The Debate Over Publishing Stolen Twitter Documents

News Analysis

The Web has been buzzing over confidential Twitter documents that a hacker stole and sent to some blogs after breaking into Twitter’s corporate network.

The incident has raised age-old questions about the ethics of publishing confidential material, questions that have taken new twists in the age of blogs.

TechCrunch, one of the blogs that received the confidential material, is working closely with Twitter as it determines which pieces of information to publish, said Michael Arrington, TechCrunch’s founder.

“It is within our ethical obligation to help Twitter” in this situation, Mr. Arrington said in an interview. He is protecting the identity of his source, the hacker, but is assisting Twitter in other ways “to help them mitigate the damages” that could come as a result of sharing personal documents, he said.

He has sent Twitter all the documents he received and is trying to put Twitter in direct contact with the hacker, he said.

The hacker, who calls himself “Hacker Croll,” sent TechCrunch a zip file Tuesday with 310 private files from inside Twitter. They include business-related documents like financial projections and discussions of competitive threats and potential acquisitions. They also include personal information, like meal preferences and phone call logs of Twitter employees.

In an interview Wednesday, Mr. Arrington said he has been involved in two separate debates. The first is legal. He said that he has lawyers looking at the legal aspects of trade secrets and the receipt of stolen goods, but added that he did not want to discuss the legal issues any further.

The other debate, he said, is ethical. He decided not to publish embarrassing personal information, including call logs and a record of people who interviewed for jobs at Twitter.

However, he said he deems the financial information worthy of publishing. “There’s some really interesting stuff here that I think is newsworthy — revenue projections, draft financials, costs, detailed strategy documents that talk about the Facebook threat and when and how they might sell the company,” he said.

“That is immensely interesting from a news perspective, and that’s where the debate internally here is going on — what’s appropriate to post.”

When TechCrunch told its readers that it would publish some of the material, the blog received hundreds of comments, many from readers who thought TechCrunch should keep the material private.

But Mr. Arrington pointed out in a subsequent post that much of what his blog and many other publications put out is confidential material.

“If you disagree with that, O.K.,” he wrote. “But then you also have to disagree with the entire history of the news industry. ‘News is what somebody somewhere wants to suppress; all the rest is advertising,’ is something Lord Northcliffe, a newspaper magnate, supposedly said. I agree wholeheartedly.”

A French blog called Korben, another site that received the documents, published very little of the material, even blurring out what is written on images of Twitter merchandise like T-shirts and baseball caps. The blogger, Manuel Dorne, said in an interview with my colleague Brad Stone that he did so because “I have a lot of respect for Evan Williams and a lot of respect for Twitter, so I’ll never publish sensitive information about them that could cause them prejudice.”

“I don’t know if TechCrunch has gone too far,” he added. “But what I can say is that the Web is small, everybody knows everybody, and publishing this information shows a lack of respect for the Twitter team.”

Mr. Arrington said that despite his efforts to keep personal documents private, all the documents could very well turn up elsewhere on the Web. “We’re not the only people who have them,” he said. “There’s presumably a young hacker out there who wants to make a name for himself. I wouldn’t be surprised to see them wrapped up and thrown on BitTorrent at some point.”

Comments are no longer being accepted.

Tough call. It’s important to remember that the hacker committed a crime with the specific intent of publicizing this information. Arrington may not have been a party to the crime itself, but he is effectively doing the criminal’s bidding, and by doing so is encouraging others to do the same.

It really does not matter what others do with the information…it all boils down to what you do with it…

There’s no excuse for publishing stolen private information unless it is to expose corruption, like the Pentagon Papers.

If TechCrunch thinks it is okay to publish other than that, I can only hope someone with a telephoto lens takes pictures through their bedroom windows and puts them on the net. Poetic justice.

“There’s no excuse for publishing stolen private information unless it is to expose corruption…” —trudy

Totally, totally agree. TechCrunch’s behavior, their mock show of respect notwithstanding, is a perfect expression of the reprehensible but widely-held belief that absolutely anything is ok if it makes a profit.

“I wouldn’t be surprised to see them wrapped up and thrown on BitTorrent at some point.”

That’s right, give him/her ideas…

There is no valid reason that stolen information should be published in any shape or form. TechCrunch is clearly wrong, and I’ve personally written them off as a blog I will visit. They probably care less about one person, but hopefully more do so as well.

every news outlet and every blog with journalistic aspirations routinely publishes confidential information – in fact, they all aspire to do so, as such is typically a “scoop”

the only issue here, then, is the method by which the stuff was acquired, eg by a “hacker” rather than by a “leaker.” kara swisher over at the WSJ/All Things Digital thinks this is a huge difference and claims she will never use material that has been acquired thru (what she considers to be) dirty methods.

of course kara swisher is one of the blogosphere’s most successful and prolific publishers of confidential documents but she is at pains to distinguish between her “trusted sources” leaking information and rogue hackers “stealing” it

journalism is not a court of law, where rules of evidence are absolutely necessary and vital. if journalism is about the public’s right to know, don’t journalists have an obligation to report on this stuff?

Is it a crime to report about riots that in turn could spur more people to join those riots? In Iran it was. In China it is. So those defending the privacy of Twitter also justify the oppression China and Iran impose on their media.

Interesting, multiple bloggers here who don’t understand the difference between a leak (violation of terms of employment or contract usually, punished with civil action) and criminal theft of information (statutorily illegal, usually a felony. And if the publisher continues the association, it is a conspiracy crime as well as possible accessory charges.)

