Robert Lemos

…articles and musings of a technology and science journalist


Ethics and the Eric McCarty case

April 26th, 2006

I have written an article that appears on SecurityFocus today. Because both I and SecurityFocus have been mentioned in the FBI’s affidavit outlining the charge of computer intrusion against Eric McCarty, publishing further articles on the topic poses legal and ethical questions.

I will not be discussing the legal questions here. However, readers have the right to know about the ethical issues involved in publishing the article. (Also, it happens to be Ethics Week.)

The case, as the reader may be aware, is against a source that revealed to me a vulnerability in the online Web application for prospective students of the University of Southern California. The article appeared on SecurityFocus last July. The affidavit, which I received last Thursday, mentions SecurityFocus and my name several times and includes an e-mail that my source sent to me.

I did not cooperate with the FBI’s investigation. The FBI made a single attempt to contact me last August, but–on the advice of legal counsel–I never returned the call. To the best of my knowledge, SecurityFocus, a subsidiary of Symantec, never cooperated with the investigation nor was asked to cooperate.

Following the release of the affidavit, I contacted Eric McCarty at the number contained in the court filing. (Other reporters have done so as well.) During the interview conducted on Friday and in an e-mail exchange, McCarty indicated that he would go on the record with his statements. In the e-mail exchange, he offered proof that he was SecurityFocus’s source and waived the condition of anonymity that he requested for the original article.

The ethics of covering a case in which a source is the defendant is a bit murky. Over the past four days, I have sought advice from three journalism experts and referred frequently to the Society of Professional Journalists’ Code of Ethics, to which I strive to adhere.

Journalists have a mandate to act independently, and having a source prosecuted can affect that independence. Yet, journalists also have a mandate to seek out and report the truth. Any decision regarding whether to cover a significant issue should consider both factors.

The experts I discussed the issue with (and whom I refer to anonymously here because I did not get permission to mention them by name) are an ethicist for a respected journalism association, a professor of journalism, and a former editor who spent 15 years at a major U.S. newspaper. I am indebted to them for the time they took to talk with me. Any decision regarding this case is my own.

The experts identified two courses of action. I could:

  1. Recuse myself from the story, or
  2. Cover the story and inform my editors and readers of any potential or perceived conflicts.

The story I published today covers the effect that the prosecution of a vulnerability researcher, who acted in the way many researchers have acted in the past, will have on other flaw finders. Because this story is important, especially to SecurityFocus’s audience, I decided to continue to pursue it. I have already notified SecurityFocus of the ethical considerations that covering the story could pose, and they agreed that the issue is an important one. This statement is meant to notify readers of the decision.

In its Code of Ethics, the Society of Professional Journalists calls for reporters to hold themselves accountable and “clarify and explain news coverage and invite dialogue with the public over journalistic conduct.” My hope is that this statement furthers those requirements.

My own ethics policy, built on the SPJ’s Code of Ethics, can be found on my site.

Tags: Blog · Security
