There’s recently been a lot of discussion about government secrecy: how much of it is desirable, and how and when that secrecy must be violated in service of the greater good. Unfortunately, we now found ourselves in the position of having to make such a disclosure.

Many of you may be familiar with NORAD’s Santa Tracker. As the story goes, back in the late fifties a typo on an ad for a hotline to Santa misrouted calls to the predecessor of the North American Aerospace Defense Command. The colonel on duty instructed the men answering the phones to report Santa’s position to the children who called, and a new tradition was born. It’s grown from there: there’s a Twitter feed, an iGoogle gadget, Google Earth functionality, a mobile site and even an SMS interface. It’s all a charming way for a defense agency with a very serious mission to get in the holiday spirit. Or is it?

Upon this year’s relaunch of the tracker, those of us in the labs naturally took a few minutes to examine whether this important government function was utilizing open data formats, appropriate technology, etc. This led us to a startling discovery. In the rush to create more interfaces, NORAD’s engineers appear to have committed a crucial security breach. If you inspect the code to the iGoogle gadget, you’ll find a reference to http://www.noradsanta.org/js/data.js. Click through to that file and you’ll find Santa’s complete flightpath, with destinations that begin in Russia and end in Hawaii. They know where he’s going to be — and when.

Obviously, this is deeply troubling. Most of us have assumed Santa to be a stateless agent whose continued benign behavior is ensured by close scrutiny from institutions like NORAD, mall security guards, etc. But with this disclosure it seems clear that he is coordinating his activities with the governments of the US and/or Canada to a substantial degree (NORAD has a joint charter). An uncharitable reading would say that Santa’s mission amounts to a false flag operation under which Western powers are able to gain entry to private residences throughout the world, commandeer whatever items they deem to have been “left out for them” (e.g. cookies), then leave behind an increasingly sophisticated array of electronic devices. All of this seems to be done without any kind of judicial review or congressional oversight.

Some of you may remember this admittedly cryptic tweet from @sunlightlabs back on December 1. That’s the day when the Santa tracker relaunched and we made this discovery. The hexadecimal MD5 hash in that tweet corresponds to the original version of the file; I broadcast it to establish the date on which we had possession of the file. However, since then the file has changed.

As I write this, some whitespace has been added — naturally, that changes the hash. Accounting for that, a diff reveals some new attributes for many of the records, like “time” and “radius_miles.” Perhaps most interesting are the destinations that have changed. Gone from the list: Port Elizabeth, South Africa; Palembang, Indonesia; Medford, Oregon; Puerto Natales, Chile; Aomori, Japan; Valparaiso, Chile; Multan, Pakistan; Running Springs, California; Aparri, Philippines; Melo, Uruguay; Cartagena, Spain; Qom, Iran; Cordoba, Argentina; Marshall Islands, Micronesia; Daegu, South Korea; and Dundee, Scotland. Recently added: Yokohama, Japan; Edinburgh, Scotland; Denver, Colorado; Morgan Hill, California; Kyoto, Japan; Santiago, Chile; Ashland, Oregon; Madrid, Spain; Sao Paulo, Brazil; Islamabad, Pakistan; Buenos Aires, Argentina; Millennium Stadium, Wales ; Jakarta, Indonesia; Johannesburg, South Africa; Barcelona, Spain; Manila, Philippines; Seoul, South Korea; Tehran, Iran; New Delhi, India; and Florence, Italy. Presumably these modifications reflect changes in strategic priorities that have occurred since the beginning of the month. By the time you read this, the destination list may have changed again.

This post will necessarily raise more questions than it answers; I’ll largely leave it to others to pose them. But at the very least it seems important that we reevaluate Santa’s place in our broader geopolitical framework. If his affiliations (or lack thereof) have changed, the public deserves to know about it. Similarly, his alleged connections to the Vatican — always murky and difficult to understand — should probably be promoted from Dan Brown-style conspiracy-mongering and given a closer look. In the 21st century, “jolly old elf” is not a sufficient level of transparency.

At any rate, I’m sorry to inject a note of Le Carre-style paranoia into your holiday season. All of us at Sunlight hope it’s a happy one!