Wikileaks blames newspaper over 'insurance' file password disclosure

Legal action is under way by Wikileaks against the Guardian newspaper, after the whistleblowing organisation alleges an editor published the 'insurance' file password in a book.
Written by Zack Whittaker, Contributor on

Wikileaks, the whistleblowing organisation, has acknowledged that it "has commenced pre-litigation action" against the Guardian newspaper and an individual in Germany -- believed to be former Wikileaks spokesperson Daniel Domscheit-Berg -- for disclosing the password to the 'insurance' file "for personal gain".

The 'insurance' file, created by Wikileaks and published on the web in a highly encrypted format, contained the full U.S. diplomatic cables cache.

A book, written by David Leigh and published in February 2011, disclosed the password.

As Wikileaks claims:

"Guardian investigations editor, David Leigh, recklessly, and without gaining our approval, knowingly disclosed the decryption passwords in a book published by the Guardian. Leigh states the book was rushed forward to be written in three weeks—the rights were then sold to Hollywood."

Wikileaks claims that the disclosure of the password is a "violation of the confidentiality agreement between Wikileaks and [the editor-in-chief] of the Guardian".

The Guardian newspaper, one of the few partnered media organisations to receive the diplomatic cables before they were released, wholly denies the allegations.

Wikileaks said it contacted the U.S. Department of State late last month to warn that the full publication of the cables "may be imminent", and checked to see whether the department had a programme to inform potential sources and informants was operational.

What appears to be the case is this.

Wikileaks, or someone close to Wikileaks, distributed the 'insurance' file, in a highly encrypted format over the BitTorrent network, which could only be cracked by a password.

That password appeared to be in the hands of David Leigh, the Guardian editor, who worked on getting the cables out into the public domain. Leigh had the unredacted cables, and forwarded them on elsewhere to other media organisations, it is believed. All media outlets then redacted and blacked out the cables manually to prevent the names of sources and informants from being exposed.

While the Guardian noted in a statement that it accepted Leigh's book contained the password, it added:

"...but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours."

That password went into the book, while the Guardian believed that it was only a temporary password -- not knowing that the same password was holding together the encrypted 'insurance' file that was distributed on the web.

The Guardian reports the measures of security it undertook to ensure that the files were transferred and stored securely.

"The embassy cables were shared with the Guardian through a secure server for a period of hours, after which the server was taken offline and all files removed, as was previously agreed by both parties. This is considered a basic security precaution when handling sensitive files.

But unknown to anyone at the Guardian, the same file with the same password was republished later on BitTorrent, a network typically used to distribute films and music. This file's contents were never publicised, nor was it linked online to WikiLeaks in any way."

It seems that one giant miscommunication stuff-up may have released the unredacted U.S. diplomatic cables.

Interestingly, however, while Wikileaks denied that the "'insurance' files have not been decrypted" in a tweet, it appears that indeed they were -- leading to further questions about Wikileaks' stand of trustworthiness.

Related content:

Editorial standards