The Wikileaks affair raises sharply various questions of legality in relation to computer use and misuse
Wikileaks is the whistleblowing website which is in the process of making available for download more than 250,000 confidential US diplomatic cables. The cables contain correspondence between American embassies throughout the world and the US State Department, and their contents are proving to be highly embarrassing for the US Government and its allies.
Wikileaks’ founder Julian Assange is currently in England fighting extradition to Sweden on sex crime charges. It’s been suggested that these charges have been exaggerated due to political pressure from the US Government, which is keen to have Assange brought to justice – be it for sex crimes, contravention of the Espionage Act, conspiracy or trafficking in stolen property, or some other as yet unspecified crime.
By the time you read this, a valid charge may have been identified, but at the moment, and sex crimes aside, it’s fairly hard to identify a legal basis upon which federal prosecutors would validly pursue Assange. There are some provisions of the Espionage Act that might apply, such as those regarding “gathering, transmitting, or losing defense information”, while it also criminalises the act of “obtaining” a document “connected with the national defense”, if done “for the purpose of obtaining information respecting the national defense with intent or reason to believe that the information is to be used to the injury of the United States, or to the advantage of any foreign nation”.
However, relying on the Espionage Act in these sort of circumstances isn’t usually successful. See, for example, the famous “Pentagon Papers” case of 1972, which involved a failed attempt to prosecute the New York Times.
In the present day, and in light of Pentagon Papers, could the US Government realistically show that Assange intended to harm the United States or help a foreign nation? It’s unclear. Assange is sure to argue that he and/or Wikileaks merely disseminated information, and that the US Constitution's First Amendment defends this right to speech and also the public’s right to receive that speech. (Incidentally, it appears not to matter that Assange is a non-US citizen, because immigration cases aside, it’s hard to identify circumstances in which non-citizens are treated differently than citizens.)
In the UK, the Official Secrets Acts of 1911 still provides the main legal protection against “espionage” of the type which Julian Assange and/or Wikileaks have allegedly been perpetrating. Under s 1, a person commits the offence of “spying” if he or she, for any purpose prejudicial to the safety or interests of the state, “obtains, collects, records, or publishes, or communicates to any other person any secret official code word, or pass word, or any sketch, plan, model, article, or note, or other document which is calculated to be or might be or is intended to be directly or indirectly useful to an enemy”. This suggests that, in the event of Assange and/or Wikileaks disclosing UK Government information, the same problems in relation to proving actual intention to help enemies would arise.
Of course, the information wasn’t originally obtained legally. Arguably, the only clear-cut crime in the present scenario is the alleged leak of the cables by Bradley Manning, the State Department or Pentagon employee who, if guilty, has surely breached either his contract of employment or some other duty of confidentiality given to him when he was granted access to the sensitive information. On the assumption that Manning disclosed the cables to Assange, and that his disclosure was unlawful, does this affect the legality of Assange’s own disclosure of information?
US cases regarding subsequent dissemination of unlawfully disclosed information indicate that as long as the speaker or disseminator is not the party which broke the law, the speaker or disseminator cannot be punished. The classic case is Bartnicki, in which the court stated: “a stranger's illegal conduct does not suffice to remove the First Amendment shield from speech about a matter of public concern”.
A possible chink in the protection afforded by this case is that the reporter should not induce the illegality. Does Wikileaks’ widely known appeal for anonymous submissions constitute inducement? Time will tell.
The other big legal issue is direct denial of service (DDoS) attacks. The Wikileaks website, or more accurately, the computer servers which hold or “host” its content, have been bombarded from mysterious sources by DDoS attacks. While the means, motives, and targets of a DDoS attack vary, they generally consist of concerted efforts by a person or persons using computers to flood the target system and force it to shut down, thereby denying service by the system to legitimate users, temporarily or indefinitely.
Supporters of Wikileaks have retaliated by attacking sites such as mastercard.com and the Swedish prosecution authority’s site. Governments and corporations across the world are preparing at the time of writing for what the tabloids are referring to as “cyber war”.
