Steffen Kraft
10.08.2011 | 13:30

"We can't demand trust"

Interview: In an interview with German weekly "Der Freitag", Openleaks founder Daniel Domscheit-Berg explains why he invites hackers to try to crack his new whistleblowing platform

Der Freitag: Why should we trust Openleaks?

Daniel Domscheit-Berg: For the same reasons that you trust some people in your environment – when you can have positive experiences with them, when they can react openly to critical questions and when you can find out about their background. In any case, this is what we're working towards with Openleaks. We don't just want to create transparency, we also want to work transparently.

Does this mean that you don't demand people trust Openleaks, but rather hope that people keep tabs on the project?

Yes. The trust of whistle-blowers is, of course, the foundation for our work, but we can't demand it. To the contrary: we have to do something for people to trust us. I suspect that scepticism will remain with some. But that's okay, too. We don't want to be the solution for everyone, but rather want to also help other portals who have goals similar to ours. The more whistle-blower platforms there are, the better.

You are now going public with Openleaks' submission platform for the first time for a couple of days. What do you aim to achieve with this?

We're calling hackers and users across the board – but primarily at the Chaos Communication Camp – to test our system. Everyone can look at Openleaks for five days, and should try to hack the platform, to destroy it or whatever. We hope to win some insight through this stress test as to how we can make the system more secure – or ideally, to receive the reply: Openleaks is so secure that even after five days of constant bombardment, it will still preserve its documents.

So you don't yet know if your system is secure?

Mistakes can always surface in the details. You can't delude yourself.

Are you expecting that whistle-blowers will be uploading explosive documents to Openleaks during the test phase despite that?


Would you put a secret file into an electronic mailbox currently being attacked by hackers?

I would definitely put something into our mailbox. From a practical point of view, I don't really see a problem for whistle-blowers.

Could you explain that?

Every uploaded document is immediately locked with a code that even the Secret Service couldn't break. The digital key, which is required for reading the file, also doesn't even sit on Openleaks servers. That means: even if a hacker got access to one of the uploaded documents, he wouldn't be able to open it.

What happens with the documents submitted during the tests?

Everything that comes in now will be distributed to our partners.

You left Wikileaks in conflict. Did you at that time take unpublished documents with you from which Openleaks could now profit?

No, I didn't take any documents from Wikileaks. We don't have a treasure chest we can just dip into. That would also falsify the results of our test: we want to get a realistic view of how much material comes in.

How is Openleaks different from Wikileaks?

It's different in that an informant is no longer led to a central website to which he uploads his documents, and then has to wait for Wikileaks to evaluate it, see if people there have time for it, if they find it interesting enough for global politics and so on. Wikileaks is too centralized. If it functions successfully – and it did – it develops massive bottlenecks in the process of receiving and publicizing documents.

How do you want to avoid this problem?

On our site, the informant has more choices in determining what happens with his material: he can, for example, give it to a partner of his choosing, for instance, to a newspaper he trusts and where he knows that they have the resources and are also working with material that others leave to the side. In contrast to Wikileaks, Openleaks will not publish any documents itself. We won't even be able to read the material ourselves – because everything will immediately be locked with codes from our partners. How documents are best published, how they will be worked with, if parts of them have to be blacked out to protect those who are not involved – all the questions of content and editing are things we want to leave to those who professionally engage with these issues. Journalists, for example.

And what happens when journalists tell you: this document absolutely cannot be published, otherwise human lives will be endangered. Does Openleaks have a way to keep a document locked against the will of the source?

We have various answers to this question, but not a conclusive one yet. We have to work out an internal evaluation process during the test phase in order to be able to act responsibly in such cases.

You say Openleaks will work transparently. What are you doing towards that goal?

It starts with the fact that we are building our organization to be legally sound. We would like not only to be able to pay our bills, but would also like to be able to properly account for income and expenses. Even in the very first posts on our blog, we itemized how many donations we had received and what they were being used for. This is one thing that's very important to us: if everything runs correctly, we will issue monthly reports about our activities and donations, so long as we receive something noteworthy. Until now, by the way, it's been about 2,000 Euros.

But you can't pay employees with that. Where does the money come from, then?

Until now, everyone at Openleaks has to take care of themselves, how they earn the money that they need to live. In that sense we've re-introduced the old Wikileaks model.

There aren't any financers in the background?

No, and we've consciously done so for this phase of the project. We want to be independent so that no one can influence the content, or push us to act according to deadlines, rather than doing the best work possible.

Are the media partners supposed to pay anything?

No. The goal – also for the future – is that no media partner pays. We would like for the partners to take part in the fixed costs later, for example, for the upkeep of the server. But Openleaks will never, in any way, incur costs from partners.

But then where should the money for you and your colleagues come from?

We have different ideas. First, we hope donations will increase as soon as Openleaks goes online; secondly, in the foreseeable future we will offer training for journalists and media organizations who want to make their electronic communication more secure. And then, in the medium-term, we want to set up a foundation which can support us.

Which organizations are permitted to become partners? According to what criteria are they chosen?

We still don't have a final word on how we seek out partners. But we would like to assign approximately 50 of the 100 partnerships through a public recommendation process, so that people can participate in choosing who can work with us through the net.

And the other 50 slots?

Those will be received by organizations which have already approached us.

Is everyone allowed to participate in Openleaks?

We understand ourselves to be a politically neutral organization. We are not journalists, but rather technical service providers who provide for the secure transfer of data.

Right-wing populists are then also welcome as partners?

Political parties fundamentally cannot become partners of Openleaks. I can assure you: we have not yet received any requests from any extreme group.

And what would happen if any showed up?

It's difficult to say, simply because we don't yet have a definitive answer for that. At the moment we have other concerns.

What kind of legal status will Openleaks have?

Our lawyers are currently working on how to find out which form is the best. It could take the form of a nonprofit limited liability company under German law (gemeinnützige GmbH).

When will that be concrete?

I don't know how long lawyers need for that kind of thing. However, when you want to qualify officially as “not for profit” in Germany, you have to be recognized by the tax authorities. That is a tedious process.

Will Openleaks have a legal status when it starts normal operations after the tests?

I assume so. By then this will certainly be taken care of.

When will that be?

That depends on the results of the tests which we have begun. It will show the weaknesses of our system, and hopefully will be conducive to creating trust in Openleaks.

Translation: Johanna Schuster-Craig