Blind transparency

Neil Sanson
13 September 2016

If you have other people’s personal information, it is your responsibility to keep it safe. There are many reasons why you need to keep that information secure. Here’s one recent example of how careless disclosure can put people at risk.

In July, WikiLeaks dumped a large number of files containing personal information into the public domain, justifying the release by claiming the public’s need to know. It happened some days after a failed attempt to overthrow Turkey’s government.

Turkish email leak

The dump of about 300,000 emails - which WikiLeaks called “Erdogan emails” after the country’s president, Recep Tayyip Erdogan - was intended to harm the Turkish government’s efforts to quell dissent.

But, as with a huge collection of Saudi Arabian files in 2015, WikiLeaks chose not to sort through the documents to work out what was in the public interest and what should not be released.

In response, Turkey’s internet governance body swiftly moved to block access to WikiLeaks. Free speech activists, including Edward Snowden, then decided the government was trying to hide the leaked information and drew further attention to it.

WikiLeaks also disclosed links to another dump of Turkish files which were hosted by the Internet Archive. But with both sets of information, the language barrier and a lack of general information meant that little was known for some time about the nature and significance of the information, until a Turkish academic based in the United States took a closer look.

Private, sensitive information

Zeynep Tufekci, who is based at the University of North Carolina and is a faculty associate at the Berkman Center for Internet and Society at Harvard, wrote: “Yes, this “leak” actually contains spreadsheets of private, sensitive information of what appears to be every female voter in 79 out of 81 provinces in Turkey, including their home addresses and other private information, sometimes including their cell phone numbers.”

She added that “Snowden couldn’t have been more wrong about an act that was irresponsible, of no public interest and of potential danger to millions of ordinary, innocent people, especially millions of women in Turkey”.

When alerted to the sensitive nature of the personal information disclosed, WikiLeaks deleted the link and the Internet Archive took down the files, but the internet is the internet, and the database remained available on torrent sites.

Protecting the information

What then does the law in New Zealand expect if an agency receives leaked information? The Privacy Act in New Zealand says it is the responsibility of agencies to protect personal information from disclosure, even if it is leaked to them. A good way to do this is to delete or safely destroy the information.

If you are ever affected by others publishing your personal information in a similar way, you do have a few options. The first step, because time matters, is to attempt to contact the operators of the site that hosts the information. Some of the big operators do have processes for dealing with such requests and they can quickly take the information down.

If that does not work for you, contact NetSafe. It has established relations with some of the big internet players like Google, Facebook, Twitter, YouTube and others. You can report the threat to you on NetSafe’s reporting site, The Orb.

In the case of the ‘Erdogan emails’, WikiLeaks failed in its responsibility to check if there was a risk of ‘collateral damage’ if the information was leaked to the world.

Further reading

Associated Press has explored the context of the issue. Raphael Satter and Maggie Michael - Private lives are exposed as WikiLeaks spills its secrets (23 Aug 2016)

This Motherboard article provides an overview of where the information came from and how it was distributed. Joseph Cox - How 'Kind of Everything Went Wrong' With the Turkey Data Dump (28 July 2016)

This article discusses the earlier history of the data. Efe Kerem Sozeri - Major ‘Turkish police data dump’ reveals an even bigger scandal (21 Feb 2016, The Daily Dot)

Zeynep Tufekci’s piece published on Huffington Post looked at the data and the ramifications of leaking in a bit more depth - WikiLeaks Put Women in Turkey in Danger for No Reason (Huffington Post, 25 July 2016)

Image credit: Wikimedia Commons

 


Comments

  • Note: writing this in my personal capacity not as legal advice or in connection with any other position I may have.
    ----/----
    Is deleting or destroying leaked materials that have come into one's possession necessarily the best approach? Obviously securing that information so that further abuse does not occur is critical but one can imagine that it may be useful to keep the material at least until the situation is clear. A couple of reasons spring to mind:

    - the original materials may have been tampered with, encrypted in a ransomware type attack or even deleted, making the leaked version a possible recovery vehicle for the original owner(s).

    - evidentiary purposes in any civil claim or prosecution by original owner(s) or authorities.

    Further, if a police investigation has already begun or civil proceedings already launched, there may be issues with destruction of evidence. Organising a production order or subpoena and then deleting might be an alternative in those circumstances.

    Posted by Rick Shera, 13/09/2016 5:53pm (11 months ago)

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.
