The Who and How of the AKP Hack, Dump and WikiLeaks Release

Yesterday it was discovered and reported that some of the data in the AKP Turkey hack included “private, sensitive information of what appears to be every female voter in 79 out of 81 provinces in Turkey, including their home addresses and other private information, sometimes including their cellphone numbers.” WikiLeaks was strongly criticized for posting links to the expanded database that included this information. However, at least some of the blame should be leveled at me – I was the one who uploaded the files that WikiLeaks linked to.

Let me clarify a few points up front:

  1. WikiLeaks did not upload the files with the voter information, nor did they provide them to me. I did offer to mirror their release when it was announced, but they never responded.
  2. The files were obtained by Phineas Fisher, who was the source. As far as I can tell, Fisher did not intend to dump all of the files publicly, and Fisher has not indicated that he meant to give any of the files to WikiLeaks to publish. However, they received a partial set of the documents and decided to publish them.
  3. Following the WikiLeaks release of the partial set, Fisher decided to release his complete set. Since the files came from a known source (Fisher has been responsible for many high profile hacks, including the hack on the Hacking Team), I used the torrent file that the files were released through to create a bittorrent instance on the Internet Archive’s server. The server proceeded to download the torrent and create the item that was linked to by WikiLeaks.
  4. After the personal information was discovered, the AKP files were removed from the Internet Archive’s server.
  5. Although I wasn’t aware that it was included in the release at the time, I accept my responsibility in increasing the distribution of the personal information. The explanation as to how it happened is not an excuse for the fact that it did happen.

After I contacted her, Zeynep said: “I actually never had a conclusion on who the uploader was, since it wasn’t central to my complaint about actions of Wikileaks: that they had misrepresented what the emails were, and that they had repeatedly publicized these doxing databases as “full data for our Turkey AKP emails + more”. I’m glad to see one party step up and take responsibility, but this doesn’t absolve Wikileaks of their role in all parts of this “leak” which never should have happened since it exposed no wrongdoing by a government or a powerful actor, merely the emails of ordinary people, and sensitive personal information of 20-30 million ordinary people. I tried to explain this directly to Wikileaks, but they blocked me after I started showing them tweets from Turkey’s leading anti-censorship activists who were disgusted and horrified by these actions, especially since they will now become a strong talking point for pro-censorship forces in Turkey.”

The fact that after the release was first announced I had tweeted WikiLeaks an offer to mirror it for them, along with the fact that WikiLeaks and I follow each other on Twitter, may have also made it easy for people to assume there was collaboration. For the record, there wasn’t. As far as I’m aware, the role of WikiLeaks and Julian Assange in the AKP hack ended with their initial release and resumed only when they tweeted out my link.

What happened was a perfect storm of events that I could have prevented, and wish I had.

First, Phineas Fisher penetrated the AKP network because he supported the efforts in Rojava and Bakur and opposed Turkey’s assault on them. Fisher believes that leaking is a means to an end, and didn’t plan on dumping the full set. He was in touch with locals in Rojava and Bakur about how to use the access he had gained to help them, and in the process he shared the files he had obtained so far. He was still in the system at the time and retrieving more, but there was a miscommunication and one of them passed the materials to WikiLeaks. The materials at that point included about half of the akparti.org.tr emails.

According to Fisher’s statement, the individual fixed the miscommunication and asked WikiLeaks to hold off on the release. WikiLeaks was unaware that Fisher was still in the network retrieving more data. WikiLeaks decided to release sooner rather than later due to the attempted coup.

Another hacker who is well known and has previously distributed materials obtained by both Phineas Fisher and me (on separate occasions; Fisher and I have never worked together) provided the torrent file that I uploaded to the Internet Archive. The torrent file was used to download the full set of the AKP release to the Internet Archive’s servers, which then allowed others to download them directly from there. I tweeted the link at 6:44 AM local time and at 11:23 local time WikiLeaks also tweeted the link.

WikiLeaks AKP Archive tweet

Several days went by and focus shifted to the DNC leak along with the allegations that the files may have come from the recently reported DNC hack, which has been linked to Russia. I became aware of the personal information in the AKP release yesterday afternoon, but it wasn’t until this afternoon that I became aware that it was my upload that was the main source of the public information. My focus at the moment had been on building a timeline of the DNC and AKP hacks and releases. At a few minutes after 5:00 PM local time yesterday, I received an email from the office manager at the Internet Archive informing me that the AKP upload had been disabled due to privacy concerns. He offered to speak with me about it by phone or email; it wasn’t a form letter or automatic decision to remove the item. I emailed him back thanking him and agreeing with the decision in light of what had been found in the release. If I’d realized that my version was the primary offending one, I would’ve removed it myself immediately. I mistakenly assumed that it was also on WikiLeaks’ site in a form that didn’t require downloading 100GB of files.

I agree with the Internet Archive’s removal policy so strongly that when I started That 1 Archive, I simply linked to the same policy they did. The policy provides for removing private and personal information, and this undoubtedly qualifies, so I agree with their decision. The fact that no government prodding was necessary for the removal is an excellent example of how the internet can be self-correcting without extensive over-regulation.

