Responsible Transparency?
Over at the ncircle blog, Mike Murray* takes me to task for advocating transparency, and argues for “Responsibility and Disclosure.” [link to http://blog.ncircle.com/archives/2006/06/responsibility.htm no longer works] His argument is solid:
We’ve had a “responsible disclosure” debate in the vulnerability research community for a whole lot of years – the point is simply that, while disclosure forces everyone to be responsible, sometimes, you can have too much of a good thing.
I do have to point out that the move to responsible disclosure took pain and suffering on all parts: the researchers, the vendors, and the innocent sysadmins. At the same time, that pain was needed to force vendors to move to a new position. Some vendors have embraced that new position really well. Others haven’t. There’s still a great deal of resistance to the new transparency. There are active efforts under way to roll it back. To impose federal “fox guards the henhouse” clauses on the state laws.
Those efforts will fail. They’ll either fail to be passed, or a liability suit will make the escape clause too expensive to invoke. Unfortunately, I expect we need to go through this painful phase to get to the good point of having a “national breach victimization survey,” and enabling a market for cool ID-theft prevention techniques like those coming from Debix[http://debix.com/].
I had a really interesting conversation with my friend S the other night. He asked if I’d give up 1386 notices to individuals in exchange for mandatory reporting to a central data collection authority. My answer was “if we still get notices where there’s reason to believe an individual will be affected.” Now I’m less sure. I think that notices to individuals serves important and still hard to discern processes. It feels right, even if I’m as yet unsure what the other arguments for it will be.
* Really, make that m “I need real names on the blog” murray. Photo from National Geographic [link to http://news.nationalgeographic.com/news/2006/05/060530-duck-alien.html no longer works] via Bullockdi on Flickr.
SB1386 and its ilk require notification when PII is thought to have been acquired by unauthorized people, but delayed disclosure is permitted at the request of law enforcement, or if disclosure would impact an ongoing investigation (or similar language to that effect). How is it that this is insufficient?