Monday, December 07, 2009

Digging into "Freedom of Information"

I'm trying to figure out from internal clues whether the file at the heart of "Climategate" was hacked or leaked. A close analysis of the directory structure and vestigial email headers supports the theory that the .zip file was assembled in response to a freedom of information act request.

Here's the letter rejecting Steve McIntyre's FOI request:

Pursuant to Mr. Palmer’s letter of 21 September 2009 to you regarding the handling of your appeal of 24 July to our response of the same date in regards your FOI request of 26 June 2009, I have undertaken a review of the contents of our file and have spoken with Mr. Palmer and other relevant staff involved in this matter.

According to McIntyre's blog post on this topic, the files in the archive go up to the day before the FOI request was refused. This comprehensive network analysis of the emails and other documents supports the hypothesis that the files were gathered pursuant to a FOI request.

Tracking back through the Internet, I find plenty of correspondence about Steve McIntyre's FOI requests. Here's one from July 24, 2009, documenting his request and CRU's rejection. The internal naming convention revealed in this correspondence with CRU is "FOI_09-44," which certainly fits with somebody at CRU assembling a file named "FOI-something."

An Internet search for all documents containing "FOI_99" turns up lots of correspondence with CRU, and includes direct references to the relevant law--the British "Freedom of Information Act." That suggests that the original directory structure might easily have been FOIA, meaning there is no internal evidence to suggest the file came from anywhere but CRU's own official files.

The timing of the dates of emails in the directory helps track down where the file came from. Files were being added to the directory up until 2:17 pm on Thursday, Nov. 12, 2009, the day before the rejection decision was made on Friday, Nov. 13, 2009. The file first appeared on the Internet on Nov. 17, 2009. Given the size and nature of the file, it seems likely that CRU staff were compiling the directory in response to one or more requests for information.
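One way to check this kind of timing claim against an archive's own metadata, as an added example that is not part of the original post: it lists the top-level directories, finds the newest entry, and compares each entry's local DOS timestamp with its UTC "extended timestamp" field to infer the archiving machine's clock offset. The sample archive, its file names and the UTC+2 offset are constructed for illustration; only the 2:17 pm Nov. 12 and Nov. 17 dates come from the text above.

```python
import io
import struct
import zipfile
from datetime import date, datetime, timezone

def ut_mtime(info):
    """UTC mtime from the 0x5455 'extended timestamp' extra field, or None."""
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if tag == 0x5455 and len(body) >= 5 and body[0] & 1:
            secs = struct.unpack_from("<I", body, 1)[0]
            return datetime.fromtimestamp(secs, timezone.utc).replace(tzinfo=None)
        pos += 4 + size
    return None

def archive_timeline(data, published):
    """Newest entry, top-level directories, and the archiver's implied UTC offset."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                # DOS field: archiver's local wall clock, 2 s resolution, no zone.
                rows.append((datetime(*info.date_time), ut_mtime(info), info.filename))
    newest = max(rows, key=lambda r: r[0])
    offsets = {round((loc - utc).total_seconds() / 3600) for loc, utc, _ in rows if utc}
    return {
        "top_level": sorted({name.split("/")[0] for _, _, name in rows}),
        "newest": (newest[2], newest[0]),
        "days_before_publication": (published - newest[0].date()).days,
        "utc_offset_hours": sorted(offsets),  # rounded to whole hours
    }

def build_sample():
    """Constructed archive (not the real file): local clock assumed to be UTC+2."""
    entries = [("FOI_EXAMPLE/mail/0001.txt", (2009, 10, 1, 9, 30, 0)),
               ("FOI_EXAMPLE/documents/notes.txt", (2009, 11, 12, 14, 17, 0))]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, local in entries:
            utc = datetime(*local, tzinfo=timezone.utc).timestamp() - 2 * 3600
            info = zipfile.ZipInfo(name, date_time=local)
            info.extra = struct.pack("<HHBI", 0x5455, 5, 1, int(utc))
            zf.writestr(info, b"constructed sample\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(archive_timeline(build_sample(), published=date(2009, 11, 17)))
```

Entry timestamps are set by whoever builds the archive and can be rewritten, so they bound a timeline only as far as the metadata itself is trusted.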

Somewhere during the five days between Nov. 12 and Nov. 17, somebody grabbed the file. If the contents of the directory seemed directly relevant to Steve McIntyre's FOI_99-44 request, it would seem like the file could have been grabbed at any time during those five or six days. If, on the other hand, the directory covers a lot more than just the files that would be assembled in response to FOI_99-44, then it makes more sense to assume the file was copied off on Nov. 12 or Nov. 13 by someone who was involved in either compiling the directory or in rejecting the request.

BUT--just to make things MUCH more interesting, the BBC got a copy of SOMETHING a full six weeks before the file went rogue on November 17. That makes it very hard for me to think we're dealing with a hacker rather than a leaker.

