In the public interest?

Contributors to Norm Coleman’s election recount effort might want to cancel their credit cards, according to the campaign.

An e-mail circulated on Wednesday said the Web site, WikiLeaks, which specializes in providing an outlet for people who want to post secret information, has obtained private information from the campaign such as the credit card numbers of donors.

“Let me be very clear: At this point, we don’t know if last evening’s email is a political dirty trick or what the objective is of the person who sent the email,” campaign official Cullen Sheehan wrote in an e-mail to donors. “What we do know, however, is that there is a strong likelihood that these individuals have found a way to breach private and confidential information.”

While the Coleman campaign e-mail notification might alert some of the donors, 1,500 of the nearly 5,000 people on the spreadsheet did not list an e-mail address.

Who’s behind WikiLeaks? Julian Assange, an Australian living in Africa who was interviewed last summer (by email) by the Sydney Morning Herald. “In every negotiation, in every planning meeting and in every workplace dispute a perception is slowly building that the public interest may have a number of silent advocates in the room,” Mr Assange said in an email interview. Wired.com published an extensive profile of him around the same time.

The question to ask, however, is whether there’s a compelling “public interest” in releasing the (partial) credit card information of donors to a political campaign and, if so, what is it? The Coleman campaign may have violated several state privacy laws, but the punishment will be delivered to the innocent.

One tenet of the Society of Professional Journalists’ Code of Ethics is to “minimize harm,” although it adds, “Only an overriding public need can justify intrusion into anyone’s privacy.” By providing links to the spreadsheet in question, have journalists overstepped their own code? Absolutely. Consider this item that’s in the code: “Abide by the same high standards to which they hold others.” One cannot criticize the Coleman campaign for not securing its data, while at the same time publishing — or at least providing a direct link to — that data.

Efforts to close the site down have failed, because of the nature of the Internet in the first place. The organization behind it registered its domain name in Nairobi, Kenya. Last month, a federal judge in San Francisco, citing 1st Amendment considerations, rescinded an order that disabled the Web site when it was registered through a California server. The original order stemmed from a Swiss bank’s lawsuit against Wikileaks, which had posted 14 leaked documents about transactions at the bank.

It’s also the site where a person who broke into then-VP candidate Sarah Palin’s e-mail account posted the messages he retrieved.

Ironically, it also posted a leaked document containing the e-mail addresses of its own contributors.

There’ll be plenty of questions about the Coleman campaign’s alleged mishandling of data, but the story may also present a troubling picture of the collateral damage journalists can inflict, too.

Update: MPR’s Mark Zdechlik will update the story during this evening’s All Things Considered.

Update 8:24 p.m. Twin Cities based computer consultant Adria Richards describes how she found the security breach.

This was really interesting. One key fact she dropped was “I didn’t download anything; I just noticed that something wasn’t right.” I have found this to be a trait of I.T. professionals; they’re not interested in spreading the information that they know should be locked down, they want the information locked down.

  • http://s4xton.com/ Aaron

    One of the reasons I rarely comment on News Cut is that you’ll frequently edit my comments without indicating an editor edited them, but worse, you’ll change your story based on my comments without crediting that you got the information from me.

  • Bob Collins

    Aaron. Thanks for your comment. The story is being written and rewritten several times. I was well aware of Gov. Pawlenty’s signing of the privacy bill.

    I also indicated I removed your link to the spreadsheet itself by the [removed] stamp I put in its place.

    I’ve added other links in the piece, provided additional material and changed the title once or twice.

    I think it’s unethical for anyone — especially journalists — to publish direct links to the spreadsheet in question.

    BTW, how ’bout shortening your URLs and using html?

    Update: The identical comment appears on several blogs around the Twin Cities today, with only the references to the location of the blog changed.

  • June B

    I’m tired of hearing about Coleman – as far as I’m concerned, he can pack his bags and head back to NY where he came from. He is not a Minnesotan and never will be!

