Pentagon: The leak on Discord is more significant than we think
From time to time, the intelligence of US agencies and its allies are exposed in major leaks. April’s leak of 50-or-so top secret documents on the gaming chat service Discord was one of the most egregious.
The release of diplomatic cables by WikiLeaks in 2010, the 2013 disclosures by Edward Snowden, and the disclosure of the National Security Agency and CIA’s hacking tools in 2016 and 2017 rank among the world’s biggest modern-time leaks.
Outrage or shrug? Diminishing response
Every new leak seems to generate less and less outrage on a global level. So when another US intelligence leak surfaced in April on Discord (a relatively unknown social platform), it hardly caused a blip on the radar. While sensationalism can hinder law enforcement’s efforts, disinterest isn’t exactly helpful either.
The Discord leak was revealed on 6 April by the New York Times. Behind the leak was 21-year-old Jack Teixeira, an airman first class in the Massachusetts Air National Guard.
It wasn’t difficult for the FBI to identify him. He uploaded the documents to an online community on Discord (a server) that he was unofficially administrating, and tracked the FBI investigation into his own leak. He was charged a few days later.
Mistaken for fake news
In that short time, the leaked documents were spread to other social media platforms by users who thought the documents were fake. The possibility of the documents being top secret didn’t seem to register.
As CNN reported: ‘Most [Discord] users distributed the files because they thought they were fake at first,’ one Discord said. ‘By the time they were confirmed as legitimate, they were already all over Twitter and other platforms.’
Very bad timing
Not that there is ever a good time, but this leak arrived at a particularly sensitive moment in Russia’s ongoing conflict against Ukraine.
Although the data was not as comprehensive as in previous leaks, this latest breach provided intimate details about the current situation in Ukraine, as well as intelligence on two of the US’s closest allies: South Korea and Israel.
While Europe was mostly spared, the leaked information uncovered that Ukraine has European special forces on the ground and that almost half of the tanks en route to Kyiv are from Poland and Slovenia. The collateral consequences of the leak extend to many countries.
Still out there
Days after the Pentagon announced its investigation, the leaked documents could still be accessed on Twitter and other platforms, promoting a debate about the responsibility of social media companies in cases involving national security. There’s no one solution that can solve the content moderation issues on social media, complicating the follow-up.
Unfortunately, but unsurprisingly, leaks are bound to happen, especially when classified information is accessible to so many people. In 2019, there were 1.25 million US citizens with clearance to access the USA’s top-secret information.
One solution, therefore, is for social media platforms to strengthen their content policies when it concerns leaks of intelligence information. If the former Twitter employee interviewed by CNN is correct, ‘the posting of classified US military documents would likely not be a violation of Twitter’s hacked materials policy’. Another possibility is for companies to strengthen their content moderation capabilities. To avoid imposing impossible burdens on start-up or small platforms, capabilities should be matched to the size of a platform’s user base (the framework used by the EU’s Digital Services Act is a good example).
The issue becomes more complex when illegal material is shared on platforms that use end-to-end encryption. As law enforcement agencies have emphasised time and time again, while there’s no doubt that encryption plays an important role in safeguarding privacy, it also hampers their ability to identify, pursue, and prosecute violations.
For now, we should focus on the fact that the latest leak was uploaded by a user to a public forum on social media, despite the potential damage to the national security of their own country (the USA) and the risk to citizens of a war-torn country (Ukraine). That is undoubtedly the biggest concern
Digital policy developments that made global headlines
The digital policy landscape changes daily, so here are all the main developments from April. There’s more detail in each update on the Digital Watch Observatory.
Global digital governance architecture
G7 digital ministers will start implementing Japan’s plan for a Data Free Flow with Trust (DFFT) through a new body, the Institutional Arrangement for Partnership (IAP), led by the Organisation for Economic Co-operation and Development (OECD). They also discussed AI, digital infrastructure, and competition.
Sustainable development
The UN World Data Forum, held in Hangzhou, China, called for better data governance and increased collaboration between governments to achieve a sustainable future. UN Secretary-General António Guterres said that data remains a critical component of development and progress in the 21st century.
Security
The Pentagon started investigating the leak of over 50 classified documents that turned up on the social media platform Discord. See our story on pages 2–3. A joint international law enforcement operation seized the Genesis Market, a dark web market.
The European Commission announced a EUR1.1 billion (USD1.2 billion) plan to strengthen the EU’s capabilities to fend off attacks and support more coordination among member states.
TikTok was banned on government devices in Australia; the Irish National Cyber Security Centre also recommended that government officials refrain from using TikTok on devices.
The annual report of the Internet Watch Foundation (IWF) revealed that severe child sexual abuse imagery is on the rise.
E-commerce and the internet economy
The UK’s Competition and Markets Authority (CMA) blocked Microsoft’s acquisition of Activision Blizzard over concerns that it would negatively affect the cloud gaming industry. Microsoft will appeal.
The European Commission designated 19 tech companies as very large online platforms (VLOPs) (17) and very large online search engines (VLOSEs) (2), which will need to comply with stricter rules under the new Digital Services Act.
