BRANDY ZADROZNY This is On the Media, I'm Brandy's Zadrozny, Micah Loewinger, On the Media reporter, hello!
MICAH LOEWINGER Hey, Brandy!
BRANDY ZADROZNY How are you?
MICAH LOEWINGER Good, thanks for having me.
BRANDY ZADROZNY OK, so what are you working on?
MICAH LOEWINGER So a couple of weeks ago I got a tip from a listener. They sent me a photo of a car that had a sticker of a far right group on it, a far right group's insignia, and they wanted me to identify the person's car. And they kind of had a hunch of who it belonged to. I wasn't sure what to do. So I went to another journalist at WNYC. His name is George Joseph, and I said, George, "what do you think we do?" And he says, Actually, I think we can look up the license plate using hacked data from an app called Park Mobile. Now, Park Mobile is like a pretty common app. You use it to pay a parking meter, and so I went to a hacker forum, downloaded this big file and typed in the license plate number. And out came a person's name, their email address and their phone number.
BRANDY ZADROZNY Woooow.
MICAH LOEWINGER At first I was like, really psyched, kind of feeling like a little bit of a god. You know, I was like, "there's no knowledge that I cannot consume."
BRANDY ZADROZNY Oh lord.
MICAH LOEWINGER But very quickly, the excitement started to give way to a deep uneasiness. Is this ethical? Is it fair game to do this? I wanted to speak with a journalist who's grappled with these questions and might be able to help me think through some of the ethics of this kind of reporting.
KEVIN COLLIER Well, it's complicated. I don't know how to get into it without kind of really getting into it.
MICAH LOEWINGER So I reached out to your friend, Kevin Collier.
BRANDY ZADROZNY Yeah, Kevin Collier. He's great. He's like the hack man at NBC News.
KEVIN COLLIER I don't think there are very many reporters out there who don't look at something like the Pentagon Papers, and say, you know, there is this kind of almost ideal scenario where a dream source will land this incredible file set or document in your lap. And it will be one of the biggest stories of a generation. And I think that primed a lot of reporters to think, wow, this could happen to me.
MICAH LOEWINGER Then the very notion of a leak fundamentally changed in 2010 with whistleblower Chelsea Manning.
NEWS REPORT American soldiers opening fire from an Apache helicopter.
AMERICAN SOLDIER Oh, yeah, look at that. Right through the windshield.
NEWS REPORT on what would turn out to be civilians, including children.
CHELSEA MANNING Everything that you need to know about warfare is right there. In one 47 minute video. [END CLIP]
MICAH LOEWINGER That last voice is Manning discussing a classified video known as Collateral Murder, which she downloaded from military servers during the Iraq war. And then she gave to Julian Assange, who posted the video with a lot of other information to WikiLeaks, his website, which he started for this exact purpose. You know, a place for well-intentioned whistleblowers to leak information that was in the public interest.
NEWS REPORT So why WikiLeaks then?
CHELSEA MANNING I tried to go to The Washington Post first and I tried to go to The New York Times.
NEWS REPORT Over the course of four months, she leaked diplomatic cables, battlefield reports, more than 700,000 documents in all.
MICAH LOEWINGER And 3 years later, we had Edward Snowden's bombshell leak about the secret NSA surveillance program.
KEVIN COLLIER I think that led to a scenario where we, the press, were too primed to think that because files were secret and then hacked and then delivered to us, that meant that there was something inherently newsworthy about that. In 2016, when what we now know was Russian military intelligence, the GRU, hacking Democratic servers and the lead up to a very contentious presidential election. The large story was an adversary to the U.S. was attacking a presidential campaign and trying to influence elections.
NEWS REPORT WikiLeaks released some 20,000 emails from DNC staffers, which led to the resignation of Chairwoman Debbie Wasserman Schultz. Assange has already teased that he would be releasing documents with enough evidence to get Clinton arrested. [END CLIP]
KEVIN COLLIER I think some elements of the press were more guilty than others, and I think we'd largely recognize in retrospect that that was kind of getting played.
