The Yale Law Journal

VOLUME
127
2017-2018
Forum

Foreign Cyber Attacks and the American Press: Why the Media Must Stop Reprinting Hacked Material

03 Oct 2017

abstract. While much ink has been shed dissecting Russia’s attempt to interfere in the 2016 presidential election, few have focused on the role played by the American media in facilitating Russia’s cyber attacks. Reporters investigated thousands of hacked emails, packaged the stolen information into narratives that American voters understood, and disseminated the final product to the public. If the press had refrained from serving as a conduit between foreign hackers and the electorate, it is possible that the social harms of Moscow’s hacks could have been curtailed. Going forward, there are two ways to incentivize the media to stop assisting hostile foreign powers that steal and reveal confidential information. Under existing First Amendment precedent, because the government possess no feasible way of directly deterring state-sponsored hackers, Congress might be able to place liability on the downstream publishers of hacked material. Though liability may effectively ameliorate the harms of hacking, this law-based approach carries troubling normative implications for press freedoms. Instead of a new liability regime, this Essay argues that journalists should voluntarily adopt a professional norm against publishing the contents of a hack. This norm should only extend to hacked material and should not prevent the media from using leaks as sources—a common journalistic practice that has come under fire in recent months. While there are practical challenges to convincing journalists to adopt new ethical guidelines, state-sponsored hacks implicate core national security concerns, and members of the media may well be receptive to a call to their civic republican responsibilities at this particular moment in American history.

Over the past year, American politics has been defined by a near-constant stream of private information finding its way into the limelight. The highlights of this phenomenon are well known. Though they might not have changed the outcome of the 2016 election, Russian hackers released troves of stolen emails in an effort to harm Hillary Clinton’s campaign.1 A few months after the inauguration, Donald Trump’s presidency had become so beset by leaks that his short-lived communications director, Anthony Scaramucci, vowed to “fire” anyone who leaked information that embarrassed the President.2

While much discussion has surrounded the content of a particular hack or leak, focus has also shifted to another actor, the media, which serves as a key intermediary between those who disclose information and the American public. The Trump Administration has signaled that it will explore enacting new laws to force “newspapers and news agencies . . . to be more responsible,”3 and the Department of Justice briefly refused to rule out prosecuting reporters who publish classified material.4

This Essay addresses questions raised by leakers, hackers, and the Trump Administration’s adversarial relationship with the press. Does the First Amendment permit the government to impose liability on reporters who publish stolen-but-newsworthy information? Does the answer potentially change depending on whether the source of the information is a leak or a hack, particularly a state-sponsored hack? Within the boundaries of what the government may do, how should the government and civil society reduce the harms from hacks or leaks?

This Essay argues that a fundamental distinction exists between a leak of information and a hack.5 For the purposes of this Essay, a leak occurs when an insider (or insiders) steals legally protected information from within a government or an organization. In contrast, in a hack, an external actor (or actors) infiltrates the government or organization from the outside. American law enforcement can prosecute or otherwise discourage domestic leakers to prevent them from leaking, though historically the government has not pursued those who disclose classified material.6 That pattern of non-enforcement, however, is not guaranteed. The Obama Administration saw an increase in the number of leak prosecutions,7 and the Trump Administration appears poised to fundamentally alter the general trend against prosecuting leakers.8 In contrast, the government cannot as effectively deter hackers, particularly when they are state-sponsored (as in the 2016 election).9

By drawing this distinction between leakers and hackers, this Essay shows why First Amendment law regarding leaks could differ from the law surrounding hacks. Under the Supreme Court’s existing precedent, if the government can directly prosecute the individual who unlawfully acquires information, the government cannot impose liability on third-party journalists who then print the unlawfully acquired material. The United States, however, faces great difficulty in apprehending foreign, state-sponsored hackers. As a result, the Constitution might permit the legislature to levy some liability on those who publish hacked information—and a few commentators have advocated just that approach.10

But any potential regulation of the press carries troubling consequences, from normalizing censorship to potentially injecting unelected judges into contentious political issues. This Essay advances a different solution to the burgeoning phenomenon of foreign powers hacking elections: American journalists should create and self-police a new professional norm against reporting the contents of hacked information. While this norm would prevent journalists from distributing the results of a cyber attack, especially ones orchestrated by foreign powers, journalists may continue to provide a platform for leaks.