  • http://john.hoffoss.com John T. Hoffoss

    How ethical is it for Coleman to have stored credit card data in a way that does not comply with Payment Card Industry Data Security Standards, to which they are contractually obligated? How ethical [and illegal] is it that Coleman’s campaign, upon being notified in January, did nothing?

    Believe what you will about the ethics of linking to the spreadsheet, but do note that the spreadsheet is the story. Seems odd to me not to include that, but it’s nothing Google can’t find.

  • Bob Collins

    John, I think it’s a mistake to interpret anything as a story being EITHER/OR. Yes, of course Coleman’s handling of the data (by the way, it’s not an ethical question there, it’s a legal question there). One doesn’t need to ignore one angle to acknowledge the other.

    But this blog is about looking at stories from several different angles, not just parroting what’s being said elsewhere (and here on the MPR site), and so the question of how journalists report the story is very, very much in play.

    So that’s why I ask what is “in the public interest” about releasing private data of people who did no wrong?

    I haven’t heard a compelling answer to that question, yet.

    And, for the record, telling the story AND protecting people’s privacy CAN be done. I’ve done it, and I made sure nobody got hurt in the process.

    So the only thing I can figure about why someone would intentionally inflict damage on people who did nothing wrong (it’s not illegal to contribute to Norm Coleman), is that they considered it acceptable collateral damage.

    But anyone who suggests that the story couldn’t be told any other way has probably never tried.

    Applying the 1st Amendment doesn’t require one to have ethics, but it still would be a nice thing if it did.

  • krj

    Bob,

    When you are asking if it is in the public’s interest to release this data, I think you have to take into account the outrage that will come from this. If a person was to say “I have all the credit card data from the Coleman’s fund raising, and it is available to anyone.” That person is going to open themselves up to a lawsuit. If that information gets posted for everyone to see, then it’s no longer about the person discovering the flaw in the system, rather it’s about the system that is insecure.

    Yes, this absolutely publishes information about innocent individuals, but the outrage needs to be directed at the administration of the poorly designed system. When anyone buys anything with their credit card, you are ‘trusting’ that the merchant. If that trust is betrayed, the merchant needs to pay the price. You can argue that the people that are paying are the individuals, but to be honest the criminals likely have already gathered the information.

  • Bob Collins

    Thanks, krj. Keep in mind I am in no way saying that the information about the data breach should not be released or should be covered up. I’m saying that journalists and journalist Web sites should not be harming innocent individuals in the process.

    But above all, I think it’s very, very important to get away from the notion that there’s only one place or one organization that can be criticized… that outrage can only be directed at one location.

    How these things are handled tells us a lot about the people involved. It tells us, for example, about the Coleman campaign’s ability to handle such data. But it also tells us that the people who are participating in making the data public — and let’s face it, they’re strong supporters of Al Franken — have calculated that it is justifiable.

    Others have to determine whether that is, in fact, the case.

    I think there should have been a lot more thought — a LOT more thought — among journalistic organizations before they helped spread the release of private data from people who did no wrong.

    Lately — thanks to the work of Tony Sertich and Margaret Anderson Kelliher — we’ve been debating who’s a journalist and who’s not and I think one way of answering that question is who agrees with the SPJ’s Code of Ethics and who doesn’t.

    I don’t have an argument that this is an important story. It certainly is.

    But I also don’t think that journalists need to use the “24” approach to the story and blowing up a jetliner just to prove to people that someone can.

    I don’t think this is our finest hour, but I say that in addition to pointing out that it’s not the Coleman campaign’s finest hour, either — not instead of saying that.

  • krj

    One of the things that constantly echoes in my mind about this case is that it so closely mimics the discussion about computer and network vulnerabilities. On one hand you have the Virus writers, and criminals, on the other you have the security experts. Between the two are the general population of users. It is still debated in the community if vulnerabilities should be released to the general public when they are found, or if they should be kept quiet and hopefully cleaned up.

