The WikiLeaks Battle: Should Information Be Shared or Censored?

: Knowledge@Wharton
(http://knowledge.wharton.upenn.edu/article.cfm?articleid=2653)

The WikiLeaks Battle: Should Information Be Shared or Censored?

Published : December 08, 2010 in Knowledge@Wharton

Julian Assange, the Australian founder of WikiLeaks, the controversial

website that has been posting classified government documents, is now
being held without bail in the U.K., awaiting extradition to Sweden for
questioning regarding an alleged rape. But sensational news aside, his
site's recent release of confidential U.S. State Department cables has
implications for businesses and corporations with sensitive information to
shield, according to experts at Wharton and the University of
Pennsylvania. This is a single/personal use copy of
Knowledge@Wharton. For multiple copies, custom
reprints, e-prints, posters or plaques, please
"WikiLeaks is a fascinating microcosm of a larger trend -- that the contact PARS International: reprints@parsintl.com
P. (212) 221-9595 x407.
Internet allows freer flow of information, including things we want to be
available and things we don't," says Wharton professor of legal studies
and business ethics Kevin Werbach. While premeditated leaks and other types of unauthorized
disclosures are nothing new, he adds, digital technology makes it much easier for "one disgruntled
individual" to unleash massive troves of information almost instantaneously.
For many, the WikiLeaks case has opened up a fundamental debate over privacy of information versus
public access on the open web. In a column on The Guardian's website on December 6, John Naughton
wrote: "The most obvious lesson [of the WikiLeaks case] is that it represents the first really sustained
confrontation between the established order and the culture of the internet. There have been skirmishes
before, but this is the real thing." Indeed, while Assange is behind bars, WikiLeaks and other "mirror
sites" that have sprung up to distribute its material are threatening to release a code that would unleash
more sensitive, uncensored data from governments and corporations if Assange is killed or convicted. On
December 8, the site said the arrest would not stop it from posting new revelations, and WikiLeaks
subsequently published a new set of cables about the British government's decision to release convicted
Libyan Lockerbie bomber Abdel Baset Ali al-Megrahi.
For companies, the WikiLeaks case may ultimately serve as a parable on guarding sensitive information. Joseph Turo
Joseph Turow, professor of communication at the University of Pennsylvania's Annenberg School for
Communication, says the State Department cables released by WikiLeaks, while controversial, are
perhaps more well-thought-out than most internal corporate communications. "If I were a CEO, this
would not make me feel comfortable. I would be very concerned that this would happen in my company,"
he says. "The cables that have been released look incredibly tame compared to the e-mail that people send
around corporations."
Bad Publicity and Trade Secrets
Bruce Schneier, an author of books on cyber-security and founder of BT Counterpane, a security firm,
argues that WikiLeaks rose up because of an excessive amount of classification of information and a weak
press that "acts like a stenographer" for the government. He adds that the U.S. government is now
experiencing what the music and entertainment industries have endured during the past several years --
digital distribution networks that sprang up as alternatives to the systems that recording labels and
producers tried to control.
Although WikiLeaks has been disseminating information for 18 months, much of it about the Iraq and
Afghanistan wars, Werbach notes that the state department communiqués seem to have raised the site's
profile and generated a strong reaction. For example, credit card companies, PayPal and Amazon decided
to cut off links that helped fund WikiLeaks, apparently under pressure from government officials. "It's
dangerous when [the] government tells private companies that certain content should be kept off the

  All materials copyright of the Wharton School of the University of Pennsylvania.                    Page 1 of 3 
The WikiLeaks Battle: Should Information Be Shared or Censored?: Knowledge@Wharton
(http://knowledge.wharton.upenn.edu/article.cfm?articleid=2653)