Are these bloggers claiming that criminal acts to obtain information are to be rewarded with publishing of the info? And are you only allowed to hack to get it, can you con someone? can you extort to get this private info? just what crimes are legal in order to publish confidential info again? Physical Trespass, vandalism (yes hackers routinely commit this actually), and the list goes on. Just where does journalism end and crime sprees begin seems to be up to discussion for these bloggers.

I find it interesting that everyone blames the consumer for weak passwords. The entire concept of passwords is fundamentally flawed. It’s no better than Vista’s annoying “allow or deny” technology that no one knows when to say yes, so they disable it all, to get back to work.
Passwords are a technology that was invented shortly after language, and are obsolete and dangerous. The right answer is to NOT use passwords. There are many available technologies that are far more secure and eliminate the silly idea that the consumer is responsible for using strong passwords for each and every web site, system, laptop, and whatever. The right answer is to simply eliminate ALL usage of password technologies and evolve to a modern method that does not simply blame the user for a bad core technology.

““There’s no excuse for publishing stolen private information unless it is to expose corruption…” —trudy”

Actually, they are exposing corruption via dereliction of duty, most specifically by the CTO, who HAD to know that this was a possibility. If the only gateway in was a lazy employee and his/her ‘1234’ password, they should have also known that you can’t prevent laziness.

Exposing Pentagon documents is a no no; better to take them directly to the Pentagon. In the Twitter case, however, the American population should be notified…they could have redacted the documents, but then, who would believe that…we have 6% still thinking the moon landing was faked, so, redacting the documents would not be convincing.

Put it this way, if the tech I work with was not aware that companies routinely check social websites, then how much more so the general population? No, this had to be done…especially on the cusp of Google’s push to make cloud computing a reality. Something I am vehemently opposed to exactly because of the Twitter breach.

Yes there are benefits to cloud computing, but not like distributed computing, which inherently has better security. I use my PS3’s application Folding at home, which is a great app and more secure because it’s distributed. You have to be on the PSN and have a PS3 to use it. Not to mention it’s contributing something to society which makes me feel better about being a 38 year old SOCOM gamer. The difference is a dedicated machine, on a dedicated network. Sure it uses the internet(s) to access the network, but, once connected, it’s easy to track as well…so footprints are more likely to be found.

“Just where does journalism end and crime sprees begin seems to be up to discussion for these bloggers.”

It is a thin line, to be sure…but being that this is an organization, I’d say this is journalism…if it were an individual that would truly be dangerous; and who’s to say whether or not this hacker is truly white hat or not. Or that it hasn’t happened already?

One thing it does show is that this whole thing about ‘cloud computing’ is inherently unsafe. And that goes for Mozy or any other online resource. If Google wants an OS, let them make Android more stable, bring it in at half the price point of XP/Vista/7 and they might have something. Otherwise, just stick to search functions, please.

Hasn’t anyone learned from Microsoft’s attempts to be everything digital?

@gaex

Don’t worry, all because you didn’t think of this until reading this article, it doesn’t mean that no one thought of it. In fact, the first thing I did after reading this on Techcrunch was look for the Torrent. I’m sure the person who got these files is familiar with Torrents and their use in spreading info to the gen. pop.

It is unconscionable that Michael Arrington wants to find any excuse or justification for sharing stolen material with the general public.
Aside from the legal and ethical implications that should make Michael delete the zip file, whatever happened to common sense?
It irks me that he even dares to suggest that because the hacker might post it on bit torrent it is okay for TechCrunch to beat the hacker to it. Utterly outrageous!
Businesses need to discourage illegal dissemination of confidential data by collaborating to shut the door on information from hackers.
A line should be drawn in the sand that excludes the distribution of hacked data; refusal to do so simply means a company is wilfully aiding and abetting criminal activity, is an accessory to a crime, and ought to be held liable in a lawsuit.
Michael, do the right thing, end the pontificating and delete those files. You owe it to your business to cut the crass and rise above the fray.
No good will come out of divulging private Twitter business strategies and financial projections. If the shoe was on the other foot, I suspect you’d appreciate similar consideration.

There are a lot of interesting opinions on what individual workers should be doing, what the CTO should have done, whether passwords are good, etc.

My colleague David Goldes wrote a brief article on the same topic earlier today. In it, he questions the relative ease with which online apps are accessed – despite Twitter’s attempt to “absolve” Google of blame.

See David’s comments at //www.basexblog.com/2009/07/16/google-apps-twitter-hack-raises-red-flags-on-password-security/

@sam

I didn’t think of torrents in particular but I supposed the information would end up on the web anyway (as you increase the number of people who possess a piece of information, it becomes more difficult to suppress it), but I agree that many others thought of it. It was the way Arrington said it – it almost looked as if he was trying to offer a suggestion, or maybe he’s just trying to shield himself from criticism given that he believes the information would end up being published somewhere anyway.

Once again, Arrington proves how much of a jerk that he is…TWIT’s like us (people who watch and follow Leo Laporte) know this from this well known incident just over a month ago (//www.youtube.com/watch?v=IsV-lgnAjps) where he accused Leo of a biased review based on the fact that he didn’t pay for the unit…

Had this been a leaked document, that’s one thing but when it was stolen, no matter how weak the locks were, it’s a crime…try telling the cops when they catch you with stolen property that it’s ok because the guy who stole it only had to guess the combination on the door lock…won’t work then, right? So why is it ok here? It’s not!

“Is it a crime to report about riots that in turn could spur more people to join those riots? In Iran it was. In China it is. So those defending the privacy of Twitter also justify the oppression China and Iran impose on their media.

— andrew”

Thank you sir! That is one of the most tortured bits of logic I have ever had the privilege of reading online!