    If I had used an online store, like amazon.com, and their records were compromised and my credit card numbers and cvv2 codes were possibly in hands of criminals, I think the publicity that would be generated in this case could help me. Even if this meant that to generate the publicity that meant those codes were released to the world.

    I may not be happy with the work that I would have to go through to cancel my card and I also realize that I would need to be more diligent about my records. But if I was able to reference something that was in the public mindset I think it may be easier to explain when working with the credit agencies and anyone else that I would need to.

    Now, I do agree with most of what you have said in your previous post. Taking things a bit slower and being cautious can be a good thing. As far as using this for political gain, I am very much against that, regardless of if it fits with my views or not.

  • Bob Collins

    But is the choice really keep quiet vs. say something in this case?

    It seems to me the choice is actually say something about it but protect the data vs. say something about this and show everyone all the data (or most of it) that everyone says they want to protect.

    To me, the incompetence of the Coleman IT team is not a question here; they obviously left the data wide open. Bad thing.

    But most of the players in this are also pretty hard core Franken supporters — and in one case a Franken volunteer. That’s not illegal, but it does raise a legitimate question — in my opinion — of whether the issue is a concern about the privacy of data or whether the issue is doing whatever it takes to prove the Coleman organization’s incompetence.

    What makes it a legitimate question? Any expressed concern for the sanctity of private data. As I said originally, one cannot make a public claim about concern for the security of data, and at the same time participate in spreading that data.

    I don’t think it takes a rocket scientist to figure out who leaked the data to WikiLeaks.

    From what I can tell, the most professional person in this whole mess was Adria Richards.

  • Brenda

    The people who made the data public are strong supporters of Franken? Who are they and why have you not named them? Are you saying wikileaks personnel are strong supporters of Franken? Perhaps the IT professionals who gave the info to wikileaks were … create any scenario, you are limited only by your imagination, yet you have given me no links or credible evidence to support your claim. Or it’s late and I missed you announcing who it was and their obvious support of Franken. Well good luck with that. Just sayin’

  • Bob Collins

    //The people who made the data public are strong supporters of Franken?

    I said most of the players in this…

    Watch Adria’s video. She provides the names of the people she alerted to the original problem and describes their role. They did a good job.

    Again, there’s nothing wrong with being a Franken supporter. There’s nothing wrong (at all) with being concerned about the right to privacy that people who give credit card numbers should expect. There’s nothing wrong with finding out a campaign left sensitive data wide open. There’s nothing wrong with publicizing the fact they did. There’s nothing wrong with criticizing the fact they did.

    The person who broke the original story claiming Coleman’s campaign faked reports of a Web site “crash” did an outstanding job and obviously is way smarter at detecting these sorts of things than anybody else in the room.

    But in all of the rhetoric that was flying around today, it’s important to remember that it was being exchanged between two very partisan groups, so that you can fairly evaluate the context of each. I think it’s right to question the competence or honesty of the Coleman campaign on this issue. I think it’s equally right to question the actions of the people who released the data to the public, even if only by calling more attention to where exactly it could be found. One does not preclude the other, especially when both are claiming the moral high ground.

    I do think it explains why some people thought the best way to alert people to the danger that private information could be seen by eyes that shouldn’t see it, is to show it to them.

    And that is also explained in the “manifesto” to wikileaks that accompanied the release. It made quite clear that the primary reasons for the release are an anti-Coleman belief. The wording of the manifesto (I’m not going to link to it because that also links to the data) also sounds remarkably like a comment that was cut-and-pasted in the comments section of several area blogs today.

    I still haven’t seen a reasonable explanation why it’s logical that any — even partial — amounts of private data that they acknowledge is “sensitive” should be further disseminated. You either ARE an advocate for the privacy rights of people or you AREN’T.

