December 15, 2014

Over the weekend I received a nice holiday letter from lawyers representing Sony Pictures Entertainment, demanding that I cease publishing detailed stories about the company’s recent hacking and delete any company data collected in the process of reporting on the breach. While I have not been the most prolific writer about this incident to date, rest assured such threats will not deter this reporter from covering important news and facts related to the breach.

A letter from Sony's lawyers.

A letter from Sony’s lawyers.

“SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen information, and to request your cooperation in destroying the Stolen Information,” wrote SPE’s lawyers, who hail from the law firm of Boies, Schiller & Flexner.

This letter reminds me of one that I received several years back from the lawyers of Igor Gusev, one of the main characters in my book, Spam Nation. Mr. Gusev’s attorneys insisted that I was publishing stolen information — pictures of him, financial records from his spam empire “SpamIt” — and that I remove all offending items and publish an apology. My lawyer in that instance called Gusev’s threat a “blivit,” a term coined by the late, great author Kurt Vonnegut, who defined it as “two pounds of shit in a one-pound bag.”

For a more nuanced and scholarly look at whether reporters and bloggers who write about Sony’s hacking should be concerned after receiving this letter, I turn to an analysis by UCLA law professor Eugene Volokh, who posits that Sony “probably” does not have a legal leg to stand on here in demanding that reporters refrain from writing about the extent of SPE’s hacking in great detail. But Volokh includes some useful caveats to this conclusion (and exceptions to those exceptions), notably:

“Some particular publications of specific information in the Sony material might lead to a successful lawsuit,” Volokh writes. “First, disclosure of facts about particular people that are seen as highly private (e.g., medical or sexual information) and not newsworthy might be actionable under the ‘disclosure of private facts’ tort.”

Volokh observes that if a publication were to publish huge troves of data stolen from Sony, doing so might be seen as copyright infringement. “The bottom line is that publication of short quotes, or disclosure of the facts from e-mails without the use of the precise phrasing from the e-mail, would likely not be infringement — it would either be fair use or the lawful use of facts rather than of creative expression,” he writes.

Volokh concludes that Sony is unlikely to prevail — “either by eventually winning in court, or by scaring off prospective publishers — especially against the well-counseled, relatively deep-pocketed, and insured media organizations that it’s threatening,” he writes. “Maybe the law ought to be otherwise (or maybe not). But in any event this is my sense of the precedents as they actually are.”

This is actually the second time this month I’ve received threatening missives from entities representing Sony Pictures. On Dec. 5, I got an email from a company called Entura, which requested that I remove a link from my story that the firm said “allowed for the transmission and/or downloading of the Stolen Files.” That link was in fact not even a Sony document; it was a derivative work — a lengthy text file listing the directory tree of all the files stolen and leaked (at the time) from SPE. Needless to say, I did not remove that link or file.

Here is the full letter from SPE’s lawyers (PDF).


129 thoughts on “In Damage Control, Sony Targets Reporters

  1. Rick M.

    Sony really is getting what they deserve for outsourcing their IT staff, ignoring the warnings from PWC and for attacking people on everything they do. I don’t think there is any love lost on Sony from the IT community.

    Now, what happened was completely wrong and utterly devastating, probably the worst attack I have seen in 18 years in security. Nothing makes it right but security is also about reducing your footprint and profile, in this case they have done the opposite. Keep in mind LulzSec took down PSN in 2011 and Sony still hasn’t fixed it.

    1. Rick M.

      By the way, attacking the media is just another example of the cluelessness of this organization. They even had Kevin Mandia write a shill letter, release it publicly to protect the CEO.

  2. John Dittmer

    Sony is certainly covering itself in glory, isn’t it? It, as an orgnaization, seems to be acting more like a spolied brat who got caught with its hand in the cookie jar due to its poor security and other bad practices.

  3. 1776

    Any entity associated with Viacom is a turd in the punch bowl of public commerce.

    1. JCitizen

      HA!HA! Good visualization! I say F**k SONY and the horse they road in on! >:(

  4. Gary B

    Threatening news people somehow doesn’t seem like the best plan they could have come up with. But then getting Kevin Mandia to send out a letter that holds no water doesn’t either. Wonder what they’ll do next? Blame it on North Korea, oups, they already did that too.

    How about just saying Mea Culpa?

  5. Attila

    Sony could have learned more from the past. By this action it is putting itself in a position that I wouldn’t say is favorable.

    1. JimV

      Which never succeeds in containing any bad news embedded in the message when it’s already been widely released by someone who had purloined the contents while the message recipient was sound asleep.

  6. IA Eng

    I think, since they know they are going to be short on insurance money, they have decided to use their thugs to try and pressure reporters and possibly – but highly unlikely – to milk many for additional funds to they can clean up THEIR stinkpot.

    The information you have seen was posted by a third party. I personally think you can write about the issues all day long, but they are concerned about the wide spread contamination of PII.

    Salted Hash posted an article, in great detail about the possibility of Sony not having enough insurance to cover all of thier downtime. It shows documents and autographs and quotes from emails.

    Do as you wish, but since this SPE ( Sony’s Patheic Embotchment) will require alot of lawyer time, they are looking for anyone they can drag in the mud as well. Its a pathetic shore up in case they get sued by employees, VIP’s and other people.
    They may simply use the defense that if the leak wasn’t smeared all over the world, it would have saved them millions….heh. who knows.

    I did read however that some of the links to the latest Pastebin were torn down, so I think it’s probably driven by some serious punch behind the scenes – no pun intended.

    Tread lightly and enjoy.

  7. Tim O

    Thanks for standing up and doing the right thing. Security is all too often addressed after the fact, if at all. The vlame is passed to the customers, the taxpayers and anyone but the ones truly at fault – the greedy owners and shareholders.

