Swire on Disclosure, Redux
Following on Chris’s post on disclosure, I’ve been meaning to mention Peter Swire’s “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies:”
A previous article proposed a model for when disclosure helps or hurts security, and provided reasons why computer security is often different in this respect than physical security. This paper provides a general approach for describing the incentives of actors to disclose about their software or systems. A chief point of this paper is that the incentives for disclosure depend on two, largely independent, assessments – the degree to which disclosure helps or hurts security, and the degree to which disclosure creates advantages or disadvantages for the organization competitively.
The paper presents a 2×3 matrix, where disclosure for security and competition are assessed for three types of systems or software: Open Source; proprietary software; and government systems. The paper finds greater convergence on disclosure between Open Source and proprietary software than most commentators have believed…
I’ve discussed Swire’s work before in “Swire on Disclosure” and “Friday Star Wars: Open Design.” I think he’s one of the few people who are not re-treading ground while thinking about issues of disclosure, and so even though it’s a long article, it’s worth reading.
There’s an outdated, but thorough, bibliography of the disclosure debate at http://www.wildernesscoast.org/bib/disclosure-by-date.html. It hasn’t been updated since summer 2004 but includes a lot of pointers to useful data.