There are several things that I feel should be noted about WikiLeaks’ response to all of this:

  1. Because they tweeted the link to the item, they were blamed by the article. This provoked what seems in hindsight to be an overly defensive reaction. Given the accusations that Russia supplied WikiLeaks with information to publish and some construing this to mean that WikiLeaks is controlled by Russia, it’s easy to see how this could happen.
  2. Even though my name was on the page as the uploader and I had tweeted it out first, WikiLeaks never tried to pass the buck to me or say that it was my upload or my fault. They never reached out to me privately to ask me to do or say anything about it, despite the fact that that would have made things easier for them or taken the pressure off of them. I can only conclude that this is because doing so would have violated the spirit, if not the letter, of their source protection policy by placing the blame on me or pointing the Turkish government in my direction. For that, I’m grateful.
  3. WikiLeaks didn’t delete the tweet with the link, possibly because they mistakenly thought the article about the personal information was an attempt by the Turkish government to censor or smear WikiLeaks instead of the good faith attempt it was to protect the privacy of innocent individuals. If that was their assumption, then I can’t blame them for deciding not to back down.
  4. WikiLeaks is now free to point out that I’m the one who uploaded the file they linked to and that it was obtained and released by Phineas Fisher, who has acknowledged being the one to release it through Mr. White.

The most important thing we can do now is try to minimize the potential damage of all of this.

You may want to read the follow-up.

9 comments

  1. In the old days, every house owner was listed in the telephone book white pages, so anyone could scan the book and get the complete database. Ordinarily a country-wide dump of names and addresses shouldn’t be such a big deal. But women only??
    Why did AKP or Turkish government keep a separate database of women voters? If for promoting development or for education, why wasn’t the info aggregated into statistics like it is in other countries?

  2. But women only?

    In Argentina voters’ data was separated, because men’s data was linked to military enrolment information. This changed, there is no mandatory conscription (only professional army now) so data is integrated.

  3. Also worth noting is Wikileaks’s libel of Zeynep as an “Erdogan apologist” in response to her criticism of Wikileaks’s promotion of the doxing link. Also, I’ve yet to hear them apologize/take responsibility for their role in this.

  4. I find it bizarre how far you are willing to go to defend Tufekci.

    She opens her article by her description of Wikileaks’ claim of releasing 300k emails and then says it is “an act that was irresponsible, of no public interest and of potential danger to millions of ordinary, innocent people, especially millions of women in Turkey.” She simultaneously implies that in the emails there are the spreadsheets with all of the personal information she is complaining about and that the emails are nothing of consequence from Google groups. She then implores Wikileaks to “take down these files”. She even goes to lengths of detailing how no one seems to have actually looked at the emails.

    She is either intentionally dishonest or negligently making implications and her defense is that she did not want to lead people to the voter spreadsheets. Well gee, if I think a massive breach of personal information has gone completely unnoticed and I am trying to minimize harm my first instinct is to write a news article about it and demand that someone that has no control over where it is being distributed to delete it. I certainly wouldn’t quietly contact the place it is actually being hosted and let them know my concerns because that would be sane and in line with my stated principles.

    There is plenty of blame to go around to all parties in this incident, but it takes real hubris to say that you are holding up a high standard for journalism by publicizing a massive leak of personal information with the same breath you are criticizing someone for doing the selfsame act.

    • I only mean to explain the events as best I can, I’m not in any position to judge or excuse anyone. I’ll let the data speak for itself at this point, but I do wish she had contacted me immediately. The issue could’ve been dealt with much more quickly and quietly, without drawing extra attention to the problem data and without the drama that ensued.

  5. This is all that you have to say after making millions of women, nearly all Turkish women vulnerable to attack??? After breaching the private sphere of ALL WOMEN of an entire country??? Whose address, sometimes phone, personal details any fucking criminal and weirdo could use???? This is what you call fighting for the citizens and their rights for transparency? Attacking the citizens instead? Do you know that thousands of people (women) can get financially ruined, stalked, robbed, raped, just because of one stupid action of you that thinks he is god and does publish something without even looking what it is? And then you write this text??? Shame on you.

    • I wasn’t the person who breached the networks or released the content. I uploaded the most commonly referenced copy of it early on, and it was removed when the voters’ PII was reported. That report could have been done much more quietly and privately, without alerting everyone to the existence of that particular information and causing many people to attempt to seek it out. Instead, Zeynep announced it as publicly as possible and didn’t make any attempts to reach out to me. I had to reach out to her, despite my name and email being on the page she referenced. Despite that, she made it a more public affair than it needed to be in order to try to score cheap points against WikiLeaks.

      Did I fxck up? Yes. I admit that and I’ve done everything I can to minimize the damage.

  6. This should clear everything up and stop further attacks on Assange. But everyone understands US is embarrassed, angry, self righteous, put in defensive mode and reaction is to attribute everything to WikiLeaks.
    Let’s hope more will share. Sorry I got to this late.
    Sincere Best Wishes