BRANDY ZADROZNY What happened with WikiLeaks is this pretty huge cautionary tale. Do you think that the DNC email hack changed how journalists approach leaks?
MICAH LOEWINGER One thing I don't think has changed since WikiLeaks is the fundamental calculus of the media weighing the newsworthiness of the leaked information against its potential harms.
BRANDY ZADROZNY Right. So like nude celebrity photos or somebody's random medical records, they're too harmful to publish in a legit media outlet. And it's not particularly newsworthy.
MICAH LOEWINGER Exactly. But at the same time...
KEVIN COLLIER If something was unbelievably newsworthy and it was a clear, let's say, Russian hacking operation, but it was legitimate, I think most outlets would still go for it.
KIM ZETTER There is no single standard. Every media outlet sort of decides on its own what it feels comfortable doing.
MICAH LOEWINGER That's Kim Zetter, a journalist covering cybersecurity, she's also the author of Countdown to Zero Day: Stuxnet and the launch of the World's First Digital Weapon. She points to an interesting decision that The New York Times made back in 2014 when North Korean hackers released emails from Sony employees.
KIM ZETTER They said that they would report on newsworthy things that other journalists discovered in sifting through the documents, but they themselves wouldn't sift through the documents.
BRANDY ZADROZNY It's a cop out, but also, what do you do? Like, you can't just ignore information.
MICAH LOEWINGER Yeah, I mean, like if a hacker reveals that Joe Biden is a robot and it seems credible, like, are we just going to pretend Joe Biden is not a robot?
BRANDY ZADROZNY Oh, my God. That's going to be a new conspiracy theory now, thank you.
MICAH LOEWINGER [LAUGHS] It started here. But while the times might be a little shy with this kind of hack and leak thing, other groups are actively pushing the boundaries.
LORAX HORNE There isn't another place now that would publish hacks and leaks. The way that we do.
MICAH LOEWINGER This is Lorax Horne, a journalist with a nonprofit called Distributed Denial of Secrets or DDos Secrets for Short. They refer to themselves as a journalism collective.
LORAX HORNE The word collective is meant to imply a sort of horizontal structure and a lack of centralized leadership. A group of people who can disagree with each other and correct course if that's what needs to happen.
MICAH LOEWINGER The notion of a more ethical version of WikiLeaks is really fascinating to me, but in many ways, ddosecrets is a lot like their predecessor. ddosecrets published hacked donation rules from a right wing crowdfunding site that showed that U.S. officials and police officers had donated to Kyle Rittenhouse’s relief fund after he killed two people in Kenosha, Wisconsin. Their latest release features chat logs from an anti-vaxx group in the UK demonstrating their strategy to lobby members of parliament, but their most notorious leak was released during the George Floyd protest last year.
NEWS REPORT The BlueLeaks data dump includes 269 gigabytes of hacked law enforcement records posted online earlier this year. [END CLIP]
MICAH LOEWINGER After the BlueLeaks went live, German police complied with U.S. law enforcement, raided their server in Berlin, and then pushed ddosecrets onto the dark web, where they are now.
BRANDY ZADROZNY Fascinating. So can anyone access their files like WikiLeaks?
MICAH LOEWINGER I think like 90 percent of the files they host on their site are available to the public. Anyone can download it. 10 percent,
BRANDY ZADROZNY the Good Stuff.
MICAH LOEWINGER Yeah, the data sets that are most likely to contain potentially sensitive information, that's only available to journalists and researchers. When they receive information from a hacker, they explain what they believe the motivations of the hacker might be, political or otherwise. They're also careful not to break the law that the Department of Justice is using to prosecute Julian Assange right now.
LORAX HORNE Basically, the second that you talk to one of us while you were in the course of committing the breach, then you would be able to testify against us. And we're not really interested in a charge under the Computer Fraud and Abuse Act, and so, yeah, that will burn a source pretty quickly.
MICAH LOEWINGER How do you know you can trust a hacker?
