What's Wikileaks, the net's foremost document leaking site, supposed to do when a whistle-blower submits a list of email addresses belonging to the site's confidential donors as a leaked document?
That's exactly the conundrum Wikileaks faced this week after someone from the controversial whistle-blowing site sent an emergency fund-raising appeal on Saturday to previous donors. But instead of hiding email addresses from the recipients by using the bcc field, the sender put 58 addresses into the cc field, revealing all the addresses to all the recipients.
Someone then submitted the email as a leaked document, writing "WikiLeaks leaks it's own donors, aww irony. BCC next time kthx."
Wikileaks, which has been criticized for lacking discretion in deciding whether to release documents or not, published the email and the donors' email addresses on Wednesday. The entry noted that the email was submitted "possibly to test the project's principles of complete impartiality when dealing with whistleblowers."
One notable email address belongs to convicted former hacker Adrian Lamo, who now runs his own security company. In a Twitter post on Saturday, Lamo noted the screw-up, writing "Thanks WikiLeaks, for leaking your donor list.[...] That's dedication." See more in his comment to this story.
Earlier this month, Wikileaks scored another leaking coup, publishing hundreds of thousands of pages of copyright-free but rarely seen Congressional Research Service reports. Congress members and their staff rely on those reports to craft laws and policy, but the reports are rarely made public. The site also just recently published an unseen NATO civilian casualty 2008 report for Afghanistan, showing the country's civilians casualties jumped 46% last year.
Wikileaks says that no one leaking documents to the site has ever been identified, but the site's amateur slip-up isn't likely to be soothing to those who have or are thinking about slipping docs to the fearless site.
In the comments, Jay Lim of Wikileaks says whistle-blowers need not worry.
"[W]hile definitely not good form, the mistake was a missed shortcut made by one of our admin people and is not related to the efforts or systems involved in source protection," Lim wrote.