BreachExchange mailing list archives
Re: Details on AOL search log disclosure
From: Jon Passki <jon.passki () hursk com>
Date: Thu, 10 Aug 2006 07:54:17 -0500
On Aug 8, 2006, at 5:54 PM, security curmudgeon wrote:
: Now that we all have the list -- how ethical are we being by using it, : for whatever purposes? : : Which ethical guidelines apply in this circumstance. : : (would type more but sliced hand opened a harddrive last night) Hopefully more will pipe up on this isssue, especially any lawyers lurking around. There are a couple issues that I see here. First, having the list in general can be debated. If I have such a list, is it unethical? It depends on how I obtained it really.
Disagree. Principles can relate to possession or usage. Now, what school of ethics are you? (^_^) I feel a massive online debate about to start...
If I hack a server or trick a person into giving it to me, no. If I get it from a popular torrent site and thousands of people are reading through it as I download it, i'd say no. Just possessing it in that circumstance isn't necessarily unethical but again, what am I doing with it?
It's about principles, which can relate to possession, if appropriate. Since this is not data about you but others (I'm assuming you don't use AOL (^_^), ethics should apply even with possession. In my school of ethics, I see something as being ethical if it benefits, without harm, society, myself, and those impacted by what's in question, w/o going against my principles. We could debate ad nauseam what principles are at play here, so let's not. So, for me, I would ask myself if it does benefit, without harm, society, myself, and the people who are within the data set for me to gather, analyze, or report on that information, without violating my principles. At the minimum, is there a benefit? Sure. A reasonable person can state that privacy is in the good of society and examples can be made from this dataset that show an absence of privacy since it was leaked. One could conclude that no agency should ever get a massive amount of data without all parties being informed, since privacy would be violated. And, with this, one can point to the AT&T vs. EFF case and shake a finger at the gov't. Has that been done already? Yes, many parties have reported on the ease of figuring out private information and individuals [1]. So, what other benefit are you going to provide to society or the person w/i the dataset? If you're snickering while you look at the data, it's probably unethical (^_^) Since most people on this list, I'll assume, are in the information security biz, then we are often at times custodians to other peoples' data (OPD, ya you know me). The same ethics code should apply here, too. [1] http://news.google.com/?ncl=http://computerworld.com/blogs/node/ 3191&hl=en
Another key point to think about when debating the "possession of such a list" angle, is if the victim knows about the disclosure. In the case of the AOL list, they know it was leaked out so I don't see myself (or anyone on this list) having an obligation to report it to them. If I was under the impression that AOL wasn't aware, it would be an ethical duty to report it to them or law enforcement.
Could it be of benefit? Reasonably speaking, mass media has probably a larger impact than an individual's announcement at this point, so there's probably no real benefit.
Moving on from that issue, once we have the list and resolve any ethical dilemna in possession.. what are we doing with it? Anyone doing analysis on the content of the list attempting to determine the extent of disclosure, I don't see a problem with that. Obviously if you are browsing it looking for sensitive information to use in a crime or questionable activity, sure it crosses the boundary of ethical use.
See my short dissertation above (^_^) Cheers, Jon _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 142 million compromised records in 296 incidents over 6 years.
Current thread:
- Details on AOL search log disclosure lyger (Aug 07)
- Re: Details on AOL search log disclosure Dennis Opacki (Aug 07)
- Re: Details on AOL search log disclosure Chris Walsh (Aug 07)
- Re: Details on AOL search log disclosure Joshua Reich (Aug 07)
- Re: Details on AOL search log disclosure lyger (Aug 07)
- Re: Details on AOL search log disclosure security curmudgeon (Aug 08)
- Re: Details on AOL search log disclosure Jon Passki (Aug 10)
- Re: Details on AOL search log disclosure Joshua Reich (Aug 07)