Leaks, hacks and data brokers: the shifting landscape of evidence gathering

Authors: Patrick Sewell, Lorna Van Oss & Ramon Ghosh

In May 2022, the International Consortium of Investigative Journalists (ICIJ) published its final batch of data relating to the Pandora Papers, a trove of leaked offshore company documents obtained by the ICIJ from anonymous sources and first published in October 2021.

This latest uncovering of previously private information, which encompassed 12 million files and 2.94 TB of data, shows once again how leaks and big data are rewriting the rules of investigations. It also raises ethical questions for corporate investigators over where data is sourced, and how best to support clients in building their legal case.

Data leaks and data brokers

In recent years, a series of data leaks from African companies and financial institutions has enabled journalists to carry out many high-profile investigations into corruption across the continent.

The most notable case has been the Congo Hold-up: a leak of 3.5 million documents obtained in 2021 by the Platform to Protect Whistleblowers in Africa (PPLAAF) and France’s Mediapart. The documents had been leaked from BGFIBank Group SA, a pan-African financial group headquartered in Libreville, Gabon, and include bank statements, emails, contracts, bills and corporate records that cover nearly a decade of transactions. Particular focus fell on the bank’s Democratic Republic of the Congo (DRC) subsidiary, BGFIBank DRC, which was 40% owned by the sister of the DRC’s former president, Joseph Kabila. Extensive analysis of the leaked documents, undertaken over a six-month period by a consortium of journalists coordinated by the European Investigative Collaborations, shed light on various schemes used to transfer at least $138 million from DRC public coffers to Kabila’s associates and family members.

In November 2021, a report published by investigative organisation The Sentry found that $65 million of state funds had been transferred to close associates and relatives of Kabila through the BGFIBank DRC accounts of shell companies owned by a middleman, David Du Wei. The following month, The Namibian reported how Albert Yuma, a Kabila ally and then Chair of DRC’s state-owned mining company Gécamines, had embezzled as much as $41 million from the Central Bank of Congo through fictitious contracts with a Namibian fishing company. Yuma was removed as Gécamines Chair in early December 2021 as revelations from the Congo Hold-up leak emerged. This illustrates the potential for investigative journalism to precipitate the removal of government officials accused of corruption.

In certain jurisdictions, investigative journalists have the possibility of accessing datasets beyond what is available in the public domain or via data leaks. In countries which suffer from serious data protection shortcomings, reporters may be able to acquire private data leaked from government and company databases, often by low-level employees seeking to supplement their income. By obtaining these records (such as telephone records with geolocation data, passenger manifests, and residential addresses) from so-called data brokers, and then combining them with open-source research techniques (such as corporate record retrieval, analysis of photographs posted to social media, and satellite imagery), investigative journalists have broken significant political stories.

Ethical and legal implications

The use of leaks, hacks and data brokers raises important ethical and legal questions within both journalism and the legal profession.

The data traded by brokers is part of a wider cybercrime black market, which was estimated by Bromium in 2018 to be $1.5 trillion in size. Data brokers occupy the ‘low end’ of the data black market due to their relatively low cost and ease of access. At the market’s ‘high end’ are cyber criminals and hackers who might offer to hack specific individuals or organisations.

Netherlands-based investigative group Bellingcat has been open about its use of data acquired via cryptocurrency transfers on what is effectively an information black market. Lead Bellingcat investigator Christo Grozev has stated in press interviews that this is done only as a last resort, and only when there is a strong public interest, such as the suspicion that a state crime has taken place.

In the UK, the admissibility of hacked emails as evidence at trial was discussed in a 12 March 2021 judgment by the English Court of Appeal, Ras Al Khaimah Investment Authority (RAKIA) -v- Farhad Azima [2021] EWCA Civ 349. As part of a counterclaim and defence to fraud allegations brought against him by RAKIA in 2016, Farhad Azima, a US-Iranian businessman engaged in aviation, accused the claimant of hacking his emails and publishing them on the dark web. In the judgment, the Court of Appeal upheld the previous decision that it had been right to admit hacked material as evidence, even in circumstances where the claimant may have been responsible for the hacking.

In assessing the Court of Appeal’s decision, it is important to note that this judgment cannot be interpreted as giving freedom to claimants to act unlawfully in obtaining evidence. While the Court of Appeal confirmed that even stolen evidence could be admitted at trial if relevant to the matters in issue, the judgment nevertheless underlined the discretionary power maintained by judges to exclude evidence that would otherwise be admissible. The Court of Appeal concluded that the exclusion of such evidence, while unjustified in the dispute between RAKIA and Mr Azima, was possible under the balance of conflicting public interests. The Court of Appeal has referred Mr Azima’s counterclaim back to the High Court for a full re-hearing, and so there is the possibility that criminal charges over the obtaining of the hacked material may still be brought.

Hacked information as evidence

The Court of Appeal’s decision in this case could be of considerable significance to those building evidence in ongoing and future disputes. The large-scale online publication of hacked emails and other documents that began in the 2000s with WikiLeaks has accelerated in recent years. However, even where these documents are admissible, their controversial origins make thorough verification, contextualisation and cross-checking an absolute necessity before they can be relied upon in legal proceedings. This work should be carried out by investigative teams possessing the requisite linguistic expertise and professional credentials.

One obstacle to the use of leaked data in legal proceedings, whether hacked or not, may be the lack of access to raw data. The ICIJ, for example, rarely publishes original files for the records it leaks, and many media outlets with access to leaked datasets have policies that prohibit sharing them with private companies or national governments. However, there have been examples of governments reportedly buying data to assist their own monitoring and investigations. For example, in order to access files documenting the financial transactions of its nationals, in 2016 the government of Denmark reportedly bought leaked Panama Papers data from an anonymous source for $1.3 million. Germany similarly paid just under €1 million in 2014 for files leaked from Mossack Fonseca, the Panamanian law firm whose leaked documents would later become the Panama Papers.

Information made public by investigative journalists has been successfully used as evidence in court hearings in the UK and other jurisdictions. For example, investigators working for the Republic of Kazakhstan in Ascom Group S.A., Anatolie Stati, Gabriel Stati and Terra Raf Trans Trading Ltd. v. Republic of Kazakhstan (I), SCC Case No. 116/2010 successfully combined leaked corporate data compiled by the ICIJ with the disclosed records of financial transactions from a Latvian bank to identify approximately 80 different companies owned or controlled by the claimants. Evidencing this control demonstrated that the claimants had made false representations concerning supposedly independent companies and helped (according to a Svea Court of Appeal decision of 25 November 2019) to establish that “the claims granted by virtue of the [previous] Award [granted to the claimants] are based on gross criminal acts”.

New data possibilities in corporate investigations?

Tenacious corporate investigators are well placed to benefit from the innovations in data collection and analysis pioneered by their colleagues in journalism. Through careful consideration of the complex ethical and legal dimensions of the shifting landscape of evidence gathering, the best investigators will succeed in identifying when and where it is appropriate to harness these innovations for the benefit of their clients.