In the world of cyber hacks and leaks, there are two general categories of players: the fraudsters who steal data in order to obtain a profit, and the “hacktivists” who expose data, purportedly for the greater good.
Attacks by vigilante hackers highlight an emerging issue in the world of cyber-security: can illegally obtained data be used in a civil proceeding? A consideration of the case law in Canada suggests that the courts will permit its use provided that the cyber-breach was committed by a third party and not by the litigant him or herself.
Incidents of hacktivism are on the rise. High profile cases include the release of the Panama Papers, a database containing over 11.5 million stolen records, Edward Snowden's release of the U.S. National Security Agency's global surveillance records,1 and Julian Assange's creation of WikiLeaks, which continues to anonymously publish “restricted official materials”2. Most recently, the digital anarchist group, Anonymous, announced “a cyber-attack war against the Bank of England and [the] New York Stock Exchange”.3
With the release of the Panama Papers, state officials around the world were reported to have seized upon the evidence to initiate investigations or inquiries aimed at those identified in the stolen data. With the further release of the searchable database containing 200,000 documents from the Panama Papers, it can be expected that this evidence will be relied on in civil proceedings as well.
The admissibility of stolen data was recently addressed by the Federal Court of Missouri in a class action suit brought against Avid Life Media Inc., the company that owns and operates AshleyMadison.com.4 In this case, the plaintiffs sought to rely on records they obtained solely as a result of the “altruistic” cyber-attack perpetrated against the company and its members. In response, the defendants brought a motion to prevent the plaintiffs from using the stolen documents.5
The Ashley Madison hack was executed by a group of hackers called The Impact Team, self-proclaimed cyber vigilantes on a moral mission to shut down the site and expose the “cheating dirtbags” who use it.6 The anonymous cyber-group ultimately disclosed millions of Ashley Madison users' personal and financial information, as well as internal discussions regarding corporate data security.
In considering whether to allow the plaintiffs to refer to the once-confidential data in proving their case, Judge John A. Ross answered in the negative.7 His Honour observed that even though the records had already been published online, that did not change their confidential nature or the fact that they were stolen. Judge Ross explained that stolen information “cannot form the basis for a good faith belief of evidentiary support for a...
