Sony Seeks To Scare Press Away From Publishing Information Obtained in Hacking Attack
Sony is warning the press not to publish material leaked by hackers, but it doesn't have much of a legal leg to stand on.
Over the past week or so, Sony Pictures has been dealing with the consequences of having had its computers hacked by forces that remain unknown and unidentified. Some claims have linked the cyber attacks to the North Korean government, which has complained vociferously about an upcoming comedy film called The Interview in which the two main characters are drafted into a plot to kill the leader of North Korea. Whatever the source, though, the attack has resulted in much embarrassment for the company to the extent it has revealed confidential employee information such as health records, confidential communications among top executives concerned many Hollywood stars such as Angelina Jolie, who was described in one email from a producer as a “spoiled brat,” Jennifer Lawrence, and even President Obama. There have also been reports that the hack resulted in the theft of the early draft of the newest upcoming James Bond film. In response, the media has reported not just the facts of the cyber attack itself, but also many of the more salacious details of what has been leaked to date. With threats from the as yet unidentified hackers that more material will be released, Sony is responding by threatening to sue media companies that publish any of the stolen material:
LOS ANGELES — Sony Pictures Entertainment warned media outlets on Sunday against using the mountains of corporate data revealed by hackers who raided the studio’s computer systems in an attack that became public last month.
In a sharply worded letter sent to news organizations, including The New York Times, David Boies, a prominent lawyer hired by Sony, characterized the documents as “stolen information” and demanded that they be avoided, and destroyed if they had already been downloaded or otherwise acquired.
The studio “does not consent to your possession, review, copying, dissemination, publication, uploading, downloading or making any use” of the information, Mr. Boies wrote in the three-page letter, which was distributed Sunday morning.
Heather L. Dietrick, general counsel for Gawker Media, said the organization was not yet aware of Mr. Boies’s letter. She said Gawker reports had been confined to “very newsworthy” and “revelatory” documents. A Bloomberg spokesman declined to comment.
Kurt Opsahl, deputy general counsel for the Electronic Frontier Foundation, voiced doubt that the media could be forced to avoid such material, even if it was illegally obtained by a third party, given court precedent. “It is unfortunate that Sony got hacked, and lost control over its internal information,” Mr. Opsahl said in an email. “But the solution is not to muzzle the press.”
As Sony has been battered, other major studios and the Motion Picture Association of America until now have offered virtually no public backing. Asked about the stance of Christopher Dodd, the association’s chief executive, a spokeswoman said he was not immediately available.
But the association issued a statement that read in part: “From the highest levels of our organization working with the highest levels of theirs, we are doing anything and everything that Sony believes could be helpful and will continue to do so.”
According to several people who were briefed on the matter, and who spoke on condition of anonymity because they were not authorized to comment, Mr. Dodd and Sony’s chairman, Michael Lynton, have sought, without success, to organize a letter of support from fellow studio chiefs. The letter did not materialize, according to one of those people, in part because rival studio chiefs felt it would be ineffective and might look like “a publicity stunt.”
Another person briefed on the discussions said Sony’s search for assistance was complicated by the studio’s Japanese ownership and a cultural reluctance by those in Japan to risk fanning the flames with public action. Some of Sony’s counterparts have also been reluctant to speak up because Sony itself has kept its public self-defense to a minimum.
Representatives for Walt Disney, Paramount Pictures, Universal Pictures, 20th Century Fox, Warner Bros. and Sony Pictures either declined to comment or did not respond to queries.
Privately, some Sony executives have expressed bewilderment and resentment at the public silence of the company’s peers. One of the studio’s executives used the following analogy: Imagine a cul-de-sac where, when one house erupts in flames, the neighbors never come outside to help.
A general reluctance to speak out against the free use of Sony’s stolen secrets is fueled, at least in part, by the fear that attention will swing to any vocal defender, either in the form of hacking or in unwanted media attention.
Indeed, there is a tacit acknowledgment that, so far, virtually nothing in Sony’s stolen emails looks different from what would likely surface if the hackers hit another studio.
There’s no question, of course, that the fact that Sony’s computers were hacked is a news story that outlets can and should legitimately report on. At the very least, it is just the latest example of the vulnerability of American corporate, and potentially government, computer systems to data breaches that could have serious consequences for business, infrastructure, and national security. Bringing in the international angle, which has also shown up in reports about alleged hack attacks against American corporate and other targets originating in Russia and China, makes the news worthiness of the hacking side of the story rather obvious. These attacks are exposing vulnerabilities that are obviously matters of public concern not just because of the impact they could have on commerce and the security of private information, but because of the fact that such attacks could easily be directed at infrastructure targets such as power plants and other potentially dangerous targets. The question here, though, is whether any data that is made public and published for anyone to see on the Internet is also newsworthy, or whether a news organization would expose itself to liability if it reported on such information. This is of obvious concern to businesses because it could be possible in the future that valuable trade secrets, or even information that could subject the company to civil or criminal liability completely separate from the hacking attack, could be made public and then widely reported. Creating the precedent that this information should be kept secret is obviously the motivation behind the letter that has been sent to the media, but the claim that news organizations can be barred from publishing such information seems dubious at best:
Eugene Volokh doubts that the legal argument that Sony is making has much merit:
There are two relevant precedents, which aren’t squarely on point, but which are pretty close.
