Since Sony Pictures was hacked earlier this month we’ve seen a slew of stories do the rounds – reporting everything from the studio’s forthcoming films, to internal email arguments between executives and emails from celebrities themselves. Perhaps unsurprisingly, this unfiltered gossip was lapped up by journalists and consumers alike.
Meanwhile, a few months ago in September dozens of celebrities’ photos were obtained and shared online. The reaction to this was horror – and everyone, especially in the media, was pretty much agreed that viewing or sharing the photos would be an outrageous breach of privacy for the people concerned. To view them, against the wishes of the victims, questions of legality aside, would be morally outrageous.
In both of these cases, it isn’t entirely clear how the information was obtained. In the Sony case, it is thought to be agents of the North Korean government breaking into Sony’s systems and in the case of the celebrity pictures, it was speculated to be the result of a ‘phishing’ attack – with hackers posing as (say) Apple customer support in order to obtain victims’ passwords.
The exact methods used don’t hugely matter – what does matter is that in both cases a large amount of electronic information was obtained in dubious circumstances. So why has the reaction been so different, and what questions does this raise about how the way we exchange information has changed, thanks to technology? And perhaps crucially, how can we judge a ‘good’ hack from a ‘bad’ hack?
As we’ve seen with the two hacks highlighted above, it is now easier to end up in a situation where a lot of data can be stolen at once. And this is a new phenomenon, with new implications.
Think about how leaking information happened in an era before computers. If someone wanted to steal documents from a film studio they would not only have to get physical access to the building (which is difficult), but they’d have to figure out how to escape with huge filing cabinets full of papers – and that’s if they’re lucky. If they’re unlucky, papers will be stored all over the building, in physically different locations, in the desks of different people. Compare to what happened with the Sony hack: all the hackers had to do was break into a central email server, where conceivably correspondence with everyone at the company could be downloaded in one go, in minutes, from wherever in the world they were hacking from.
Then there’s the question of how the hackers then go about distributing the new information. Whether the goal is political, commercial or simply anarchic, they would need a means to get the damaging information to the wider public. Traditionally, leakers and whistleblowers would go to a journalist who could publish it. The professional journalist would then have the important task of parsing the information and figuring out what can be responsibly shared. It was an imprecise science – as who is to say that journalists know best about what the public should know – but it worked pretty well at striking a balance between publishing dubiously obtained information and ruining people’s lives needlessly*.
*(Obviously there is a huge variance here – with at times journalism leaning too far towards invading privacy, and at other times it failing to hold the powerful to account sufficiently, but it’s the best system we had.)
Fast forward to the present day and this informal process has been upended – with power being put directly into the hands of hackers, with no journalists to mediate. As we saw with the celebrity pictures, the hackers didn’t need a journalist – they were simply able to publish and distribute the photos at will. Similarly with the Sony Pictures hack, the documents have been ‘dumped’ without checking first.
This is significant, as the mediation/checking of documents can be hugely important. Perhaps the most stark example of this is over the WikiLeaks Iraq and Afghanistan war logs – and the associated diplomatic cables. Initially in that case, WikiLeaks chose to work with The Guardian to properly vet the many thousands of documents that had been supplied by Chelsea Manning – but as dramatised in the film The Fifth Estate, relations soon broke down and as a result, rather than the information not get out, WikiLeaks opted to dump all of the documents in one go so that anyone could download them instead. This meant that in a keystroke, the genie was out of the bottle: thousands of unredacted names and details were available – including the names of American spies operating around the world. Regardless of whether you think Manning was operating in good faith or not (I think she probably was), it is clear that such an immediate and full disclosure represented huge national security implications for the United States, and the disclosures presumably endangered a number of lives.
The same is true for the celebrity photos. If the pictures had been mediated through a journalist or other arbiter, they never would have been published – but the fact they were anyway has some profound implications for how we should approach hacking and leaking data.
And this brings me back to the Sony hack. How should we approach this? Should it be treated like a ‘good’ leak, which should be reported and viewed – or should it be treated like a ‘bad’ hack? There’s a case to be made for both.
On the ‘good’ side, it is genuinely interesting new information, with news value. Sony Pictures is a huge corporation that deals in billions of dollars – surely it is only right that the company be scrutinised by the media and the public? Surely it is within the public interest to know that, for example, female stars of a film have been paid less than their male co-stars? Given the millions of dollars spent on marketing these products to us, and the lies celebrities always tell about how they’ve enjoyed working on films, it is a public service to expose that really there is a lot of tension involved in the production process? Sony is a powerful company – and with great power, comes an expectation of greater scrutiny – just as you might expect it would be more justified to dig into Barack Obama’s private life more than your next door neighbour’s?
But then look at the other side: What is the difference between the clear invasion of privacy that was stealing private photos and stealing personal emails? Whilst emails may not have the same salacious quality of nude photos, they could arguably be equally personal. Would you like all of your email correspondence to be made public? What would the impact be for you if your friends and colleagues found out what you have been saying about them? Surely this email hack is going to ruin people’s careers, possibly even their lives – not because they are deserving because of involvement in impropriety, but because of some chancers breaking into their private inboxes. Do Sony employees really deserve this, just because they’ve ‘won’ a sort of sadistic lottery?
So what is the right thing to do? Should journalists report on the hack? Should internet users download the document dumps and have a look through?
One sensible question to ask might be whether the ends justify the means. Is hacking intrinsically bad? It seems to me that it can’t be: Whilst it may be a useful rule of thumb (or heuristic) to consider it bad – much like how the morality of stealing becomes blurrier when it is stealing food to feed a starving family, hacking can also be used as a force for good.
In other words, just as guns can be used to oppress or liberate, or GPS can be used to guide humanitarian aid convoys or intercontinental ballistic missiles, the technology itself is essentially neutral. Hacking has previously been used to shut down Iran’s nuclear programme and been used to replace a terrorist website’s instructions on how to make bombs with instructions for making a cake. Similarly, large document dumps have been used as a tactic for whistleblowers – without leaks (which are essentially the same thing as ‘hacks’, in this instance) we wouldn’t have ever learned of the Watergate scandal, or more recently the NSA revelations for which we have Edward Snowden to thank.
So if the ‘means’ are ambiguous – what of the ends? What technology has done is transform the potential impact of hacks – raising the stakes. The Sony Pictures hack could be devastating – whilst Sony will no doubt suffer big losses from several films being leaked, it also risks damaging its competitiveness as rivals can pore over its internal conversations. It isn’t inconceivable to imagine a similar hack of a company in the future that will release information in such a way that drives it into bankruptcy. For individuals too, if they’re paranoid they cannot speak freely on private communications for fear of it all one day going public, it could mean they cannot operate effectively.
So media organisations and individuals have a choice: Do they want to add oxygen to this story? By talking about the hack, and publicising the details, are they contributing to a toxic situation in which no public interest is served and hackers are incentivised to make similar intrusions in the future? Or are journalists simply doing their job? I’m not sure what is the correct answer.