[Dataloss] Details on AOL search log disclosure
security curmudgeon
jericho at attrition.org
Tue Aug 8 18:54:01 EDT 2006
: Now that we all have the list -- how ethical are we being by using it,
: for whatever purposes?
:
: Which ethical guidelines apply in this circumstance.
:
: (would type more but sliced hand opened a harddrive last night)
Hopefully more will pipe up on this isssue, especially any lawyers
lurking around.
There are a couple issues that I see here. First, having the list in
general can be debated. If I have such a list, is it unethical? It depends
on how I obtained it really. If I hack a server or trick a person into
giving it to me, no. If I get it from a popular torrent site and thousands
of people are reading through it as I download it, i'd say no. Just
possessing it in that circumstance isn't necessarily unethical but again,
what am I doing with it? Another key point to think about when debating
the "possession of such a list" angle, is if the victim knows about the
disclosure. In the case of the AOL list, they know it was leaked out so I
don't see myself (or anyone on this list) having an obligation to report
it to them. If I was under the impression that AOL wasn't aware, it would
be an ethical duty to report it to them or law enforcement.
Moving on from that issue, once we have the list and resolve any ethical
dilemna in possession.. what are we doing with it? Anyone doing analysis
on the content of the list attempting to determine the extent of
disclosure, I don't see a problem with that. Obviously if you are browsing
it looking for sensitive information to use in a crime or questionable
activity, sure it crosses the boundary of ethical use.
More information about the Dataloss
mailing list