This norm-based solution to the state-sponsored hacking crisis—as opposed to the law-based approach—is achievable, though not without difficulty. The American press abides by a wide variety of professional norms that restrict what journalists print. For example, while the press has a constitutional right to publish the names of rape victims, the vast majority of journalists do not.11 Similarly, during ISIS’s rise, almost all major traditional and social media companies chose not to show full length ISIS videos to avoid aiding the terrorist organization.12 When it comes to sensitive matters of national security, journalists frequently weigh whether publication would endanger lives or further the public interest.13 Having recently realized that their reporting on hacked emails played a major part in the 2016 election, American journalists may be willing to embrace a new professional norm against the dissemination of hacked material.14

The Essay proceeds in three Parts. Part I briefly explores the relevant First Amendment case law governing the publication of unlawfully acquired information. Part II shows why, compared to domestic leaking, foreign state-sponsored hacking is a particularly vexing problem that could be partially abated if the American press did not report on hacked information. As a result, the First Amendment might permit the legislature to place liability on the press when it publishes the contents of a cyber attack. Part III argues that, rather than the government imposing a blackout on the media by law, a better solution is for the media to voluntarily adopt a self-governing norm against the publication of hacked information.15

I. is there a first amendment right to publish unlawfully acquired information?

The Supreme Court has been far from clear regarding whether the state may hold the press legally responsible for publishing newsworthy-but-unlawfully acquired information, such as a leak of classified material or the contents of a hack. The most recent pronouncement on the topic was Bartnicki v. Vopper, which very narrowly held that the First Amendment protected the right of a radio station to broadcast an illegally intercepted phone call.16 However, Bartnicki left key questions unanswered, and provides, at best, a lens through which to analyze the problem.

Over the latter half of the twentieth century, the Supreme Court developed an increasingly press-friendly jurisprudence. In the milestone 1971 “Pentagon Papers” case, the Court ruled that the state could not impose a prior restraint on speech and prevent the New York Times from publishing classified material regarding the Vietnam War.17 Consisting of a per curiam opinion, six concurrences, and three dissents, the exact doctrinal contours of the decision were less than precise. Today, the Pentagon Papers case stands for, in the words of the Court’s per curiam opinion, a “heavy presumption” that the government may not proactively prevent journalists from publishing.18

To be sure, this presumption against prior restraint is not absolute. The Supreme Court left the door open for the government to prevent publication of materials harming national security if publication would, in Justice Stewart’s formulation, “result in direct, immediate, and irreparable damage to [the] Nation or its people.”19However, from a practical standpoint, this threshold is extraordinarily difficult to meet. For a regulation of the press to pass constitutional muster, that law must instead impose civil or criminal liability only after the actual act of publication occurs.20

In the following years, the Court gradually narrowed the types of situations in which the government might impose post hoc liability on a publisher. In Cox Broadcasting v. Cohn, the Court ruled that a television station could not be held civilly liable under a Georgia law that prohibited reporting the names of rape victims.21 Cox’s holding was narrow, resting on the fact that the name of the rape victim in that particular case was already a matter of public record in court papers.22This limited holding left for another day the broader question of whether any “truthful publications may ever be subjected to civil or criminal liability.”23

Smith v. Daily Mail Publishing Co. expanded the scope of the press’s freedom to print almost all newsworthy, legally obtained information.24 When a fourteen-year-old shot and killed a fellow student, two newspapers published the alleged shooter’s name, which journalists identified by speaking to witnesses, police, and a prosecutor at the scene of the crime.25 West Virginia indicted the newspapers under a statute that prohibited the publication of the names of children involved in judicial proceedings.26 The Supreme Court found West Virginia’s statute unconstitutional on the grounds that “state officials may not constitutionally punish publication” of “lawfully obtain[ed] truthful information” “absent a need to further a state interest of the highest order.”27

From the perspective of the contemporary hacking and leaking crises, Bartnicki v. Vopper represents the most relevant precedent.28 In Cox Broadcasting, Daily Mail, and other like-cases,29 the press had obtained information from lawful sources, such as court documents, police reports, or eyewitnesses to a crime. Bartnicki narrowly extended the First Amendment to protect at least some—but not necessarily all—unlawfully acquired information that journalists legally obtain from third parties.30

At the center of Bartnicki was a heated labor dispute between a local school board and teachers in Plymouth, Pennsylvania. The union’s negotiator, Gloria Bartnicki, called Anthony Kane, the president of the teachers’ union, on a car cell phone.31 Using a commercially available radio scanner,32 a third party intercepted and recorded the conversation, during which Kane told Bartnicki that, if the school board did not agree to the union’s demands, the union would have to “blow off their front porches.”33 The interceptor anonymously mailed the recording to the head of the local taxpayers’ organization, Jack Yocum, who provided the tape to Fred Vopper, a radio commentator. Vopper then broadcasted Kane and Bartnicki’s private conversation on the air.34 The union officials sued Yocum, Vopper, and other journalists who published the conversation, seeking statutory damages under federal and Pennsylvania laws criminalizing the publication of electronic communications when a publisher knew or should have known that a recording was obtained illegally.35

In a narrow holding in 2001, six Justices ruled that the wiretap statutes were unconstitutional as applied to the facts of that case.36 For the purposes of its opinion, the Court assumed that the media “played no part in the illegal interception,” the media “obtained” the recording “lawfully,” and the recordings were a matter of public concern.37 However, the majority explicitly declined to make categorical assertions about whether the First Amendment always protects the publication of truthful information regardless of provenance. Instead, the Bartnicki Court noted that “the sensitivity and significance of the interests presented in clashes between the First Amendment and privacy rights counsel relying on limited principles that sweep no more broadly than the appropriate context of the instant case.”38 This self-consciously limited holding means that Bartnicki is a useful prism through which to understand the current hacking crisis, but Bartnicki does not settle the question of whether media organizations can be prosecuted for publishing hacked information.39

