There's an interesting debate afoot about TechCrunch's decision to publish selected documents it received from someone who hacked into the email accounts of Twitter CEO Evan Williams and other Twitter employees. There's already been some good coverage of the journalism ethics side of the debate, but I wanted to weigh in with some detail on what U.S. law has to say about the situation. Is it legal for TechCrunch to publish hacked documents? As with most questions worth asking a lawyer, it depends. It depends largely on whether the content of any particular published document is of legitimate concern to the public.
You are probably familiar with the facts already. TechCrunch received an email from "Hacker Croll" with a zip-file containing hundreds of Twitter's confidential corporate documents. According to the New York Times Bits Blog, "the hacker apparently broke into the Internet accounts of various Twitter employees, including Evan Williams, Twitter’s chief executive, as well as Mr. Williams’s wife, who does not work for Twitter, and two Twitter employees." The 310 stolen documents include corporate financial projections, confidential contracts with Twitter business partners, executive meeting notes, and private information pertaining to Twitter employees, such as meal preferences, calendars, and phone logs.
After announcing its receipt of the documents and its intention to release some of them, TechCrunch published an internal Twitter financial forecast from February 2009 (predicting its first revenue in Q3 2009 and 1 billion users in 2013, although Twitter says it wasn't an official document and is no longer accurate), as well as a pitch for a Twitter TV reality show. French blogger Korben also received the hacked documents, but has published very little out of what he says is respect for Twitter and Mr. Williams.
So what are the legal issues here? As I see it (and I'm probably missing something in my haste to get a post up), TechCrunch faces three possible legal claims:
First, publishing confidential company documents may be trade secret misappropriation under California law (both Twitter and TechCrunch are based in California), assuming the published documents qualify as trade secrets -- that is, information that derives economic value from not being generally known to the public and that is subject to reasonable efforts to maintain its secrecy.
Second, publishing sensitive or embarrassing personal information obtained by the hacker could create liability for invasion of privacy for the publication of private facts. If there's anything in those documents more sensitive than employee meal preferences -- say, social security numbers or health-related information -- TechCrunch would want to avoid publishing it. Certainly nothing Mr. Arrington has published so far poses any risk in this regard.
Third, receiving the hacked emails might violate criminal law against receipt of stolen property. Section 496 of the California Penal Code makes it a crime to "receive any property that has been stolen or that has been obtained in any manner constituting theft or extortion, knowing the property to be so stolen or obtained." Documents can be "property" under statute, but there is some question whether "mere information," rather than the paper it is printed on, can qualify (admittedly, this could be viewed as a pretty outdated distinction). See People v. Dolbeer, 29 Cal.Rptr. 573, 574-75 (Cal. Ct. App. 1963).
This all sounds pretty intimidating, but these sources of liability are subject to First Amendment limitations. A long line of Supreme Court cases hold that the First Amendment protects truthful speech on matters of public concern. See, e.g., Bartnicki v. Vopper, 532 U.S. 514, 527-28, 533-35 (2001) (First Amendment barred imposition of civil damages under wiretapping law for publishing contents of conversation relevant to matter of public concern); Florida Star v. B.J.F., 491 U.S. 524, 534 (1989) (First Amendment barred imposition of civil damages on newspaper for publishing rape victim’s name); Smith v. Daily Mail Publ’g Co., 443 U.S. 97, 103-06 (1979) (First Amendment barred prosecution under state statute for publishing names of juvenile offenders without permission of court); Landmark Communications, Inc. v. Virginia, 435 U.S. 829, 841-42 (1978) (First Amendment barred criminal prosecution for disclosing information from a confidential judicial discipline proceeding). Therefore, “if a newspaper obtains truthful information about a matter of public significance then state officials may not constitutionally punish publication of the information, absent a need to further a state interest of the highest order.” Smith, 443 U.S. at 103; accord Bartnicki, 532 U.S. at 527-28.
In the most analogous case, Bartnicki v. Vopper, members of a teachers union sued a radio announcer under state and federal wiretapping laws after he played an unlawfully recorded telephone conversation on the air. The radio show host had received the recording from a third party who himself had received the tape in the mail from an anonymous source. The Supreme Court held that the First Amendment prohibited the recovery of damages against the radio show host for publishing the tape, explaining that “a stranger’s illegal conduct does not suffice to remove the First Amendment shield from speech about a matter of public concern.” Id. at 535. The constitutional principle in Bartnicki and other Supreme Court cases is not limited to traditional forms of media like newspapers and radio broadcasters. See Mary T. Jean v. Massachusetts State Police, 492 F.3d 24 (1st Cir. 2007) (First Amendment barred criminal prosecution for posting illegally recorded video online when recording made by third party, even if knowing receipt of the recording constituted a crime under Massachusetts law).
So, TechCrunch is probably in the clear for publishing anything that would qualify as a "matter of public concern" under Bartnicki and friends. Of course, there's no quick and easy definition of what qualifies as a matter of public concern, and this is where the legal questions bleeds back into the ethical question. To be sure, the category of public concern does not include everything the public might be interested in. Still, the courts are rightly hesitant to decide for themselves what is newsworthy and what is not, so they tend to err on the side of liberality. In the current scenario, it is fair to say that a good deal of information about Twitter as a company is fair game given its immense popularity and newfound cultural significance. Twitter's financial projections probably fall safely within the public concern category. The TV pitch might be a closer call, but still probably falls on the safe side of the line.
But this does not mean that every document in Hacker Croll's email is fair game. To the extent Twitter claims that any of the hacked documents are trade secrets, their publication may not qualify as matters of public concern, an issue expressly left open by the Supreme Court in Bartnicki. See 532 U.S. at 533. Sensitive personal information about individual Twitter employees that could form the basis for an invasion of privacy claim would probably not be protected as well. California law reflects the First Amendment principle -- to succeed on a publication of private facts claim, a plaintiff must establish that the published material was not newsworthy.
I'm not sure how the First Amendment would impact a possible prosecution for receipt of stolen property because it is receipt of stolen material, not publication, which is criminalized. But it seems unlikely that First Amendment concerns wouldn't also limit criminal liability in this context. If anybody has expertise in this area, please share your wisdom in the comments.