South Korea’s Fair Trade Commission (FTC) fined Google for unfair business practices. A group of Indian start-ups asked a local court to suspend Google’s new in-app billing fee system. In the UK, Google will let Android developers use alternate payment options.
Infrastructure
The EU’s Council and Parliament reached a political agreement over the new Chips Act, which aims to double the EU’s global output of chips by 20% by 2030.
Digital rights
Governments around the world launched investigations into OpenAI’s ChatGPT, principally over concerns that the company’s practices violated people’s privacy and data protection rights. See our main story.
The Indian government is considering opening up Aadhaar, the country’s digital identity system, to private entities to authenticate users’ identities.
European MEPs voted against a proposal to allow personal data transfers of EU citizens to the USA under the new EU-US Data Privacy Framework.
Content policy
The Central Cyberspace Administration of China will carry out a three-month nationwide campaign to remove fake news about Chinese businesses from online circulation. The aim is to allow enterprises and entrepreneurs to work in a good atmosphere of online public opinion.
Jurisdiction and legal issues
Brazil’s Supreme Court blocked – and then reinstated – messaging app Telegram for users in the country after the company failed to provide data linked to a group of neo-Nazi organisations using the platform.
A Los Angeles court dismissed a claim for damages by a Tesla driver, after the company successfully argued that the partially automated driving software was not a self-piloted system.
New technologies
In the USA, the Biden administration is studying potential accountability measures for AI systems. The National Telecommunications and Information Administration’s (NTIA) call for feedback runs till 10 June. A US Democratic Senator has introduced a bill that would create a task force to review AI policy. The US Department of Homeland Security also announced a new task force to ‘lead in the responsible use of AI to secure the homeland’ while defending against malicious use of AI.
A group of 11 members of the European Parliament are urging the US President and European Commission chief to co-organise a high-level global summit on AI governance.
The Cyberspace Administration of China (CAC) proposed new measures for regulating generative AI services. The draft is open for public comments until 10 May.
Dozens of advocacy organisations and children’s safety experts called on Meta to halt its plans to allow kids into its virtual reality world, Horizon Worlds, due to potential risks of harassment and privacy violations for young users.
Why authorities are investigating ChatGPT: The top 3 reasons
With its ability to replicate human-like responses in text-based interactions, OpenAI’s ChatGPT has been hailed as a breakthrough in AI technology. But governments aren’t entirely sold on it. So what’s worrying them?
Privacy and data protection
Firstly, there’s the central issue of allegedly unlawful data collection, the all-too-common practice of collecting personal data without the user’s consent or knowledge.
This is one of the reasons why the Italian privacy watchdog, the Garante per la Protezione dei Dati Personali, imposed a temporary ban on ChatGPT. The company addressed most of the authority’s concerns, and the software is now available in Italy again, but that doesn’t solve all the problems.
The same concern is being tackled by other data protection authorities, including France’s Commission nationale de l’informatique et des libertés (CNIL), which received at least two complaints, and Spain’s Agencia Española de Protección de Datos (AEPD). Then there’s the European Data Protection Board (EDPD)’s newly-launched task force, whose ChatGPT-related work will involve coordinating the positions of the other European authorities.
Concerns around data protection have not been limited to Europe, however. The complaint by the Center for Artificial Intelligence and Digital Policy (CAIDP) to the US Federal Trade Commission (FTC) argued that OpenAI’s practices contain numerous privacy risks. Canada’s Office of the Privacy Commissioner is also investigating.
Unreliable
Secondly, there’s the issue of inaccurate results. OpenAI’s ChatGPT model has been used by several companies, including Microsoft Bing, to generate text. However, as OpenAI itself confirms, the tool is not always accurate. Reliability was one of the issues behind Italy’s decision to ban ChatGPT, and in one of the complaints received by the French CNIL. The CAIDP’s complaint to the FTC also argued that OpenAI’s practices were deceptive since the tool is ‘highly persuasive’, even if the content is unreliable. In Italy’s case, OpenAI told the authority it was ‘technically impossible, as of now, to rectify inaccuracies’. That’s of little reassurance, considering how these AI tools can be used in sensitive contexts such as healthcare and education. The only recourse, for now, is to provide users with better ways to report inaccurate information.
Children’s safety
Thirdly, there’s the issue of children’s safety and the absence of an age verification system. Both Italy and the CAIPD argued that, as things stand, children can be exposed to content that is inappropriate for their age or level of maturity.
Even though OpenAI has returned to Italy after introducing an age question on ChatGPT’s sign-up form, the authority’s request for an age-based gated system still stands. OpenAI must submit its plans by May and implement them by September. This request coincides with efforts by the EU to improve how platforms confirm their users’ age.
As long as new AI tools keep emerging, we expect to see continued scrutiny of AI technologies, particularly around their potential privacy and data protection risks. OpenAI’s response to the various demands and investigations may set a precedent for how AI companies are held accountable for their practices in the future. At the same time, there is a growing need for greater regulation and oversight of AI technologies, particularly around machine learning algorithms.