the data as it passed through his node, and this became the basis for the trove of data WikiLeaks said it had "received."

The first document WikiLeaks posted at its launch was a “secret decision” signed by Sheikh Hassan Dahir Aweys, a Somali rebel leader for the Islamic Courts Union. The document, which called for hiring hit men to execute government officials, had been siphoned from the Tor network.

Assange and the others were uncertain of its authenticity, but they thought that readers, using Wikipedia-like features of the site, would help analyze it. They published the decision with a lengthy commentary, which asked, “Is it a bold manifesto by a flamboyant Islamic militant with links to Bin Laden? Or is it a clever smear by US intelligence, designed to discredit the Union, fracture Somali alliances and manipulate China?"

The document’s authenticity was never determined, and news about Wikileaks quickly superseded the leak itself.

Since then, the site has published numerous sensitive documents related to the U.S. military, foreign governments and corporations. WikiLeaks made headlines in April when it published a classified U.S. Army video showing a 2007 attack by Apache helicopters in an Iraqi neighborhood. The raid killed at least 18 people -- including two Reuters employees -- and injured two children.

WikiLeaks, whose website is hosted primarily through a Swedish Internet service provider called PRQ.se, never reveals the sources of its documents, and in the case of the Apache video, Assange has said only that it came from someone who was angry about the military's frequent use of the term "collateral damage."

The New Yorker doesn't identify the WikiLeaks activist who was the source for the documents siphoned from Tor, but the description of how the documents were obtained is similar to how a Swedish computer security consultant named Dan Egerstad intercepted government data from five Tor exit nodes he set up in 2007 -- months after WikiLeaks launched -- in Sweden, Asia, the United States and elsewhere.

Egerstad told Threat Level in August 2007 that he was able to read thousands of private e-mail messages sent by foreign embassies and human rights groups around the world by turning portions of the Tor internet-anonymity service into his own private listening post. The intercepted data included user names and passwords for e-mail accounts of government workers, as well as correspondence belonging to the Indian ambassador to China, various politicians in Hong Kong, workers in the Dalai Lama's liaison office and several human rights groups in Hong Kong.

Egerstad, who says he has no association with WikiLeaks and was not the source for the intercepted Tor documents the site received, told Threat Level at the time that he believed hackers were using the Tor network to transmit data stolen from government computers and that he was able to view the data as it passed through his node unencrypted.

Egerstad was never able to determine the identity of the hackers behind the data he intercepted, but it's believed that he may have stumbled across the so-called Ghost Net network -- an electronic spy network that had infiltrated the computers of government offices, NGOs and activist groups in more than 100 countries since at least the spring of 2007.

The Ghost Net network was exposed by other researchers last year who discovered that hackers -- believed by some to be based in China -- were surreptitiously stealing documents and eavesdropping on electronic correspondence on more than 1,200 computers at embassies, foreign ministries, news media outlets and nongovernmental organizations based primarily in South and Southeast Asia.

It's not known if the data the WikiLeaks activist siphoned was data stolen by the Ghost Net hackers.

Photo: Julian Assange
Lily Mihalik/Wired.com

Wired.com and The New Yorker* are both owned by Condé Nast.*

See also: