Nieman Journalism Lab
Pushing to the future of journalism — A project of the Nieman Foundation at Harvard

Hacking in the newsroom? What journalists should know about the Computer Fraud and Abuse Act

At the NICAR conference this weekend, data journalists and legal professionals discussed the ethical and criminal implications of hacking in the newsroom.

Some people who scrape and publish information from the Internet go to jail. Others produce great journalism. It’s easy to understand why you might want to know which person you are, and whether or not you’re protected from prosecution, but that can be a difficult task.

That’s why there was a discussion on the topic at the Computer Assisted Reporting conference in Baltimore last week. ProPublica’s Scott Klein, Scripps Howard’s Isaac Wolf, and defense attorney Tor Ekeland participated in a conversation moderated by The Wall Street Journal’s Jeremy Singer-Vine.

Wolf is a Scripps News reporter who garnered some attention last spring when he reported on a major security breach at a company called TerraCom. In the course of a typical PDF search, Wolf discovered that personal information including Social Security numbers, addresses, and other account information had been left vulnerable. Publishing his findings led Wolf and his colleagues to be branded as “hackers.” Sarah Laskow wrote in CJR that the Scripps case may well be the first time a journalist was threatened under the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act is a law that prohibits unauthorized access to information on a protected computer. It’s the statute under which Andrew Auernheimer, better known as weev, was prosecuted and sentenced to 41 months in prison for taking evidence of an AT&T security flaw, one that left user email addresses vulnerable, to Gawker. (It’s also the law that led to the prosecution of Aaron Swartz.)

One of Auernheimer’s attorneys was Ekeland, who provided a legal perspective for the journalists at NICAR on issues around the CFAA. “It’s a very dangerous statute, because it’s so poorly written,” Ekeland said, “and they’re about to make it worse.”

Klein and Singer-Vine are both journalists who have worked on or edited stories that involved, in different ways, practices that could fall under the hacking umbrella. For example, ProPublica published MessageMachine, a project that used reverse engineering to figure out why certain people received specific personalized emails from the Obama campaign. Singer-Vine worked on a story about online pricing inequality on the Staples website.

The panel discussion focused on how journalists interested in doing this kind of work can protect themselves and ensure that they’re on the right side of the law. Because the law is nonspecific in its language — and widely decried as outmoded — interpretations of what’s legal and what’s not vary wildly. “The press is protected by virtue of the fact of who they are,” Ekeland said. “I don’t see any difference between what my client did and what Isaac did, except my client is an asshole.”

At ProPublica, there are deliberate rules about how a journalist seeking information online should represent themselves. Klein said that reporters there are banned from creating “straw men,” or programs that falsely suggest the existence of an actual person. That’s why, for the MessageMachine project, users were crowdsourced, and their information — information pertaining to real people — was used to analyze the campaign email algorithm. “I don’t feel like it would have been morally wrong to create straw people, but I can see why adopting these moral ethics…makes sense,” Klein said.

(Klein said they ultimately realized that creating fake users wouldn’t have worked anyway, and that the crowdsourced user base has more value and longevity.)

At The Wall Street Journal, Singer-Vine said he had a similar debate over self-representation. Ultimately, his team tracked Staples price differentials by modifying the cookies the system relied on to track users, a technique that they felt was significantly different from creating straw men. Whether a judge would consider that action acceptable under the CFAA is less clear.

“Go find a journalism ethics book that says when you can find and manipulate a variable in a cookie,” said Klein. “Good luck! We’re working without a net.”

It’s worth noting an argument introduced by Ekeland on this topic. Framing the issue as a journalist lying to a computer perpetuates the notion that they’re dealing with something other than a computer. In point of fact, machines don’t have a sense of truth — there are only inputs and outputs. “The computer isn’t being deceived, it’s doing what it was programmed to do,” he said. “We want there to be physical, real world analogies, but the computer people don’t do that.” Not all agreed, however:

Ultimately, the conventional wisdom seems to be that reporters hoping to stay out of court should be very upfront about their intentions, conservative in their judgments, and confident in the value of what they’re doing.

Klein, for example, explained how easy it can be to violate the law accidentally. ProPublica was working with a series of FCC filings at one point while developing a story about who pays for campaign TV ads. The stations are required to make this information publicly available, which is how ProPublica acquired the documents, only to discover later that scanned personal checks were included in the PDFs. Luckily, their reporters realized in time, and were able to do a search for the phrase “pay to the order of,” and delete the information from DocumentCloud. Clearly, there’s a need to proceed with caution as journalists continue to gain access to sensitive documents that are publishable on the web in full.

While the ethics of various methodologies were up for debate, and while interpretation of the law remains opaque, the panelists largely agreed on how journalists can best protect themselves right now.

“You want to be able to demonstrate that you’re using this information for a journalistic purpose,” said Wolf. “Assume that you’re going to be challenged. What is your story? You’re going to be prodded by the entity or company. Reporters elsewhere are going to be asking you questions.”

In addition, he recommends keeping track of process, so that a step-by-step narrative of what was done and why can be presented if necessary. Journalists are protected, but ultimately, they’re only safe if it can reasonably be proven that leadership at their organization concurred that the measures taken were in pursuit of the public good — that the information is, in Scott Klein’s words, “not gossip — it’s not prurient.”

Just last month, the Department of Justice communicated its interest in working to narrow the scope of the CFAA. There are multiple cases in appeals court; as rulings come down, and as lawmakers push for reform, the hope is that the law will become less vague. As Wolf pointed out, if journalists want to be a part of shaping a statute that has the potential to curtail their tools for gleaning information, now is the time to get involved.

Image of a gavel by Joe Gratz used under a Creative Commons license.

  • http://hacktext.com/ AramZS

    IT folks have known basically since its formation that the Computer Fraud and Abuse Act is a mess. It was rushed into service as a reactionary measure to combat crimes whose province and actions were unclear by legislators with little to no knowledge of the mechanics of the actual crimes.

    Many companies use it as a blunt instrument and because using the internet (or even a cellphone these days) pretty much guarantees you will be passing through computers in other states, it’s a great way for prosecutors to jump up state crimes to the federal level.

    Like most of the US’s computer-focused laws, it is a mess.

  • Jody Abu Zubaydah

    We today just found out that The Public Record published my husband’s full social security number, driver’s license #, passport info to go alongside an old story they thought would be cool to revamp while exposing us to numerous dangers. Without even thinking that our life could be in danger. They should go to jail.