    And as I wrote in the original post, I think the same organizations who are trying — and I think correctly so — to gain access to the House of Representatives by asserting their role as journalists, should be called on to explain why they violated the SPJ’s Code of Ethics in supplying quick pathways to the “sensitive data”?

  • Ryan Melena

    As I understand it, WikiLeaks only posted last 4 digits of the credit card numbers (the same thing you’d see on a receipt at a gas station). I can see why they would want to do this to confirm the data isn’t fake. I guess I don’t see the harm in what WikiLeaks did. Can you explain why you think it is so wrong?

  • Ryan Melena

    “I said most of the players in this…

    Watch Adria’s video. She provides the names of the people she alerted to the original problem and describes their role. They did a good job.”

    First, I don’t think you really understand the nature of the security issue. This wasn’t some super clever thing that Adria did and then explained to the world. This is something a thousand individuals could have (and maybe did) discover independently. In fact, I would argue that there is a very good chance that someone much more nefarious probably found this data before Adria and didn’t tell anyone about it.

    In addition, what Adria did was far more damaging than what Wikileaks did. She basically pointed to the exposed database file and said, “Hey everyone, look at what I found”. This gave people the opportunity to download the unfiltered database file with full CC#s.

    Your claim that “The people who made the data public are strong supporters of Franken” is totally wrong. The people that made the data public are the people from the Coleman campaign who made it internet accessible without any protection.

    The fact is that Wikileaks posting the data in the form they did was at worst harmless (because the CC#s weren’t complete) and I would argue it was helpful. It proved the leak was real in the face of denials from the Coleman campaign and informed the innocent victims that their data had been exposed. Wikileaks posting didn’t expose usable CC#s to anyone (like Adria’s blog post did) and actually proved to people that their CC#s had been compromised.

  • Bob Collins

    //First, I don’t think you really understand the nature of the security issue.

    I think if you reread what I wrote above, I said that the Coleman campaign apparently left the data wide open.

    //The people who made the data public are strong supporters of Franken” is totally wrong. The people that made the data public are the people from the Coleman campaign who made it internet accessible without any protection.

    I have made quite clear in my writing about Coleman’s handling of the data. My mention of supporters of Franken has to do with the people who made it an issue, and the people who helped point people to the data on Wednesday.

    See, what both sides are trying to do here is set up a smokescreen to claim that there is only a single issue involved and that the responsibility for it rests with their opposition. As I’ve written there are several issues here.

    The release of a little bit of “sensitive information” is still the release of sensitive information.

    The motivation for doing so — as the manifesto notes — is first about getting back at Coleman and only later in the document is there real concern expressed about the sensitivity of the available information. If the only issue — or even the main issue was the sanctity of privacy, I would think that would be #1 on the list, not number 3 or 4.

    As I’ve written numerous times, pointing out that fact does not provide a “pass” to the Coleman campaign for their apparent transgressions.

    //As I understand it, WikiLeaks only posted last 4 digits of the credit card numbers (the same thing you’d see on a receipt at a gas station).

    You won’t see the three-letter security code on that receipt, however. Data that is mined in pieces can — and is — pieced together by those who wish to steal identities to get usable data. You won’t see someone’s home address (although this would be on campaign reports in the future), you won’t see their phone number.

    Is this data a big deal? Probably. I notice the person who sent a letter to the attorney general complaining about the handling of the information, redacted the same information from copies he distributed to the media.

    What the Franken supporters are doing in the fallout of this is the same that the Coleman supporters are doing, trying to shift the spotlight to the actions of the other. I heard the same stuff from the Republicans when I broke the story about their data mining CD back in the ’06 campaign. But why not just shine it on both?

    //and actually proved to people that their CC#s had been compromised.

    Maybe, but this gets back to the hypocrisy of the argument that there is a courtesy of some sort being extended to those whose private information was disseminated.

