We are in the age of massive, informative data breaches. From Italian surveillance company Hacking Team, to extra-marital affairs site Ashley Madison, and perhaps Mossack Fonseca, the company at the centre of the Panama Papers, journalists are increasingly being presented with opportunities to uncover significant stories using data that has been illegally pulled from databases or servers by hackers.
In parallel, commentators have claimed that some stories gleaned from dumps have little public interest. The BBC has asked me why I reported on the contents of emails from a data breach. As hacked caches become a much more common source for important stories, maybe it's time for journalists, and readers, to assess what is really being asked when a media outlet dives into a freshly released dump.
Because of the increased number of data breaches recently, reporting on hacked data "is something that journalists need to get to grips with sooner rather than later," Paul Bradshaw, course leader of MA Online Journalism at Birmingham City University, told Motherboard in a phone call.
When handling potentially stolen information, journalists need to confirm, as much as possible, the veracity of the data; understand that the source may not be impartial; and decide what aspects and parts of the data to publish or report on. This sounds a lot like dealing with whistleblowers, Bradshaw pointed out.
"The kind of ethical issues that journalists have to deal with in terms of whistleblowing and leaks generally are a pretty strong precedent for this," he said.
The data analysed might include apparent company emails, internal documents, or even product source code, and reporting such data could result in criminal charges or litigation, especially if the journalist has not reported on the data responsibly. Whether the publication of certain details is responsible is not an exact science, but it's pretty easy to see examples of articles based on hacked data that were not.
"In a sense, it's no different to any other story that a journalist handles."
A 2015 piece in Jezebel took information buried in hacked emails from Sony, and laid out Amy Pascal's Amazon shopping list, which included some rather embarrassing personal items. Pascal is a public figure, which opens her life up to more scrutiny than some random person, but in this case, nothing significant has been uncovered, and instead, confidential data has been used to simply mock.
"When data has been hacked, it's been stolen, and it might well be confidential in its nature," Caroline Kean, a media litigator with London firm Wiggin, told Motherboard in a phone call. "So the journalist then has to decide is it right, is it in the public interest, is it appropriate, for me to break that confidence and publish something?"
When journalists handle something they know to have been obtained in a breach of confidence, the duty to keep that information confidential runs through to them. In general, journalists are protected from reporting on illegal acts, including a hacked data dump, as long as the journalist was not involved in the illegal act itself. But a secondary question remains: What is in the public interest?
Plenty of important stories have emerged from data breaches. Documents revealed Hacking Team had sold its malware to Sudan despite the country being on a United Nations sanction list. Emails showed that Noel Biderman, the founder of Ashley Madison, wanted to hack a competing dating site when the opportunity arose. The poor security practices of Hong Kong-based toymaker VTech were exposed when a hacker managed to grab headshots and chatlogs of children from the company's server.
It's seems unlikely that any of these stories—which cover commercial deception, criminal conduct, and corporate negligence—would have come to light if it wasn't for journalists being able to download, corroborate and report on hacked data.
And perhaps more commonly, journalists dig through data breaches of customer passwords, logins, and other personal information to verify their authenticity, and inform those infected about the limits and scope of the hack.
So perhaps, more fundamentally, reporting on hacked data really is nothing new, as the key questions circulating around publication are still the same as with any story. Is this information in the public interest? What sort of details need to be published, and which others should be kept private?
"The publication in newspapers is the disclosure of material that other people think is confidential, on the whole," Kean added. "The mere fact that it's been acquired by an illegal means like that doesn't affect that you then have to carry out your normal analysis."
"In a sense, it's no different to any other story that a journalist handles," Kean said.