When Is it Ethical to Publish Stolen Data?

When Germanwings Flight 9525 crashed in the French Alps on March 24, the deaths of the 150 people on board were initially assumed to be a tragic accident. But within 48 hours, a transcript of the plane’s voice recorder was leaked to the media. It revealed that co-pilot Andreas Lubitz had set the aircraft on a collision course. Just before the plane crashed the pilot, who was locked out of the cockpit, could be heard screaming, “Open the damn door!”

The recording was evidence that the crash was not an accident, but a deliberate act of mass murder. It duly led news bulletins around the world. But should the media have published the transcripts, particularly when the investigation was still in progress? The International Federation of Air Line Pilots’ Associations condemned the leak, calling it a “breach of trust” with investigators and victims’ families that harmed flight safety by stoking “uninformed” speculation.

The media were unmoved. There was no navel-gazing about the ethics of publishing the transcript, and no groundswell of public opinion against it. That makes it relatively unusual among cases involving leaked, stolen, or hacked information, which often provoke controversy. Such sources are familiar ways to obtain stories—consider the impact of the Pentagon Papers being leaked in 1971—but the emergence of WikiLeaks in 2006 made it clear they will become ever more important in the digital era. Since then, there have been questions over the publication of Sony executives’ corporate e-mails in late 2014, the publication of leaked celebrity nude photos last August, and Edward Snowden’s revelations in 2013 about the extent of U.S. intelligence operations.

Journalists have been accused of invading privacy, threatening national security, and breaching copyright by publishing such stories, and their sources might lose their jobs, their freedom, or even their lives. So how should reporters and editors decide whether to publish and how much to redact? And what technical know-how do they need to protect whistleblowers?

The Sony hack provided something of a test case, as did the iCloud leak, which included naked photographs of actresses including Jennifer Lawrence. The New York Times was reluctant to report on the huge dump of e-mails and other confidential material taken from Sony’s servers, with executive editor Dean Baquet asserting that the paper would only cover newsworthy information surfaced by other outlets, and would not dig through the files itself. The Times gave op-ed space to screenwriter Aaron Sorkin to call publishing the leaked information “morally treasonous and spectacularly dishonorable,” although its public editor Margaret Sullivan later defended reporting on the e-mails when the contents were newsworthy. “No, this isn’t a Snowden Redux, but when top Hollywood figures make racially tinged jokes about the president, that’s legitimate news,” she wrote in a blog post on December 12, 2014.

Other sites had already made the same decision. Gawker dived into the Sony data with something approaching glee, creating a microsite to host the revelations. Notable headlines included “The Natalie Portman-Ryan Seacrest Gaza Strip Reply-All Chain from Hell,” “Hollywood Executives Think Jaden and Willow Smith Are Crazy, Too,” and “Sony’s Embarrassing Powerpoints Are Even Worse Than Their Shitty Movies.” Sam Biddle, who led Gawker’s reporting, defends its coverage by arguing that the hack was the biggest technology story of the year. “It exposed the way an enormous, publicly traded multinational company functions and revealed a lot about the people making decisions at an institution of huge cultural power,” he says. “If that’s not newsworthy, I don’t know what is.”

Biddle is also keen to stress that there were plenty of juicy nuggets of information Gawker did not publicize, even though they were already public because the data was dumped online. “I think that’s something that hasn’t been said enough,” he points out. “We would have never published something like Social Security numbers or addresses or credit card information, things that were all there.” (That said, in April, Gawker’s sister site Jezebel did publish part of a Sony executive’s Amazon order history, which included pubic hair dye.)

What not to publish is a key concern for anyone dealing with leaked or stolen data. In July 2010, WikiLeaks was criticized by the Pentagon for its handling of the U.S. embassy cables, as details of informers, activists, and opposition politicians in autocratic regimes were not redacted before the documents were made available on file sharing sites. The Guardian and The New York Times had largely removed such sensitive information before publication.

Reporters working with sensitive information should take particular care with files stored as PDFs. In 2005, a blogger discovered that the Pentagon had inadequately redacted PDFs of an official U.S. military inquiry into the accidental killing of an Italian agent in Baghdad. The “redaction” consisted only of highlighting the text in black shading, and so copying and pasting it into another document restored its readability.

