Until a few days ago, nobody had an inkling that Apple Computer, musician Bono, F1 racing driver Lewis Hamilton and Britain’s Queen Elizabeth II had anything important in common beyond being very famous.
And yet they do, according to the Paradise Papers, a 1.6TB leak of about 13 million files which German newspaper Süddeutsche Zeitung (SZ) and the International Consortium of Investigative Journalists (ICIJ) allege contains evidence linking these, and many other well-known people, to tax havens.
Notice we just used the media’s preferred word leak instead of describing the revelations as a data breach which is, arguably, just as valid a description – the files were acquired without the consent of their owners after all.
So, is there a difference between a data breach and a data leak, and is it fair to draw a hard distinction between the Paradise Papers and, say, the database records pilfered from companies such as Equifax?
Untangling this means measuring four issues: the number of people affected, the type of data made public, the balance of damage versus public interest (which influences legal arguments), and most important of all, the motivation and methods of the leakers or breachers.
SZ says the Paradise Papers were gathered from 21 different sources, with law firm Appleby reportedly the biggest single contributor, bulked by documents from Asiacity Trust and the business registers of 19 tax havens.
Although smaller in size than the Panama Papers of 2016 (a previous SZ/ICIJ leak), the researchers still had to use a big data system from Australian company Nuix to analyse the trove of Word documents, PowerPoint files, images, spreadsheets, emails and PDFs.
Unlike most breaches, then, these were not personal data records, and the number of people affected is a minuscule fraction of the perhaps 3 billion affected by the Yahoo breach, or even the 145 million individuals caught up in the Equifax debacle. Similarly, the data is not being released in its raw file form and is being processed carefully by journalists (albeit a large number) working within the law.
That looks like it’s 2-0 to the argument that this is, potentially, a legitimate leak.
Public interest and motivation are tougher to assess. The newspaper and the ICIJ see a public interest, not dissimilar to that claimed by Wikileaks when it posted Bradley Manning’s “collateral murder” footage in 2010, and by Edward Snowden when he lifted the lid on NSA surveillance in 2013.
A problem with this is that a fair amount of what the Paradise Papers reveal appears to be legal. This doesn’t mean there is no public interest in knowing about it, but it slightly muddies the waters legally and morally.
Where the data came from, and who leaked it, might be the deciding question.
It’s tempting to assume that a cache of documents this huge must have come from an insider with special access, but this is contested. SZ stated:
For reasons of source protection, the SZ does not provide information on how the data reached the newspaper, who submitted it, and when it was handed over.
While Appleby claims:
We wish to reiterate that our firm was not the subject of a leak but of a serious criminal act and our systems were accessed by an intruder who deployed the tactics of a professional hacker.
Acquiring the data from an internal source might sound as if it amounts to the same thing as acquiring it from an external one, but arguably it does not.
Whether or not one agrees with Snowden and Manning’s decision to leak, they saw the data before releasing it, and their claim to have acted in good faith at least deserves examination.
Not so a hacker breaking into an organisation from outside, who must commit the criminal act without prior knowledge of what they might find. How this data came into SZ’s hands isn’t immaterial.
So, leak or breach? It looks like a scoring draw, which alerts us to the possibility that the Paradise Papers perhaps lie uneasily somewhere between the two.
A solution might be to stop worrying about semantics and just call everything a breach, accepting that a small number will later be deemed principled whistleblowing.
What must be painfully apparent to organisations up and down the land – especially legal firms holding piles of client data – is that data protection laws count for little in these situations. Salvation’s front line is still better security, not bigger punishments.