First, let’s look at Bartnicki v. Vopper (2001). Vopper was a radio commentator who received a tape recording of an illegally intercepted conversation; he apparently wasn’t involved in the illegal interception, but a reasonable recipient of the recording should have realized that the conversation had been illegally intercepted, and Vopper likely actually did realize this. Vopper played parts of the conversation on his program, and was sued under a federal statute that made both the interception and the use of such conversations illegal (both a crime and a tort).
But the Supreme Court held that Vopper’s broadcast incorporating the intercepted communication was protected by the First Amendment. Though the interception was illegal (and could constitutionally be kept illegal), the playing of illegally intercepted material under these circumstances was constitutionally protected, at least when the broadcaster wasn’t involved in the illegal interception, and the communication was on “a matter of public concern.” (The particular conversation involved union leaders who were allegedly discussing physically attacking managers.)
The second precedent is Pearson v. Dodd (D.C. Cir. 1969) — not a Supreme Court precedent, but still influential. Some ex-employees of Sen. Thomas Dodd, in league with some current employees, took some documents from the senator’s office without permission, photocopied them, and then sent the copies to investigative reporters Drew Pearson and Jack Anderson. Pearson and Anderson published articles based on the documents. Dodd sued, claiming the publication was an invasion of privacy, and also constituted “conversion,” which is to say basically use of stolen property.
The D.C. Circuit rejected these theories, concluding that the publication just wasn’t tortious (and thus not having to reach the First Amendment issue). When information is on a matter of public concern, the court held, the fact that it was illegally leaked doesn’t make publishing it an invasion of privacy. And the information in the copied letters does not “fall under the protection of the law of property, enforceable by a suit for conversion.”
Thus, it seems likely that the publication of the documents isn’t likely to be tortious. And even if it can fit within some tort (such as the improper use of trade secrets, a tort that is sometimes said to apply to disclosers of illegally released information), the First Amendment would likely preempt the tort.
As Volokh goes on to note, there may be some situations where Sony would have a stronger case. In both of the cases he cites the courts involved relied heavily on the fact that the illegally obtained material dealt with matters of public concern. This suggests that when the data that is leaked is not a “matter of public concern,” or when it concerns something that is highly private and confidential such as the aforementioned health records or personal contact information such as addresses and other information generally kept confidential for security reasons, then there might bWhie a a stronger case in favor of preventing publication, or of imposing some form of liability if the information is published. There would also likely be some kind of similar protection against the publication of information that would cause financial harm if it were made public, such as corporate trade secrets. While the details about how to make the distinction between matters of public concern that could be published and private and confidential information that could potentially be blocked by court order, or form the basis for liability if it were published, will vary from case to case, the distinction that Volokh talks about makes sense. There’s a difference, obviously, between information that is arguably of public interest such as the relationships between stars and studios or what studio executives who have publicly endorsed the President of the United States say about him in private, the same can not be said about clearly private information such as health records or confidential contact information for employees or celebrities that could potentially be used for nefarious purposes. The first set of information might be highly embarrassing, but there is no exception to the First Amendment for information that is highly embarrassing.
Another case that is potentially relevant here, of course, is the Pentagon Papers case, which dealt with efforts by the Nixon Administration to prevent The New York Times and Washington Post from publishing information related to documents regarding the Vietnam War dating back to the 1950s. There was little question that the leaker involved in that case, Daniel Ellsberg, had acted illegally. Despite that fact, the Supreme Court agreed with two lower courts that the Federal Government had not met its burden for proving that publication of the papers would be so damaging that the extraordinary remedy of a prior restraint on speech was necessary. Justice Hugo Black put it this way in a concurrence:
In the First Amendment the Founding Fathers gave the free press the protection it must have to fulfill its essential role in our democracy. The press was to serve the governed, not the governors. The Government’s power to censor the press was abolished so that the press would remain forever free to censure the Government. The press was protected so that it could bare the secrets of government and inform the people. Only a free and unrestrained press can effectively expose deception in government. And paramount among the responsibilities of a free press is the duty to prevent any part of the government from deceiving the people and sending them off to distant lands to die of foreign fevers and foreign shot and shell. … [W]e are asked to hold that … the Executive Branch, the Congress, and the Judiciary can make laws … abridging freedom of the press in the name of ‘national security.’ … To find that the President has ‘inherent power’ to halt the publication of news … would wipe out the First Amendment and destroy the fundamental liberty and security of the very people the Government hopes to make ‘secure.’ … The word ‘security’ is a broad, vague generality whose contours should not be invoked to abrogate the fundamental law embodied in the First Amendment. The guarding of military and diplomatic secrets at the expense of informed representative government provides no real security … . The Framers of the First Amendment, fully aware of both the need to defend a new nation and the abuses of the English and Colonial governments, sought to give this new society strength and security by providing that freedom of speech, press, religion, and assembly should not be abridged.
While the Sony data obviously does not rise to the level of the Pentagon Papers, the arguments against any kind of prior restraint or post- publication punishment regardless of the nature of the information published strike me as being the same. In both cases, the Freedom of the Press protected by the First Amendment seems to be clear, while the arguments made by those who would block publication seem to be incredibly weak. Sony may find it inconvenient that this information has become public, but that inconvenience does not mean that it can use the courts to either prevent others from reporting on it, or punish them after the fact for doing so. The standard would obviously be different if the media organization were involved in compromising Sony’s computer security, but that was not the case here. Therefore, it seems clear to me that, as long as the information is regarding matters of public concern or interest, Sony has no remedy against the media for writing about what has been made public.