Information security is also a moral issue

The media this morning is full of reports of the release by Wikileaks of a searchable archive of Sony Pictures Entertainment (SPE) emails. In some ways, this is old news – the raw data has been out there since the original breach last year; all this changes is the ease of access to the information by the less technically-literate. So what new lessons are there to learn from today’s news?

Firstly, it’s a reminder that you can’t put the genie back into the bottle. Once you’ve had a breach and data has escaped your control, it stays out there forever. It makes counting the cost of breaches harder, because you’re never sure when the incident is actually over. Information does lose its currency, but as Operation Yewtree proved, we’re hardly averse to raking over past coals.

Secondly, it’s a valuable insight into the current internet mindset. It’s hard for most of us to cast SPE as the enemy; we might sympathise with exposing the potentially abusive behaviour of the security services; we might feel that phone-hacking, price cartels or major environmental disasters offer a public-interest defence for the revelation of confidential information; but SPE has been responsible for none of these. They make movies. Unless you’re in the tinfoil-hat, all-corporates-are-evil brigade, it’s difficult to see how to justify what is, in reality, the exploitation of stolen property. I doubt Wikileaks would happily hold an auction of burgled jewellery, but because this is information, it’s fair game.

It’s part of the peculiar morality we seem to have fallen into on the net. From death-threats on Twitter, through abusive reviews and misinformation to outright theft and blackmail, we tolerate – and in some cases, celebrate – behaviour that we would condemn out of hand in real life. We seem, some of the time, to have forgotten that just because you can doesn’t mean you should.

It may well be that the SPE email archive contains material that would form the basis of a legitimate newspaper story. I should say here for clarity that I’ve not looked at the material itself, since I try not to be a hypocrite. Wikileaks isn’t a newspaper, and hasn’t carefully worked through the mass of data to bring out the story: they’ve just indexed it and dumped it on the net. Our society, particularly in commerce, depends on a reasonable expectation of confidentiality. Businesses expect to be able to keep their internal information away from their competitors; it’s part of how competition works. Internet morality seems to be unable to distinguish between the legitimate protection of commercial secrets and the concealment of malfeasance.

Even if we choose not to care about whether SPE should be entitled to corporate privacy, though, we surely care – or should – about the personal privacy of its employees. Unfortunately, in a world in which celebrities’ private photos are joyfully circulated, we seem to have forgotten that there are real lives behind the data. It’s pretty likely that the SPE archive will contain some emails that are deeply personally embarrassing to their authors. Not just ill-advised commentary on film stars, but messages revealing affairs, personal dramas, financial difficulties. Even the most paranoid people rarely practise perfect information hygiene in separating work and personal email addresses.

If and when some of this personally-compromising data is highlighted, as people use the index to trawl the archive, will the affected employees have a case against SPE for failing in their duty of care to protect employees’ personal information? Would that be reasonable? On the other hand, if – as any employer quite reasonably might – SPE remind employees that no guarantee of privacy was given for personal use of work email systems, what recourse do the employees have?

Yes, this is an information-security issue. SPE should have prevented the breach, and their security training and practices should have reduced the sensitivity of the contents in the first place. Ultimately, though, we must be careful not to blame the victim. But this is also a moral issue. Data is property, and taking it without permission is theft. Passing it on and making it easier to use is the same as handling stolen goods. We should remember that the Internet is part of real life, and stop pretending that the rules are somehow different on-line.