The Bartnicki Court dismissed two potential government interests advanced by criminalizing the broadcasting of illegally recorded phone calls. First, and most important for our purposes, the majority rejected the so-called “dry up the market” theory.40 In a “dry up the market” situation, the government deters illegal conduct not only by policing the wrongdoer, who might be challenging to catch, but also by prosecuting downstream beneficiaries of the illegal act to “prevent[] the wrongdoer from enjoying the fruits of the crime.”41

In Bartnicki, the government claimed that, because phone interceptors were difficult to apprehend, the government could only deter criminals by preventing interceptors from publicizing illegal recordings in the press.42 However, the Bartnicki Court found this logic unpersuasive. According to the Court, the identity of cell phone interceptors was almost always known in prior litigation. The government could simply prosecute the interceptors—and not the press—to deter interceptions.43

Second, the Bartnicki majority rejected the argument that criminalizing the broadcasting of phone calls protects private speech from intrusion.44 The majority reasoned that, because the union negotiations were “a matter of public concern,” the media deserved robust First Amendment protections to broadcast the recordings.45 In the Court’s words, “[o]ne of the costs associated with participation in public affairs is an attendant loss of privacy.”46

While the majority opinion seemingly dismissed both the dry up the market theory and individual privacy interests, Bartnicki was neither unanimous nor unqualified. Joined by Justice O’Connor, Justice Breyer wrote a concurrence that articulated a pragmatic approach balancing the rights of free speech and individual privacy.47 According to Justice Breyer, Bartnicki’s “particular circumstances” justified the Court’s decision.48 In particular, he characterized the contents of the phone call as a threat of violence, in which “the speakers had little or no legitimate [privacy] interest.”49 Justice Breyer also took pains to note that “the Constitution permits legislatures to respond flexibly to the challenges future technology may pose to the individual’s interest in basic personal privacy.”50 This concurrence balances values of privacy and free speech, presciently envisioning the current hacking dilemma. From this vantage point, First Amendment protections for telephone interceptors might not make sense for other privacy invaders, such as computer hackers.

Along with Justices Thomas and Scalia, Chief Justice Rehnquist dissented, finding the government’s “dry up the market theory” convincing.51 According to the Chief Justice, the law permits a dry up the market strategy in other contexts. For instance, the state can criminalize the possession of child pornography to deter its production.52 So too, Chief Justice Rehnquist argued, the First Amendment allows the government to sanction the publication of illegally obtained information to prevent the initial theft.53

Since 2001, appellate courts have grappled with how and when to apply Bartnicki to new circumstances.54 Some courts do not provide First Amendment protections to journalists who participate in the illegal acquisition of private material.55 Other courts have declined to extend Bartnicki to situations in which someone publishes stolen information that is not a matter of public concern.56 Yet other courts have cabined Bartnicki to its particular facts and reevaluated, in the context of a different dispute, how to best balance particular privacy interests with First Amendment rights.57

Finally, there is some indication that courts are willing to reconsider the validity of the “dry up the market theory” for situations other than phone interception. In Jean v. Massachusetts State Police, the First Circuit held that the First Amendment protected the right of a person who had received an illegal videotape of police misconduct to place the recording online.58 Unlike in Bartnicki, “the identity of the interceptor” in Jean was “known.”59 As a result, the First Circuit concluded that there “[wa]s even less justification for punishing a subsequent publisher than there was in Bartnicki.60

To be clear, Jean reached the same outcome as Bartnicki: the First Circuit rejected the “dry up the market theory” and protected the First Amendment rights of the publisher. And Jean’s analysis was also admittedly brief. However, the court’s willingness to independently examine a “dry up the market theory” outside of the phone interception context suggests that, in the right circumstances, courts might conclude that imposing liability on the press is the only way to deter certain illegal activity.

The combination of Breyer’s Bartnicki concurrence, the vigorous dissent, and Bartnicki’s progeny all suggest that Bartnicki did not close the door to imposing liability on the press, given the correct circumstances. Instead, in any given case, to understand properly whether the government can regulate the publishing of newsworthy stolen information requires the investigation of at least two interrelated questions. First, are the individual privacy and government interests at play more or less compelling than those in Bartnicki? And, second, does the government possess another feasible method of policing against the theft of information, other than drying up the market?

II. the dry up the market theory is stronger when it comes to state-sponsored hackers

This Part applies Bartnicki’s framework to the Trump Administration’s leaking problem and the foreign hacking crisis. Under that framework, the government cannot impose liability on the publication of leaked classified information chiefly because the United States possesses the capacity to identify and discourage leakers. In contrast, foreign hackers, in particular those who enjoy state sponsorship, pose a vexing enforcement problem and can seriously harm the American political process. As a result, there is an argument, at least under Bartnicki’s calculus, that the First Amendment might permit imposing liability on the press to prevent the media from publishing the contents of hacks.

