The Who and How of the AKP Hack, Dump and WikiLeaks Release

Yesterday it was discovered and reported that some of the data in the AKP Turkey hack included “private, sensitive information of what appears to be every female voter in 79 out of 81 provinces in Turkey, including their home addresses and other private information, sometimes including their cellphone numbers.” WikiLeaks was strongly criticized for posting links to the expanded database that included this information. However, at least some of the blame should be leveled at me – I was the one who uploaded the files that WikiLeaks linked to.

Let me clarify a few points up front:

  1. WikiLeaks did not upload the files with the voter information, nor did they provide them to me. I did offer to mirror their release when it was announced, but they never responded.
  2. The files were obtained by Phineas Fisher, who was the source. As far as I can tell, Fisher did not intend to dump all of the files publicly, and Fisher has not indicated that he meant to give any of the files to WikiLeaks to publish. However, they received a partial set of the documents and decided to publish them.
  3. Following the WikiLeaks release of the partial set, Fisher decided to release his complete set. Since the files came from a known source (Fisher has been responsible for many high profile hacks, including the hack on the Hacking Team), I used the torrent file that the files were released through to create a bittorrent instance on the Internet Archive’s server. The server proceeded to download the torrent and create the item that was linked to by WikiLeaks.
  4. After the personal information was discovered, the AKP files were removed from the Internet Archive’s server.
  5. Although I wasn’t aware that it was included in the release at the time, I accept my responsibility in increasing the distributing the personal information. The explanation as to how it happened is not an excuse for the fact that it did happen.

After I contacted her, Zeynep said: “I actually never had a conclusion on who the uploader was, since it wasn’t central to my complaint about actions of Wikileaks: that they had misrepresented what the emails were, and that they had repeatedly publicized these doxing databases as “full data for our Turkey AKP emails + more”. I’m glad to see one party step up and take responsibility, but this doesn’t absolve Wikileaks of their role in all parts of this “leak” which never should have happened since it exposed no wrongdoing by a government or a powerful actor, merely the emails of ordinary people, and sensitive personal information of 20-30 million ordinary people. I tried to explain this directly to Wikileaks, but they blocked me after I started showing them tweets from Turkey’s leading anti-censorship activists who were disgusted and horrified by these actions, especially since they will now become a strong talking point for pro-censorship forces in Turkey.”

The fact that after the release was first announced I had tweeted WikiLeaks an offer to mirror it for them, along with the fact that WikiLeaks and I follow each other on Twitter, may have also made it easy for people to assume there was collaboration. For the record, there wasn’t. As far as I’m aware, the role of WikiLeaks and Julian Assange in the AKP hack ended with their initial release and resumed only when they tweeted out my link.

What happened was a perfect storm of events that I could have prevented, and wish I had.

First, Phineas Fisher penetrated the AKP network because he supported the efforts in Rojava and Bakur and opposed Turkey’s assault on them. Fisher believes that leaking is a means to an end, and didn’t plan on dumping the full set. He was in touch with locals in Rojava and Bakur about how to use the access he had gained to help them, and in the process he shared the files he had obtained so far. He was still in the system at the time and retrieving more, but there was a miscommunication and one of them passed the materials to WikiLeaks. The materials at that point included about half of the akparti.org.tr emails.

According to Fisher’s statement, the individual fixed the miscommunication and asked WikiLeaks to hold off on the release. WikiLeaks was unaware that Fisher was still in the network retrieving more data. WikiLeaks decided to release sooner rather than later due to the attempted coup.

Another hacker who is well known and has previously distributed materials obtained by both Phineas Fisher and I (on separate occasions; Fisher and I have never worked together) provided the torrent file that I uploaded to the Internet Archive. The torrent file was used to download the full set of the AKP release to the Internet Archive’s servers, which then allowed others to download them directly from there. I tweeted the link at 6:44 AM local time and at 11:23 local time WikiLeaks also tweeted the link.

WikiLeaks AKP Archive tweet

Several days went by and focus shifted to the DNC leak along with the allegations that the files may have come from the recently reported DNC hack, which has been linked to Russia. I became aware of the personal information in the AKP release yesterday afternoon, but it wasn’t until this afternoon that I became aware that it was my upload that was the main source of the public information. My focus at the moment had been on building a timeline of the DNC and AKP hacks and releases. At a few minutes after 5:00 PM local time yesterday, I received an email from the office manager at the Internet Archive informing me that the AKP upload had been disabled due to privacy concerns. He offered to speak with me about it by phone or email; it wasn’t a form letter or automatic decision to remove the item. I emailed him back thanking him and agreeing with the decision in light of what had been found in the release. If I’d realized that my version was the primary offending one, I would’ve removed it myself immediately. I mistakenly assumed that it was also on WikiLeaks’ site in a form that didn’t require downloading 100GB of files.


I agree with the Internet Archive’s removal policy so strongly that when I started That 1 Archive, I simply linked to the same policy they did. The policy provides removing private and personal information, and this undoubtedly qualifies so I agree with their decision. The fact that no government prodding was necessary for the removal is an excellent example of how the internet can be self-correcting without extensive over-regulation.

There are several things that I feel should be noted about WikiLeaks’ response to all of this:

  1. Because they tweeted the link to the item, they were blamed by the article. This provoked what seems in hindsight to be an overly defensive reaction. Given the accusations that Russia supplied WikiLeaks with information to publish and some construing this to mean that WikiLeaks is controlled by Russia, it’s easy to see how this could happen.
  2. Even though my name was on the page as the uploader and I had tweeted it out first, WikiLeaks never tried to pass the buck to me or say that it was my upload or my fault. They never reached out to me privately to ask me to do or say anything about it, despite the fact that that would have made things easier for them or taken the pressure off of them. I can only conclude that this is because doing so would have violated the spirit, if not the letter, of their source protection policy by placing the blame on me or pointing the Turkish government in my direction. For that, I’m grateful.
  3. WikiLeaks didn’t delete the tweet with the link, possibly because they mistakenly thought the article about the personal information was an attempt by the Turkish government to censor or smear WikiLeaks instead of the good faith attempt it was to protect the privacy of innocent individuals. If that was their assumption, then I can’t blame them for deciding not to back down.
  4. WikiLeaks is now free to point out that I’m the one who uploaded the file they linked to and that it was obtained and released by Phineas Fisher, who has acknowledged being the one to release it through Mr. White.

The most important thing we can do now is try to minimize the potential damage of all of this.

 

You may want to read the follow-up.