The £12m question: how WikiLeaks gags its own staff

“A typical open market valuation.”

This blog has previously described the bizarre legal world of WikiLeaks where, for example, the organisation claims some form of commercial ownership over the information that has been leaked to it.

Today, the New Statesman can reveal the extent of this legal eccentricity as we publish a copy of the draconian and extraordinary legal gag that WikiLeaks imposes on its own staff.

Clause 5 of this "Confidentiality Agreement" (PDF) imposes a penalty of "£12,000,000 – twelve million pounds sterling" on anyone who breaches this legal gag.

This ludicrous – and undoubtedly unenforceable – amount is even based on "a typical open-market valuation" for the leaked information that WikiLeaks possesses.

This phraseology is consistent with WikiLeaks's perception of itself as a commercial organisation in the business of owning and selling leaked information. Indeed, there is no other sensible way of interpreting this penalty clause.

Other parts of the legal gag are just as extraordinary. The second recital paragraph, "B", provides that – like a superinjunction – the fact of the legal gag itself is subject to the gag.

So is "all newsworthy information relating to the workings of WikiLeaks". On the face of it, even revealing that one is under this agreement could result in a £12m penalty, as would sharing information on how the directors conduct the organisation.

The fifth recital paragraph, "E", is just as astonishing. It purports to extend what WikiLeaks can sue for beyond any direct loss that it might suffer if the gag is breached. WikiLeaks says it can sue for both "loss of opportunity to sell the information to other news broadcasters and publishers" and "loss of value of the information".

All this legalese can only mean that WikiLeaks takes the commercial aspect of selling "its" information seriously: there would be no other reason for this document to have such precise, onerous and unusual provisions.

On the basis of this legal gag alone, it would be fair to take the view that WikiLeaks is nothing other than a highly commercially charged enterprise, seeking to protect and maximise its earnings from selling information that has been leaked to it. If so, WikiLeaks is nothing other than a business.

One suspects that the various brave and well-intentioned people who have provided the leaked information would be quite unaware of – and perhaps horrified by – the express commercial intentions of WikiLeaks, as evidenced by this document.

However, for some time it has been apparent that WikiLeaks and its founder, Julian Assange, have had a "pick'n'mix" attitude to legal obligations. They seem to feel free from any restrictions in respect of confidentiality and official secrecy; but on the other hand they make routine legal threats, especially against the Guardian, so as to uphold their perceived rights to their supposed commercial "property" – leaked, sensitive information. Abidance by the law is, it would seem, something for other people.

And, as the legal gag shows, WikiLeaks sought to use the full force of the law to deter or punish anyone who leaks against it – to the tune of £12m a time.

David Allen Green is legal correspondent of the New Statesman and is a practising media lawyer. He was shortlisted for the George Orwell Prize for blogging in 2010.

David Allen Green is legal correspondent of the New Statesman and author of the Jack of Kent blog.

His legal journalism has included popularising the Simon Singh libel case and discrediting the Julian Assange myths about his extradition case.  His uncovering of the Nightjack email hack by the Times was described as "masterly analysis" by Lord Justice Leveson.

David is also a solicitor and was successful in the "Twitterjoketrial" appeal at the High Court.

(Nothing on this blog constitutes legal advice.)


Marcus Hutchins: What we know so far about the arrest of the hero hacker

The 23-year-old who stopped the WannaCry malware which attacked the NHS has been arrested in the US.

In May, Marcus Hutchins - who goes by the online name Malware Tech - became a national hero after "accidentally" discovering a way to stop the WannaCry virus that had paralysed parts of the NHS.

Now, the 23-year-old darling of cyber security is facing charges of cyber crime following a bizarre turn of events that has left many baffled. So what do we know about his indictment?

Arrest

Hutchins, from Ilfracombe in Devon, was reportedly arrested by the FBI in Las Vegas on Wednesday before travelling back from cyber security conferences Black Hat and Def Con.

He is now due to appear in court in Las Vegas later today after being accused of involvement with a piece of malware used to access people's bank accounts.

"Marcus Hutchins... a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan," said the US Department of Justice.

"The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015."

His court appearance comes after he was arraigned in Las Vegas yesterday. He made no statement beyond a series of one-word answers to basic questions from the judge, the Guardian reports. A public defender said Hutchins had no criminal history and had previously cooperated with federal authorities. 

The malware

Kronos, a so-called Trojan, is a kind of malware that disguises itself as legitimate software while harvesting unsuspecting victims' online banking login details and other financial data.

It emerged in July 2014 on a Russian underground forum, where it was advertised for $7,000 (£5,330), a relatively high figure at the time, according to the BBC.

Shortly after it made the news, a video demonstrating the malware was posted to YouTube allegedly by Hutchins' co-defendant, who has not been named. Hutchins later tweeted: "Anyone got a kronos sample."

His mum, Janet Hutchins, told the Press Association it is "hugely unlikely" he was involved because he spent "enormous amounts of time" fighting attacks.

Research?

Meanwhile Ryan Kalember, a security researcher from Proofpoint, told the Guardian that the actions of researchers investigating malware may sometimes look criminal.

“This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure,” said Kalember. “Lots of researchers like to log in to crimeware tools and interfaces and play around.”

The indictment alleges that Hutchins created and sold Kronos on internet forums including the AlphaBay dark web market, which was shut down last month.

“Sometimes you have to at least pretend to be selling something interesting to get people to trust you,” added Kalember. “It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference.”

It's a sentiment echoed by US cyber-attorney Tor Ekeland, who told Radio 4's Today Programme: "I can think of a number of examples of legitimate software that would potentially be a felony under this theory of prosecution."

Hutchins could face 40 years in jail if found guilty, Ekeland said, but he added that no victims had been named.

This article also appears on NS Tech, a new division of the New Statesman focusing on the intersection of technology and politics.

Oscar Williams is editor of the New Statesman's sister site NS Tech.