The Bartnicki framework tilts strongly in favor of the First Amendment protecting the publication of leaks for a simple reason: the government possesses a wide variety of means of deterring leakers, ranging from prosecuting those who disclose classified material to various types of formal and informal discipline.61 Most notably, the Espionage Act of 1917 prohibits those who possess national security documents or information from giving the material “to any person not entitled to receive it.”62 In United States v. Morison, the Fourth Circuit held that the Act applies not only to “classic spying” on behalf of a foreign power but also to leakers who provide information to the press.63 Despite the Espionage Act’s wide applicability, there have been only thirteen Espionage Act cases brought against defendants for leaking classified information, eight of which occurred in the Obama Administration.64

In his comprehensive study of leaking, David Pozen argues that the modest number of leak prosecutions reflects an implicit acceptance of classified leaking within the government. As an empirical matter, the vast majority of leakers are senior officials who possess close relationships with journalists and leak strategically.65 In Pozen’s analysis, the executive as an institution profits enormously from being a leaky branch. Consider one such benefit: the government often authorizes officials to anonymously “float trial balloon” policies in the press that it can plausibly disown upon bad reception.66 In a world where the government vigorously prosecuted all unauthorized leakers, it would be difficult for an administration to distance itself from a failed trial balloon. Few would leak without permission, and journalists would quickly assume that every anonymous source was an authorized government plant. However, in an environment rife with unauthorized leaks, such as exists today, the executive can plausibly deny a failed trial balloon because one can never truly know if the proposal represented official policy.67

But just because the executive finds leaking convenient does not mean that the government could not clamp down on leakers, if it chose to do so.68 Indeed, there is some indication that the number of leaks has increased dramatically in the first few months of the Trump Administration.69 In response, the Administration has taken a firm stance against leakers. While it may eventually prove to be more smoke than fire, the Justice Department announced that it “is pursuing about three times as many leak investigations as were open at the end of the Obama era.”70 Recently, officials arrested a contractor, Reality Winner, and charged her with leaking classified “information regarding a 2016 Russian military intelligence cyberattack.”71 While Winner’s prosecution is consistent with prior leak prosecutions targeting lower-level employees, it may also have been carefully calibrated to discourage leaking among other likeminded bureaucrats opposed to the Trump Administration. In short, when it wants to, the government can force leakers to internalize the costs of their actions.

The Department of Justice also briefly signaled that it might prosecute journalists under the Espionage Act, though officials quickly walked back their suggestion only a few days later.72 While the government has never successfully applied the Act to journalists, the Act’s broad language theoretically extends to members of the press who receive classified information.73 Indeed, in one high-profile 2006 case, United States v. Rosen, a district court permitted the government to prosecute two lobbyists who had received classified information and conveyed that information to others.74 Though the government eventually abandoned the case,75 some commentators worry that Rosen provides a framework for applying the Espionage Act to reporters.76 However, these commentators should have little to fear if the Court faithfully follows Bartnicki’s calculus: because the ability to deter leakers obviates the need to pursue publishers, the First Amendment should prevent holding a reporter liable under the Espionage Act in most situations.77

In contrast to leakers, foreign hackers—especially those with state sponsorship—are both difficult to apprehend and pose a more destabilizing threat to the United States than does a leaky executive branch. As a result, it is not inconceivable that the Constitution might permit the government to dry up the market for hacks by going after the media.

Consider some highlights of the foreign hacking crisis: in 2014, North Korea attacked Sony Pictures in retaliation for a movie mocking the Hermit Kingdom and released confidential Sony data to the public. The media quickly pounced on the hacked material and uncovered everything from correspondence in which an executive bashed Angelina Jolie as “a minimally talented spoiled brat” to the fact that female co-stars made less than their male counterparts.78 In the SONY hack’s wake, scholars79 and public commentators80 began to suggest that courts should not allow the press to publish information stolen by third parties.

Two years later, Russia attempted to influence the 2016 election.81 Just before the Democratic National Convention, WikiLeaks released roughly 20,000 emails from seven staffers.82 In one notable exchange, the Democratic National Committee’s (DNC) chief financial officer observed that Bernie Sanders’ Jewish heritage might harm Sanders in Kentucky and Virginia: “My Southern Baptist peeps would draw a big difference between a Jew and an atheist.”83 Later in October, WikiLeaks began disseminating 50,000 emails stolen from John Podesta, Clinton’s campaign chairman.84 Similar hacks have affected other Western democracies. During the 2017 French election, a cyber attack targeted Emmanuel Macron’s campaign for President.85 While their concerns did not materialize, German officials worried that hackers who had infiltrated the Bundestag’s servers in 2015 would divulge confidential information to disrupt that country’s recent election.86

The practical harms from these kinds of state-sponsored hacks are great. At the least, hacks present the same privacy concerns present in Bartnicki, though arguably to a greater degree given the amount of information that individuals place online. When hackers repeatedly breach the email servers of politicians and ordinary citizens alike, the result is a culture of caution and silence in which individuals increasingly commit less to electronic communication or routinely delete material to protect themselves. Such a culture may already be emerging. Notable figures such as former Treasury Secretary Hank Paulson refuse to use email.87 One unnamed network anchor was so concerned after hackers infiltrated former Secretary of State Colin Powell’s email that he retroactively purged his digital files for fear of being next.88 Over time, this aversion to electronic communication could greatly increase inefficiency in government operations, the campaign trail, or business.