  • Paul

    This is another established media vs. emerging media debate. Mr. Collins, you can complain about the way Wikileaks handled the story, but the point is… they got the story. You had your chance to cover the story the way you think the story should have been covered, where’s your story? We can complain about the way this story came to light but the fact is it didn’t come to light in a big way until Wikileaks did its thing. I suspect that had Wiki not published, this would never have gotten the attention it deserved and thousands of people’s CC info would still be available for download for months to come, in addition to new donors.

    As far as whether or not Wikileaks harmed anyone, I see you implying that but I don’t see you making a case for it. This info has been up and accessible for months. The fact that it’s been up for months, and reported, means the Coleman team has been aware of this situation AND DID NOTHING TO SECURE THE DATA OR NOTIFY THE AFFECTED PEOPLE. In other words, they tried it your way, it didn’t work. One can make the case that the only way to get Coleman to do the right thing here was to expose this, and had it not been exposed the way it was, the establishment media wasn’t going to cover the story, which means it wouldn’t be exposed. Wikileaks put a stop to something that was going on for months, did they do more harm than good? Did they do any harm at all? The folks I saw on TV that used the wikileaks site to see if they’d been exposed weren’t complaining about Wiki, they were using it to protect themselves.

    At the heart of the matter here is a growing fundamental lack of trust in the established media. The concern is that even if you are aware of these stories you won’t report them. Indeed, until Wiki leaked this and Coleman was forced to make a statement this story did not appear on the radar in any major way. People turn to the emerging media because they don’t trust the established media to get or report the story.

    And then there’s this:

    “Lately — thanks to the work of Tony Sertich and Margaret Anderson Kelliher — we’ve been debating who’s a journalist and who’s not…”

    Let me get this straight, these guys start tossing journalists out for no good reason and you THANK them for engaging a dialogue?

  • Ryan Melena

    The first thing I should make clear is that I believe “Franken supporters” is being conflated with those people playing a part in publicizing the data leak. I don’t see that the problem here needs to be viewed politically at all… I’d be making all the same arguments if the leaked data had come from the Dept. of Health.

    As such, I’ll replace “Franken supporters” and the like with “leak exposers” in my replies. If you believe them to be one and the same that is fine.

    // I have made quite clear in my writing about Coleman’s handling of the data. My mention of supporters of Franken has to do with the people who made it an issue, and the people who helped point people to the data on Wednesday.

    Do you believe the leak exposers shouldn’t have made an issue of it? I would be interested to know how you would have handled the situations (both discovering the data initially and having it sent to you).

    As a discoverer of the security flaw would you have let the campaign know about the issue trusting they would alert the possible victims? Would you have downloaded a copy of the db to hold on to just in case they fixed the flaw and tried to sweep it under the rug?

    In Wikileaks’ situation would you have simply announced that you have the file? Would you have released the document if the campaign denied its existence or if they refused to alert the victims? Would you have redacted more information?

    // You won’t see the three-letter security code on that receipt, however. Data that is mined in pieces can — and is — pieced together by those who wish to steal identities to get usable data. You won’t see someone’s home address (although this would be on campaign reports in the future), you won’t see their phone number.

    I guess I don’t see the harm in this data to be honest. The CC#s had already been compromised, the cards would have needed to be canceled even if Wikileaks hadn’t posted the Last 4 + CCV. The data was available to the public and as such it has to be assumed to be in the wrong hands. As for the other data, it strikes me as more or less the same data I could get from a phone book (or as you mentioned future campaign reports).

    // What the Franken supporters are doing in the fallout of this is the same that the Coleman supporters are doing, trying to shift the spotlight to the actions of the other.

    I don’t agree with this characterization. In my mind you can shine the spotlight on leak exposers all you like because I don’t believe they’ve done anything wrong in this. In my opinion, any trouble caused by the relatively benign data released by Wikileaks is overshadowed by the good it has done in confirming the leak, exposing negligent behavior, and alerting potential victims of CC fraud. It is an inherently difficult situation to be in possession of data/knowledge that one group would probably like to keep quiet and that another group would almost certainly like to know about.