DDoS attacks are clearly illegal in a lot of jurisdictions. In the UK, ss 33 to 36 of the Police and Justice Act 2006 amend the Computer Misuse Act 1990 to criminalise the carrying out of “any unauthorised act in relation to a computer” where the person “has the requisite intent and the requisite knowledge” to carry out the act. The requisite intent is to carry out the act by: (i) impairing the operation of any computer; (ii) preventing or hindering access to any program or data held in any computer; or (iii) impairing the operation of any program or the readability of any data.
The intent need not be directed at any particular computer or any particular program or data, and the wording is wide enough that paying someone else to launch an attack will still be a crime, with a maximum penalty of 10 years in prison. The US has similar laws in place, and a man was jailed in 2009 for instigating DDoS attacks against Scientology websites.
What will happen next in the Wikileaks saga is hard to predict. It may be that the US Government decides to eschew legal solutions and apply pressure to Wikileaks through more pragmatic and practical means. For example, online payment service provider PayPal cut off the Wikileaks account, eliminating one of the easiest means for donors to send money to the organisation.
Wikileaks’ original method of defending itself from DDoS attacks was to move to a larger internet provider whose servers would be more likely to withstand a DDoS assault. Wikileaks’ provider of choice was Amazon.com and its much-vaunted EC2 cloud computing system (aws.amazon.com/ ec2/) which operates on vast banks of computers, meaning that network capacity can be quickly scaled up or down to meet surges in traffic.
The tactic was working well until Amazon.com decided to terminate Wikileaks’ contract. In a blog post (aws.amazon.com/message/ 65348/), Amazon.com denied that it was acting under pressure from politicians, saying Wikileaks had breached its terms by not owning the rights to the content it was publishing. I imagine Amazon.com might also have been a bit nervous about potential liability for the allegedly illegally obtained cables. Whatever the case, for organisations which have adopted cloud computing and made their IT dependent on a third party, it’s arguably an alarming precedent. A clear lesson is that organisations should closely examine a cloud computing provider’s terms and conditions of service before signing up to the offering.
Post-Amazon, Wikileaks moved back to Swedish internet service provider (ISP) Bahnhof AB, whose chief executive officer Anna Mossberg has stated that the company will only cease to support Wikileaks if Swedish police show that the site is breaking Swedish law.
In the EC, the Directive on Electronic Commerce shields ISPs from liability for content they host. The directive defines the circumstances under which internet intermediaries should be held accountable for material which is hosted, cached or carried by them, but which they did not create. In the case of Wikileaks, it is likely that ISPs such as Bahnhof AB are within their rights to host contentious content, at least until it is shown to the ISP that to publish the information is unlawful. It is far from clear whether that is so.
The next problem for Wikileaks is that its wikileaks.org web address was withdrawn because its domain name service provider EveryDNS.net claimed that Wikileaks had violated part of its acceptable use policy, which requires members not to “interfere with another member’s use and enjoyment of the service or another entity’s use and enjoyment of similar services”. Wikileaks had interfered with other members’ service because, said EveryDNS, “wikileaks.org has become the target of multiple DDoS attacks. These attacks had, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, endangering access to almost 500,000 other websites”. It seems odd that Wikileaks can be said to be “interfering” with use of the service by being the victim of a crime. At best, EveryDNS has interpreted its acceptable use policy very widely.
Wikileaks’ solution has been to move to Switzerland, with a new domain (wikileaks.ch). The domain name is registered by the Pirate Party of Switzerland, associated with an IP address in Sweden, and points to a web address in France (where the Wikileaks documents are actually believed to be hosted). If wikileaks.ch is also withdrawn, Wikileaks has announced that content will still be accessible by bypassing the DNS look-up and typing in Wikileaks’ actual IP address (http://22.214.171.124/)
Sweden’s move to have Assange detained in the United Kingdom for now, on whatever charge, provides time for a case to be fashioned against him. In light of the Wikileaks affair, and the likely high-profile casualties of the “cyber war” resulting from it, the pressure to charge Assange is likely to become intense. But would it change anything to do so?
John D McGonagle is a senior solicitor with Brodies LLP, Glasgow