Politically motivated hacks also carry a deeper concern beyond individual privacy: these hacks can, potentially, interfere with the American democratic process. The 2016 Russian cyber attacks provide an important case study. It is admittedly impossible to determine whether swing state voters cast their ballots because of the specific information revealed by the DNC or Podesta emails.89 For the politically sophisticated, the hacks likely provided little new information. To pick just one example, leaked emails from DNC staff merely confirmed the DNC’s favoritism toward Hillary Clinton in the primary, no surprise to astute observers of the presidential campaign.90 Nevertheless, the stolen emails could have affected the electorate in two important ways. First, the hacks may have created the appearance of scandal, even if the actual information offered no true revelations. When released to the public, frank internal communications can damage the façade of respectability that politicians model for the public. In other words, while many voters may suspect that elected officials scheme behind closed doors, the electorate may prefer not to see horse trading or politicking in the light of day. Second, the 2016 election hacks may have occupied limited media bandwidth and diverted political conversation away from other campaign issues.91

Not only are hacks potentially harmful, but there are also few feasible ways to prevent them. As a result, the “dry up the market theory” rejected by the Bartnicki Court with respect to phone interception carries more weight in the context of foreign hackers releasing private information to American news outlets.

Unlike domestic phone call interceptors, whom the Bartnicki majority believed were easily identified and prosecuted, foreign hackers live outside American jurisdiction and face a reduced risk of prosecution.92 Insofar as those hackers are governments like North Korea or Russia, the United States possesses few ways to meaningfully deter the hacks.93 While in theory the government could impose costs on adversaries through retaliatory cyberwarfare, economic sanctions, or even military force, it is in practice difficult to calibrate a foreign policy response to state-sponsored hacking that both deters an enemy and avoids enveloping the United States in a broader conflict.94 For instance, while the Obama Administration imposed sanctions on Russia in response to its hacking of the U.S. election,95 it is hard to imagine that this relatively modest response will discourage Moscow from again sowing discord on the American political scene.

Even when the United States government as an institution can effectively respond to foreign hacks, it might not be in President’s personal interest to retaliate, though retaliation is the best outcome for the country. For instance, foreign hackers can undermine a President’s domestic political opponents, and an executive might want to encourage this behavior to aid his or her reelection. Indeed, this scenario may not be far from reality: during the 2016 campaign, then-candidate Trump seemed to call on the Russian government to release his opponent’s emails, saying, “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing.”96 Once in office, despite an assessment from the intelligence community that Russia sought to interfere in the U.S. election, President Trump initially resisted Congress’s attempts to codify the Obama Administration’s sanctions on the Russian government.97

A recalcitrant President who wants to avoid responding to a state-sponsored cyber attack also benefits from the so-called “attribution problem”: for technological and intelligence reasons, countries can rarely prove with certainty and in a public venue that a cyber attack emanated from a particular state.98 An executive who refuses to respond to a foreign enemy could justify that decision on the pretextual grounds that he or she could not determine who was responsible for the attack. President Trump has embraced a form of this tactic as well, routinely casting doubt on whether the Russians were responsible for the 2016 election hacks.99

In contrast to the problems that hinder deterrence, imposing liability on news outlets that report hacked content seems like an efficient way to dry up the market. The mainstream press plays three key roles as an intermediary between foreign hackers and American voters. First, major news outlets investigate and sift through the tens of thousands of hacked documents to find the most pertinent information.100 Second, the mainstream press packages the relevant material, placing an embarrassing or salacious email within a larger, political context.101 Third, the press disseminates the final product to the public. Despite the proliferation of blogs and social media, most Americans still receive their news through major television networks or established news agencies.102 If the Court allowed the government—or an injured third party—to sue journalists who reproduce hacked information, foreign hackers would lose the press as a partner in providing the fruits of their wrongdoing to the American people.

In short, curtailing the media’s reporting on hacked material could help address the current hacking crisis by “drying up the market” for hacks. But we should be wary about undermining press freedoms and achieving this solution via legal regulation. This Essay now outlines an alternative path—based not in law but in professional norms—in which journalists voluntarily choose to not print most hacked information. This norm-based outcome could protect core First Amendment values while also reducing the harms posed by foreign hacking.

