The ChoicePoint incident has once again caused me to wonder whether security professionals have a blind side when it comes to the nature of different types of data/information – in particular, whether it is personal information, entertainment information, or vulnerability information.
Here is how I interpret what I see/hear/read from security professionals:
- Personal information is of highest value and should be protected at all costs, in order to protect privacy. Ultimately, we are better off not aggregating this data because the negative impact is higher in the case of a failure. Implicit in this assumption (I think) is the idea that the information somehow CAN be protected and the data, though often shared among many people, actually IS private.
- Entertainment information (movies, music, etc..) has no value and should be shared with as many people as possible (okay, I am exaggerating a bit). This information "wants to be free" and we should allow that. In fact, any attempt to protect it can be circumvented and the circumvention techniques should be described in the most public forums so that everyone can do it. Since circumvention is possible, protection is useless.
- Vulnerability information should be made available to as many people as possible because people may be able to find it anyway. It is okay to aggregate public information (like Cryptome and MI2G do periodically) because it is public; there is no harm done.
Here is what I think:
- Different people treat different information differently. We should respect the rights of individuals when they care about privacy or when they care about their intellectual property, and should allow for similar forms of protection.
- No security measures will ever be completely successful, so we should strive to introduce reasonable security measures based on our understanding of the threat.
- The notion of "reasonability" increases every time anyone (good or bad) discloses more security vulnerabilities associated with any data types.
- Aggregated, public data has greater value (positive or negative) than distributed, disconnected, public data. Period. We should treat all aggregation as a value-enhancer, either to good guys or bad guys and act accordingly. We should punish those who aggregate data similarly when its distribution leads to inappropriate/malicious activities.
What do you think?
I think that there’s an important difference between private information (such as my phone number) and information which needs to be shared to be used (such as music)
I can easily construct a system in which we can do business without you knowing my phone number. I can’t do the same for music. If I can’t hear, and perhaps record, the music, why would I pay for it?
To go from “different people value things differently,” which is true and important to “should allow for similar forms of protection.” is a big jump over the different realities in the need to transfer information.
When the music companies can deliver a service without me having a chance to record it, they do. (Eg, searches for recording devices at concerts.) I should be able to demand the same: Businesses should take reasonable deposits in lieu of offering me credit, and then treat the account the same as they treat other accounts.