White Hat Computer Crime?
Does a well-intentioned security researcher commit a crime by probing a social network for vulnerabilities?
Some observers have feared the answer is yes. They have speculated that the researcher might enter a computer without authority and thereby violate an anti-hacking law like the federal Computer Fraud and Abuse Act.
The validity of those fears is debatable. And by tradition some web site owners have taken offense at researchers who test their sites for security holes. Tradition suggests that the less discussion of security the better. [For a rough example, see the FBI investigation that emerged after self-proclaimed researchers announced they had acquired sensitive information from AT&T about new iPad owners (although I do not know whether the investigation came as a consequence of a complaint from AT&T).]
But Facebook is pioneering a fresh approach. Facebook feels it can benefit from tests by independent researchers. Rather than forbidding security interrogations, it encourages them, provided they meet some conditions. Facebook says it will not seek punishment of someone who finds a security flaw and then reports it to Facebook a reasonable time before disclosing it to the public (provided the person makes a good effort to avoid abuses like identity theft or data destruction).
[Facebook doesn’t say what it will do if it catches a good researcher who is probing its network, but not finding anything to report.]
Facebook’s strategy suits our modern, networked age. Facebook candidly admits that it can make a mistake. Facebook’s attitude is that while it cannot know everything about its systems, it wants to learn as much as it can, as fast as it can. Thus, it encourages the multitudes on the Internet to find and reveal information Facebook craves. When Facebook opens itself to scrutiny, the cost is low, but the payoff in tips can be high.
These days, being open to talking about dangerous topics can help an enterprise win friends and propel it on a course of constant improvement.
–Benjamin Wright
Mr. Wright, a practicing attorney, teaches the law of data security and investigations at the SANS Institute.