The EU’s Regulatory Awakening? Hack-and-Leak Operations in the new EU Code on Disinformation

Elections are democracy’s most important, yet most vulnerable moment. Interference in the process presents an attack on the foundations of trust and knowledge. One form of this is hacking candidates and then spreading the materials via social media. Twitter came up with policies on the issue – but their context and design merely enhanced the urgency of a regulatory response by the EU. The new EU Code on Disinformation might bring an end to the platform’s arbitrary handling of the issue.

Numerous Cases of Hack-and-Leak

When it comes to election interference through social media, the world’s democrats do not shy away from big words. “This is about our democracy, sovereignty and national independence”, said back then French Minister of Foreign Affairs, Jean-Marc Ayrault, about the Kremlin-orchestrated hack of the Macron campaign in 2017. The so-called #MacronLeaks present one of the most prominent cases of hacked materials being spread via social media. They were preceded by the well known case of the hack-and-leak of emails from the Clinton campaign and the Democratic National Committee before the 2016 US elections. 

Lack of Ethics (Codes) for Social Media… 

Twitter played a role in both cases. While journalistic ethics codes on fact-checking prevented traditional news media from reporting on the contents of the hacked materials (more so in Europe than in the US), the materials spread at near-instantaneous speed on Twitter. This re-affirms a central challenge in the regulation of social media platforms. They share some decisive features with traditional media companies – but are governed and regulated as technology companies. Platform regulation scholars agree that there are several aspects setting social media platforms apart from traditional media companies (such as ownership structure or business model). However, many users are consuming content on social media platforms in the same way they would consume traditional media, and only rarely post themselves.

… but the trust is still low

In support of this argument, studies such as the Reuters Institute Digital News Report have found that individuals around the globe are increasingly getting their news through social media instead of consuming traditional news media. Therefore, social media platforms are fulfilling the function of traditional media for many users – but are not guided by comparable journalistic standards. This can be dangerous, particularly in vulnerable moments such as elections and election silence periods. In France and several other countries, the electoral code demands that the media stops reporting on the candidates in the hours leading up to the opening of polling stations. The #MacronLeaks accordingly fell into the time of this journalistic vacuum and had people turn to Twitter. Paradoxically, the high democratic commitment by French media could have been a real threat to the electoral process – if it had not been for several factors such as low trust in social media among French voters which made the attempt of interference fail. 

Hack-and-Leak Operations are now on the EU’s Regulatory Agenda

That hacked materials are often spiked with disinformation and disclose names, contact details or even more sensitive information. That given, the distribution presents a challenge at the interplay of many regulatory areas. First and foremost, the regulatory “problem child” of dis- and mal-information. The EU has recognized the threat which online information operations orchestrated by malicious foreign actors, such as the leaking of hacked materials, can present to elections. Before the European Elections in 2019, several social media platforms became signatories of the 2018 EU Code of Practice on Disinformation.

Responding to company’s self-regulation practices

This Code of Practice is a self-regulatory tool which essentially failed to bring about real change. With the Digital Services Act (DSA) the EU has now recognized that platforms with behaviorally targeted advertising business models need to be strictly co-regulated. On June 16th 2022, the EU Commission finally published a revised version of the Code of Practice on Disinformation which is a part of the DSA. As the first regulatory document, the Code now mentions hack-and-leak operations in its chapter on impermissible manipulative behavior. Under Measure 14.1 of the code, platforms are obliged to “adopt, reinforce and implement clear policies” regarding hack-and-leak operations by malicious actors. This can be seen as a regulatory awakening in response to Twitter’s self-regulation of the issue.

Twitter’s Hacked Materials Policy made it a Plaything of Populists

The platform first published a hacked materials policy before the US midterm elections in 2018 in response to the uproar over Russian interference and hacking in the 2016 elections. This first version of the policy “prohibit[s] the distribution of hacked material that contains private information or trade secrets” or those that could potentially be harmful; and the company says it will “take actions on accounts claiming responsibility for a hack or include[..] threats or incentives to hack specific people or accounts.” Two years later, ahead of the US presidential election, Twitter initially removed and blocked links to a NY Post article containing private content, allegedly obtained by a hack of Hunter Biden’s laptop. After populist outcry of denying freedom of speech, Twitter reversed its decision and changed its hacked materials policy to allow links to hacked information. Essentially, the platform decided to overhaul its former policy completely and no longer delete tweets distributing or leaking hacked materials – unless they are posted by the hackers themselves. Vijaya Gadde, head of legal, policy, and trust at Twitter, explained the change in the policy in a lengthy thread. The platform made itself a plaything of populist outcries and excused it with the protection of freedom of speech. The two policies and their context show that the company responded to current perceived political sentiments rather than developing a policy on hacked materials which would mirror ethics codes of traditional media.

Efficiency on hack-and-leak operations remains open    

The updated EU Code of Practice on Disinformation now co-regulates hack-and-leak operations as impermissible manipulative behavior. The coming months will show how Twitter’s hacked materials policy will change as a response. In the light of especially Russia’s frequent election interference activities, one can only hope that the EU’s regulatory awakening includes effective enforcement measures.