October 13, 2021
(HACKETTSTOWN, N.J.) — Joseph Cox, a senior staff writer at Motherboard, received a message from a bounty hunter: I can see the location of your cell phone for $300.
As a journalist, Cox had to weigh two ethical conundrums: paying for source data and that data being surveillance information — that is, data that can track and potentially identify a person with or without their consent.
Newsroom standards and practice handbooks might not always include guidelines on how to handle such a request. Three hundred dollars for data that locates any T-Mobile phone in the country is a serious story in many aspects — one some, like Cox, would argue is worth reporting on in the name of public interest. It’s also a story that some privacy advocates would flag as a dangerous normalization of surveillance and cybercrime.
As the technologies we use to communicate and store information advance, ethics guides for journalists are at risk of falling behind in addressing these new means of gathering material for stories. The manila folder that used to land on a journalist’s desk with no return address on it is now potentially a zipped digital folder landing in an email inbox. How a journalist uses that information raises many ethical questions.
Hacked information is source material that someone obtained by digitally breaking into another computer or server. The stolen information often lands in the hands of journalists in two ways: a hacker contacts a trusted journalist and gives it to them, or journalists obtain the information from online depositories that publish this raw data for the public to see.
Distributed Denial of Secrets is one of those online depositories that releases information, often hacked, to the public. The nonprofit is led by a coalition of members, some of whom identify as journalists, who are strong advocates for the First Amendment and are often compared to WikiLeaks. However, the organization is fairly adamant about separating itself from the image conjured up by Julian Assange.
“[Hacked data] provides a window into systems that would otherwise be obscured. It’s a truth-telling mechanism,” Lorax Horn, a journalist and board member of DDoS, told The Click. “Hacked data is valuable to researchers because it’s a source document often that in another day and age might have come to us in a different way, but we live in 2021, and this is how information is stored and transmitted electronically.”
As far as the ethics of using hacked data, Horn sees the question of whether or not to use it as being the “least interesting ethical question” for a journalist to ask. The ethics of what that hacked data is potentially exposing is far more relevant, he said.
For instance, DDoS made waves when it released “269 gigabytes of internal US law enforcement data obtained by the hacktivism collective Anonymous” in June 2020, a release known as BlueLeaks. Journalists quickly noticed and began parsing the data for research.
The BlueLeaks trove of data uncovered numerous malpractices in police departments across the country and in the federal government. From the truth about the danger of far-right extremists compared to Antifa protestors (despite what the White House was saying) to police departments sending information on activists to corporations, DDoS’s data allowed journalists to disseminate this information in a way that benefited the public. Using the hacked data was evidently not so much an ethical concern because the data was deemed to be in the public interest for what it was exposing.
When data leaks like this are not openly available in a depository like DDoS, hacktivists (hackers leaking data as a form of activism) may, at times, give the information over to journalists in hopes that it will be used as evidence for an important story. That’s what happened when ProPublica reviewed more than 500 videos downloaded by a hacktivist who archived posts from the conservative-leaning social media site Parler before the platform was taken down. What was created from that collection of hacked data was a comprehensive, interactive piece of journalism that documented the January 6 insurrection on Capitol Hill.
“We’re releasing this material so that people who weren’t on Parler, and who can’t write code or easily navigate digital archives, can take stock of it,” ProPublica noted in defending their decision to release the videos to the public in January 2021.
Unlike the BlueLeaks data, the Parler videos were originally posted publicly, but the means of scraping the social media site and collecting that data technically involved hacking it. In this case, again, the ethics of what the videos exposed were a more important question than whether or not to use them.
For Horn, DDoS, ProPublica, and the countless number of journalists who have used hacked data for research and evidence, the ends justify the means of obtaining the information in this manner.
“Hacked data can help us to understand the systems that we’re a part of in really powerful ways, and I think that’s what journalism is supposed to do,” Horn said. “It’s fair game.”
The type of information obtained in hacked and leaked data isn’t homogeneous. While some information is more generalized, other information can be far more personal – names, email addresses, home addresses, phone numbers, credit card details – and can identify a person. Publishing that type of information can have a varying degree of consequences, from embarrassment to even death.
Using that hacked data then, given the potential consequences, brings with it an ethical responsibility to publish it with care by redacting certain pieces of information that don’t necessarily contribute to the story.
“We don’t want to amplify any sources of data that could lead to harassment or cybercrime or anything like that. So we will sometimes paint very broad contours of where this information may be,” Cox said. For instance, “we simply say that the data is on an ‘underground forum.’ We don’t name the forum.”
There is another type of data that can be paid for and, at times, identify people without their consent: surveillance data. Though it’s often not obtained via hacking, this data can prove more challenging to journalists who consider using it.
“If there’s a type of data being collected by governments, being collected by police, it’s also likely available on the open market for journalists or anyone else who has the cash to purchase it. That can mean our cell phone location data, GPS data, app data,” Albert Fox Cahn, Founder and Executive Director of the Surveillance Technology Oversight Project, a pro-privacy nonprofit, told The Click.
For journalists debating whether to use this type of data, Cox suggested weighing its importance in the story itself.
“I only think there’s really a public interest in buying the data when the purchase itself is part of the public interest story,” Cox said.
As for the bounty hunter that offered to locate any T-Mobile phone in the US for $300, Cox did pay for that data, noting in his January 2019 article that the person whose phone was located gave Cox consent beforehand. The data was actually purchased from T-Mobile who, among other telephone companies, was selling users’ real-time location to anyone “from car salesmen, property managers, bail bondsmen, and bounty hunters.” Although it wasn’t obtained via hacking and required Cox to essentially pay for this source, he argued it’s ethical to do this at times when the payment itself is crucial to the importance of the story.
“The fact that I can buy the data is the story,” Cox said.
Some privacy advocates, though, fear that purchasing geolocation and other surveillance data can normalize the use of this technology.
Following the Capitol insurrection in January 2020, the New York Times published an article that illustrated how geolocation data from smartphone apps could be used to track the movement of those participating in the riot. Their goal was to highlight the dangers of this type of surveillance data. Cahn, along with Chris Gilliard, a privacy advocate, wrote in an op-ed that the Times failed to do that.
The data, Cahn notes, is often marketed as “de-identified” but not anonymous.
“Location data is uniquely difficult to de-identify because we are distinctly identifiable by the place we live, by the place we work,” he said.
The authors of the New York Times piece could not be reached for comment.
“It’s hard to highlight the potential consequences of this sort of technology when used by police or the military if you then have your own byline on stories that are using the exact same sort of tactics,” Cahn said. “I think it goes up to the imperative for journalists to model behavior that reflects the ethics they want to convey to society overall.”
The ethical codes of conduct that newsrooms each write for their journalists are continually evolving, but just how fast they keep up with the times worries Cahn, for one.
“There are all of these rules that have been established over decades to prevent abusive conduct by members of the press, even when they are pursuing important stories. And one concern I have is that professional ethics codes simply haven’t kept up with the technology,” he said.
Data can be hacked data, leaked data, and surveillance data all at the same time. At other times it can be just one of those things, or two. Regardless, it’s clear that when journalists venture into these waters, a fresh conversation about the ethics of using the data on a case-by-case basis is likely the smartest approach.