The same simple mistake was made by The New York Times in January 2014 when it published a PDF from documents handed over by Edward Snowden. Pasting the text into a new document revealed the name of a National Security Agency agent as well as the target of an operation in Mosul, Iraq. When asked about this mistake by John Oliver, host of HBO’s “Last Week Tonight,” in an April episode, Snowden replied, “It is a f**kup and these things do happen in reporting. In journalism we have to accept that some mistakes will be made. This is a fundamental concept of liberty.”

In order to reduce the chances of such a mistake happening, reporters working with sensitive information should ask themselves first if any redactions are needed; if they are, they must be carried out by someone with the relevant expertise. It is also best practice to open sensitive documents only on a computer that is “air gapped”—not connected to the Internet—in case viruses or malware have been hidden within the files, which could alert their owners. While working on the Snowden leaks, The Guardian went further and established a secure room, into which reporters were not allowed to bring phones or other electronic equipment in case they were bugged.

Shielding a source’s identity can be tricky when documents or photos have metadata

Understanding the content of leaked documents as fully as possible also makes it easier to protect sources. In 1983, Peter Preston, who edited The Guardian from 1975 to 1995, published a story based on a leaked document containing plans for cruise missile deployment in Britain. The government forced the newspaper to turn over the documents, and some seemingly unintelligible squiggles in the top corner allowed it to be traced to a Foreign & Commonwealth Office photocopying machine and, ultimately, to the source, Sarah Tisdall, who was jailed for six months for violating the Official Secrets Act. “I feel that, once The Guardian used the document in that story, we owed its provider protection,” Preston says now. “But providing it sight unseen—and looking in the wrong direction anyway—was a nightmare.”

Because digital documents often carry all kinds of metadata hidden underneath their visible contents, making originals available should be handled with care. This applies to pictures as well as text. The hiding place of fugitive tech entrepreneur John McAfee, who was named as a “person of interest” in a death in Belize, was unwittingly revealed by Vice in 2012 when the magazine posted a photo of editor in chief Rocco Castoro posing with him. The picture, part of a post entitled “We Are with John McAfee Right Now, Suckers,” still contained its Exif data, revealing not only that it was captured on an iPhone 4S, but the exact location in Guatemala where it was taken. (McAfee, who is still wanted for questioning, fled the country and now lives in Tennessee.)

It is possible to strip metadata from photos, something Vice belatedly did in the McAfee case. And according to Guardian tech reporter Alex Hern, the saga carries two basic lessons for journalists working with digital information: Know your tools, and think twice before publishing original documents exactly as you received them. “The former is harder, but the latter obviously goes against what you want to do as a journalist,” he says. “If you create a new image/document, and paste in what you want to share, it’s a fairly safe way to ensure that the metadata isn’t carried over.” There is a tradeoff, however: “You also ensure that independent researchers can no longer verify that your document is genuine.”

Quinn Norton, a tech reporter who has written for Wired, also tells a story about a source losing access to information because of metadata. She had set up a relationship with an anonymous contact who had access to mail servers at four Syrian embassies. She worked with ProPublica, following security protocols—for example, only opening the encrypted documents on a computer that was air-gapped. Unfortunately, Norton says, ProPublica may not have scrubbed the documents clean of all the metadata before sending them to the Syrians for comment. Within two hours, Norton’s source lost access but was not identified.

Although metadata is unlikely to endanger journalists’ lives, it might affect their livelihood. Norton argues that the law has not yet caught up with the realities of handling digital information. For example, she says, possessing child pornography is a strict liability offense in some jurisdictions. It does not matter if you have not looked at the material; you only have to be in possession of it to be committing a crime. So any journalist opening up a parcel of encrypted data runs the risk that hackers have embedded something nasty in there for which he or she is now legally responsible.

If that sounds far-fetched, consider that, according to Norton, hackers inserted encrypted links to child porn websites into the blockchain, or shared database, used to trade the cryptocurrency Bitcoin, intending to make it so everyone who owns Bitcoins would be committing a criminal offense. It was their idea of a prank. Similarly, she warns that being part of a large media organization does not necessarily provide protection against prosecutions for computer fraud or misuse. Wronged companies or the Department of Justice can choose to target individuals rather than institutions.

