Why Sony probably can’t stop the media from publishing stories from the hack

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.washingtonpost.com/news/morning-mix/wp/2014/12/15/why-sony-probably-cant-stop-the-media-from-publishing-details-of-the-hack/

The Pentagon Papers. Climategate. Wikileaks. The celebrity nude photo
scandal. Confidential information stolen and leaked.

News organizations have long used material, stolen by others, when they
deem it newsworthy, whether it’s from the files of the government or
private companies and individuals. Lots of people have tried to stop them.
Rarely have they succeeded.

The latest example is Sony Pictures Entertainment. Its lawyer sent a letter
to media organizations on Sunday warning them not to use a trove of
corporate data dumped by hackers who infiltrated the company’s corporate
servers last month. And it wasn’t just any lawyer. The sender of the “Dear
General Counsel” letter was celebrated litigator David Boies.

Can Sony, even with David Boies, force the media to stop reporting the
details of the hack or make news organizations destroy the documents, as
Boies is demanding?

According to legal experts, probably not. Unless the publications
themselves stole the documents, the courts have blanketed them with broad
First Amendment protections that are hard to overcome. So if Sony doesn’t
have much of a legal leg to stand on, what’s the point of sending
threatening letters to the New York Times, the Wall Street Journal, the Los
Angeles Times, Gawker and other media outlets?

Perhaps to scare them. Nobody relishes the prospect of costly legal battle.
Media organizations might postpone publication of stories about the hack
while they consult their lawyers, or exercise more caution and discretion
in what they publish, weighing the real news value as opposed to the click
quotient. The letter also plays to some news organizations’ ethical
sensibilities. Some already feel squeamish about using stolen material,
though it hasn’t stopped them.

In the past week, the media have published hundreds of stories about the
personal e-mails and corporate documents, reporting on Sony executive
salaries, business dealings and e-mail exchanges in which executives took
shots at President Obama and Angelina Jolie, among others. It’s one of the
largest document dumps ever to hit a major corporation.

The letter sent by Boies said the stolen information includes material
protected by attorney-client privilege, trade secrets and private
information otherwise legally protected.

Sony “does not consent to your possession, review, copying, dissemination,
publication, uploading, downloading, or making any use of the Stolen
Information,” the letter said. It warned Sony would have “no choice but to
hold you responsible from any damage or loss resulting from such use or
dissemination by you.”

University of California at Los Angeles law professor Eugene Volokh
explained in a blog post for The Washington Post that as long as media
outlets don’t participate in stealing information, they are generally
protected by the First Amendment if they use it in their reporting.

That what the Supreme Court ruled in Bartnicki v. Vopper, a 2001 case about
a radio host who played a tape of an illegally recorded conversation left
in his mailbox. On the tape, union leaders in the middle of a contract
dispute with the school board discussed taking violent action if their
demands weren’t met. The union leaders sued, saying the radio host violated
federal and state wiretapping laws that prohibit dissemination of stolen
information.

The court sided with the media. The case turned on two things: the fact the
radio host didn’t intercept the conversation himself and claimed not to
know it was illegally recorded, and the fact that conversation was
newsworthy. A “stranger’s illegal conduct does not suffice to remove the
First Amendment shield from speech about a matter of public concern,”
Justice John Paul Stevens wrote for the majority.

That case doesn’t exactly fit the facts of the Sony hack. For one thing,
media outlets know the information was stolen.

But in another case from 1969, reporters did know that photocopied
documents given to them by former employees of Sen. Thomas Dodd (D-Conn.)
were taken without permission. Dodd sued investigative reporters Jack
Anderson and Drew Pearson. The D.C. Circuit Court in Pearson v. Dodd said
giving photocopies to reporters didn’t deprive Dodd of a property right to
the documents, and the reporters didn’t intrude on Dodd’s privacy by
publishing information of public concern that was stolen by someone else.

Sony might argue the stolen information isn’t newsworthy for First
Amendment purposes — for example, an e-mail from movie producer Scott Rudin
calling Jolie a “minimally talented spoiled brat.” The definition of what’s
newsworthy isn’t clear, but is generally forgiving to publishers, Volokh
told The Post in a phone interview. Even seemingly petty details could be
deemed valuable to public discussion. “Personal opinions about Angelina
Jolie might be newsworthy because they reflect on the behavior of two
really important business actors,” Volokh said.

But there are limits to what newspapers can do in the name of press
freedom. Volokh said there are two types of information that the media
could get in trouble for publishing.

The first is personal information about a particular individual — details
about an extramarital affair or the medical records of a low-level employee
whose health, unlike that of a U.S. president, isn’t of public concern.
Bloomberg published an article last week that reveals information about
Sony employees’ private health records without naming names.

But even in such cases, Sony couldn’t sue, Volokh said. Only the person
whose private information was made public could.

The media could also get in trouble for publishing copyrighted
material.Re/Code reported the stolen data includes five unreleased Sony
films. Even e-mails are protected by copyright. Paraphrasing or excerpting
an e-mail isn’t likely to infringe on copyright, but publication of the
full text might, Volokh said.

On the other hand, a strong letter from a lawyer tends to get the attention
of editors and their corporate legal departments. Stories can get slowed
down or even vetoed as not worth the risk from a news standpoint. Right
now, news organizations appear to be pretty freewheeling with the Sony
information, though some journalists already have reservations about
publishing stolen material unless it exposes some significant wrongdoing.

“The more Sony Pictures data keeps leaking, the more my moral compass spins
like a weather vane in a hurricane,” Variety co-editor-in-chief Andrew
Wallenstein wrote in an op-ed titled “Why Publishing Stolen Sony Data Is
Problematic but Necessary.” “It’s getting harder for me to report on the
contents of Sony’s leak without wondering whether I’m somehow complicit
with these nefarious hackers by relaying the details of seemingly every
pilfered terabyte.”

But in today’s social-media environment, the simple fact someone else
leaked private material becomes news, whether or not a publication chooses
to reproduce it. That’s what happened with the nude photo hack of Hollywood
celebrities, during which many outlets publicized the pictures without
publishing them even as they condemned them as a grotesque invasion of
privacy.

“These [Sony] documents are neither the JLaw nude photos nor are they
Snowden’s cache of national security documents,” Anne Helen Petersen wrote
for Buzzfeed. “Yet when it comes to future handling of such information,
the gray area in which they reside — between public and private, between
prurient and illuminating — might not be the exception, but the new normal.”

She sees a function for journalists now. “The new role of journalists, for
better or for worse, isn’t as gatekeepers, but interpreters: If they don’t
parse it, others without the experience, credentials, or mindfulness toward
protecting personal information certainly will.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!