network," he notes. It is also "reasonable for companies to be thinking about whether WikiLeaks crossed
the line in its most recent disclosures."
Andrea Matwyshyn, Wharton professor of legal studies and business ethics, says society is struggling to
find a balance between control of information and disclosures that may help the nation "better plot its
own trajectory." Governments and corporations should focus less on WikiLeaks and more on the initial
source of disclosures, she notes, because "once [information] goes out into the wild blue yonder of the
Internet, getting it back from cyberspace is impossible."
Indeed, Australian Foreign Minister Kevin Rudd, who was identified as a "control freak" in the cables,
says it is not Assange who is responsible for the unauthorized release of more than 200,000 diplomatic
documents. "The bad people in this little exercise are the people who gave the information to him,
because they are the people who breached the trust. They deserve to be chased and prosecuted," Rudd
told reporters. Army Pfc. Bradley Manning has confessed in online chats that he downloaded classified
documents from Army networks -- including U.S. State Department cables -- and gave them to
WikiLeaks. He is being held at the U.S. Marine Corps brig at Quantico, Va. and faces 52 years in prison
on charges of passing unauthorized information from military computers.
In addition to preventing bad publicity, Matwyshyn points to the importance of a proactive strategy to
protect corporate trade secrets in the courts. She notes that a company does not really know if its
information is a trade secret until it is forced to challenge a suspected violator in court. Rulings on
whether a legitimate trade secret has been breached depend heavily on whether a company can prove that
it valued a piece of intellectual property enough to take adequate steps to protect it from leaking outside
the organization.
Companies "fail chronically" to establish a system-wide approach to the protection of information and
rely, too often, on technology-based security solutions, Matwyshyn says. "They think that if they have a
strong IT department they are covered. That's the wrong approach, because information flows need to be
monitored not only through information technology, but holistically throughout the entire organization."
Wharton management professor Lawrence Hrbeiniak says that the WikiLeaks disclosures have prompted
him to think about the strategic implications of outsourcing -- for better or worse. He notes that one
WikiLeaks release was a so-called "hit list" of government and private sector facilities around the world --
including vaccine and essential medicines plants, mines and industrial facilities -- that, if attacked, could
harm the U.S. population. "Outsourcing for governments and companies has benefits, but it also increases
one's dependency [on] or vulnerability [to] those who control what the governments or companies need,"
he says. "WikiLeaks suggests this vulnerability for governments, but the same implications exist for
companies. Extreme dependency on others can increase their power and control over us."
A 'Cyborg Dynamic'
Top managers need to have the mindset that information security is important and work collaboratively
across internal divisions to preemptively plug sources of potential leaks, Matwyshyn and other experts
say. In the case of the diplomatic cables, the State Department decided that for the sake of convenience,
employees would be able to use thumb drives which resulted in "default permission" to copy materials,
according to Matwyshyn. "And this person copied it and walked out the door."
Even employees restricted by confidentiality agreements break those contracts with results that can have
ramifications beyond the employee-employer relationship, Matwyshyn notes. Organizations that depend
on keeping secrets need to develop systemic processes covering information sharing. She observes that a
duality is taking place throughout business in approaches to corporate information. On the one hand, the
rise of social media has made companies eager to embrace the Internet to connect with new customers and
build a greater presence in communities. "For marketing purposes," Matwyshyn says, "technology and
outreach is a boon." At the same time, she continues, a "cyborg dynamic" is developing. Companies are
increasing the use of technology internally. As they become more mechanized, and less human, they rely
on the integration of computer systems to secure sensitive information, which she notes "may or may not
be operating optimally."
Matwyshyn argues that computer-based information systems need "human backstops" who are able to
look at the larger picture of information security on an ongoing basis to determine where information

  All materials copyright of the Wharton School of the University of Pennsylvania.                    Page 2 of 3 
The WikiLeaks Battle: Should Information Be Shared or Censored?: Knowledge@Wharton
(http://knowledge.wharton.upenn.edu/article.cfm?articleid=2653)

look at the larger picture of information security on an ongoing basis to determine where information
flows are being used and where they might need to be redirected. She suggests corporations develop new
systems for information sharing from the top down through the collaboration of the chief technology
officer, chief security officer, the CEO and other officer-level positions. Working together, high-level
executives should be able to develop integrated and thoughtful information sharing policies along with the
corporate culture to enhance and enforce the rules. "These are decisions that need to come from the top
and create a culture of information care within an organization -- not only for its own information but for
the security of consumer information the organization possesses."
Businesses now possess huge amounts of customer data that is vulnerable to premeditated, as well as
accidental, disclosure, Matwyshyn points out. Consumers, she notes, are growing increasingly alarmed
about letters they receive from companies indicating that their private information has been breached. In
the past decade, 45 states have created statutes requiring companies to notify consumers of the possibility
that their secure information may have been breached. "The arrival of a widespread regime of law is
unprecedented in its speed," she says, reflecting "a consumer outcry and heightened concerns over
control." Consumers want to be able to share the information to gain better access to products and
services, but they also want that information contained, leading to what academics call the "privacy
paradox."
"Consumers are looking for a regime of trust and the ability to have some kind of input on their data
usage. Essentially, [they want to] have a stronger contractual regime around the licensing of their
information," says Matwyshyn, who adds that it is possible to imagine a time when companies would be
liable for damages for lapses in protecting consumer information. "But consumers aren't really interested
in seeking damages. They simply want to control their information."
It Boils Down to Trust
In the aftermath of the WikiLeaks furor, Pentagon and State Department officials have said some foreign
officials now seem reluctant to trust U.S. officials. "We have already seen some indications of meetings
that used to involve several diplomats and now involve fewer diplomats," said State Department
spokesman P.J. Crowley. "We're conscious of at least one meeting where it was requested that notebooks
be left outside the room."
According to Turow, there is a tension between the need for corporate executives to be able to
communicate honestly and openly and the potential fallout if frank discussions are later revealed. He
suggests highly sensitive matters should not be committed to writing or should have tight information
controls. While companies can adopt best practices for information management, such as limits on the
amount of material an individual can download, there is no technology to guard against a determined
rogue individual. "In the end, it comes down to the trust of your employees. Their loyalty is what
[counts]."
Werbach says the most recent WikiLeaks information releases reflect less focus on scandal than in the
past. The cables, he notes, are mostly day-to-day communications that are interesting, but do not seem to
represent dangerous secrets. It is likely the U.S. government has more sensitive communications behind
tighter security, he adds. Still, "the number of corporate laptops that are stolen and are not encrypted is
truly frightening."
And while the volume of leaks of U.S. communications seems large, it is probably only a small fraction
of the "daily chatter" in diplomatic networks, Werbach points out. He notes that high level discussions
between the President and Chinese leaders or about nuclear strategy are likely protected by tight access.
Any organization needs to prioritize the level of information it wants to protect and set up appropriate
levels of security, he says. "You can't just put a cone of silence around everything."

This is a single/personal use copy of Knowledge@Wharton. For multiple copies, custom reprints, e-prints, posters or plaques, please contact
PARS International: reprints@parsintl.com P. (212) 221-9595 x407.

  All materials copyright of the Wharton School of the University of Pennsylvania.                    Page 3 of 3