WASHINGTON — WikiLeaks, condemned by the U.S. government for posting secret data leaked by insiders, may have used music- and photo-sharing networks to obtain and publish classified documents, according to a computer security firm.
Tiversa Inc., a company based in Cranberry Township, Pa., has evidence that WikiLeaks, which has said it doesn't know who provides it with information, may seek out secret data itself, using so-called "peer-to-peer" networks, Chief Executive Officer Robert Boback claimed. He said the government is examining evidence that Tiversa has turned over.
The company, which has done investigative searches on behalf of U.S. agencies including the FBI, said it discovered that computers in Sweden were trolling through hard drives accessed from popular peer-to-peer networks such as LimeWire and Kazaa. The same information obtained in those searches later appeared on WikiLeaks, Boback said. WikiLeaks bases its most important servers in Sweden.
"WikiLeaks is doing searches themselves on file-sharing networks," Boback said in an interview, summing up his firm's deductions from the search evidence it gathered. "It would be highly unlikely that someone else from Sweden is issuing those same types of searches resulting in that same type of information."
Tiversa's claim is "completely false in every regard," said Mark Stephens, WikiLeaks' London attorney, in an e-mail. Stephens regularly represents media organizations, including Bloomberg News.
Tiversa declined to say who its client was when it noticed the Swedish downloads. Howard Schmidt, a former Tiversa adviser, is cybersecurity coordinator and special assistant to President Barack Obama.
Tiversa researchers said the data-mining operation in Sweden is both systematic and highly successful.
In a 60-minute period on Feb. 7, 2009, using so-called Internet protocol addresses that every computer, server or similar equipment has, Tiversa's monitors detected four Swedish computers engaged in searching and downloading information on peer-to-peer networks. The four computers issued 413 searches, crafted to find Microsoft Excel spreadsheets and other information-rich documents among some of the 18 million users the company estimates are on such file-sharing networks at any given moment.
Those searches led to a computer in Hawaii that held a survey of the Pentagon's Pacific Missile Range Facility in that state. Tiversa captured the download of the PDF file by one of the Swedish computers. The document was renamed and posted on the WikiLeaks website two months later, on April 29, 2009, according to a mirror image of the site.
A product of the U.S. Navy's Space and Naval Warfare Systems Center, the document exposed sensitive details of infrastructure changes for outfitting the base with a new sensor system. The mirror site said only that the file "was first publicly revealed by WikiLeaks working with our source."
Boback said the retrieval and posting follows a pattern his researchers have tracked over and over. They estimate that as much as half of the postings by the group could originate from information siphoned from peer-to-peer users, he said.
"There are not that many whistleblowers in the world to get you millions of documents," Boback said. "However, if you are getting them yourselves, that information is out there and available."
Tiversa provided its findings to federal agencies to aid what Boback called the early stages of an investigation into the matter. A separate criminal probe is being conducted by a federal grand jury in Virginia regarding tens of thousands of diplomatic cables and other secret material allegedly provided by Army Pvt. Bradley Manning, Stephens said in December.
WikiLeaks founder Julian Assange is in Britain fighting extradition to Sweden, where he faces allegations of sexual molestation and rape. Lawyers for Assange have said the accusations in Sweden are politically motivated and tied to the actions of WikiLeaks.
The Justice Department declined to comment on whether there was an official investigation regarding the downloads Tiversa concluded were done by WikiLeaks, said Dean Boyd, a spokesman.
Lime Group, which owns the rights to LimeWire software, shut its operations in December and an e-mail to Tiffany Guarnaccia, a spokeswoman, couldn't be delivered. The network can be used by anyone who previously downloaded the software, peer-to-peer experts said. Sharman Networks, which owns Kazaa, referred inquiries to ICON Communications in Sydney, Australia, which didn't return e-mails seeking comment.
The investigations could provide authorities an alternate path for prosecuting WikiLeaks and Assange, said Paul Ohm, an expert in cybercrime at the University of Colorado in Boulder.
Boback, whose firm has made such searches for the FBI and the Internal Revenue Service to trace unauthorized downloads, argued that such conduct is just information scavenging, not illegal hacking.
Assistant U.S. Attorney Kathryn Warma in Seattle, who successfully prosecuted similar cases of unintended searching, said the systematic pillaging of computer contents through peer- to-peer networks could be pursued under federal anti-hacking statutes.
Even if not criminal, such conduct, if traced to WikiLeaks, would contradict its stated mission as a facilitator of leaked material by insiders, whose identities, Assange has said, the group takes measures not to know. The group provides an encrypted drop box on its website that it said prevents any tracing back to the source of documents.
