The Ashley Madison data breach and subsequent exposure of users’ identities is the first major data dump that feels truly personal.
Reporters covering the story for news outlets around the world documented the romantic, financial, and potential national security fallout from the hack. Many journalists mined the stolen data released in the breach, using it to search for recognizable names or public figures or to find contact information for private citizens exposed as users of the infidelity site.
Now, as stories based on the data will undoubtedly continue at least in the short term, the journalism community is debating how news organizations should treat the private information within the stolen Ashley Madison database. One of the questions raised is whether reporters should use the information to reach out to sources.
“If this were another type of information, would we feel comfortable using that database?” said Susan McGregor, assistant director of the Tow Center for Digital Journalism at Columbia University, referring to medical data. “And if the answer is ‘No,’ then I think you have to question whether you should use it as a starting point.”
In this case, she said, perhaps journalists “feel there’s a little more latitude because there’s a little bit of a sense that these people were doing something they shouldn’t have.” Even so, she said, reporters should avoid contacting private citizens listed in the stolen data unless there is some greater news value beyond being an outed Ashley Madison member.
“These people were legitimate participants in a perfectly legal site," she said.
At least when it comes to using the information to reach a potential source, however, media ethicist Kelly McBride doesn’t see a problem with reporters relying on the personal details exposed in the hack.
“Journalists have an obligation to use every means available to them,” said Ms. McBride of the journalism training organization The Poynter Institute and author of “The New Ethics of Journalism.”
“There’s nothing unethical about calling a source for a story and saying, ‘Would you like to comment?’" she said. "And in fact, I think it’s more unethical to not call a source because you have some inhibition about how you got the source’s contact information.”
In regard to deciding whether to report on private individuals, McBride said the determination for when private actions become newsworthy varies per publication. Most outlets, she said, define a qualifying person as someone in a position of power, but a gray area exists for semipublic figures such as reality TV stars.
Experts contacted for this story agreed that new organizations should refrain from publishing the names of users exposed in the break, unless those users expressly give permission to have their names included. In a story about the breach by the Associated Press, for instance, the reporter made clear that names were not released because the users mentioned were “not elected officials or accused of a crime.”
Reporters may also have difficulty verifying who was an actual member of the site. The Ashley Madison site didn’t require that users verify their e-mail addresses, so many of the addresses and names exposed in the hack are fakes.
A story erroneously linking someone to the Ashley Madison site who wasn't actually a user would be highly damaging to that person and to the news outlet involved, said Fred Brown, co-vice chair of the Society of Professional Journalists ethics committee. “In today’s world of journalism, verification is essential, if you want to have a reputation for reliability.”