III. why the media should adopt a norm against reporting hacked content

Despite the seeming attractiveness of allowing the government to impose liability on the press when it publishes hacked information, that type of regulation carries troubling implications, which this Part explores. Instead of allowing government censorship in any form, this Essay proposes a middle ground between government regulation of the press and the uninhibited publication of all hacked information: journalists should voluntarily adopt a strong professional norm against disseminating the fruits of cyber attacks. Such a norm could help prevent foreign hackers from reaching American audiences, thereby “drying up the market,” while still protecting First Amendment values.

Section III.A outlines the basic contours of what a professional norm against publishing hacked content would entail and shows why a norm is preferable to a liability regime. Section III.B argues that there are reasons to think that journalists might rise above the collective action problem and voluntarily forgo the fruits of state-sponsored cyber attacks. To be clear, there are practical difficulties to this kind of a norm emerging, and I do not mean to dismiss them. Rather, I want to show that a norm-based approach to the foreign hacking crisis is desirable and potentially feasible, even if not inevitable.

A. The Contours of a Norm-Based Approach

The new journalistic norm against printing hacked information should take the form of a rebuttable professional presumption, overcome only by a journalist’s own assessment that a particular piece of hacked information is of such paramount importance that it warrants publication.

This presumption against reporting should be high, though not completely insurmountable. When considering whether a rare hack meets that bar, journalists should evaluate a number of factors that all caution against publication. For instance, does the stolen material’s principle value stem, not from whatever factual revelations it contains, but from its private or salacious nature? Could other non-cyber sources provide the public with a similar understanding of events, though possibly with less precision? Was the cyber attack likely intended to interfere in the American democratic process, and would publication aid that effort? In making these judgments, members of the media possess a variety of resources. To determine attribution, for example, journalists can often rely on government assessments (where they exist103) or the work of private cyber security firms.104 Many nontechnical conclusions require simple deductive logic. If a hack targets a candidate or campaign staff, common sense suggests that the hacker sought to influence an election. Moreover, given the strong presumption against publication, journalists who are unsure of any these variables should simply refrain from disseminating the fruits of a cyber attack.

This norm should only extend to hacked information and should not govern other information, such as that stemming from a leak. Of course, in implementing this norm, it may sometimes be difficult for the media to determine whether the material they receive anonymously comes from a leaker or a hacker. For example, the massive digital leak of corporate records from a major Panamanian law firm implicating powerful elites across the globe known as the “Panama Papers” ostensibly came from a self-proclaimed whistleblower named “John Doe.”105 Though he styles himself as a “whistleblower,” John Doe could be an external hacker who stole the documents, rather than an internal leaker. In these types of circumstances, journalists must exercise their professional judgment (as they frequently do) to determine whether the underlying information stemmed from a hack or a leak and whether it merits publication.106

A norm is preferable to government regulation of the press for a number of reasons. At the broadest level, even if it is constitutional, there is a troublesome social price any time the government regulates the media: it may normalize censoring the press in other, potentially unconstitutional circumstances. Normalization is a particularly worrisome possibility in the current political environment, where First Amendment values have already come under attack, from opposite ends of the political spectrum. Consider two diverse examples: during the campaign, then-candidate Donald Trump threatened to sue the New York Times for reporting about allegations that he engaged in sexual misconduct.107 Lest this general anti-speech sentiment be thought to be confined to the President, a study by the Pew Research Center found that “[f]our-in-ten Millennials say the government should be able to prevent people publicly making statements that are offensive to minority groups.”108 To be sure, the First Amendment protects both the Times’s right to report and the right to offend one another;109 constitutional law on either subject is unlikely to change soon. Nevertheless, prohibiting the press from publishing hacked material, even if it would be constitutional, might contribute to the broader societal erosion of First Amendment values.

From a pragmatic perspective, a norm-based approach offers a nimbler solution to the hacking problem than a law-based approach. Laws are inherently crude. Any potential government regulation of the press must take one of two forms: the legal bar could be complete and brook no exceptions. Alternatively, the ban could allow for exemptions in certain circumstances, such as for “extreme newsworthiness.” Under the first option, even if hacks revealed extraordinarily important information—such as the fact that a presidential candidate committed murder—the law would still deter the press from revealing that data to the public. In the second option, a judge must weigh after the fact whether a hack meets the bar for“extreme newsworthiness” and thus whether the press should be subjected to liability for publishing the material.

Both of these scenarios are unsatisfactory. In a world without exceptions for the publication of extraordinarily important (but hacked) information, American voters could potentially find themselves without information necessary to make decisions regarding the health of the republic. But a world with limited exceptions is no better; that world forces judges to distinguish between reportable and nonreportable hacks in charged political contexts. Content-based decision-making is incompatible with the passive virtues of the judicial branch and could conceivably result in drastically different results in a given case depending on a judge’s political predispositions. Indeed, a study of the Supreme Court’s First Amendment decisions from 1953-2010 found that the Justices’ “votes tend to reflect their preferences toward the speakers’ ideological grouping.”110 Thus, we can reasonably suspect that judges (whether consciously or not) might approve of the publication of hacked material when those judges disapprove of the person harmed by the hack (and vice versa).

