Many, many reasons to put some thought into the ethics of email hacks and leaks currently.
Firstly, is the current political trajectory of Wikileaks – in the past seen as somewhat anarchic and/or libertarian and now being cast as a tool of authoritarian strongman Vladimir Putin. In either case, it is worth asking is there a way of looking at the ethics of what Wikileaks has done beyond comparing the rightness/wrongness of the people who have either benefit or suffered as a consequence?
Secondly, Chelsea Manning remains imprisoned where she has been treated in a way that has been described as “cruel, inhuman and degrading“. Aside from the specific cruelties she has been subject too, should she anyway be pardoned by Obama before he leaves office?
Thirdly is the issue of the ethical culpability of the press or others (such as a rival political campaign) in exploiting revelations from an illegal leak or hack. Currently, the question of press coverage of the leaked DNC emails in the recent election and what electoral benefits the Trump campaign may have gained from those leaks.
There are some easy answers of course:
- The Russian government shouldn’t be trying to manipulate US elections.
- Whatever the rights or wrongs of Chelsea Manning’s acts, she should not be subject to cruel punishments.
- Trump is deeply unethical on multiple levels regardless of whether he benefited from the DNC hacks.
But can we do better than these clearer issues?
Firstly there is an ethical distinction between leaks and hacks. Practically there are blurred lines between the two (e.g. an insider leaking a password to a third party who gains illegal access to a server) but we can still make a distinction between:
- Somebody inside an organisation revealing confidential information to somebody outside an organisation.
- Somebody outside an organisation breaking in (either physically or electronically) and stealing information.
The distinction is related to (but not identical to) the degree of discrimination in the information sought and released.
- Somebody obtaining and disseminating specific information about an organisation, with some awareness of the information they are revealing.
- Somebody obtaining and disseminating bulk information about an organisation, with little knowledge of what that information contains.
There is a sliding scale between the two.
Yet another pair of factors, and again on a scale, there is a question of personal risk.
- The actor responsible for the leak or hack is acting at significant personal risk, either to their career or facing legal sanction or violence.
- The actor responsible for the leak or hack is facing very limited risk and/or may gain financially or professionally from their actions.
Lastly, I’d make one more paired distinction.
- The leak or hack is of a government body or agency.
- The leak or hack is of a non-government body or agency, or of an individual.
In all cases, I’d contend that the default is an assumption of privacy. That is either a leak or a hack of data is, by default, morally wrong without some sort of mitigating factor. Put another way, non-consensual transparency purely for the sake of transparency is not sufficient justification for dissemination either leaked or hacked information BUT there may be times and occasions when other factors can justify both leaks and hacks (and indeed we know that such times and occasions do exist).
Roughly speaking, this is how I am seeing things:
- Leaks are easier to justify ethically than hacks.
- Targetted release of ‘stolen’ data is easier to justify ethically than dumps of data.
- Acts done in the face of personal risk are easier to justify ethically than acts done with low risk or for personal gain.
- The release of government data is easier to justify than the release of non-government data, which is easier to justify than the release of an individual’s data.
Beyond that questions of legitimate public interest and consequence matter.
Scenario 1: Donald Trump is President and a member of Whitehouse staff leaks a very specific email regarding the purchase of ‘adult diapers’. The leaked email is widely disseminated and there is much speculation that the President has some degree of incontinence.
I’d see Scenario 1 as unethical. Although it essentially government data (and hence publically owned data) and although it is targetted and a leak (forgive the pun) and the staff member runs the risk of being sacked (and maybe prosecuted) – it fails ethically because the public interest test is weak (yeah, there is an argument that the state of the President’s health is public business but this is a stretch) and the consequence is the bowel/bladder movements become fair game for judging the worthiness of politicians. Odds are that many effective US presidents have had less than functional bodies with regarded to toilet functions.
Scenario 2: An activist believes (because of persistent but inconclusive evidence) that a private company is knowingly involved in testing pharmaceuticals in third-world countries to avoid protocols on human experimentation. The activist manages to download encrypted backups of emails. Believing that there might be ‘smoking gun’ evidence in the emails that executives knew about the testing, but lacking the resources to decrypt and then examine all the emails, the activist releases all the data in an attempt to ‘crowd source’ an examination of the data.
I’d still lean to this being somewhat unethical action by the activist, but it would really rest on how reasonable their belief was that the company was knowingly engaged in unethical human experimentation.
Scenario 3: A lower level manager believes that the private company they work for is knowingly involved in testing pharmaceuticals in third-world countries to avoid protocols on human experimentation. The manager knows that there are emails that can prove this but doubts that people will believe a single email that anybody could have faked. Instead, they pass on to an activist group a download of encrypted backups of emails. The surrounding emails and the encryption scheme help verify that the emails are really from the company concerned.
I think this is more clearly ethical. The person is acting in the face of clear wrongdoing.