Thoughts on the Assange Indictment: Where’s Vault 7?

I am not a fan of Julian Assange. In fact, I’ve even managed to get the WikiLeaks official Twitter account to block me. But now that the U.S. government appears to have decided that no additional charges will be filed against Assange—meaning that his prosecution will rest on the superseding indictment and will not involve any charges concerning the Vault 7 release—I am forced into the uncomfortable position of publicly defending him. The Justice Department’s approach to Assange’s prosecution seems maximally engineered either to fail badly or to succeed in setting a very dangerous precedent.

As the U.S. has now formally requested Assange’s extradition, under the U.S.-U.K. treaty the charges against him in U.S. court will be limited to those in the superseding indictment released in May. The charges filed against Assange include one count of conspiracy to receive classified information, seven counts of receiving classified information, nine counts of disclosing classified information, and one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), all related to government information procured by Chelsea Manning. For most of these charges, the government does not attempt to differentiate Assange’s behavior from that of a national security reporter.

The CFAA charge is rather uncontroversial, as the conduct described does not represent normal behavior for a reporter—and conspiracy to obtain classified documents sounds like unusual behavior for a reporter. Unfortunately, the evidence presented showing an active conspiracy is slight. Given Manning’s skill level, the only evidence presented for the hacking conspiracy is a simple chat message in which Manning provides a password hash to Assange who claims to be able to break it. The government doesn’t even present evidence of an espionage conspiracy beyond WikiLeaks publishing a “Wish List” of information that, seemingly unbidden, Manning followed. Manning is the only person who could testify to a more overt conspiracy, but she refuses to participate in the grand jury process based on her principles.

The rest of the charges, concerning Assange receiving and then publishing classified information, do not meaningfully distinguish WikiLeaks’s behavior from the behavior of every national security reporter.These charges also run the very real risk of failing to extradite Assange, who managed to tie up the extradition process to Sweden over straightforward sexual assault allegations for nearly two years before fleeing to the Ecuadorian embassy in London. Imagine how much more fraught the extradition proceedings will be now that Assange will be able to point to a prosecution he can easily describe as political, a potential sentence measured in decades and charges that seriously implicate U.S. press freedoms.

Against this backdrop, it is notable that the Justice Department did not include any information about WikiLeaks’s involvement in the “Vault 7” disclosures. Vault 7 involved WikiLeaks’s release of information on CIA hacking tools, coupled with an effective disinformation campaign. WikiLeaks coupled the initial bulk release of these documents with a set of deliberately deceptive analyses, designed to be picked up by reporters in a hurry. But the group eventually released only one tool, a utility for controlling compromised computers. Everything else was simply documentation on hacking tools, including instructions on use and developer notes—albeit classified instructions and developer notes. WikiLeaks also distributed “insurance” files when teasing the leak—large encrypted blocks of data without the corresponding key. This served two objectives: gaining attention from journalists and creating an implicit threat that if the U.S. government did something counter to WikiLeaks’s interests, then WikiLeaks would release the key.

The tools, although technically interesting to geeks like myself, did not reveal substantial abuses nor even unusual capabilities. It was rather WikiLeaks’s spin on the release that led to dramatic headlines like “WikiLeaks: The CIA is using popular TVs, smartphones and cars to spy on their owners.”

The alleged source for the leak, Joshua Schulte, is currently facing prosecution in the Southern District of New York over a whole host of charges—not just involving Vault 7 but also post-arrest misconduct, criminal contempt of court, child pornography and (in state court) sexual assault. The government’s filings in Schulte’s case don’t explicitly list Vault 7 and WikiLeaks but do refer specifically to “Organization-1” and “U.S. Intelligence Agency.”

The lack of charges for Assange in the Vault 7 case is particularly problematic. The Schulte case has dragged on for more than a year, reportedly due to conflicts between the Justice Department and the CIA over the use of classified information for Schulte’s prosecution. It’s not clear to me why the CIA is so reluctant to cooperate with the prosecution: Identifying Schulte should have simply involved querying the datastore to see who accessed the data. There should be no need for parallel construction nor worries about hiding unclean search warrants.

Likewise, the CIA may be reluctant to acknowledge that Vault 7 is genuine, but I can’t think of a reason for this beyond intertia in CIA’s internal culture. Any damage was already done upon release. And, truth be told, the damage seems minor: Excluding WikiLeaks’s deceptive spin, the documents revealed that the CIA acquires tools necessary to do its job. Every adversary could easily have guessed that the CIA had every capability revealed by Vault 7.

I’d strongly urge the CIA to take a few of the documents, preferably the ones describing the more creative tools, and acknowledge their provenance for the purpose of prosecuting both Schulte and Assange. The CIA should be rightly proud of its more creative tools. (And “Weeping Angel,” a tool described in Vault 7, not only has a better program name but also is clearly far more successful than the cold war “Acoustic Kitty” program—in which the CIA attempted to train cats to spy on the Russians.)

Prosecuting Assange for the Vault 7 leak would offer advantages not present in the Manning leaks. Schulte, unlike Manning, at least offers the possibility of cooperation. The court revoked Schulte’s bail in December 2017, a situation that likely increases the odds of his cooperation. Hypothetically, if Schulte had contacts with Assange before obtaining the information, this might offer a cleaner conspiracy charge not complicated by the difficulties of distinguishing WikiLeaks from journalistic entities like the Washington Post or the New York Times. If Schulte communicated with Assange, and then Assange encouraged Schulte to obtain the information, this could amount to a conspiracy to acquire, not just receive and publish, classified information.

Overall, I’m simply mystified, both by the charges chosen and by the charges ignored. I do not know what the Justice Department intends in the prosecution of Assange. But given the charges selected, even if the department’s strategy proves “successful,” I would regard it as a failure.