    Now, if you point me to a leak exposer (Franken supporter or otherwise) who posted the unfiltered data I will gladly decry their actions right along with those of the Coleman campaign.

    // Maybe, but this gets back to the hypocrisy of the argument that there is a courtesy of some sort being extended to those whose private information was disseminated.

    I guess I don’t agree that Wikileaks posting was hypocritical. If they had posted the full credit card numbers I would fully agree with you. Perhaps they could have redacted more information before publishing but I think that is a bit of a subjective judgment call. I would assume there is some level of redaction at which you would not have been opposed to the posting of the document.

  • Bob Collins

    //This is another established media vs. emerging media debate. Mr. Collins, you can complain about the way Wikileaks handled the story, but the point is… they got the story. You had your chance to cover the story the way you think the story should have been covered, where’s your story?

    Let’s review this paragraph one more time:

    Again, there’s nothing wrong with being a Franken supporter. There’s nothing wrong (at all) with being concerned about the right to privacy that people who give credit card numbers should expect. There’s nothing wrong with finding out a campaign left sensitive data wide open. There’s nothing wrong with publicizing the fact they did. There’s nothing wrong with criticizing the fact they did.

    //This info has been up and accessible for months.

    And yet, virtually every Web site that participated in pushing the story yesterday (the legitimacy of which has never been questioned here), reports a huge traffic spike yesterday.

    //In other words, they tried it your way, it didn’t work. One can make the case that only way to get Coleman to do right thing here was to expose this, and had it not been exposed the way it was, the establishment media wasn’t going to cover the story, which means it wouldn’t be exposed.

    So what you’re saying here is “by any means necessary” to get the media to cover the story that people’s private information was in peril. And the way to do that was to further disseminate the actual information about which you are concerned?

    I also note that the person who sent a letter to AG Swanson yesterday, filing a complaint over this, is also the person who helped uncover the breach last January. So why wait until March 11 to send the letter?

    //At the heart of the matter here is a growing fundamental lack of trust in the established media.

    I think that’s probably true mostly among people who are engaged in non-mainstream media. So you’re saying that the best way to establish that trust is to assist in disseminating shreds of people’s private information?

    So you’re saying that the reasons for the actual leak of the data now wasn’t what the manifesto said it was? But that the reason for it was to get the media to report about it? Why not say that in the manifesto if that’s the case?

  • Bob Collins

    // I don’t see that the problem here needs to be viewed politically at all.

    Well, let’s go to the #1 item on the manifesto that accompanied the posting of the data on wikileaks:

    The Coleman campaign’s effort to impugn the election processes in the State of Minnesota have gone beyond mere political rigor into partisan malfeasance of the sort that has plagued this country for the past eight years, to the benefit of nobody and the great detriment of the citizens of this State;

    How can anyone reach a conclusion that the motives were not based in politics when the person who leaked it said it was?

    //As a discoverer of the security flaw would you have let the campaign know about the issue trusting they would alert the possible victims? Would you have downloaded a copy of the db to hold on to just in case they fixed the flaw and tried to sweep it under the rug?

    I wrote about this earlier because I have already written stories about security flaws and how I handled them. I didn’t have any problem — as a blogger — getting attention for my findings without revealing the actual data. I also didn’t provide any means for anybody else to find the data. The first thing we did was make contact with the people in charge of the server to make sure they knew about the problem and locked the data down. It wasn’t to post it on Twitter.

    //I don’t agree with this characterization. In my mind you can shine the spotlight on leak exposers all you like because I don’t believe they’ve done anything wrong in this.

    So why use WikiLeaks at all, then? And why not sign your name to the manifesto. If there’s no problem with you having the data, what’s the big deal?

    As for the suggestion that the data leak isn’t that bad because only a little bit of the information is exposed, the violation of the law for which the leakers are criticizing Coleman, specifically mentions the illegal retention of the card’s security code. So how can one contend that the leaked security codes aren’t that big of a deal? The law that the leakers cite would seem to suggest otherwise.

