Don't Leak to the Wall Street Journal's New Wikileaks Knockoff
The Wall Street Journal is trying to make a play for whistleblowers with its very own Wikileaks clone, SafeHouse. But SafeHouse is the opposite of safe, thanks to basic security flaws and fine print that lets the Journal rat on leakers.
SafeHouse, which launched today to much fanfare, promises to let leakers "securely share information with the Wall Street Journal," by uploading documents directly to its servers, just like Wikileaks! But unlike Wikileaks, SafeHouse includes a doozy of a caveat in its Terms of Use:
"Except when we have a separately negotiated confidentiality agreement… we reserve the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice, in order to comply with any applicable laws and/or requests under legal process, to operate our systems properly, to protect the property or rights of Dow Jones or any affiliated companies, and to safeguard the interests of others."
So, go ahead and upload your explosive documents to SafeHouse. But if they publish a scoop based on your material and someone gets mad, they can sell you out to anyone for any reason, including the insanely broad one of safeguarding "the interests of others." (And Rupert Murdoch, who controls the paper, sure has a lot of interests!)
Although you might get outed by hackers before you're sold out to the cops. Despite the WSJ's assurances that the SafeHouse submission system is secure, it is "rife with amateur security flaws." Security researcher Jacob Appelbaum has been tweeting out a stream of holes he's spotted in SafeHouse's security. He calls the Journal's claim that people submitting documents can remain anonymous if they choose a "blatant lie". Appelbaum knows a thing about security: He's one of the chief developers of the anonymizing software TOR, which SafeHouse ironically recommends leakers use to help hide their identity. (Granted, Appelbaum has a horse in the race, since he's been a prominent Wikileaks volunteer.)
Bottom line, writes Appelbaum: "[The Wall Street Journal is] negligent and this is the wrong project to beta-test on an open internet."
Wikileaks has attracted its high-profile leaks because of its unequivocal promise to protect the anonymity of all leakers and its super-secure submission system. SafeHouse portrays itself as a similarly, um, safe space for leakers. In fact it offers threadbare protections and could sell you out on a dime. SafeHouse's only real similarity to Wikileaks is that both benefit megalomaniacal Australians.
By all means, call up Journal editors with a hot tip if you've got one. But leak to SafeHouse at your peril.
Update: A WSJ spokeswoman told Forbes that SafeHouse is updating its encryption. (Forbes has a good in-depth account of the security holes.)
As for the sketchy terms of service, she says:
"There is nothing more sacred than our sources; we are committed to protecting them to the fullest extent possible under the law. Because there is no way to predict the breadth of information that might be submitted through SafeHouse, the Terms of Use reserve certain rights in order to provide flexibility to react to extraordinary circumstances.
So, just don't send any extraordinary documents and you should be OK.