Live by the leak, die by the leak. Apparently that’s the motto at Wikileaks.org, the whistle-blowing site that provides one-stop shopping for stuff other folks really don’t want you to see.
Wikileaks made headlines last year when it published documents accusing Swiss bank Julius Baer of money laundering and other activities not-entirely-on-the-up-and-up. The bank sued, inspiring some laughably lame attempts to shut the site down and generating even more bad PR.
About a month later the site published various “secret documents” for the Church of Scientology. The site has also been instrumental in documenting torture at Abu Ghraib, human rights protests in Tibet, and civilian casualties in Afghanistan.
But Wikileaks is now dangling by its own petard, after someone in its fundraising arm sent out an e-mail shilling for donations but put the addresses of its 58 recipients on the “To:” field instead of “Bcc:”. Someone quickly submitted the e-mail to the Wikileaks foundation as a “leaked” document, presumably to test just how devoted Wikileaks is to its own mission.
Egg meet face.
To its credit (and probably to some donors’ horror) the site posted the document in full, including all 58 email addresses. Many of them feature aliases like “eekameeka” and “phantom 7266,” while other less fortunate folks included what appear to be their real names and work email addresses. But even a pseudonymous address can yield a lot of information about someone if they use it to sign onto multiple sites across the Web.
Nothing wrong with giving money to a site that exists to promote freedom of the press. But now one question becomes whether organizations that got pwned by Wikileaks will start harassing the site’s donors, if only to shut off the money spigot.
The bigger question is, how can you trust Wikileaks to protect whistle-blowers’ identities when it can’t protect its own donors? Wikileaks claims it’s better at protecting the sources of its information, even if it’s not so hot at protecting the sources of its funding. In a comment posted on Wired’s Threat Level blog, organization spokesdude Jay Lim says:
“…while definitely not good form, the mistake was a missed shortcut made by one of our admin people and is not related to the efforts or systems involved in source protection.”
If I’m someone who could lose my job because I posted secret information to Wikileaks, I would find this statement cold comfort.
Really, Wikileaks was hosed regardless of what it decided to do; if your whole schtick is exposing the unvarnished unredacted truth, you can’t suddenly start making exceptions for yourself. But this dumb mistake is likely to cost it contributions, both monetary and otherwise.
Should these leaky wheels continue to get greased? E-mail me: firstname.lastname@example.org.