  • Paul

    “I think that’s probably true mostly among people who are engaged in non-mainstream media.”

    Yes, and we all know that number is increasing.

    “So you’re saying that the best way to establish that trust is to assist in disseminating shreds of people’s private information?”

    No, I’m saying uncover the stories and report them instead of complaining about how others are doing it. Clearly places like Wikileaks don’t operate within your status quo, maybe you should look at your status quo.

  • Ryan Melena

    // Well, let’s go to the #1 item on the manifesto that accompanied the posting of the data on wikileaks:

    How can anyone reach a conclusion that the motives were not based in politics when the person who leaked it said it was?

    First, I didn’t claim political motives were not involved. Only that the issue being discussed (namely whether it was right to expose the leak and/or release the document) could be argued without the politics cluttering it up.

    Second, the quote you provided from the manifesto doesn’t prove the kind of Left vs. Right (Coleman supporters vs. Franken supports) context you’ve been injecting. It could just as easily and (given the stated goal of Wikileaks) probably more correctly be explained as Honest Government vs. Dishonest Government.

    // I wrote about this earlier because I have already written stories about security flaws and how I handled. I didn’t have any problem — as a blogger — getting attention for my findings without revealing the actual data. I also didn’t provide any means for anybody else to find the data. The first thing we did was make contact with the people in charge of the server to make sure they knew about the problem and locked the data down. It wasn’t to post it on Twitter

    I would be interested to read more about how you’ve handled security flaws that you’ve discovered in the past. Could you provide a link?

    I’d also be curious as to how closely the flaws you have found resembled this situation. Specifically, did any of them have the potential to do lasting damage to 3rd parties after the flaw was fixed (as this obviously did)? Did any of the flaws you found expose possible illegal activity on the part of the owner? Did the owner of any of the flaws have a history (real or perceived) of lying about, attacking, or suing people who point out their errors?

    It seems to me those circumstances would have a great impact on how one would handle the discovery of a security flaw.

    // So why use WikiLeaks at all, then? And why not sign your name to the manifesto. If there’s no problem with you having the data, what’s the big deal?

    This is an absolutely frightening (and I’m hoping fallacious) argument coming from a journalist! Why would anyone ever talk to the press under the condition of anonymity? Why would a journalist ever conceal or protect a source? Why don’t we allow warrantless wiretapping, if you’re not doing anything wrong you have nothing to fear… right?

  • Bob Collins

    //No, I’m saying uncover the stories and report them instead of complaining about how others are doing it. Clearly places like Wikileaks don’t operate within your status quo, maybe you should look at your status quo.

    I did report a story. The story was journalists violate two of the Society of Professional Journalists Code of Ethics.

    Your beef seems to me that I didn’t report the story you wanted in exactly the way you wanted it told.

  • Bob Collins

    //Only that the issue being discussed (namely whether it was right to expose the leak and/or release the document) could be argued without the politics cluttering it up.

    Completely agree.

    //I would be interested to read more about how you’ve handled security flaws that you’ve discovered in the past. Could you provide a link?

    Search “Polinaut GOP marriage CD”. BTW, you’ll recognize some of the rhetoric in the Republican reaction. And some of the fairly lame excuses (“it was a test” “it wasn’t done yet” etc.)

    //Specifically, did any of them have the potential to do lasting damage to 3rd parties after the flaw was fixed (as this obviously did)? Did any of the flaws you found expose possible illegal activity on the part of the owner? Did the owner of any of the flaws have a history (real or perceived) of lying about, attacking, or suing people who point out their errors?

    The only issue I was concerned with was the data itself. There is no scenario that you can describe in which I would have felt justified exposing people’s private data. For maximum effect, I could’ve waited a week until actual data was coming into the open database, but I didn’t.

