Last week I said we needed an ethical code for dealing with hacking leaks, and promised to explore that.

Now yet another site – “casual sex and cheating network” Ashley Madison – has been hacked and the results leaked, so I thought I’d better deliver.

How do you come up with an ethical framework for dealing with hacked documents? Firstly, it’s useful to look at what concerns are raised when journalists use them.

Looking at previous reporting based on leaked documents these break down into three broad categories:

1. Firstly, that the information was ‘stolen’ (method)
2. Secondly, that the motivation behind obtaining the information was tainted (source)
3. And thirdly, that the information represents an invasion of privacy (effect)

Put another way: people are generally concerned with how the leaked information was obtained, why, and to what effect.

These concerns are not entirely without precedent. In fact, there’s a very close analogy here: undercover reporting.

Obtaining information through misrepresentation

Why? Because the undercover reporter obtains information through misrepresentation: he or she is ‘stealing’ it. That might be anything from documents in an organisation they are working in, to facts divulged in conversations considered private.

Hacking, of course, is obtaining information through misrepresentation. In this case, the hacker convinces a system that they are someone they are not, and obtain information as a result.

The existing framework for dealing with information in those cases requires journalists to ask: “Is it in the public interest? And could the information be obtained by other means?”

At least one story coming out the Ashley Madison hack, for example, meets both criteria, as Krebs on Security reports:

“According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

““Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.””

But hacking is different from undercover reporting in one key way: the decision to ‘go undercover’ is not made by the journalist. Which takes us onto another consideration…

‘This is still a criminal act’

Writing about the Sony leaks, Anne Helen Peterson notes:

“The legal position was straightforward: These documents were obtained through illegal means, but accessing them is not, in fact, illegal; reporting on documents made available through the hack, and even excerpting from them, are covered under both the First Amendment and Fair Use, which protects the reproduction of copyrighted content under the aegis of “enriching” or educating the general public.”

UK media law writer Cleland Thom says the situation is similar in the UK:

“But you’d need to consider individual laws, eg, copyright; privacy; breach of confidence; repeating a libel; breaching an injunction; prejudicing a trial; naming a rape / FGM victim / Under-18; and of course the Official Secrets Act.

“You have a public interest defence for privacy and confidence, but none of the others.”

And what about situations where the legal position is not clear cut? Alan Rusbridger, writing about a former newspaper editor’s inclination to trust the security services on the Snowden leaks, says a journalist has as much right as a policeman or judge to weigh up the considerations in play:

“It seems to me there is an easy answer to the “who am I?’ question posed by Blackhurst: You are a journalist. You are not part of the state or the government. Your job is disclosure, not secrecy. You stand aside from power in order to scrutinize it.

“Your job is to be fully sensitive to all the public interests raised by the story—and to publish what you judge to be significant as responsibly as you know how. Only then is informed debate possible. As a journalist, you have as much right to balance those public interests as a politician or a policeman or a judge.”

The ethical tension here – as I explored previously in a book chapter – is between two forms of ethics: the ethics of virtue (“I do not deceive”) and teleological ethics (good or bad impact of actions – or doing least harm).

As the journalist has not done the hacking itself, the ethics of virtue only come into play in terms of ‘handling stolen goods’. But the teleological ethics are much more complex – not just because of the potential negative impact of publishing, but because of the negative impact of not publishing.

In other words, is it better to not publish information even if it is clearly in the public interest, because it has been obtained by illegal means by another person? On those grounds all whistleblowing material would be a no-go area.

Variety’s Andrew Wallenstein, writing about the Sony leaks, says that:

“Journalism is, in some sense, permissible thievery. We occasionally catch wind of what our subjects would rather us not know, and we don’t hesitate to report it if it contributes to an understanding of what we’re writing about.”

Yet he doesn’t feel comfortable with reporting on the leaks, because Sony is not a government.

Private companies, public interest

Two things separate Wikileaks and Snowden from Sony, Hacking Team and Ashley Madison: firstly, that the leakers were internal, and secondly, that the organisations were public bodies. That allowed the leaks to be more confidently handled by reporters as ‘whistleblowers’ and ‘in the public interest’.

The lack of those elements makes Variety’s Andrew Wallenstein uncomfortable: “Sony is not a government”, he writes.

