Quantcast
Image: SvetaZi/Shutterstock

How to Report on a Hack Without Becoming a Puppet

Joseph Cox

Joseph Cox

Journalists are increasingly relying on data provided by hackers rather than whistleblowers. But with that comes an ethical and professional minefield.

Image: SvetaZi/Shutterstock

Motherboard is hosting a panel on the responsibilities, obligations, and methodologies of journalists when it comes to reporting on hacked data at this year's re-publica conference. The synopsis of the panel is here, and it will be livestreamed on Monday, May 8, at 18:30 CET (12:30 EDT). We will update this piece with the livestream itself at the time.

The next large scale investigation may not come from a whistleblower, but a hacker.

Whether a hacktivist hits what they see as an unethical company, or a likely state-sponsored group steals emails and gives them to journalists for political purposes, reporters are increasingly presented with data that was obtained by a third-party digitally breaking into a target's systems.

These cases provide an incredible opportunity for journalists to report on important issues, but hacked data, and the sources who provide it, can also present an ethical and professional minefield.

YOUR SOURCE'S MOTIVATIONS ARE NOT ALWAYS YOURS

Plenty of hackers want to expose something that is in the public interest, but many have motivations that are totally different to a journalist's. Take The Dark Overlord: this hacker, or group of hackers, has stolen sensitive data from medical centres and corporations, and then sent the information to reporters. These hackers are doing this, however, solely to bolster their own blackmailing efforts. They recently tried to hold Netflx to ransom.

With this in mind, journalists need to acknowledge why their source may be providing this information, and if appropriate, maybe address that in an article itself, so readers can see that for themselves. Ultimately, a reporter's goal is to help inform the public, and if a hacker is distributing information only for ransom purposes, or to influence an election like in the case of Guccifer 2.0 (the suspected Russian front that proliferated data stolen from the Democratic National Committee), that may be just as important as the data breach itself.

DECIDING WHAT TO OMIT IS JUST AS IMPORTANT AS WHAT TO INCLUDE

But acting on this idea isn't just about including extra context; it may also concern omitting certain pieces of information too. Sticking with The Dark Overlord example, during one data breach of a medical center, the hackers tried to encourage reporters to contact and name specific high profile professional athletes who were patients of the clinic. Again, this would likely have been to put pressure on a blackmail target.

But there was very little public interest in doing that: it was possible to report the data breach, convey the significance of it, and produce the article fairly, without invading the privacy of individual victims.

This approach may irritate some sources, but the balance of what to include and what to leave out is constant, and sometimes difficult, when dealing with data that often doesn't just impact, say, government officials, but completely random, ordinary people too. (At one point, The Dark Overlord stopped communicating with Motherboard. Weeks later, someone from the group indicated it was because the articles were not sensationalist enough.)

LOOK AT HOW JOURNALISTS HANDLE LEAKS AND WHISTLEBLOWERS

Although journalists ten or 20 years ago may not have worked with sources who were hackers, in some cases reporting on hacked data is not going to be all that different than obtaining information from a whistleblower.

"The kind of ethical issues that journalists have to deal with in terms of whistleblowing and leaks generally are a pretty strong precedent for this," Paul Bradshaw, course leader of MA Online Journalism at Birmingham City University in the UK, previously told Motherboard.

What is the source trying to achieve? What will the impact be of publishing this material? And is publication more important broadly than any damage it might cause? None of this is an exact science, but as data breaches continue to saturate headlines, and data becomes the currency of journalistic information, reporters need to get acquainted with these questions as quickly as possible.

Subscribe to Science Solved It , Motherboard's new show about the greatest mysteries that were solved by science.