WikiLeaks published hundreds of thousands of unredacted government cables only after they had been published by other people on the internet, a court heard yesterday.
Christian Grothoff, an expert in network security from the University of Applied Sciences in Bern, Switzerland, said copies of the documents came into the public domain after the password was published in a book on WikiLeaks.
He was speaking on the 10th day of an extradition hearing held against Julian Assange at the Old Bailey in London.
Assange has been indicted on 17 charges under the US Espionage Act and has been accused of publishing unredacted documents which put the lives of local Afghans and Iraqis who passed information to US forces at risk.
The WikiLeaks founder faces further allegations that he conspired with computer hackers to encourage them to obtain secret US government documents.
During the hearing, Joel Smith, representing the US government, accused Grothoff of bias after disclosing that he had signed a letter sent to US president Donald Trump calling for him to stop the prosecution of Assange.
Passphrase gave access to encrypted documents
Questioned by Mark Summers, QC for the defence, Grothoff said WikiLeaks shared a passphrase with investigative journalist David Leigh giving him access to a website containing the encrypted documents.
“It was described in David Leigh’s book as a very long password,” he said.“ One can look at the password and estimate how long it would take to attack by brute force. It could not be broken in a reasonable amount of time.”
WikiLeaks was hit by a cyber attack in November 2010 after its media partners began to publish the US diplomatic cables in redacted form, Grothoff told the court.
“The WikiLeaks site was under a denial-of-service attack, when someone – we don’t know who – tried to make the site inaccessible,” he said.
WikiLeaks’ DNS service provider later terminated the WikiLeaks DNS service to protect its other customers.
WikiLeaks website ‘mirrored’ after cyber attack
The attack led to other people making “mirrors” of the WikiLeaks site, with the encouragement of WikiLeaks, to duplicate the contents of its site, said Grothoff. Some of these mirrored sites included encrypted copies of the unredacted cables, he added.
However, journalists David Leigh and Luke Harding published a book, WikiLeaks: Inside Julian Assange’s war on secrecy, which reproduced the passphrase Leigh had been given to access encrypted files in February 2011.
Grothoff said WikiLeaks would not have been able to change the passphrase to protect the file which had been mirrored on other parts of the internet.
German newspaper revealed existence of password
Nothing happened until German weekly newspaper Der Freitag published a story saying the password had been leaked and that it could unlock copies of the encrypted files on the internet.
“Now people could easily put two and two together,” said Grothoff.
The court heard that on 31 August 2010, Nigel Parry, who ran a website, had used the passphrase to decrypt the cables.
At about the same time, the decrypted cables appeared in BitTorrent and the website Cryptome published the cables in unredacted form.
“Cryptome is a well-known site for leaking information and it inspired WikiLeaks,” said Grothoff.
One the same day, the website mrkva.eu published a searchable copy of the unredacted document, and the decrypted cables that became available on BitTorrent appeared on the Pirate Bay website.
WikiLeaks published the unredacted documents on 2 September 2010, making announcements on Twitter and on the WikiLeaks website.
“By that time, [the document file] was on the internet in a way that was impossible to stop,” said Grothoff.
Prosecution: ‘You’re biased, you are partial’
Joel Smith, for the prosecution, raised questions about Grothoff’s impartiality as an expert witness.
He asked Grothoff why he had signed a letter from WikiLeaks’ legal defence fund to president Trump.
“I do not recall when I signed it or how this signature came to be,” said Grothoff.
“You don’t remember signing an open letter to the president of the US calling for the cessation of the prosecution of Julian Assange?” said Smith. “You’re biased, you are partial.”
Grothoff said: “I believe that looking at the indictment put forward, you are confusing WikiLeaks’ attempts to hide documents with publishing them. You did not properly do your homework in finding out who published the cables first.”
The computer scientist agreed that WikiLeaks gave 50 media and human rights organisations access to 100,000 unredacted US government papers.
Grothoff said WikiLeaks’ encouragement of people to mirror its contents on the internet may have been an attempt to build a haystack to make it harder to find the encrypted file containing the unredacted documents.
“If someone did realise at WikiLeaks [that the passphrase had been published], this might have been a good way of building a haystack,” he said.
WikiLeaks put out a statement dated 1 September 2010 which cited a paragraph from Leigh’s book quoting the passphrase, and criticising the journalists for publishing it.
WikiLeaks went on to publish all the cables on 1 September 2010 in what it called a “cable bomb”.
Grothoff agreed that Wikileaks had a significant public reach.
All or nothing
Questioned by Summers, representing Assange, Grothoff said he was not aware of any newspaper being given access to the whole set of leaked documents apart from David Leigh at The Guardian.
“David Leigh was a recognised journalist for a major newspaper, so it was recognised he would be qualified to do redactions,” he said.
Leigh had to press Assange to disclose the whole set of documents. Assange initially offered 50%, but Leigh said: “All or nothing.” Assange capitulated after Leigh warned that Assange could end up in Guantanamo before the documents were published.
Grothoff said WikiLeaks had given instructions on how to create mirrors of its site, but some mirrored sites were created by people using other software.
He said that as far as he could tell, the mirrors that were set up through the encouragement of WikiLeaks did not contain encrypted or decrypted versions of the classified cables.
He said the encrypted cache of documents most likely ended up in other mirrored sites by accident. “How exactly they got there I cannot say,” he added.
Summers said that in addition to Grothoff, former US army, CIA and FBI employees had signed the letter asking for Trump to stop the prosecution against Assange.
The case continues.