When dealing with documents obtained under murky circumstances, news organizations should follow standard procedure and question the motives of their sources. Jane E. Kirtley, the Silha Professor of Media Ethics and Law at the University of Minnesota, recalls a 1982 story in which a Republican campaigner named Dan Cohen approached two major papers in Minnesota with information on the Democratic candidate for lieutenant governor, who had been charged with a shoplifting offense in 1970. (The conviction was later vacated.) Both papers’ reporters agreed to Cohen’s terms: They would publish the story without naming him as their source. But, independently, both sets of editors overruled them. “Their editors overrode their promises on the ground that the real story was not the minor shoplifting charge, but the fact that a political operative was trying to smear an opposing candidate shortly before the election,” says Kirtley. For her, the case illustrates the fact that “this was a situation where the reporters should have questioned the source’s motives before agreeing to his terms.” Cohen later sued both papers. The case went to the U.S. Supreme Court, which ruled that the First Amendment did not protect the newspapers from being sued for breach of contract.

After the Sony hack, Andrew Wallenstein, co-editor of Variety, went public with his doubts over whether to publish information that might have been obtained by foreign spies. Writing on the Variety site last December, he asked: “What if suspected hacker North Korea bombed Culver City [site of Sony Pictures headquarters]? Can I sift through the rubble for Sony executives’ hard drives? … Outlandish as that sounds, it’s also strange that because the nature of the Sony attack was virtual instead of physical, it’s fair game to scavenge for data.” Despite his ambivalence, he concluded that there was sufficient public interest in reporting on a major company. Besides, he added, “journalism is, in some sense, permissible thievery.”

This is a characterization Kirtley disputes. “Under U.S. law, a critical factor is whether the news organization itself broke the law to get the documents,” she says. “Simply being the recipient, especially if the documents come from an unknown source through a brown paper envelope or digital dropbox, is not considered ‘theft,’ even if the source broke the law in obtaining or passing on the documents.” This is the key issue in the “Lux Leaks” case, where French TV journalist Edouard Perrin was charged on April 23 as an accomplice to theft, alongside two employees of accountancy firm PwC, for his part in publishing details of corporate tax avoidance in Luxembourg. The authorities there allege that Perrin did not simply receive leaked documents, but directed his source to look out for particular files, thus playing a “more active role in the committing of these offenses.”

Kirtley adds that there is an ethical distinction, as well as a legal one: “For me, it always comes down to a balance between the value of the information to the public interest as compared to the harm that would be caused to the individual by publication.” Gawker’s Biddle believes the idea of harm to individuals can be overstated, not least by those whose embarrassing secrets are revealed by stolen or leaked documents. “I think the ‘Well, the Pentagon Papers, sure, but Sony…’ argument is silly,” he says. “Leaked data doesn’t have to be world historical to be worthwhile. How high we want to apply the public interest test is probably more a matter of squeamishness.”

For reporters dealing with the Sony hack, the leak gave an insight into how those controlling a multibillion-dollar business that shapes our cultural landscape functioned behind closed doors. WikiLeaks, which produced a searchable index of the Sony files in April, argued on its website that “behind the scenes this is an influential corporation, with ties to the White House (there are almost 100 U.S. government e-mail addresses in the archive), with an ability to impact laws and policies, and with connections to the U.S. military-industrial complex.” Sony disagrees. “The cyber attack on Sony Pictures was a malicious criminal act, and we strongly condemn the indexing of stolen employee and other private and privileged information on WikiLeaks,” the company said in a statement.

The involvement of WikiLeaks points to another consideration news organizations must bear in mind: If they don’t publish, someone else will. In the case of the Sony hack, Wallenstein at Variety argues, “Our very real qualms about motive were superseded not just by the contents of the leak but by the incontrovertible fact that [they] were thrust into the public domain by the hackers and other media. Tiptoeing around the elephant in the room seemed pointless.”

For journalists in the digital marketplace, how to treat stolen data that is available elsewhere is an increasingly pressing question. The commercial pressure is always to follow up a story that other outlets have run, particularly when it involves gossip about Angelina Jolie and what powerful people say when they think no one can overhear them. It is more important than ever to have “red lines”—clear guidance on what an organization will and will not publish under any circumstances—and an internal procedure for applying a public interest test to the gray areas. “Ultimately, what news organizations offer is credibility,” says Kirtley. “By this I mean not only accuracy—because I do think there is a clear responsibility to authenticate anything we publish—but also the practice of vetting information and doing one’s best to put it in the proper context.”

