Opinion: Can Journalists Use Illegally Hacked Data?

(BE’ER SHEVA, Israel) — Logging onto the website Distributed Denial of Secrets (DDOS), my eyes were drawn to the only color on the screen — the image of a computer mouse emblazoned with the Progress Pride Flag. The bright lines and chevrons led to the mouse cord, folded into the shape of crossed bones ending in a USB connector. 

Tearing my eyes from this ominous image, I started reading the text beside it: 

We aim to avoid political, corporate or personal leanings, to act as a beacon of available information. As a transparency collective, we don’t support any cause, idea or message beyond ensuring that information is available to those who need it most—the people.

You can read more about our collective, and our decision to embrace all sources of information. At its core, however, our mission is simple:

“Veritatem cognoscere ruat cælum et pereat mundus”

There was no translation of their simple mission, so I opened a new tab and looked up its meaning: “Know the truth, though the heavens may fall and the world burn.”

Returning to the DDOS homepage, I started snooping around, and one of their “new and updated releases” caught my attention: “Nuclear Power Production and Development Company of Iran.” I clicked the link and discovered that I could download over 100,000 emails hacked from the government of Iran. I felt the sudden need to download the data, comb through it and break a major story exposing Iran.  

This data was stolen by the hacktivist group “Black Reward” during the protests following the death of Mahsa Amini. Once hacked, Black Reward demanded that the government of Iran release all political prisoners, prisoners of conscience, and people arrested in the recent protests within 24 hours, or all the information would be released. The Iranian government ignored the threat, and Black Reward dumped the data.  Now DDOS hosts a link to the files. 

After seeing the cache would take hours to download, I reclined in my chair and wondered, “Is this legal? Is this ethical?”

What is hacking?

Hacking is the art of illegally gaining access to a computer network or system. Once hackers have access, they can take control, corrupt files, disrupt data transfers, or steal data. Stolen data is often used for cyber extortion, where the hackers threaten the victim with a public release of the data unless certain demands are met.

The motives may be ideological or financial. In many cases, the demands are ignored, and the criminals follow through on their threats. An announcement is made, and the data is transferred to a public location, called a data dump. Once dumped, the data is easily copied, and it becomes virtually impossible to stop anyone curious from obtaining a copy.

Finding the ethical line

But is it ethical for a journalist to look at this information often provided by ignoble actors with questionable motives?

“Absolutely,” is what Dr. Tim Gleason, Professor Emeritus of Journalism at the University of Oregon and an expert in communication law and ethics, told me in a phone interview. “Once something is in the public domain, a good journalist should be looking at it. You need to look under every rock if you are doing your job.”

But looking through information is not the same as publishing. Even if the data is in the public domain, specific details are still effectively concealed due to the sheer volume of information released. One gigabyte of data can hold 65,000 pages of Microsoft Word Documents, and data dumps are often dozens (if not hundreds) of gigabytes. Hackers generally leave the gargantuan task of finding the interesting information to journalists. 

In America, the right to report on what you find is protected by the First Amendment. “If you get the material, you are allowed to report on it,” said Susan McGregor, an associate research scholar at Columbia University’s Data Science Institute. “That’s essentially what freedom of speech and freedom of the press means.”     

This legal protection is not a free pass to publish everything. “There are other things [like] standard of accuracy,” McGregor added, “I have an ethical and legal imperative to try to verify it. I have a responsibility to verify it.”

The public’s right to know

Yet a journalist’s responsibilities don’t end once they have verified the data is accurate. The ethical obligation to people potentially endangered by the information may trump the public’s right to know.  “There has to be the greatest care and caution in not revealing information that might imperil intelligence sources or even friendly civilians in hostile countries,” said Samuel Freedman, an author, columnist, and professor at Columbia University.

Everyone involved should share this responsibility, but it mainly falls on the journalist. “If we’re depending on hackers to redact information, we’re fools,” Freedman said, “Hackers tend to be absolutists in that regard. Journalists must take the responsibility.”

Newsworthiness

National security and the safety of other human beings are not the only considerations. Another leak that anyone can access on DDOS displays another issue — newsworthiness. 

In 2015, a hacker group called “The Impact Team” stole the user data of Ashely Madison, a website that advertised itself as a place to enable extramarital affairs. The Impact Team threatened to release the information unless the site was shut down. It wasn’t, and the hackers followed through on their threat.

“I actually gave a talk with some colleagues about the question of how can this [hacked] information be used responsibly in journalism,” said McGregor, “and the Ashley Madison case was our case study.” McGregor acknowledges that some excellent news stories came from the data. She specifically cited Annalee Newitz’s coverage, which argued that the data proved Ashley Madison was a “sophisticated, deliberate, and lucrative fraud” powered by an “army of fembots.” 

But McGregor argues that many other stories amounted to nothing but gossip. “If the Ashely Madison hack had been about dog biscuits,” McGregor pointed out, “how many of the same outlets would have covered it? How many people were drawn to the Ashely Madison hack simply because it was about sex? There is a gossip angle. I don’t think that it is newsworthy.”

Not being “newsworthy,” which is open to debate, is only part of the problem. Sometimes the information in a hack can cause harm to private individuals. “Our bar for exposing information about private individuals should always be the highest,” McGregory said, “They are the most vulnerable and have the most to lose.” According to the BBC, two people associated with the leaked customer details committed suicide. 

Public safety, public interest

But sometimes, information found in a hack must be reported for the public’s safety. In “Blueleaks,” another data dump accessible on DDOS, there is a telling example.

In 2020, hacktivist collective “Anonymous” released more than one million hacked police documents. Inside this massive data set, journalists found evidence that the Maine Information and Analysis Center was spending substantial resources tracking protesters who were only exercising their first amendment rights. As a result, lawmakers took an interest in the secretive police unit’s activities. One of the lawmakers, Rep. Charlotte Warren, accused the unit of “building cases against people who haven’t committed any crime.” 

When journalists stumble across certain information, they have an obligation to publish a story for the public’s good. “If what [the journalist] is finding is information that in their judgment, or their news organizations judgment is in the public interest, then, they have an obligation to publish,” said Gleason. 

Gleason made the same point as McGregor. “When I say it’s in the public interest, I don’t mean that the public is interested in it,” said he said. “I mean that it serves some greater good, not simply that it’s something that’s voyeuristic or sensational or [just] going to get clicks. I mean, that it’s information that the public needs to know, [not] a bunch of salacious details about somebody’s private life.” 

Now what?

Websites like DDOS are not perfect — they may provide access to sensitive information that should be protected and private information that is very interesting but does not serve the public interest. But they provide a critical function — giving journalists access to information that the public needs. Responsible journalism minimizes the problems and maximizes the benefits of data dumps made accessible by DDOS and similar websites. 

As I waited for the download to complete, I checked my email, and reality struck. I can’t handle the 10,346 emails in the Social tab of my gmail. What exactly was I going to do with 100,000 emails from Iran?

My daydream of breaking a huge story faded. But I took solace in knowing that DDOS was keeping this information accessible so another journalist could find the important stories hidden in the data and report on them. I decided I could do my part by maintaining a copy of the information in case DDOS disappears.  

So instead of figuring out what a TGZ file is and how to open it, I returned to the task which brought me to DDOS in the first place — writing a story for my Journalistic Law and Ethics class.