On weaponized transparency


We all need journalists and publishing platforms to consider carefully how they publish sensitive information, whether it has been leaked or hacked from an institution, scraped from public websites or reported out using shoe leather and traditional journalistic sources and methods.

Sunlight, as an open government advocate and a publisher and provider of data, articulates meaningful principles around data collection, use and analysis by journalists, governments and the public writ large. We support government transparency, accountability and protecting privacy when releasing open data, including making thoughtful decisions about what should be released and what shouldn’t. We support both lawful, rules-based approaches to transparency, and whistleblowers whose work becomes necessary when those systems fail.

Sunlight wholeheartedly supports investigative journalism that publishes primary source documents and data online. We know from a decade of open government advocacy, however, that one of the biggest barriers to transparency consistently expressed by government officials responsible for protecting and serving the public’s privacy equities is the fear that information will be misused and that individuals will be harmed.

When reporting on a hacked database, journalists’ and publishers’ responsibilities are not just to verify what happened, when it happened, who was in it, how it was hacked or why it occurred: they are to protect the privacy of the people represented in that data. That may mean working with multiple parties in and outside of government to minimize harms before publishing a story against that data, or carefully redacting information for publicly shared sources.

This weekend, Wikileaks again failed the due diligence review we expect of putatively journalistic entities when it published the personal information of ordinary citizens, including passport and Social Security numbers contained in the hacked emails of Democratic National Committee staff. We are not alone in raising ethical questions about Wikileaks’ shift from whistleblower to platform for weaponized transparency. Any organization that “doxxes” a public is harming privacy.

Wikileaks argues that publishing the names, addresses, passport numbers and Social Security numbers in the DNC hack is “important for investigative journalism.” That’s an ideological position worth recognizing. Compare how the International Coalition of Investigative Journalists was able to report out the Panama Papers through a consortium of dozens of media organizations, or the way it subsequently published a database of the entities in the leaked materials it received.

Or consider how Glenn Greenwald, the Pulitzer Prize winning journalist who reported on the leaks from Edward Snowden on government surveillance, explained how he thinks about the public interest balancing test and transparency to Slate:

“There are two important values in conflict with one another. One is the need to impose transparency on powerful institutions. Companies like Sony do all kinds of business with the government. They influence the public in really significant ways. You cannot deny that they are powerful. The same with the DNC. The same with government agencies. So maybe you have different standards. But I think we do benefit from imposing more transparency on these institutions.

On the other hand, you can start to seriously violate people’s privacy if you have indiscriminate dumping of information. And the Sony hack was a great example, where Jezebel wrote a story about the feminine hygiene products of Amy Pascal—things that would make your stomach turn if you believe in any value of privacy at all. And the interesting thing here is that we have been attacked—we being the journalists who have kind of shepherded the Snowden archive reporting—by a lot of people, including WikiLeaks, in fact led by WikiLeaks, for not dumping all the information but instead redacting information that we thought might harm innocent people. Most of the information that we have withheld I’ve withheld on the grounds that it would invade people’s privacy, like emails that the NSA has collected between people, documents where they accuse people of engaging in certain bad acts without any proof. We’ve done a lot of withholding information in order to protect people’s privacy or reputational interests or other legitimate interests. We tried to balance these two competing values. WikiLeaks has said, criticizing us, that they no longer believe in any form of redaction. I do not ascribe to that view.”

The irresponsibility of the publisher or criminality of the method of the email’s exfiltration does not mean that the source documents do not have public interest value, as we have seen from the last week of reporting. The political relevance of those emails is indisputable: the head of the Democratic party has now resigned. This same public interest value, however, could have been achieved alongside responsible redaction. The Center for Responsive Politics was able to report that the DNC asked the White House to reward donors with slots on boards and commissions without exposing unnecessary personal information.

It’s important to be able to recognize the complex value of the contents of the leak, which will be analyzed more in the coming weeks, while also evaluating whether the publication process was appropriate and why.

Responsible media outlets report on a breach by confirming what happened, how it happened, and whom it affects, not by making the personal data of the victims of a hack more liquid or by linking readers to where they can find the raw documents.

The geopolitical implications of the timing and source of these emails and what they mean for our electoral process will need to be addressed separately, as more facts are established. Despite repeated warnings about their lax security, the DNC was careless in how it handled the personal information of donors internally, and Wikileaks exposed that lack of care to the world. The DNC clearly needs to improve its security posture – organizations that hold sensitive data need to model potential threats and manage risk accordingly – but that too can be handled ethically by security researchers notifying a given institution of vulnerability instead of publishing data.

Investigative journalists need to review sensitive raw data or original documents to verify facts but do not have to publish them on the Internet. Publishers need to ensure that everyone involved in a story knows when it is ethical to publish stolen data, or data with questionable provenance. As publishing is democratized, anyone with a website or social media account has to think through how to avoid the pitfalls of data journalism in the digital age. The weakest link in a newsroom’s security can expose sensitive data that would change someone’s life forever — or even end it.

Over the longer term, it’s likely that personal or sensitive data will continue to be hacked and released, and often for political purposes. This in turn raises a set of questions that we should all consider, related to all the traditional questions of openness and accountability. Weaponized transparency of private data of people in democratic institutions by unaccountable entities is destructive to our political norms, and to an open, discursive politics.

Indeed, campaign finance information itself, a subject implicated by the hacked emails, faces opposition from those who see any campaign finance regulation as an attack on a free politics. Wikileaks’ indiscriminate disclosure in this case is perhaps the closest we’ve seen in reality to the bogeyman projected by enemies to reform — that transparency is just a Trojan Horse for chilling speech and silencing political enemies.

Traditional publishers operate within the boundaries of traditional restraints, from political norms to funding sources to government licenses for broadcasting on public spectrum. Shifts in technology have now enabled non-traditional platforms to rise that are not bound by any of those norms. As long as we can expect security practices to be unable to prevent such hacks, the vacuum of available remedies makes overreaction from governments too tempting, and invites regulatory over-response.

The threat of future reprisals or censorship by proxies that stifle speech in unaccountable ways, however, is real and relevant to open government everywhere. Overreaction could well be worse than no reaction. The prospect of restraints on freedom of expression or the press in a networked Fourth Estate without due process is toxic to democracy.

Public debate and disclosure of any potential remedies in Congress is critical, given the way that extra-judicial actions taken by Facebook, Google or payment processors can act to censor publication of data that was properly redacted and informs the public of corruption or criminality. The methods proposed to combat online piracy in legislation proposed in 2011 closely mirror the mechanisms that a public-private partnership between government and technology companies could pursue today, from the DNS system to blacklists on social media. That doesn’t make them wise, but political uproar could reinvigorate their application.

As a society, we’re going to need to decide what governments, financial institutions and technology companies should be empowered to do, and what constraints they should face in the face of massive hacks and subsequent online disclosures. The history of U.S. government censorship of websites for copyright violations does not give us confidence that an appropriate balance will be struck.

What we can say with certainty today is that in the wake of this series of intentional privacy violations, whistleblowers and “white hat” hackers should consider who they’re leaking to, and why. Private data gives people great power, which in turn carries with it great responsibility. In every case, for every person described in the data, there’s a public interest balancing test that includes foreseeable harms. Every person who is entrusted with collecting, protecting or reporting on data needs to think through how open public records should be and to whom, with what friction, in a more transparent age.