The iCloud leak provides an instructive example of where media organizations voluntarily impose limits on material that would interest the public but which is not in the public interest. News organizations across the world happily wrote stories about starlets’ intimate photographs being dumped on file-sharing sites—and reaped the traffic benefits from search engine optimization that reeled in anyone Googling “naked celebrity pictures.” However, no major news outlets published the pictures themselves. Biddle’s explanation for this is simple: “The iCloud hack itself was deeply interesting, which is why we covered it. But the pictures themselves? Not at all. We’re a lurid tabloid site, but not a pornography site.”

A pressing question for journalists is how to treat stolen data that other media outlets are covering

Many agree that individuals have a greater right to privacy than corporations and that revealing financial details or personal opinions is less invasive than revealing naked photographs. But not everyone. Brad Pitt compared the Sony leak to the News of the World’s phone-hacking, when reporters illegally accessed the voicemails of celebrities, politicians, and athletes as well as families of dead U.K. soldiers and a 13-year-old murder victim over several years in the early 2000s, and declared: “I don’t see any difference in [News of the World parent company] News Corp hacking phone calls and people hacking e-mails.” Preston echoes this: “Nothing much in the Sony celeb package even came near a public interest reason for publishing. Yet lofty Brits and lofty Americans just scooped it all up—something as illegal, as stolen, as anything on the [News Corp chairman Rupert] Murdoch charge sheet.”

It is also worth noting that news organizations may not have hacked the Sony e-mails, but someone did—and that person has committed an offense for which the penalties are severe. Aaron Swartz, who downloaded more than four million paywalled academic articles with the intention of making them freely available online, was facing 35 years in prison when he killed himself in January 2013. Andrew “weev” Auernheimer, who exposed a flaw in AT&T’s security and passed the information to Gawker, was sentenced to 41 months in federal prison. He served just over a year before his conviction was vacated. Chelsea, formerly Bradley, Manning was sentenced to 35 years’ imprisonment for passing classified U.S. government data to WikiLeaks.

While the idea of “public interest” is important in the newsroom, it provides little protection in the U.S. for sources who have broken the law to acquire newsworthy information. In the U.K., the situation is fractionally better. The Data Protection Act recognizes a public interest defense. For this reason, Norton says it is vital for journalists to do what they can to protect sources. She uses Tor and Tails, free tools that make her Web usage almost impossible to track. “But what I need is for my source to use Tor and Tails,” she says. “When I write the piece, my name is going to be attached to that. I’m not going to be anonymous.” Just interacting with her publicly could put a source in danger, she adds: “I’m a high-value target. I don’t know why law enforcement wouldn’t hang around and watch who I talked to.”

Richard Sambrook, director of the Centre for Journalism at Cardiff University and a former head of news at the BBC, says it’s also important to prepare a source psychologically for the effects of publication. He worked at the BBC during one of its biggest controversies, when reporter Andrew Gilligan claimed that the Tony Blair government had “sexed up” a report on Iraqi weapons capabilities to provide a better pretext for invading the country in 2003. Gilligan relied on an unnamed source. The Ministry of Defence investigation into the leak focused on UN weapons inspector David Kelly. Kelly, who told his bosses that he had talked to Gilligan, was distraught at his identity becoming public knowledge, and he was found dead a week later. “The BBC went to some lengths to protect his identity, even allowing misunderstandings about the source’s role to perpetuate, for which it was strongly criticized by the Hutton Inquiry [into the leak],” Sambrook says. “However, to have corrected misunderstandings would have risked identifying him … Kelly understood he was talking to journalists about matters he shouldn’t, but I do not believe he recognized the scale of risk or what would happen to him once he came forward.”

Handling stolen documents is a fraught and fractious business, one where the ethical and legal boundaries are ill defined. It is therefore vital that news organizations develop robust procedures to protect their sources and their staff and to give their readers the information they need to make sense of the world. As Preston notes, “It’s the job of editors to publish, not to keep secrets.”