    1. Cavoyo

      It’s the fault of the hackers, not their victims. You can’t have a hack without hackers.

      1. BVR

        And Sony did the hacking….oh wait, we weren’t talking bout the root kits they put on their CDs some years ago that nobody was arrested for?

  8. E.M.H.

    It’s probably the better part of discretion to not even reply to the message. But I have to admit, it’d probably feel good to compose a “this is Fair Use” statement in response. The situation is practically crying out for someone to say that.

    1. IA Eng

      I agree, I somehow feel that its going to be a fist fight and they aim to drag down as many people with them as they wish. I personally think it is WAY too late for the letter. They should have reached out in a more professional and graceful manner and it might have been received a little better.

      IF I was in the receiving end of this letter, I would probably take offense to it, BUT, calmer heads prevail. What I mean by this is, even though they may not have a leg to stand on in reference to the case, I would not want to spend any time in court listening to their misery and potentially “inaccurate claims” far from home.

      They should have thought about this before sending. If word spreads about thier Brutus style tactics, they may end up not only seeing their reputation in ruins, they may end up being boycotted by many as well.

      Knee jerking is never a good thing.

      1. JCitizen

        I’ve already been boycotting them for years – though I admit going to see Fury in the movie theater. I just had to see what it was like for my buddies who were tankers in WW2. It was pretty damn accurate!

  9. Brett

    Brian…The way I read the letter isn’t how you’re portraying it in your article above. I didn’t see where they said you couldn’t publish news, stories or articles related to the hacking but ask that you destroy any SPE material that you may have acquired during your investigation into the attack on SPE. The letter doesn’t have a negative connotation and seems to come across as a plea for help to keep sensitive information from being disseminated further. Given this websites entire purpose, I know this isn’t your intention and therefore you shouldn’t take offense to their request.

    Thanks for all your hard work and all the things you do to keep us all informed.

    1. Erika

      I agree with you, Brett. I think they are pleading for help that you not publish the stolen info, and they are not saying not to publish anything on the topic, just not the stolen material.

      They probably sent this to the most influential writers in the market in an effort for it to be noted they are doing all they can to protect their employees and intellectual property.

      ~E

  10. Amiee C. LaVenture

    Thanks for standing up and doing the right thing. I personally would continue to move forward. Just my personal opinion. As always, the decision is solely yours.

  11. Robert Scroggins

    Keep up the good work, Brian! Perhaps Sony should emulate your work ethic by getting off its corporate butt and implementing some real security mfeasures instead of going after the messengers.

    Regards,

  12. Bob

    Talk about self-harming your own brand – how can clever people be so stupid?

  13. Phil

    “We do not consent”. LAFF. It’s my first Amendment right. Derp. We don’t ‘consent’ to you trying to squash your incompetence Sony. Oh that reminds me, here’s our motion to DISCLOSE to all, all that you failed to protect. Ha!

  14. Clark

    Is it my imagination , or did this legal firm never identify themselves as legal council for Sony. They just implied it.

    As for asking all their data back (or deleted) is kind of like trying to get the toothpaste back into the tube. They just look foolish for even asking. And the nice guys that would consider doing it aren’t the ones they should be worrying about. But I have never understood lawyers anyway.

  15. Hello

    This whole thing is like some sort of schadenfreude advent calendar. Every day leading up to Christmas brings new laughs and joy.

    1. BrianKrebs Post author

      hah! You better trademark that while you can. Schadenfraude advent calendar. Each new day, you get to open a new door that features some chocolate treat shaped like a belligerent breach victim. Brilliant!

    1. Eric

      I hadn’t heard about that one.

      I really start to question the sanity of the people who talk about “The Internet of Things”.

  16. hello

    So in light of these requests, I’m wondering if the full extent of future Sony data releases will be made fully public. It does seem that the mainstream media is under-reporting this story – which seems to me as the most intriguing story to ever happen in IT.

    I am so intrigued that I am considering searching for, and downloading the leaked Sony torrents. I have no malicious intent, but I want to personally see the leaked information and get real insight into the contents of their file servers and other documents which are not being published.

    Is that a bad idea? I obviously would do this over public WiFi onto a virtual machine, and not use my personal internet connection. Just wondering if that would in fact be a crime to download the information for the sole purpose of personal review?

    I am one of the good guys, but a curious one at that. Thoughts???

  17. Dan

    Funny that, since they’re in the entertainment biz, they should be getting ready for the full Streisand Effect! 😛

  18. Mike

    I feel no sympathy for Sony. I decided years ago to essentially boycott all Sony products (except for unavoidable things that are made into other things). I can’t seem to find forgiveness for “root kits” and all their senseless DRM.

    They try so hard yet they just can’t add two and two. I know they’ve been around for a very long time, but it’s time to explain a few things. If large companies don’t start to actually learning something about these technologies outside of the idea that they can make money from them….those that do understand i.t. will bowl over them. Other companies (like ISP’s and department stores) really NEED to take notice. Methods and procedures NEED to change.

  19. charisse

    Hey Brian,
    Send them a letter back saying that their request was unactionable as it was too vague and non-specific and ask them to specifically and in detail list all the “Stolen Information” with exact copies of said “Stolen Information” including SHA-256 hashes of the original material so you can compare it to what you might or might not currently have 🙂

  20. petepall

    Better be careful, Sony. If you lift the blivet (however it’s defined or spelled), you might get some on you!

  21. Erik Carlseen

    It sounds like Sony’s executives had a major brainstorming session to see how they could raise the ire of the hacking community to its highest possible point… and then…

    “Hey! Let’s get the same lawyer that spearheaded SCO’s UNIX / Linux copyright suits against Novell and IBM and have him try to bully the press!”

Comments are closed.