In contrast to judges, individual journalists can make granular judgments about the merits of publishing a particular hack, without the troubling specter of an unelected judge injecting his or her political bias into a legal decision. This is not to say that journalists do not also possess viewpoints that color their decision-making; a stereotypical Fox News reporter might conceivably consider hacked material worthy of publication that a CNN reporter would not. But, unlike a judge, when a journalist acts in response to bias, he or she does not command the imprimatur of the law. As a result, an individual journalist’s biased decision to report or quash hacked material cannot coercively bind other peer reporters. Additionally, because they engage with whistleblowers and leakers on a daily basis, journalists are arguably better equipped than judges to evaluate difficult boundary-line questions, such as whether to print the Panama Papers or whether to publish material digitally stolen from the American government by American citizens, such as Edward Snowden.

In part, these justifications for a new professional norm find their roots in First Amendment principles. According to an institutional approach to the First Amendment, the Constitution especially protects the autonomy of self-regulating First Amendment institutions, such as churches, libraries, schools, and the press.111 To pick just one example, colleges and universities enjoy a certain amount of academic freedom—by virtue of the First Amendment—that allows them to decide whether and how to adopt affirmative action admissions.112 One justification for protecting First Amendment institutions is epistemological, akin to justifications for Chevron deference113: just as courts are not competent to judge policy issues and so often defer to administrative agencies, courts are similarly incompetent to judge certain First Amendment issues, such as the merits of a particular education policy or a religion’s dogma.114So too, according to an institutionalist perspective, the judiciary should allow the press to regulate itself, rather than meddling in the affairs of an autonomous First Amendment institution and deciding whether a particular story is, or is not, worthy of publication.115

Though the press does not enjoy a unique constitutional status in our modern jurisprudence, an institutionalist perspective lurks in the background of some of the relevant Supreme Court First Amendment precedent.116 In the Pentagon Papers case, Justice White’s concurrence noted that when leaked “material poses substantial dangers to national interests . . . a responsible press may choose never to publish the more sensitive materials.”117 Admittedly, Justice White did contend that “hazards of criminal sanctions” could potentially help incentivize the press to be responsible.118 But he also envisioned a media that independently evaluated whether a publication would harm national security and joined a per curiam opinion that prevented judges from making that exact same evaluation through a prior restraint on speech.119 Similarly, two of the dissenters in the Pentagon Papers case articulated a vision of “a responsible press collaboratively weighing the national security harms that disclosure would raise.”120 While far from a full-throated embrace of First Amendment institutionalism, this precedent lends credence to the notion that, where possible, we should prefer to let the press self-regulate rather than impose external constraints on their behavior.

Finally, from a constitutional law perspective, a norm against reporting on hacked information carries a further benefit: unlike a law-based approach, a norm avoids creating binding First Amendment precedent on the subject that, though it might respond to today’s hacking crisis, might also prove to be harmful in the future. If Congress passes a law imposing liability on journalists who report on hacks, reporters will certainly challenge the law’s constitutionality. The Supreme Court might conceivably weigh in, potentially upholding the law for all the reasons stated in Part II. Given the high bar to overturning constitutional precedent, we should be wary of constitutionalizing the solution to the 2016-2017 hacking crisis if an alternative pathway exists that achieves the same result without making constitutional law.121

B. But Is a Norm Feasible?

Skeptics will doubt that the media can ever abide by a professional standard against reporting on hacked digital information. Once one newspaper prints a story about a hack, others must also out of fear of losing readers—or so the theory might go. Others might worry that the fragmentation of the traditional press and the proliferation of nonprofessional reporters will make it impossible to achieve a total blackout on the reporting of hacked information. Still others might wonder whether a partisan media outlet would really abstain from reporting on a subject that advances its ideological agenda.

Each of these criticisms contains merit, and I do not intend to discount the practical difficulty faced by my proposal for a new professional norm. It is certainly not inevitable that a norm against publishing hacked material will emerge. But there is some reason to believe that the press could be convinced to treat hacks with more ethical delicacy than they currently do. State-sponsored cyber attacks implicate a core civic republican value: guarding the nation against untoward foreign influence. In the wake of the 2016 election, journalists have begun to recognize just how Moscow exploited their reporting to maliciously interfere in the American democratic process.122 Some have gestured toward the need for a new professional code of ethics when it comes to hacking.123 In this particular climate, the media might respond favorably to a call to its patriotic impulses.

