Published by The Lawfare Institute
in Cooperation With
The question is provocative, but the answer is hard. The reaction to WikiLeaks’ publication of the fruits of Russia’s DNC hack raises many puzzles about how we should think about publication of truthful secret information that touches on public affairs. These puzzles are important to figure out, since organizational doxing is growing more prevalent and consequential and our intuitions about it are not obviously coherent. I don’t have great answers to what traditional news sources like the Times should do with hacked documents, but in practice I think the Times and other mainstream news organizations operate more like WikiLeaks than we have appreciated. Even if I am wrong about that, I hope the following analysis and questions shed a little light on the problem.
Many people who are appalled by WikiLeaks’ publication of the stolen DNC emails applauded the publication by mainstream news organizations of Snowden’s stolen NSA documents. They emphasize Snowden’s good intent as a whistleblower, the Times’ aim to foster the public interest, and the positive consequences of publication for the public interest (such as exposure of the U.S. intelligence practices, the spread of encryption, more NSA transparency, and a global privacy movement). By contrast, one story goes, Russia and WikiLeaks had bad intent and publication of the DNC emails skewed the public interest.
But this contrast is too easy. Many people question Snowden’s intent and believe the consequences of his disclosure were awful. And many people—including many Trump and Sanders supporters—believe that WikiLeaks’ publication of the DNC materials served the public interest and should have been reported more robustly, and they don’t care about the intent, good or bad, of the hacker/thief or the publisher. On this latter view, what matters to publication is only whether the information is truthful and serves (one’s conception of) the public interest; the intentions of the hacker and publisher are irrelevant.
One way to test intuitions about the relative importance of intent and consequences to publication is to imagine that we learn tomorrow that Snowden was a Russian agent, as some believe. Would this new fact detract from the good outcomes achieved by publication of the NSA documents? Those who liked the Snowden revelations might think differently of Snowden if he were a Russian agent, but should they think differently about the publication of the documents he stole? Does it matter that the ends they otherwise admire were achieved by a Russian operation that aimed to harm the United States?
Some argue that the difference between WikiLeaks and the Times is that WikiLeaks publishes without the Times’ editorial filter, which better ensures that publication serves the public interest and protects innocent identities. The Times is more careful about what it publishes than WikiLeaks. But what is remarkable is how much the Times has been influenced by and moved toward the WikiLeaks model. Consider three examples.
First, following WikiLeaks, the Times now deploys SecureDrop, which is an “open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources.” The Times assures SecureDrop tippers that it does “not ask for or require any identifiable information” or “track or log information surrounding our communication.” It also says that information sent via SecureDrop is stored in encrypted format on its servers and is decrypted and read on a computer unconnected to the Internet.
Second, the Times has lowered the bar on the publication of classified information in recent years. There have been many reasons for this change, but one is that the Times saw the many public interest benefits of WikiLeaks’ early State Department cable release, and noticed that the sky didn’t fall. The Times also got over its fear of legal consequences. Its Assistant General Counsel, David McCraw, recently acknowledged (47:30 ff.) that the newspaper had lowered its bar to publication because of the WikiLeaks and Snowden experiences, which convinced his legal team “that there is no legal consequence from publishing leaks” of classified information, at least where lives are not clearly at stake.
Third, as journalistic norms have changed in the Internet era, the Times has adopted a more capacious understanding of what types of publication are in the public interest. The Times has many more competitors than ever and is desperate for revenue. As WikiLeaks and thousands of less scrupulous competitors around the globe published material that the Times once might not have, the Times necessarily wrote about the news generated by these publications and modified its own scruples in the process. The Times’ great story on the DNC hack made this point indirectly when it referred to the “media’s appetite for the hacked material” and noted that “every major publication, including The Times, published multiple stories citing the DNC and Podesta emails posted by WikiLeaks, becoming a de facto instrument of Russian intelligence.”
To assess how much the Times has become like WikiLeaks, and to see how little the differing aims and intentions of the two publications ultimately matter, consider what the Times would do if it received the DNC emails through its SecureDrop page. The Times reported on WikiLeaks-released emails about DNC machinations against Bernie Sanders, staffer questions about Clinton’s judgment, and DNC connections to big donors and big journalism. Would it have published and reported on the same emails if it had received them anonymously in the first instance?
