BreachExchange mailing list archives

Re: Details on AOL search log disclosure


From: Jon Passki <jon.passki () hursk com>
Date: Thu, 10 Aug 2006 07:54:17 -0500


On Aug 8, 2006, at 5:54 PM, security curmudgeon wrote:


: Now that we all have the list -- how ethical are we being by using it, for whatever purposes?
:
: Which ethical guidelines apply in this circumstance?
:
: (would type more but sliced hand opened a hard drive last night)

Hopefully more will pipe up on this issue, especially any lawyers lurking around.

: There are a couple issues that I see here. First, having the list in general can be debated. If I have such a list, is it unethical? It depends on how I obtained it really.

Disagree.  Principles can relate to possession or usage.  Now, what school of ethics are you? (^_^)  I feel a massive online debate about to start...

: If I hack a server or trick a person into giving it to me, no. If I get it from a popular torrent site and thousands of people are reading through it as I download it, I'd say no. Just possessing it in that circumstance isn't necessarily unethical but again, what am I doing with it?

It's about principles, which can relate to possession, if appropriate.  Since this is not data about you but others (I'm assuming you don't use AOL (^_^)), ethics should apply even with possession.  In my school of ethics, I see something as being ethical if it benefits, without harm, society, myself, and those impacted by what's in question, w/o going against my principles.  We could debate ad nauseam what principles are at play here, so let's not.

So, for me, I would ask myself if it does benefit, without harm, society, myself, and the people who are within the data set for me to gather, analyze, or report on that information, without violating my principles.  At the minimum, is there a benefit?  Sure.  A reasonable person can state that privacy is in the good of society and examples can be made from this dataset that show an absence of privacy since it was leaked.  One could conclude that no agency should ever get a massive amount of data without all parties being informed, since privacy would be violated.  And, with this, one can point to the AT&T vs. EFF case and shake a finger at the gov't.  Has that been done already?  Yes, many parties have reported on the ease of figuring out private information and individuals [1].  So, what other benefit are you going to provide to society or the person w/i the dataset?  If you're snickering while you look at the data, it's probably unethical (^_^)

Since most people on this list, I'll assume, are in the information security biz, then we are often at times custodians to other peoples' data (OPD, ya you know me).  The same ethics code should apply here, too.

[1] http://news.google.com/?ncl=http://computerworld.com/blogs/node/3191&hl=en

: Another key point to think about when debating the "possession of such a list" angle, is if the victim knows about the disclosure. In the case of the AOL list, they know it was leaked out so I don't see myself (or anyone on this list) having an obligation to report it to them. If I was under the impression that AOL wasn't aware, it would be an ethical duty to report it to them or law enforcement.

Could it be of benefit?  Reasonably speaking, mass media has probably a larger impact than an individual's announcement at this point, so there's probably no real benefit.

: Moving on from that issue, once we have the list and resolve any ethical dilemma in possession.. what are we doing with it? Anyone doing analysis on the content of the list attempting to determine the extent of disclosure, I don't see a problem with that. Obviously if you are browsing it looking for sensitive information to use in a crime or questionable activity, sure it crosses the boundary of ethical use.

See my short dissertation above (^_^)

Cheers,

Jon



_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 296 incidents over 6 years.