Nieman Foundation at Harvard
A Swiss publisher is trying to attract a paying audience with an app sampling stories across publications
ABOUT                    SUBSCRIBE
March 3, 2014, 10:30 a.m.

Hacking in the newsroom? What journalists should know about the Computer Fraud and Abuse Act

At the NICAR conference this weekend, data journalists and legal professionals discussed the ethical and criminal implications of hacking in the newsroom.

Some people who scrape and publish information from the Internet go to jail. Others produce great journalism. It’s easy to understand why you might want to know which person you are — and whether or not you’re protected from prosecution or not — but that can be a difficult task.

That’s why there was a discussion on the topic at the Computer Assisted Reporting conference in Baltimore last week. ProPublica’s Scott Klein, Scripps Howard’s Isaac Wolf, and defense attorney Tor Ekeland participated in a conversation moderated by The Wall Street Journal’s Jeremy Singer-Vine.

Wolf is a Scripps News reporter who garnered some attention last spring when he reported on a major security breach at a company called TerraCom. In the course of a typical PDF search, Wolf discovered that personal information including Social Security numbers, addresses, and other account information had been left vulnerable. Publishing his findings led Wolf and his colleagues to be branded as “hackers.” Sarah Laskow wrote in CJR that the Scripps case may well be the first time a journalist was threatened under the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act is a law that prohibits unauthorized access to information on a protected computer. It’s the statute under which Andrew Auernheimer, better known as weev, was prosecuted and sentenced to 41 months in prison for taking evidence of a security flaw in AT&T that left user email addresses vulnerable to Gawker. (It’s also the law that led to the prosecution of Aaron Swartz.)

One of Aurenheimer’s attorneys was Ekeland, who provided a legal perspective for the journalists at NICAR on issues around the CFAA. “It’s a very dangerous statute, because it’s so poorly written,” Ekeland said, “and they’re about to make it worse.”

Klein and Singer-Vine are both journalists who have worked on or edited stories that involved, in different ways, practices that could fall under the hacking umbrella. For example, ProPublica published MessageMachine, a project that used reverse engineering to figure out why certain people received specific personalized emails from the Obama campaign. Singer-Vine worked on a story about online pricing inequality on the Staples website.

The focus of the panel discussion was around how journalists interested in doing this kind of work can protect themselves and ensure that they’re on the right side of law. Because the law is nonspecific in its language — and widely decried as outmoded — interpretations of what’s legal and what’s not vary wildly. “The press is protected by virtue of the fact of who they are,” Ekeland said. “I don’t see any difference between what my client did and what Isaac did, except my client is an asshole.”

At ProPublica, there are deliberate rules about how a journalist seeking information online should represent themselves. Klein said that reporters there are banned from creating “straw men,” or programs that falsely suggest the existence of an actual person. That’s why, for the MessageMachine project, users were crowdsourced, and their information — information pertaining to real people — was used to analyze the campaign email algorithm. “I don’t feel like it would have been morally wrong to create straw people, but I can see why adopting these moral ethics…makes sense,” Klein said.

(Klein said they ultimately realized that creating fake users wouldn’t have worked anyway, and that the crowdsourced user base has more value and longevity.)

At The Wall Street Journal, Singer-Vine said he had a similar debate over self-representation. Ultimately, his team tracked Staples price differentials by modifying the cookies the system relied on to track users, a technique that they felt was significantly different from creating straw men. Whether a judge would consider that action acceptable under the CFAA or is less clear.

“Go find a journalism ethics book that says when you can find and manipulate a variable in a cookie,” said Klein. “Good luck! We’re working without a net.”

It’s worth noting an argument introduced by Ekeland on this topic. Framing the issue as a journalist lying to a computer, perpetuates the notion that they’re dealing with something other than a computer. In point of fact, machines don’t have a sense of truth — there are only inputs and outputs. “The computer isn’t being deceived, it’s doing what it was programmed to do,” he said. “We want there to be physical, real world analogies, but the computer people don’t do that.” Not all agreed, however:

Ultimately, the conventional wisdom seems to be that reporters hoping to stay out of court should be very upfront about their intentions, conservative in their judgments, and confident in the value of what they’re doing.

Klein, for example, explained how easy it can be to violate the law accidentally. ProPublica was working with a series of FCC filings at one point while developing a story about who pays for campaign TV ads. The stations are required to make this information publicly available, which is how ProPublica acquired the documents, only to discover later that scanned personal checks were included in the PDFs. Luckily, their reporters realized in time, and were able to do a search for the phrase “pay to the order of,” and delete the information from DocumentCloud. Clearly, there’s a need to proceed with caution as journalists continue to gain access to sensitive documents that are publishable on the web in full.

While the ethics of various methodologies were up for debate, and while interpretation of the law remains opaque, the panelists largely agreed on how journalists can best protect themselves right now.

“You want to be able to demonstrate that you’re using this information for a journalistic purpose,” said Wolf. “Assume that you’re going to be challenged. What is your story? You’re going to be prodded by the entity or company. Reporters elsewhere are going to be asking you questions.”

In addition, he recommends keeping track of process, so that a step-by-step narrative of what steps were taken and why can be presented if necessary. Journalists are protected, but ultimately, they’re only safe if it can reasonably be proven that leadership at their organization concurred that the measures taken were in pursuit of the public good — that the information is, in Scott Klein’s words, “not gossip — it’s not prurient.”

Just last month, the Department of Justice communicated its interest in working to narrow the scope of the CFAA. There are multiple cases in appeals court; as rulings come down, and as lawmakers push for reform, the hope is that the law will become less vague. As Wolf pointed out, if journalists want to be a part of shaping a statute that has the potential to curtail their tools for gleaning information, now is the time to get involved.

Image of a gavel by Joe Gratz used under a Creative Commons license.

POSTED     March 3, 2014, 10:30 a.m.
Show comments  
Show tags
Join the 15,000 who get the freshest future-of-journalism news in our daily email.
A Swiss publisher is trying to attract a paying audience with an app sampling stories across publications
Tamedia’s 12-App collects the 12 best stories each day from the company’s 20-plus publications.
What does it take to be a “full-service” digital journalism organization? Ask Discourse Media
“We’ve gone down lots of experimental rabbit holes.”
Spain’s has 18,000 paying members, and its eye on the next several million
“We have a potential of six million readers. You may not convince all six million people to be your socios, but if you learn more about their interests, you can get closer.”
What to read next
Newsonomics: In the platform wars, how well are you armed?
“Think about platforms as fishing places where you can find large, engaged audiences and build a relationship with them by providing content. Then offer these users some other services off-platform.”
0BuzzFeed is building a New York-based team to experiment with news video
It is the “center of a Venn diagram” between BuzzFeed Motion Pictures and BuzzFeed News.
0Newsonomics: Can a Bezos buddy act help fend off Gannett’s bid for Tribune?
Tribune Publishing’s Michael Ferro says he wants to bring The Washington Post’s Arc CMS to its newspapers. Is that a grasp at credibility or a model for other news companies to outsource their tech stacks?
These stories are our most popular on Twitter over the past 30 days.
See all our most recent pieces ➚
Fuego is our heat-seeking Twitter bot, tracking the links the future-of-journalism crowd is talking about most on Twitter.
Here are a few of the top links Fuego’s currently watching.   Get the full Fuego ➚
Encyclo is our encyclopedia of the future of news, chronicling the key players in journalism’s evolution.
Here are a few of the entries you’ll find in Encyclo.   Get the full Encyclo ➚
Tribune Publishing
The Boston Globe
Davis Wiki
Poynter Institute
The Washington Post
Daily Kos
USA Today