We don’t need to speculate much about this question, since we saw what the Times did when someone anonymously gave it three pages from Donald Trump’s 1995 tax return. The Times never learned the identity of the source. Instead, it assigned a slew of reporters to authenticate the document, it hired tax experts to analyze the document, and it spoke with Trump’s former accountant who prepared the 1995 return. After determining that the document was authentic and would serve the public interest, it published and reported on it even though doing so posed some legal risk. In general, this is how major news outlets proceed: They publish truthful information they deem to be in the public interest even if the documents are extracted unlawfully. (Note that, in an important contrast to some of its less exalted competitors, the Times did not publish the salacious Trump dossier because it could not authenticate it.)
If the Times’ treatment of Trump’s taxes are a guide, it would have authenticated the anonymously delivered DNC emails and then published them. It would not have published the whole cache, as WikiLeaks did, but it would have published an edited selection that included emails involving the Sanders bias, Clinton’s poor judgment, and the DNC’s connections that were so relevant to and consequential in the public debate. And it would have done so even if it could not confirm the source of the leak. The Times might have had more honorable intentions than WikiLeaks in publishing the information in the anonymously received emails, but the pre-election impact would have been similar. If anything, the impact might have been greater, since some people discounted the DNC emails due to the identity of the actual publisher (WikiLeaks) and the source of the documents (Russia). (As noted below, the Russia attribution likely heightened the hack’s post-election impact.)
These are some of the reasons why I doubt there are material differences between WikiLeaks and the Times when it comes to publishing truthful information in the doxing era. Whether I am right or wrong, the analysis suggests the following hard but important questions:
1. In an era of SecureDrop, how can the Times tell the difference between a whistleblower and a foreign intelligence service running an information operation? If we are troubled that the Times might have published DNC emails delivered anonymously by Russia, should we question the legitimacy of mechanisms like SecureDrop? Should the Times rethink its policy of publishing anonymously delivered truthful information? If not, doesn’t that mean that the Times doesn’t care about the identity or intention of the actor who stole and delivered the information?
2. If Trump lost a close election and a contributing factor was the public reaction to the Times’ story about his 1995 tax return, would those who are angry now about publication of the DNC emails be angry about the Times’ tax return story? Would it matter whether the tax return was published by WikiLeaks rather than the Times? What if we learned that the tax return tip to the Times was an information operation by China that aimed to help Clinton win? How do we know the tax return tip wasn’t such a Chinese information operation? Should our reaction to the publication of Trump’s 1995 tax returns differ depending on whether the source was China, Marla Maples, or the Clinton campaign? Or is the public interest served no matter who is responsible?
3. Why didn’t the Russians hide their tracks better, and why didn’t they give the information to the Times a mainstream publication via SecureDrop rather than to WikiLeaks?* Could it be that—as David Ignatius speculated in the context of the Trump dossier in the news last week—they wanted to be discovered in order to heighten the post-election impact of the revelations? The information in the DNC emails would have been much less disruptive after the election if it had been published in the Times a mainstream publication rather than WikiLeaks, and if the identity of the hacker was never revealed.
4. Will we see a race to the bottom (or top, depending on your perspective) in which both WikiLeaks and the Times will be circumvented entirely? Recall that portions of the stolen DNC information first appeared on Gawker and then on DC Leaks before being published in much larger quantities by WikiLeaks. As Susan wrote in comments on an earlier draft: “Any idiot can create a website and post information directly. That may eliminate the need for press or other intermediaries entirely, which we will eventually need to grapple with as well.” How will we grapple with this possibility, especially given the extraordinarily destructive impact that the “not particularly sophisticated” and thus easily replicable DNC operation is having on American politics?
5. How much worse is this all going to get when organizational doxing starts to include—as it inevitably will—documents that are mostly accurate but subtly altered, with great consequence? Will mainstream journalists demand authentication of every element of anonymously tipped information before publication? Will their less fastidious competitors?
*After publication of this post a smart reader pointed out that the Times’ SecureDrop only went online on December 15, 2016 even though other mainstream publications, like the Washington Post, had launched SecureDrop much earlier. The Russians thus could not have given the information to the Times anonymously last summer, though it could have given it to the Post or other mainstream publications. It is unclear why the Times waited so long to create a secure channel for anonymous tips even though other mainstream news outlets had done so much earlier and even though opinion writers in the Times itself had urged such measures as early as 2011. It is also curious that the Times decided to launch SecureDrop at the height of the controversy over WikiLeaks and the election.