"If their information gathering doesn't consist simply of being a receptacle for leaks but of this more aggressive effort to go out and cull this information, then you're moving a clear step further from anything that resembles traditional journalistic practice," said Mark Jurkowitz, the associate director for the Washington-based Project for Excellence in Journalism.
The evidence could also be used by congressional committees, which Boback said are pursuing a separate inquiry to undermine WikiLeaks' claim that it's a legitimate media organization with protections under the First Amendment.
"There is a difference between being given information that may have been obtained in violation of some agreement or law versus the media itself violating the law or an agreement in order to obtain information," said Sandra Baron, the executive director of the Media Law Resource Center in New York. "The media is not allowed to steal."
The WikiLeaks site has posted hundreds of thousands of documents in the past four years. With the exception of classified material allegedly provided by Manning, the source of its leaked documents has never been publicly identified.
On Jan. 17, a former Swiss banker, Rudolf Elmer, turned over information to Assange on almost 2,000 account holders Elmer claims are guilty of tax evasion and other crimes. The data has yet to be published by WikiLeaks.
Assange based the group's primary servers in Sweden because of the strength of that country's media laws, which prohibit authorities from inquiring about journalistic sources, he has said. The group said in 2010 that the Swedish Pirate Party, which aims to reform copyright law and ensure citizens' right to privacy, would host some of the group's servers as well.
Assange has told interviewers he aims to make leaks untraceable to avoid retaliation against providers by governments or others harmed by the information.
The vulnerability of vast amounts of confidential and secret information on peer-to-peer networks is a risk well-known to researchers and security experts, as well as to information scavengers and foreign intelligence agencies, according to Eric Johnson, an expert on peer-to-peer technology at Dartmouth College's Tuck School of Business.
The networks are popular with U.S. soldiers in Iraq and Afghanistan, who use them to download music and videos, as do teenagers who sometimes download material on their parents' computers, Johnson said. A congressional subcommittee held hearings in 2007 and 2009 on inadvertent sharing on such sites.
In 2009, Tiversa found the entire blueprints and avionics package for Marine One, the presidential helicopter, on a computer linked to Iran, according to Boback's 2009 testimony at the hearings. His firm also found a leak of a file of a LimeWire user that showed the safe-house location of the president's family.
In late 2009, WikiLeaks published a spreadsheet detailing vulnerable, potential terrorist targets in Fresno County compiled by State of California security officials and the Department of Homeland Security. It noted locations for caches of bomb-grade fertilizers; the location of large gasoline and propane reserves; and the coordinates of key military and law enforcement sites and their functions.
Asked to aid in the investigation of the leak by U.S. authorities that the company declined to identify, Tiversa found the spreadsheet was inadvertently exposed by a California state employee using a peer-to-peer network in August 2008, more than a year before WikiLeaks posted it.
A WikiLeaks post of Army intelligence documents in 2009 included reports on Taliban leaders and their movements, as well as confidential notes of meetings where complaints were voiced about the performance of Iraqi police. Those documents were exposed to unauthorized searching on peer-to-peer networks more than eight months earlier in September 2008, Tiversa investigators found after they were asked to investigate the matter by a client the company declined to identify.
The Pentagon's 58-page Afghanistan Order of Battle was exposed in a file-sharing network in January 2009 and posted on WikiLeaks four months later. For a downloaded list of every Chevron Corp. property in the U.S. and Canada, the posting gap was two months — from March to May 2009, the firm found.
Confidential documents can be mined from peer-to-peer networks using malicious software that sucks out information unrelated to the song, photo or other material users want to share. In most cases, Johnson said all that is needed is weak security settings or user mistakes that allow searchers to dig into the computers of users who don't realize that confidential files on their hard drives can be tapped.
The House last year approved a bill that would prohibit peer-to-peer file sharing software on any U.S. government computer.
If federal prosecutors can definitely link the theft of confidential information directly to WikiLeaks and its core of paid staffers and volunteers, they would still face significant challenges. The legal tools available to them for a criminal prosecution aren't firmly tested, according to lawyers and peer- to-peer experts.
"It's not a slam dunk either way" said Ohm, a former Justice Department prosecutor.
comments on this story
In 2008, a federal court in Oklahoma found that removing pornographic pictures from a computer by an FBI agent using LimeWire didn't constitute an illegal search. In contrast, Warma successfully prosecuted two Seattle cases recently involving individuals who retrieved financial information through LimeWire "in excess of authorization." Warma said retrieving confidential information through peer-to-peer networks could be prosecuted under the federal Computer Fraud and Abuse Act.
"I can almost guarantee you there is a task force at the Department of Justice that's been tasked with creatively coming up with theories to use against WikiLeaks," Ohm said. "I'm sure that in those conversations the Computer Fraud and Abuse Act has come across the board, especially with this new twist of peer-to-peer networks."