LORAX HORNE Oh, you can't. We say the data speaks for itself and that data is only a part of the story.
MICAH LOEWINGER How can you possibly be sure when you're, when we're talking about terabytes of information that there may not be sensitive personal information like, let's say my Social Security number or my credit card number?
LORAX HORNE I don't think we can know. We do our best to review data sets and to put things in the limited distribution category when we think that there's a high probability of their being personally identifiable information. The distribution of secrets hasn't created the world that we're in, but so far, I'm quite happy with the work that we've done and with the ability to manage that risk.
BRANDY ZADROZNY There's something about that phrasing that makes me deeply uncomfortable.
MICAH LOEWINGER Why?
BRANDY ZADROZNY Before something is published or goes on the air, I'm sure of it. And so I think maybe it's just that not knowing, I just, if you're a journalist and you don't do that.
MICAH LOEWINGER Yeah, I understand that. They are actively testing the limits of journalism because the hacker landscape is different than it was when Julian Assange was still leaking.
NEWS REPORT Cyber criminals are using ransomware as a tool that in this case could block hospitals from accessing their own data.
NEWS REPORT Ransomware attack targeted Colonial Pipeline and forced the company to shut down over the weekend.
NEWS REPORT Small Newhall School District in California was attacked last fall. A teacher, payroll, grades and lesson plans locked up for nearly two weeks as hackers demanded big money. [END CLIP]
MICAH LOEWINGER Between 2019 and 2020, ransomware attacks rose by 158 percent in North America and over 60 percent worldwide, and hackers have turned to a new trend called "double extortion."
BRANDY ZADROZNY What is double extortion?
MICAH LOEWINGER Normally, if you want your data back, you pay the ransom, right? That's just regular old extortion. But people are getting a little wiser to this whole ransomware thing and they're saying either I'm not going to pay the ransom or they back up their data all the time. So the double extortion is when the hackers also threaten to leak the data if they don't get their money, which is what happened earlier this year to Jones Day one of the biggest law firms in the country.
LORU LIGHTFOOT This entity that supposedly hacked these emails tried to get a ransom from Jones Day, which was not paid, and then from the city, which we obviously didn't pay. [END CLIP]
MICAH LOEWINGER That's Lori Lightfoot, the mayor of Chicago. The city government actually got mixed up in the Jones day hack because of something that happened back in 2019.
NEWS REPORT Anjannette Young, a social worker, had just finished her shift at the hospital when 12 Chicago police officers raided her home.
ANJANETTE YOUNG And it happened so fast I didn't have time to put on clothes.
NEWS REPORT She was completely naked, surrounded by all male officers. Young tells the raid team at least 43 times they are in the wrong place. [END CLIP]
MICAH LOEWINGER After the botched raid, Young began to press charges against the city, which is why Mayor Lightfoot asked the law firm Jones Day to review police policies. Basically figure out how to stop this from happening again in the future, which in turn exposed the city to the ransomware attack earlier this year.
NEWS REPORT City Hall emails, 60000 of them, provide a glimpse into how Mayor Lightfoot and her team operate. The hacked emails were posted online by Distributed Denial of Secrets. [END CLIP]
MICAH LOEWINGER Some of the emails revealed how the city was like quietly scraping together money for a new police drone program during this time that they were trying to earn back trust with the public. And the reason I use this Anjanette Young example is that it's actually kind of a rare and novel example of traditional news outlets like Reuters, CBS and Chicago Sun-Times, not just reporting on ransomware hacks, but actually digging into the content of what was leaked to the dark web, which, of course, is thanks to ddosecrets, because they're the ones who went out, got the leak, and then repackaged the emails in a way that was easier for journalists to sift through. And now they currently host about 30 data sets from other ransomware attacks.
LORAX HORNE WikiLeaks didn't have to consider the question as like, how is this different from other hacked data? If it's economic versus another mode of–
MICAH LOEWINGER political.
LORAX HORNE Yeah.