Consider those self-restraining norms that the press does observe. Despite their constitutional right to print the names of rape victims, mainstream outlets almost universally do not, unless those victims publicly identify themselves.124 This norm is incredibly strong in the journalistic community. For instance, during the widespread publicity surrounding the recent trial of Stanford swimmer Brock Turner, no one revealed the victim’s name, even though her statement to the court at sentencing became a viral sensation and Glamour announced her (anonymously) as a person of the year.125 To be clear, I do not intend to equate the trauma a rape victim undergoes with the harms of hacking. Rather, the fact that journalists shield rape victims’ identities is an example of journalists’ professional norms working, curbing what journalists print even when the law permits publication and intense public interest exists regarding the issue.

Sexual assault is not the only topic that the media handles with a sensitive touch. Before Steven Sotloff’s brutal beheading by ISIS in 2014, American journalists did not discuss his Judaism in an attempt to shield that information from ISIS and save Sotloff’s life. When the New York Times accidentally reported Sotloff’s religion, the paper quickly scrubbed that fact from its website.126 Indeed, with respect to ISIS, the media has been particularly cognizant of its role in transmitting the terrorist organization’s propaganda. Major television networks, for instance, choose to show only portions or still frames of ISIS videos, despite widespread interest in ISIS.127 Social media platforms like YouTube have similarly embraced the anti-ISIS norm by taking down ISIS content, including full-length beheading and recruiting videos.128 (The chief exception to this rule was Fox News, which placed on its website the entire video of ISIS members burning a Jordanian pilot alive.)129

Journalists also show similar restraint in situations where the publication of information might directly harm national security. For instance, at the government’s request, CNN recently chose not to report certain classified details about terrorist plans to build “laptop bombs” to protect the sources of that information.130 This is not to claim that journalists always censor themselves when the government asks them to; far from it. Rather, it shows that journalists frequently consider whether they should publish sensitive national security material in light of the adverse consequences.131 In the words of one editor, “[m]y role as the editor of a newspaper, and the newspaper’s role in the society, is . . . to try to make that kind of judgment.”132 Journalists can make equally nuanced judgments when it comes to deciding whether to report on hacks.

Of course, these examples of journalistic ethics involve subjects that decent people either find repugnant or, in the case of national security related reporting, trigger core civic republican values. For a journalistic norm to become a reality, the media and some segment of society will have to begin to view state-sponsored hackers with a degree of moral opprobrium. But it is not unreasonable to assume that the same civic impulses that lead journalists to quash stories involving national security might also lead them to refrain from assisting state-sponsored hackers.

The proliferation of nontraditional journalists, bloggers, and social media actors using Twitter, Facebook, and other platforms to report on current events makes it difficult—but not impossible—for the press to enact a self-imposed media blackout of hacked materials. Skeptics will argue that even if the New York Times and Fox News do not publicize hacked material, nontraditional media outlets will refuse to abide by this norm and continue to disseminate hacks to the American public. But the available evidence suggests that, even if hobby-journalists “report” on hacks via Twitter, the majority of Americans may never see that amateur reporting. As noted above, contrary to popular belief, most Americans receive their news through traditional media organizations, such as televisions or major news websites—not through random Twitter users or blogs.133 According to Pew, the “greatest portion of U.S. adults, 46%, prefer to watch news rather than read it (35%) or listen to it (17%).”134 Among those who get their news online, almost double the number of people receive their news via major news organizations than those who receive it via social media.135 In short, restraint among mainstream news reporters could create an effective if not complete media blackout—even if Twitter users and their followers continue to publicize the contents of a hack.136

The ultimate point is this: it might not be simple, but journalists can rise above their individual incentives to publish and self-enforce a professional standard of restraint. They should do so today to combat foreign hacking, drying up the market without the harm to the First Amendment that would come with government regulation of the press.

Conclusion

Leakers and hackers, especially state-sponsored foreign hackers, are likely here to stay. This Essay has argued that journalists should treat these two types of information-theft differently, continuing to publish the former while refraining from reporting the contents of the latter.

Unlike its ability to prosecute leakers, the government possesses few effective means of deterring hackers. As a result, under Bartnicki’s framework, the First Amendment might permit the legislature to impose liability on the press when it publishes stolen information. But that option, while perhaps seductive to some, comes with its own costs: the erosion of First Amendment values and the potential placement of judges in the thorny position of deciding what material does or does not merit publication. Instead, the press should adopt a professional norm against the publication of stolen material. While not without its practical challenges, this option could both secure core First Amendment values while also mitigating the harms that state sponsored hacks pose to society.

Nathaniel A. G. Zelinsky is a J.D. Candidate at the Yale Law School. For their helpful comments, he thanks Sophia Chua-Rubenfeld, Scott Levy, Josh Macey, Professor David Pozen, Yishai Schwartz, David Simon, Judge Stephen Williams, and Professor Edward Zelinsky. He also thanks Sam Adkisson and the editors of the Yale Law Journal for their edits and assistance.

Preferred Citation: Nathaniel A. G. Zelinsky, Foreign Cyber Attacks and the American Press: Why the Media Must Stop Reprinting Hacked Material, 127 Yale L.J. F. 286 (2017), http://www.yalelawjournal.org/forum/foreign-cyber-attacks-and-the-american-press.