    //It seems to me those circumstances would have a great impact on how one would handle the discovery of a security flaw.

    I can’t imagine any ethical exemption that could be applied into exposing people’s data in the name of protecting it. I just can’t get my head around that concept.

    It just sounds too much like an episode of “24” to me like when the bad guys blew up an airliner in order to prove to President Taylor that they could, so that she could take steps to prevent more from being blown up.

    //This is an absolutely frightening (and I’m hoping fallacious) argument coming from a journalist! Why would anyone ever talk to the press under the condition of anonymity? Why would a journalist ever conceal or protect a source? Why don’t we allow warrantless wiretapping, if you’re not doing anything wrong you have nothing to fear… right?

    So are you arguing that Wikileaks is a journalist site? The difference here is that someone who provides anonymous information to a journalist, gets quizzed by the journalist who — if he/she is doing his/her job to unearth all potential motives for the leak.

    That isn’t the case here unless you’re arguing that Wikileaks is journalism, in which case I would — again — subject it to review by the SPJ Code of Ethics.

  • Paul

    I said:

    //No, I’m saying uncover the stories and report them instead of complaining about how others are doing it.

    That was a stupid and ill-considered thing to say, I apologize. Obviously everyone has the right to critique public conduct, and valid and useful critiques can come from any quarter. My brain just took a wrong turn and my fingers followed.

  • Bob Collins

    Not a prob. I’m not taking it personally. We can still mix it up. It’s a good discussion; you’re making good points — as you usually do — even though I may not agree with them.

  • Ryan Melena

    \\ I can’t imagine any ethical exemption that could be applied into exposing people’s data in the name of protecting it. I just can’t get my head around that concept.

    Really? There is no level of redaction which, while exposing some personal data, wouldn’t have justified the upside to you? What if it was just First Name, Last Initial, CC# Last 4?

    \\ So are you arguing that Wikileaks is a journalist site? The difference here is that someone who provides anonymous information to a journalist, gets quizzed by the journalist who — if he/she is doing his/her job to unearth all potential motives for the leak.

    No, I’m not arguing that Wikileaks is a journalist site but I do believe it can serve a useful journalistic purpose. Either way, you disregarded my last example (warrantless wiretapping) which I added specifically to clarify my point. There are MANY reasons why someone might want to be anonymous even if they’re not doing anything wrong.

  • Bob Collins

    //Really? There is no level of redaction which, while exposing some personal data, wouldn’t have justified the upside to you? What if it was just First Name, Last Initial, CC# Last 4?

    We’re back at the beginning of the discussion. There didn’t need to be an accompanying release of data to have a story about the availability of the data. Now, it was argued earlier that the data had to be released because mainstream media wasn’t paying enough attention.

    But it was only late yesterday afternoon that one of the people involved in finding and disseminating the original information sent a letter to the attorney general citing the violation of state law on the part of Coleman.

    Theoretically, that letter could’ve been sent at any time after it was discovered in January, but it wasn’t; it was released after a portion of the data the writer already had access to, was made more available to the general public.

    In answer to your question, “no,” I could not ethically provide access to private data for the same reasons as if twice as much data had been included. And I’ll again cite the SPJ Code of Ethics which is pretty clear on holding yourself to the same standards you are holding other people to.

    //specifically to clarify my point. There are MANY reasons why someone might want to be anonymous even if they’re not doing anything wrong.

    Point taken. I agree with that.

  • Bob Collins

    //Not everyone online is quite so honest as Adria Richards. The reality is that you have to assume that if Adria stumbled onto the data that others likely did too.

    Perhaps. But in watching her video explaining how she did it, and saying a third grader could’ve done it, I notice she said it took her about two minutes once she realized something was wrong, to actually get to the data.

    This is — if I’ve followed this correctly — a VERY smart, well educated, professional technology computer security specialist who does this for a living.

    Two minutes for someone like that doesn’t seem like accidentally stumbling on the data to me.