The success of Wikileaks in obtaining and releasing information has inspired mainstream media outlets to develop proprietary copycat sites. Al-Jazeera got into the act first, launching the Al-Jazeera Transparency Unit (AJTU), an initiative meant to "allow Al-Jazeera's supporters to shine light on notable and noteworthy government and corporate activities which might otherwise go unreported." AJTU assures users that "files will be uploaded and stored on our secure servers" and that materials "are encrypted while they are transmitted to us, and they remain encrypted on our servers."
On May 5, the Wall Street Journal (WSJ), a subsidiary of Dow Jones & Co., Inc., launched its own site, SafeHouse. That same day, the Atlantic published a story describing SafeHouse as a “secure uploading system” with “separate servers,” two layers of encryption, and a policy of discarding information about uploaders “as quickly as possible.” You can “keep yourself anonymous or confidential, as needed,” the SafeHouse site promises, as you “securely share documents with the Wall Street Journal.”
Immediately after its launch, however, online security experts ripped SafeHouse apart. The Atlantic published its story online at noon on May 5 and by 5 p.m., the page was updated with a link directing readers to the Twitter feed of Jacob Appelbaum, a security researcher and Wikileaks volunteer, who had already exposed an embarrassing number of security problems with SafeHouse.
EFF’s review of the legal side of these websites doesn't fare any better. While some of the more egregious technical problems with SafeHouse have been fixed since its launch, its terms of use haven't changed. We read through the Terms of Service for both SafeHouse and AJTU (pdf). Don't fall for the false promises of anonymity offered by these sites. Here's what you should know.
They Reserve the Right to Sell You Out
Despite promising anonymity, security and confidentiality, AJTU can “share personally identifiable information in response to a law enforcement agency’s request, or where we believe it is necessary.” SafeHouse’s terms of service reserve the right “to disclose any information about you to law enforcement authorities” without notice, then goes even further, reserving the right to disclose information to any "requesting third party,” not only to comply with the law but also to “protect the property or rights of Dow Jones or any affiliated companies” or to "safeguard the interests of others.” As one commentator put it bluntly, this is “insanely broad.” Neither SafeHouse or AJTU bother telling users how they determine when they'll disclose information, or who's in charge of the decision.
Whistleblowing by definition threatens "the interests of others." Every time someone uploads a scoop to SafeHouse, they jeopardize someone's interest in order to inform the public of what’s actually going on. That's the whole point. In the United States, submitting documents to journalists is protected speech under the First Amendment. But people in totalitarian countries cannot expose the secrets of their governments without breaking those governments' laws. And neither news outlet acknowledges that governments might abuse their police power to find out who leaked damaging information -- even here in the good old U.S. of A.
You Have to Make Promises No Whistleblower Can Keep
By uploading to SafeHouse, you represent that your actions "will not violate any law, or the rights of any person." By uploading to AJTU, you represent that you "have the full legal right, power and authority" to give them ownership of the material, and that the material doesn't "infringe upon or violate the right of privacy or right of publicity of, or constitute a libel or slander against, or violate any common law or any other right of, any person or entity."
This isn't a representation most whistleblowers can make honestly. The whole point of a leak is to expose internal information to the public. Even if your documents aren't stolen, you might be violating someone's rights.
SafeHouse further requires users to agree that WSJ can transfer the material to any country where Dow Jones does business. This means that the “law enforcement authorities” provision could even implicate laws of other countries with more intense internet monitoring, laws with which the whistleblower is unfamiliar. That makes it pretty hard to honestly claim that the content does not violate "any law."
Communications are Neither Anonymous Nor Confidential
Despite their public claims to the contrary, both SafeHouse and AJTU disclaim all promises of confidentiality, anonymity, and security.
SafeHouse offers users three upload options: standard, anonymous, and confidential. The “standard” SafeHouse upload "makes no representations regarding confidentiality." Neither does the “anonymous” upload which, as Appelbaum pointed out, couldn't technically provide it anyway. For “confidential” submissions, a user must first send the WSJ a confidentiality request. The request itself, unsurprisingly, is neither confidential nor anonymous. And until the individual user works out a specific agreement with the paper, nothing is confidential.
Similarly, AJTU makes clear that "AJTU has no obligation to maintain the confidentiality of any information, in whatever form, contained in any submission." Worse, AJTU's website by default plants a trackable cookie on your web browser which allows them “to provide restricted information to third parties.” So much for anonymity!
These Sites Don't Deliver What They Promise
It's understandable that news organizations would want to have access to news scoops provided by whistleblowers. That sort of competition is great. But these websites are misleading and based on our review of the fine print, use of them by people who risk prosecution or retaliation for bringing sunshine to corruption, illegal behavior, or other topics worthy of whistleblowing, is risky at best and dangerous at worst.
This article was co-authored by Leafan Rosen, law student at Rutgers Camden School of Law.