MICAH LOEWINGER Do you think they're fundamentally different?
LORAX HORNE Fundamentally, no. Data that comes from a ransomware hack. Sometimes its higher value data because it's been used to extort an action, and so it's been collected by someone who paid a lot of attention to this company and to what data they would most not like to lose.
KIM ZETTER Here's the thing, that leaked data is going to get used even if the media doesn't use it.
MICAH LOEWINGER Kim Zetter.
KIM ZETTER Corporation's competitors are going to use it, they are going to lap up that data. There are also foreign intelligence agencies that will be sifting through this information.
MICAH LOEWINGER It still feels like we're sort of playing into their hand, though.
KIM ZETTER Right. That gives the ransomware attackers leverage over the victim. You know, journalists using it, of course, is amplifying it in ways that it might not otherwise be amplified and also rewarding the attackers who steal it because they're getting the attention that they wanted for it.
BRANDY ZADROZNY So at the start of this piece, you said you had no idea how you felt about reporting on hacked data. Do you have any clarity now?
MICAH LOEWINGER If I'm being honest? Not really. I think what's clear to me now is that it's like a total minefield out there. You don't know who you can trust. You don't know what information you can trust. You kind of have to be watching your back, trying to verify as much as you can all the time. But I think one thing I have learned is and maybe this is like, widely applicable in journalism in general, is that you don't actually have to hide from the unknowns. You can embrace them.
KIM ZETTER ProPublica recently published a whole series on leaked tax returns that exposed that, you know, Jeff Bezos hadn't been paying taxes and all of these other really wealthy people had found loopholes to not pay taxes, and that's definitely newsworthy. They concluded that even if this was data that was intentionally stolen by a nation state or some other hacker with an agenda, even a political agenda, what came down to it was that this was newsworthy information. But I think that ProPublica did a really responsible thing, is saying we grappled with this question and this is what we concluded. I think you engender trust with your readers when you provide as much transparency as you can.
BRANDY ZADROZNY I actually have something for you that I thought might help you make a decision about maybe your future story.
MICAH LOEWINGER OK. All right. What do you got?
BRANDY ZADROZNY So I'm a librarian, as you know.
MICAH LOEWINGER Yes, I know.
BRANDY ZADROZNY So I was trying to find older examples of when we grappled with technology and privacy and issues like that. And I found this paper by Carl Hausman. He was writing for the Journal of Mass Media Ethics, and this was in 1994. Hausman is looking in 1994 at these, what he calls, computer sifted information. And also it's called re-massaged information. Basically, it's data collected for one reason, but used for another. And he specifically talks about this bill that was meant to restrict access to motor vehicle information. And this is during the time when all of that information was sold by the state. It was your home address, your height, your weight, medical restrictions on your license. And in a lot of states, actually, your Social Security number. That was all open season for journalists and the general public for 5 bucks in 1993.
MICAH LOEWINGER That's just insane. [LAUGHS]
BRANDY ZADROZNY I know! Who knew? Yeah. And this guy and a lot of other people said that it wasn't the public's right to know, and it wasn't journalists’ right to know. He testified before the House Subcommittee on Civil and Constitutional Rights actually in favor of that bill. And so it actually passed. And that is why we now do not have that data available. And it's why you had to get it from a hack.
MICAH LOEWINGER That's crazy. [SIGHS] I was fully about to end this story by saying that I'd come around to the fact that the data's out there, and as long as I'm able to verify by other means that this car belongs to the person I think it belongs to, then using the hacked data as a jumping off point isn't such a big deal. But now you have me kind of scratching my head and I've got to think about it.
BRANDY ZADROZNY Well, good luck to you. And thank you so much, Micah.
MICAH LOEWINGER Thank you.
BRANDY ZADROZNY OTM Reporter, Micah Lowinger. Coming up, a priest is outed, and Catholic media are in the spotlight. This is On the Media.
New York Public Radio transcripts are created on a rush deadline, often by contractors. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of New York Public Radio’s programming is the audio record.