“Conflating the imperatives behind covering a government and a corporation feels like a false equivalence to me.”

But is it really? The Verge justified reporting on one revelation from the leaks – plans by the Motion Picture Association of America (MPAA) to “broadly and significantly impact the distribution of information, which would impact how free speech works on the internet” based precisely on how the corporation was involved in a campaign to influence public policy:

“As we’ve combed through this hack … we’ve been weighing each potential story against where it came from. Studio notes on Chappie: worth it? The script for Underworld 5: worth it? The revelation that Sony and the MPAA are engaged in a years-long secret campaign to essentially resurrect SOPA, this time with better PR: worth it?

“On that last one, ultimately, yeah, I think so. It’s not a matter of whether Sony now “deserves” to be cyberterrorized or not, but rather whether the value of what we have learned outweighs how we learned it. We decided that it was important for you to know how the MPAA plans to influence how you experience the internet, and by extension, how they intend to shape the future of the information marketplace; we could all agree that it had more impact on our world and our lives than top-secret internal intelligence that Scott Rudin is a meanie.”

Equally, Hacking Team may be a private company, but it deals with governments, intelligence agencies and police forces. On that basis, even the fact that the company’s MD “used ‘Passw0rd’ as a password – for every system” is of quite demonstrable public interest.

Wallenstein supports his argument with the following question:

“What if instead of Sony, it was your favorite charity organization or advocacy group that had its documents leaked? Would journalists descend on that data with equal fervor or give them a pass?”

The answer is that hopefully journalists would not ‘give them a pass’ based merely on charitable status.

The Charities Commission regularly investigates charities; the Daily Mail has been consistently highlighting exploitative behaviour by charities in the UK. The Mirror investigated a charity worker who misused funds; and four US cancer charities did the same.

And the broader point is that the public interest does not just mean ‘public body’.

Hackers you like – or hackers you don’t like?

One of the peculiarities of leaks is that the journalist is never quite sure why the information has been leaked. Sony’s hacked documents in particular were problematic for some journalists because they felt they may be being manipulated by the North Korean government.

The Verge’s entertainment editor Emily Yoshida, for example, wrote:

“I felt that if this hack was indeed carried out by the North Korean government or their sympathizers (which, it should be emphasized, has not been confirmed, but seems the only operable conclusion from what we know so far), the data released by this hack should be considered tainted by its provenance. Not factually, but ethically. Information does not have feelings or agendas, but the people who grant us access to it often do. And by all appearances, the attack on Sony was intended as a knife in the heart of free speech. Which was why part of me was surprised — not shocked, but surprised — at how eager the media was to twist it in.”

Trying to unpick this, I see two ethical considerations at play. The first is about a virtue of ethics again: the journalist wanting to be independent, unmanipulated. Regardless of the wider good, they want to feel personally good.

The second is about a virtue of impact: doing good or preventing harm. The argument is that by supporting North Korea’s (at that time suspected) attack on Sony’s free speech, they are not preventing harm.

This is a very difficult judgement to make, especially when there is no proof of either the motivation (North Korea’s involvement or not) or the effect (would it really stop Sony making films that might offend North Korea?).

In seeking to be independent of North Korea’s manipulation the journalist may actually be manipulated by another actor who may be spreading the false suggestion that North Korea was involved.

And of course that manipulation may itself cause harm. Remember that in the 1970s a White House aide asserted that the leaked Pentagon Papers had been given to the Soviet embassy.

As Heather Brooke puts it: “This is where we get into the information war, that speculative blood became more important than the actual blood.”

And of course the leak itself – or part of it – may be faked. So verifying what has been found is as important as with any source.

Tl;dr

Ultimately all the above comes back to that recurring ethical balancing act: does the public interest outweigh the impact of reporting on a company or individual? Will you be doing more harm on the whole by reporting – or by not reporting?

CNET’s list of 13 Sony hack revelations provides a useful test: which of these would you publish, and why? For a timeline to provide context to those decisions, see this comprehensive write up.

PS: a disclaimer: this post is supposed to be a starting point, not an attempt at a definitive ethical framework. So the most important stuff happens now: please pile in with your own interpretation or references.

UPDATE [April 8 2016]: I was interviewed on this topic for a piece in Vice Motherboard, which explores them further and is well worth a read.